ESB-2003.0132 -- iDEFENSE Security Advisory 02.27.03 -- TCPDUMP Denial of Service Vulnerability in ISAKMP Packet Parsing

Date: 28 February 2003
References: ESB-2003.0129  

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2003.0132 -- iDEFENSE Security Advisory 02.27.03
     TCPDUMP Denial of Service Vulnerability in ISAKMP Packet Parsing
                             28 February 2003

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                tcpdump
Vendor:                 iDEFENSE
Operating System:       Linux
                        UNIX
Impact:                 Denial of Service
Access Required:        Remote

Ref:                    ESB-2003.0129

Comment: CVE Id: CAN-2003-0108

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 02.27.03: 
http://www.idefense.com/advisory/02.27.03.txt
TCPDUMP Denial of Service Vulnerability in ISAKMP Packet Parsing
February 27, 2003

I. BACKGROUND

TCPDUMP is a widely used network debugging tool that prints out the
headers of packets on a network interface that match a boolean expression.
More information about the application is available at
http://www.tcpdump.org.

II. DESCRIPTION

A vulnerability exists in the parsing of ISAKMP packets (UDP port 500)
that allows an attacker to force TCPDUMP into an infinite loop upon
receipt of a specially crafted packet. 

The following output is from TCPDUMP replaying a previously captured
malformed ISAKMP packet: 

# tcpdump -vvvr tcpdump_isakmp_inf_loop | head
05:14:57.954719 192.168.2.243.isakmp > 192.168.2.243.isakmp: isakmp 8.9 msgid 7d380dee
cookie 773b4e8a1618caa8->51efacc0a65e0334: phase 2/others ? #69[C]:
    (#83)
    (#237)
    (#237)
    (#237)
    (#237)
    (#237)
    (#237)
    (#237)
    (#237)
    ...

The string "(#237)" will continue to print indefinitely; at this point
TCPDUMP is no longer processing other packets. The vulnerable segment of
code has been narrowed down to the following loop in
print-isakmp.c:isakmp_sub_print(). The while() loop never terminates
because the variable 'np' never becomes zero:

while (np) {
    safememcpy(&e, ext, sizeof(e));            /* copy this payload's generic header */

    if (ep < (u_char *)ext + ntohs(e.len)) {   /* payload claims to run past the packet end */
        printf(" [|%s]", NPSTR(np));
        cp = ep + 1;
        break;
    }
    depth++;
    printf("\n");
    for (i = 0; i < depth; i++)
        printf("    ");
    printf("(");
    cp = isakmp_sub0_print(np, ext, ep, phase, doi, proto);   /* sub-printer returns the new cursor */
    printf(")");
    depth--;

    np = e.np;                                 /* next-payload type taken from the header */
    ext = (struct isakmp_gen *)cp;             /* loop continues from wherever cp now points */
}
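The loop above has no condition that forces the cursor forward; it trusts the next-payload byte and whatever cursor the sub-printer returns. The following C program is an added illustration and is not part of the advisory or of tcpdump's own code. It walks a chain of ISAKMP generic payload headers (next-payload type, reserved byte, 16-bit big-endian length, the layout of the on-wire generic header) and terminates on every input: each iteration either advances by a validated length or returns with a reason. The payload cap, the sample buffers and the helper names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Generic ISAKMP payload header as carried on the wire:
 *   byte 0    next-payload type (0 = no further payload)
 *   byte 1    reserved
 *   bytes 2-3 payload length, big-endian, header included
 * Bytes are decoded directly, so no byte-order headers are needed. */
#define ISAKMP_GEN_HDR_LEN 4

/* Cap on chained payloads per message. A demo assumption, not a protocol
 * constant; any finite cap turns an endless walk into a bounded one. */
#define MAX_PAYLOADS 64

enum walk_status { WALK_OK = 0, WALK_TRUNCATED, WALK_BAD_LENGTH, WALK_TOO_MANY };

/* Walk the payload chain starting at buf (first payload type np) and ending
 * at buf + buflen. Every iteration either moves the cursor forward by a
 * validated length or returns, so the loop cannot spin forever.
 * Returns the number of payloads accepted; *status records why it stopped. */
size_t walk_payloads(const uint8_t *buf, size_t buflen, uint8_t np,
                     enum walk_status *status)
{
    const uint8_t *cp = buf;
    const uint8_t *ep = buf + buflen;
    size_t count = 0;

    while (np != 0) {
        /* The header must fit before its length field is read. */
        if ((size_t)(ep - cp) < ISAKMP_GEN_HDR_LEN) {
            *status = WALK_TRUNCATED;
            return count;
        }
        uint16_t len = (uint16_t)((cp[2] << 8) | cp[3]);

        /* A length below the header size would leave cp where it is: the
         * no-progress condition a plain "while (np)" loop never detects. */
        if (len < ISAKMP_GEN_HDR_LEN) {
            *status = WALK_BAD_LENGTH;
            return count;
        }
        /* The whole payload must lie inside the packet. */
        if (len > (size_t)(ep - cp)) {
            *status = WALK_TRUNCATED;
            return count;
        }
        if (++count > MAX_PAYLOADS) {
            *status = WALK_TOO_MANY;
            return count;
        }
        np = cp[0];     /* next-payload type from this header */
        cp += len;      /* strictly forward progress */
    }
    *status = WALK_OK;
    return count;
}

/* Fill out with n chained 4-byte payloads (next type 0x0b, last one 0).
 * Caller supplies at least 4*n bytes. Returns the number of bytes written. */
size_t build_chain(uint8_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        out[4 * i]     = (i + 1 < n) ? 0x0b : 0x00;
        out[4 * i + 1] = 0x00;
        out[4 * i + 2] = 0x00;
        out[4 * i + 3] = 0x04;
    }
    return 4 * n;
}

/* Constructed sample chains; payload bodies are arbitrary filler bytes. */
const uint8_t good_chain[] = {
    0x0a, 0x00, 0x00, 0x08, 0xde, 0xad, 0xbe, 0xef,   /* len 8, next 0x0a */
    0x04, 0x00, 0x00, 0x06, 0x01, 0x02,               /* len 6, next 0x04 */
    0x00, 0x00, 0x00, 0x04                            /* len 4, next 0 (end) */
};
const uint8_t zero_len_chain[]  = { 0x0a, 0x00, 0x00, 0x00, 0xaa, 0xbb }; /* len 0 */
const uint8_t truncated_chain[] = { 0x0a, 0x00, 0x00, 0x10, 0x01, 0x02 }; /* len 16, 6 bytes present */

int main(void)
{
    static const char *why[] = { "ok", "truncated", "bad length", "too many payloads" };
    enum walk_status st;
    uint8_t big[4 * 100];
    size_t n;

    n = walk_payloads(good_chain, sizeof good_chain, 1, &st);
    printf("good chain:     %zu payloads, %s\n", n, why[st]);
    n = walk_payloads(zero_len_chain, sizeof zero_len_chain, 1, &st);
    printf("zero-length:    %zu payloads, %s\n", n, why[st]);
    n = walk_payloads(truncated_chain, sizeof truncated_chain, 1, &st);
    printf("truncated:      %zu payloads, %s\n", n, why[st]);
    n = walk_payloads(big, build_chain(big, 100), 1, &st);
    printf("100-long chain: %zu payloads, %s\n", n, why[st]);
    return 0;
}
```

The three checks (header fits, length at least the header size, payload inside the packet) together guarantee that cp strictly increases on every iteration, and the payload cap bounds the work even when every header is individually valid; a dissector that can make those guarantees cannot be parked in a loop by one datagram.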

III. ANALYSIS

Any remote user can generate a specially crafted packet that will cause
TCPDUMP to enter an infinite loop, thereby rendering the application
useless and preventing the administrator from viewing network traffic.
Attackers can anonymously trigger this vulnerability by spoofing the
source address of the malicious packet; this is possible because it
traverses the User Datagram Protocol (UDP), a stateless protocol.
While the vulnerability exists specifically in the TCPDUMP code base, there
are some applications that utilize code from TCPDUMP or "wrap" around
TCPDUMP, and such applications would also be affected.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in TCPDUMP
versions 3.6, 3.6.3 and 3.7.1 built against LIBPCAP versions .6 and .7 on
both the Linux and FreeBSD platforms.  Many other Linux distributions
contain vulnerable TCPDUMP versions.

V. RECOVERY

An affected application is rendered useless upon entry into the infinite
loop. The application must be restarted to regain normal functionality. 

VI. WORKAROUND

An ad hoc workaround that can be implemented until an official vendor
patch has been made available is to simply filter out parsing of packets
destined to TCP or UDP port 500. This will prevent a malformed packet from
affecting a vulnerable version of TCPDUMP. The addition of the following
boolean string can be used to accomplish this task:

[and] dst port not 500 

Where the [and] is optional depending on whether or not additional boolean
expressions are provided.

VII. VENDOR FIX/RESPONSE

This vulnerability was already closed by Guy Harris during routine
development; users of the CVS version downloaded since September 6, 2002
(revision 1.34 of print-isakmp.c) are not vulnerable.  The new 3.7.2
tcpdump release includes this and a couple of additional security
fixes; the 0.7.2 libpcap release includes new functionality but no
security fixes.

The following packages are available:

http://www.tcpdump.org/release/tcpdump-3.7.2.tar.gz
http://www.tcpdump.org/release/libpcap-0.7.2.tar.gz


Debian 2.2 (potato) contains tcpdump 3.4a6, which does not appear to be
vulnerable (version 3.4a6 does not include an isakmp dissector). Debian
3.0 (woody) contains tcpdump 3.6.2, which is vulnerable.  Updated packages
are available from http://www.debian.org/security/ .


VIII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has
assigned the identification number CAN-2003-0108 to this issue.

IX. DISCLOSURE TIMELINE

12/09/2002	Issue disclosed to iDEFENSE
02/25/2003	TCPDUMP maintainers notified: guy_harris@users.sourceforge.net,
		itojun@users.sourceforge.net, mcr@users.sourceforge.net and 
		fenner@users.sourceforge.net
02/25/2003	Responses from Guy Harris, Bill Fenner, Michael Richardson
02/25/2003	iDEFENSE clients notified
02/26/2003	OS vendors notified via vendor-sec@lst.de
02/27/2003	Public Disclosure

X. CREDIT

Andrew Griffiths (andrewg@d2.net.au) is credited with discovering this
vulnerability.


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide 
decision-makers, frontline security professionals and network 
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .

- -----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPl5kgPrkky7kqW5PEQKOHQCeOpW3nL8O4KLeXbpPtWYxEAvj5RAAn1iJ
CzXiu8TzsrftUGUlxCElW4AE
=/uV9
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBPl9GUCh9+71yA2DNAQFQJQQAhpzXxJF6yVEUBXNvLHek9grvAlU7UFOo
2Y6A96lbPIWqo1QIfkE+WcfLFkt/O8KYsNL90AeW8TmtxdzqJyL+MX+mRlAYpNyM
vAf3676NiCIykURO8Dd7GVtvZyeWQPFq8ynHuYX0E06F+E9+DuKfSRqLlXQqB0/k
Kv+i+1Qd+zk=
=rmjC
-----END PGP SIGNATURE-----