Vulnerability Development: Ethereal v0.9.13 to v0.10.10 DISTCC Denial of Service Exploit (Buffer Overflow)

From: David Jungerson <david-jungerson_at_web.de>
Date: Wed, 11 May 2005 12:59:36 +0200

From the original Ethereal Advisory at
http://ethereal.com/appnotes/enpa-sa-00019.html : `The DISTCC dissector
was susceptible to a buffer overflow. Discovered by Ilja van Sprundel
Versions affected: 0.9.13 to 0.10.10'. Just had a quick look at it, but
the exploit is a classical signed vs. unsigned issue when providing the
payload length in a DISTCC packet (for example `SERR'). When providing a
packet length of -1 (0xffffffff), the dissector utility routines copy
the whole payload into a 255-byte buffer, so this should be trivial to
exploit further.

Sample `DoS-Exploit':
# nc $SOME_SNIFFED_MACHINE 3632 | perl -e 'print "SERRffffffff" . "oxff" x 256'

Please note that the sniffed machine has to have port 3632 open. Since
the DISTCC dissector is an application layer dissector, this may be
exploited via all IP routed networks, for example the internet.

    Best Regards,
    Georg 'oxff' Wicherski

    http://www.mwcollect.org/
Received on May 11 2005
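The signed-vs-unsigned length handling described in the post, shown as an added illustration that is not part of the original message and is not Ethereal's actual dissector code: a hypothetical length check done on a signed int (which accepts 0xffffffff because it reads as -1) beside a hardened helper that keeps the length unsigned and bounds it by both the destination buffer and the bytes actually present in the packet. The 255-byte buffer size and the 4-character-token-plus-8-hex-digit record layout are assumptions taken from the post; the sample records are constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout (not Ethereal's code): a 4-character token such as "SERR",
 * then 8 hex digits giving the payload length, then the payload. The post
 * says the payload lands in a 255-byte buffer. */
#define DISTCC_BUF_SIZE 255
#define DISTCC_HDR_LEN  12

/* Parse exactly 8 hex digits into a 32-bit value. Returns 1 on success,
 * 0 if any character is not a hex digit. */
static int parse_hex32(const char *p, uint32_t *out)
{
    uint32_t v = 0;
    for (int i = 0; i < 8; i++) {
        char c = p[i];
        int d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return 0;
        v = (v << 4) | (uint32_t)d;
    }
    *out = v;
    return 1;
}

/* The flaw the post describes, reduced to its comparison: the wire length is
 * stored in a signed int, so 0xffffffff becomes -1 (on two's-complement
 * targets) and passes a "fits in the buffer" test. No copy is performed. */
int flawed_length_accepted(uint32_t wire_len)
{
    int32_t len = (int32_t)wire_len;
    return len <= DISTCC_BUF_SIZE;
}

/* Hardened helper: the length stays unsigned and must fit both the output
 * buffer and the bytes remaining in the packet. Returns the number of payload
 * bytes copied, or -1 if the record is rejected. */
int copy_distcc_payload(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_size)
{
    uint32_t len;
    if (pkt_len < DISTCC_HDR_LEN) return -1;
    if (!parse_hex32((const char *)pkt + 4, &len)) return -1;
    size_t avail = pkt_len - DISTCC_HDR_LEN;
    if (len > out_size || len > avail) return -1;
    memcpy(out, pkt + DISTCC_HDR_LEN, len);
    return (int)len;
}

/* Constructed sample with the shape from the post: token "SERR", length
 * field 0xffffffff, then 256 bytes of 0xff. Returns the hardened verdict. */
int demo_malformed_record(void)
{
    uint8_t pkt[DISTCC_HDR_LEN + 256];
    char out[DISTCC_BUF_SIZE];
    memcpy(pkt, "SERRffffffff", DISTCC_HDR_LEN);
    memset(pkt + DISTCC_HDR_LEN, 0xff, 256);
    return copy_distcc_payload(pkt, sizeof pkt, out, sizeof out);
}

/* Constructed well-formed sample: length 5, payload "hello". Returns 5 only
 * if exactly those bytes were copied. */
int demo_wellformed_record(void)
{
    const char *pkt = "SERR00000005hello";
    char out[DISTCC_BUF_SIZE];
    int n = copy_distcc_payload((const uint8_t *)pkt, strlen(pkt), out, sizeof out);
    return (n == 5 && memcmp(out, "hello", 5) == 0) ? n : -1;
}

int main(void)
{
    printf("flawed check accepts 0xffffffff: %d\n", flawed_length_accepted(0xffffffffu));
    printf("hardened copy of malformed record: %d\n", demo_malformed_record());
    printf("hardened copy of well-formed record: %d\n", demo_wellformed_record());
    return 0;
}
```

The second bound (`len > avail`) matters as much as the buffer-size one: even a length that fits the buffer must not be allowed to read past the end of the captured packet, which is the kind of over-read a dissector running on untrusted traffic should refuse rather than attempt.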