Besides the L2TP vulnerability mentioned on this list this month, I found two other locations in the code
which an attacker could use to crash, or in the worst case exploit, tcpdump.
The first critical piece of code is found in print-isakmp.c:332. The function rawprint() does not
check its arguments, so it is easy for an attacker to pass a big 'len' or a bogus 'loc', leading to a
segmentation fault in the for loop.
rawprint() gets called at various places in print-isakmp.c.
The second bug is located in print-radius.c:471. The for loop of print_attr_string() is written in an
unsafe manner; 'length' and 'data' should be checked.
print_attr_string() is called via a function pointer from radius_attr_print() (line 784), where no upper bound
for 'rad_attr->len' is defined. This leads to a segmentation fault as well.
Both vulnerabilities were tested against tcpdump 3.8.1, libpcap 0.7.1 and Linux.
Thanks, Jonathan Heusser
--
Key fingerprint = 2A55 EB7C B7EA 6336 7767 4A47 910A 307B 1333 BD6C
-
This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]
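Both reports above describe the same defect class: a length that comes from the packet (or is handed down by a caller who took it from the packet) drives a loop that reads memory without first being compared against the end of the captured data. The following stand-alone C sketch is an added example, not code from the original post or from tcpdump, showing the check a hardened rawprint() and a RADIUS attribute walker would perform before touching the bytes. The names struct capture, in_capture(), rawprint_checked() and radius_walk() are mine, the packet bytes are constructed, and tcpdump's real snapend/TCHECK machinery is not reproduced.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the capture state a printer sees: the captured
 * bytes and a pointer one past the last byte that may be read (assumption,
 * not tcpdump's own structures). */
struct capture {
    const uint8_t *start;
    const uint8_t *snapend;
};

/* True if [loc, loc+len) lies entirely inside the captured bytes. Comparing
 * against the remaining length (not loc+len) means an attacker-supplied 'len'
 * near SIZE_MAX cannot wrap the pointer arithmetic back inside the buffer. */
static int in_capture(const struct capture *cap, const uint8_t *loc, size_t len)
{
    if (loc < cap->start || loc > cap->snapend)
        return 0;
    return len <= (size_t)(cap->snapend - loc);
}

/* Hex-dumps 'len' bytes at 'loc' into 'out' only after checking both the
 * packet bounds and the output buffer. Returns the byte count, or -1 when the
 * range is not fully captured (the case an unchecked loop would read through). */
static int rawprint_checked(const struct capture *cap, const uint8_t *loc,
                            size_t len, char *out, size_t outsz)
{
    if (!in_capture(cap, loc, len) || outsz < 2 * len + 1)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < len; i++)
        snprintf(out + 2 * i, 3, "%02x", loc[i]);
    return (int)len;
}

/* RADIUS attributes are type(1) length(1) value(length-2). 'length' counts the
 * two header bytes, so anything below 2 is malformed, and anything beyond the
 * remaining packet or the captured data must be rejected before the value is
 * touched. That upper bound is what the post says radius_attr_print() lacks. */
struct rad_attr_view {
    uint8_t type;
    uint8_t len;
    const uint8_t *value;
};

/* Walks 'avail' bytes of attributes at 'p'. Returns the number of well-formed
 * attributes, or -1 as soon as a length runs past 'avail' or the capture. */
static int radius_walk(const struct capture *cap, const uint8_t *p, size_t avail,
                       struct rad_attr_view *out, size_t max)
{
    size_t n = 0;
    while (avail > 0) {
        if (avail < 2 || !in_capture(cap, p, 2))
            return -1;                      /* attribute header truncated */
        uint8_t type = p[0], len = p[1];
        if (len < 2 || len > avail || !in_capture(cap, p, len))
            return -1;                      /* bogus or over-long length */
        if (n < max) {
            out[n].type = type;
            out[n].len = len;
            out[n].value = p + 2;
        }
        n++;
        p += len;
        avail -= len;
    }
    return (int)n;
}

/* Constructed sample: User-Name "bob" (type 1, len 5), NAS-Port 0 (type 5,
 * len 6), then a Vendor-Specific attribute (type 26) whose length byte 0x40
 * claims 64 bytes although only 4 were captured. */
static const uint8_t sample_attrs[] = {
    0x01, 0x05, 'b', 'o', 'b',
    0x05, 0x06, 0x00, 0x00, 0x00, 0x00,
    0x1a, 0x40, 0xde, 0xad
};
static const struct capture sample_cap = { sample_attrs, sample_attrs + sizeof sample_attrs };

/* Dumps the User-Name value: returns 3 and leaves "626f62" in 'hex'. */
int demo_rawprint_ok(char *hex, size_t hexsz)
{
    return rawprint_checked(&sample_cap, sample_attrs + 2, 3, hex, hexsz);
}

/* Feeds the bogus length 64 as rawprint()'s 'len': returns -1, no over-read. */
int demo_rawprint_overlong(void)
{
    char hex[2 * 64 + 1];
    return rawprint_checked(&sample_cap, sample_attrs + 13, 64, hex, sizeof hex);
}

/* Walks only the two well-formed attributes (11 bytes): returns 2. */
int demo_radius_clean(void)
{
    struct rad_attr_view v[4];
    return radius_walk(&sample_cap, sample_attrs, 11, v, 4);
}

/* Walks the whole sample, as a printer trusting the declared length would;
 * the third attribute fails the bound check and the walk returns -1. */
int demo_radius_overlong(void)
{
    struct rad_attr_view v[4];
    return radius_walk(&sample_cap, sample_attrs, sizeof sample_attrs, v, 4);
}
```

The point of checking 'len' against the remaining capture rather than the declared packet length alone is that libpcap may have captured fewer bytes than the headers claim, so a printer has two independent bounds to respect, and the attacker controls one of them outright.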
