Date: Sun, 19 Jun 2005 11:15:53 +0200
From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: [email protected]
Subject: Another tcpdump BGP infinite loop vulnerability (CAN-2005-1267)
Message-ID: <20050619091553.GB982@zaphod.nitro.dk>
Hello
While working on the FreeBSD Security Advisory for the recent tcpdump
issues (CAN-2005-1278, CAN-2005-1279, and CAN-2005-1280) I noticed
another similar infinite loop DoS vulnerability in the BGP handling
code. It affects at least tcpdump 3.8.3 and tcpdump 3.9 snapshots
from before May 5.
The problem was in bgp_update_print() in print-bgp.c around line 1652
(for tcpdump 3.8.3), where the -1 return value from decode_prefix4()
was not properly handled.
The issue was verified to cause an infinite loop against tcpdump 3.8.3
running on FreeBSD (before FreeBSD-SA-05:10.tcpdump), which included
the patches for the first set of tcpdump DoS vulnerabilities, and
against Gentoo Linux with tcpdump-3.8.3-r2 (Gentoo has released an
update for GLSA-200505-06 which addresses the new issue).
The very ugly proof-of-concept exploit code, which is based on
bgp4_update.c from libnet, and the patch which fixes the problem
(based on part of print-bgp.c v. 1.95) can be found at the URLs
mentioned below. The proof-of-concept has been tested on FreeBSD
using libnet 1.1.2.1.
Note that this issue has been public for a bit and most major vendors
have already released advisories for this issue, so this email is mainly
to have a reference for the issue.
This issue has been assigned the CVE name CAN-2005-1267.
http://people.freebsd.org/~simon/security/CAN-2005-1267/tcpdump-bgp-update-poc.c
http://people.freebsd.org/~simon/security/CAN-2005-1267/tcpdump-bgp-infinite-loop2.patch
-- 
Simon L. Nielsen
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)
iD8DBQFCtTfJh9pcDSc1mlERAnZbAJ9qgtJtpc1Ekbl71i1d6aoBHN38DgCeOkO1
ctxWngJTOnkgaY5mvAt/rC4=
=RfxJ
-----END PGP SIGNATURE-----
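The bug class the mail describes, as an added illustration that is not part of the original message, not tcpdump's print-bgp.c, and not the linked patch: a toy IPv4 NLRI walker whose per-entry decoder returns -1 on a malformed prefix (the contract the mail attributes to decode_prefix4()), driven once by a loop that feeds that -1 straight into its cursor arithmetic and once by a loop that checks for it. The function names (decode_prefix4_toy, walk_nlri_unchecked, walk_nlri_checked), the iteration budget and the two sample NLRI byte strings are this example's own constructions, not captured traffic or tcpdump identifiers.

```c
/*
 * Added illustration, not tcpdump's code and not the linked patch: a toy
 * IPv4 NLRI walker showing why an unchecked -1 from the per-prefix decoder
 * leaves the loop unable to make progress, and the check that stops it.
 * Function names and the sample byte strings are this example's own.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One NLRI entry: a prefix length in bits, then (plen + 7) / 8 address bytes.
 * Returns bytes consumed (always >= 1), or -1 if the entry is malformed:
 * cursor out of range, plen > 32, or not enough bytes left. */
static int decode_prefix4_toy(const uint8_t *buf, int off, int total,
                              char *out, size_t outlen)
{
    if (off < 0 || off >= total)
        return -1;
    unsigned plen = buf[off];
    if (plen > 32)
        return -1;                          /* illegal prefix length */
    int nbytes = (int)((plen + 7) / 8);
    if (total - off < 1 + nbytes)
        return -1;                          /* truncated entry */
    uint8_t addr[4] = {0, 0, 0, 0};
    memcpy(addr, buf + off + 1, (size_t)nbytes);
    if (plen % 8)                           /* clear host bits in last byte */
        addr[nbytes - 1] &= (uint8_t)(0xffu << (8 - plen % 8));
    snprintf(out, outlen, "%u.%u.%u.%u/%u", (unsigned)addr[0], (unsigned)addr[1],
             (unsigned)addr[2], (unsigned)addr[3], plen);
    return 1 + nbytes;
}

#define MAX_ITER 10000  /* budget so the demo terminates; the real loop has none */

/* The unchecked pattern: the decoder's return value is applied to the cursor
 * and to the remaining length without testing for -1.  A bad entry therefore
 * moves the cursor back one byte and makes len larger, so len never reaches
 * zero.  Returns the prefix count, or -1 once the budget runs out, which is
 * where the unbudgeted loop would spin forever.  The first few iterations are
 * printed so the oscillation is visible. */
static int walk_nlri_unchecked(const uint8_t *buf, int total)
{
    int off = 0, len = total, count = 0, iter = 0;
    char txt[32];
    while (len > 0) {
        if (++iter > MAX_ITER)
            return -1;
        int i = decode_prefix4_toy(buf, off, total, txt, sizeof txt);
        if (iter <= 6)
            printf("  iter %d: off=%d len=%d -> decoder returned %d\n",
                   iter, off, len, i);
        if (i > 0)
            count++;
        off += i;   /* i == -1: cursor steps backwards */
        len -= i;   /* i == -1: remaining length grows */
    }
    return count;
}

/* The fix: stop on -1 instead of feeding it into the cursor arithmetic.
 * Returns the prefix count, or -2 if a malformed entry was found. */
static int walk_nlri_checked(const uint8_t *buf, int total)
{
    int off = 0, len = total, count = 0;
    char txt[32];
    while (len > 0) {
        int i = decode_prefix4_toy(buf, off, total, txt, sizeof txt);
        if (i == -1) {
            printf("  (malformed prefix at offset %d)\n", off);
            return -2;
        }
        printf("  %s\n", txt);
        count++;
        off += i;
        len -= i;
    }
    return count;
}

/* Constructed sample NLRI bytes for this example (not captured traffic). */
static const uint8_t GOOD_NLRI[] = {
    24, 192, 0, 2,        /* 192.0.2.0/24   */
    16, 198, 51,          /* 198.51.0.0/16  */
    32, 203, 0, 113, 7    /* 203.0.113.7/32 */
};
static const uint8_t BAD_NLRI[] = {
    24, 192, 0, 200,      /* 192.0.200.0/24, a valid first entry */
    64, 1, 2              /* prefix length 64: illegal for IPv4  */
};

int main(void)
{
    printf("checked walker, good input:\n");
    printf("-> %d prefixes\n", walk_nlri_checked(GOOD_NLRI, (int)sizeof GOOD_NLRI));
    printf("checked walker, bad input:\n");
    printf("-> %d (-2 = malformed entry reported)\n",
           walk_nlri_checked(BAD_NLRI, (int)sizeof BAD_NLRI));
    printf("unchecked walker, bad input:\n");
    printf("-> %d (-1 = budget exhausted, loop never made progress)\n",
           walk_nlri_unchecked(BAD_NLRI, (int)sizeof BAD_NLRI));
    return 0;
}
```

On the bad input the unchecked walker accepts the first entry, then hits the illegal length, steps back onto the byte 200 (also illegal), steps back again onto the 0 byte (a valid /0), moves forward one, and is back on 200: the cursor oscillates between offsets 2 and 3 while len alternates between 4 and 5, so the loop condition can never become false. The checked walker returns as soon as the decoder reports -1, which is the shape of the fix the mail refers to.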