Ethereal v0.9.13 to v0.10.10 DISTCC Denial of Service Exploit (Buffer Overflow)
From: David Jungerson (david-jungersonweb.de)
Date: Wed May 11 2005 - 05:59:36 CDT
From the original Ethereal Advisory on
http://ethereal.com/appnotes/enpa-sa-00019.html : `The DISTCC dissector
was susceptible to a buffer overflow. Discovered by Ilja van Sprundel.
Versions affected: 0.9.13 to 0.10.10'. Just had a quick look at it, but
the exploit is a classical signed vs. unsigned issue when providing the
payload length in a DISTCC packet (for example `SERR'). When providing a
packet length of -1 (0xffffffff), the dissector utility routines copy
the whole payload into a 255-byte buffer, so this should be trivial to
exploit further.
# perl -e 'print "SERRffffffff" . "oxff"' | nc $SOME_SNIFFED_MACHINE 3632
Please note that the sniffed machine has to have port 3632 open. Since
the DISTCC dissector is an application-layer dissector, this may be
exploited over any IP-routed network, for example the internet.
Georg 'oxff' Wicherski
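As an added example (not from the original post or from Ethereal's source), the C below models the signed-vs-unsigned length check described in the message beside a hardened version of the same check. The token layout (4-byte token such as `SERR` followed by 8 hex digits of length) is the one the post's one-liner uses; the function and macro names are hypothetical.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

#define DISTCC_TOKEN_LEN 4     /* e.g. "SERR" */
#define DISTCC_HEX_LEN   8     /* length field: 8 hex digits */
#define DISTCC_BUF_SIZE  255   /* fixed-size buffer named in the post */

/* Parse the 8 hex digits after the token into an unsigned 32-bit value.
 * Rejects short headers and non-hex characters. */
static int parse_hex_len(const char *hdr, size_t hdr_len, uint32_t *out)
{
    uint32_t v = 0;
    size_t i;
    if (hdr_len < DISTCC_TOKEN_LEN + DISTCC_HEX_LEN) return 0;
    for (i = DISTCC_TOKEN_LEN; i < DISTCC_TOKEN_LEN + DISTCC_HEX_LEN; i++) {
        unsigned char c = (unsigned char)hdr[i];
        if (!isxdigit(c)) return 0;
        v = (v << 4) | (uint32_t)(isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
    }
    *out = v;
    return 1;
}

/* Vulnerable pattern (hypothetical model of the bug described): the length
 * is held in a signed int and bounds-checked as signed. Returns 1 if the
 * header is accepted and stores in *n the count a memcpy would receive. */
int check_len_signed(const char *hdr, size_t hdr_len, size_t *n)
{
    uint32_t raw;
    int len;
    if (!parse_hex_len(hdr, hdr_len, &raw)) return 0;
    len = (int)raw;                       /* 0xffffffff becomes -1 */
    if (len > DISTCC_BUF_SIZE) return 0;  /* -1 > 255 is false: check passes */
    *n = (size_t)len;                     /* -1 becomes SIZE_MAX: overflow */
    return 1;
}

/* Hardened pattern: keep the length unsigned, bound it by the buffer size and
 * by the bytes actually present in the packet, and reject rather than clamp. */
int check_len_checked(const char *hdr, size_t hdr_len, size_t avail, size_t *n)
{
    uint32_t len;
    if (!parse_hex_len(hdr, hdr_len, &len)) return 0;
    if (len > DISTCC_BUF_SIZE || len > avail) return 0;
    *n = len;
    return 1;
}
```

With the constructed header `SERRffffffff` the signed variant accepts the packet and yields a copy length of SIZE_MAX, while the checked variant rejects it.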