Ethereal-users: Re: [Ethereal-users] HP JetDirect and ethereal SNMP vulnerabilities
At 8:43 AM -0800 2/20/02, Breen Mullins wrote:
>>> As an interesting side note, Ethereal (a popular open source sniffer /
>>> traffic analyzer) crashes every time it sees this packet also.
>>> It gives the error "GLib-ERROR **: could not allocate -1 bytes
>> aborting...".
>
>I saw this too. I'm in the midst of rebuilding ethereal and I'll
>try to reproduce it.
Verified on RedHat 7.2
[bpm@archy bpm]$ rpm -qa|grep ethereal
ethereal-gnome-0.9.1-1
ethereal-base-0.9.1-1
ethereal-usermode-0.9.1-1
ethereal-gtk+-0.9.1-1\
[bpm@archy bpm]$ rpm -q gtk+
gtk+-1.2.10-11
[bpm@archy bpm]$ rpm -qa|grep ucd-snmp
ucd-snmp-utils-4.2.3-1
ucd-snmp-devel-4.2.3-1
ucd-snmp-4.2.3-1
[bpm@archy bpm]$ rpm -qa|grep glib
glibc-2.2.4-13
glibc-common-2.2.4-13
glib-1.2.10-5
glibc-devel-2.2.4-13
glib-devel-1.2.10-5
EtherPeek captures the frame w/o crash -- here's a decode of the
SNMP message:
SNMP - Simple Network Management Protocol
Comm/Auth Object Type/Len: 0x30 0x4b (75)
Version Number Type/Len/Value:0x02 0x01 (1) 0x00
Community Type/Len/Value: 0x04 0x06 (6) public
PDU Message Type: 0xa3 Set Request
PDU Message Length: 0x3e (62)
Request ID Type/Len/Value: 0x02 0x02 (2) 0x35cb
Error Status Type/Len/Value: 0x02 0x01 (1) 0x00 No Error
Error Index Type/Len/Value: 0x02 0x01 (1) 0x00
Variable Bindings Type/Len: 0x30 0x32 (50)
Variable Binding Type/Len: 0x30 0x30 (48)
VarBind Object Type/Len: 0x06 0x08 (8)
VarBind Object Identifier: 1.3.6.1.2.1.1.5.0
VarBind Value Type/Len: 0x04 0x84 0xffffffff (4294967295)
VarBind Value: No more data.
Variable Binding Type/Len: 0x63 Invalid Type
Remaining SNMP Data:
06-snmpv1 with % 30 36 2d 73 6e 6d 70 76 31 20 77 69 74 68 20 25
s%s%s%.999d%x%n- 73 25 73 25 73 25 2e 39 39 39 64 25 78 25 6e 00
Frame Check Sequence:
Packet is too short for further decode.
Breen
--
Breen Mullins
SQA Engineer
Asante Technologies, Inc.
800-662-9686x323
<bmullins@xxxxxxxxxx>
