Last Updated: 2005-10-29 02:28:22 UTC by Johannes Ullrich (Version: 1)
In case you missed it last week, iDefense released an advisory regarding Ethereal, the very popular open source protocol analyzer. Several buffer overflow and DoS vulnerabilities are corrected in the latest release version, 0.10.13.
"It may be possible to make Ethereal crash, use up available memory, or run arbitrary code by injecting a purposefully malformed packet onto the wire or by convincing someone to read a malformed packet trace file."
The iDefense advisory is at: http://www.idefense.com/application/...ulnerabilities
There is exploit code for at least one of the buffer overflow vulns. Now, who uses Ethereal, anyway? Net admins, incident handlers, auditors, analysts... nothing important to worry about on their systems, eh?
A great way to avoid getting bitten badly by these protocol parser attacks is not to run the analyzer as a superuser if you don't have to. Do your packet capturing with something dumb (like tethereal or tcpdump with the -w switch, which writes the raw packets to disk rather than dissecting them), then analyze the trace file as a non-privileged user. This way an attacker is limited to that user's privileges, should they slide the evil bits into your sniffer.
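A small wrapper that applies the capture-then-analyze separation described above, added here as an example (it is not from the diary or the Ethereal project). It assumes tcpdump with the -Z privilege-drop option and tethereal are installed, that an unprivileged account named "analyst" exists, and that the interface name and trace path are placeholders.

```shell
#!/bin/sh
# Added example: privileged capture, unprivileged dissection.
# Assumptions: tcpdump (with -Z, tcpdump 3.9+) and tethereal installed,
# an unprivileged "analyst" account, placeholder interface and path.
set -eu

CAP_IFACE="${CAP_IFACE:-eth0}"          # placeholder capture interface
TRACE="${TRACE:-/var/tmp/capture.pcap}" # placeholder trace file
ANALYST="${ANALYST:-analyst}"           # unprivileged account for parsing

# Succeeds only for a non-root uid. The protocol parser must never run as 0.
is_unprivileged_uid() {
    [ "$1" -ne 0 ]
}

# Capture step: -w writes raw packets without running the dissectors;
# -Z drops tcpdump's own privileges once the interface is open.
run_capture() {
    tcpdump -i "$1" -Z "$ANALYST" -w "$2"
    chown "$ANALYST" "$2"
    chmod 0600 "$2"
}

# Analysis step: the full dissector runs as the unprivileged account, so a
# malformed packet in the trace can only do what that account can do.
run_analysis() {
    if ! is_unprivileged_uid "$(id -u "$ANALYST")"; then
        echo "refusing: $ANALYST resolves to uid 0" >&2
        return 1
    fi
    su -s /bin/sh "$ANALYST" -c "tethereal -r '$1'"
}

main() {
    if is_unprivileged_uid "$(id -u)"; then
        echo "not root: skipping capture, analyzing existing $TRACE" >&2
    else
        run_capture "$CAP_IFACE" "$TRACE"
    fi
    run_analysis "$TRACE"
}

# Invoke as: sh safe-analyze.sh run   (no argument defines functions only)
case "${1:-}" in run) main ;; esac
```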