CVE-2017-13016/ES-IS: Fix printing of addresses in RD PDUs.
Always print the SNPA, and flag it as such; only print it as a MAC address if it's 6 bytes long. Identify the NET as such. This fixes a buffer over-read discovered by Bhargava Shastry, SecT/TU Berlin. Add tests using the capture files supplied by the reporter(s), modified so the capture files won't be rejected as an invalid capture.
1 parent 9851220, commit c177cb3
Showing 13 changed files with 72 additions and 4 deletions.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| UI 22! ES-IS, length 65565 | ||
| redirect (6), v: 1, checksum: 0x70a1 (incorrect should be 0xf519), holding time: 22339s, length indicator: 17 | ||
| 00.22 | ||
| SNPA (length: 0): <empty>, opt (0) too long |
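
Review bot: the address on the line directly under the redirect header (`00.22`) is still printed without a label, while the following line is now tagged `SNPA (length: 0):`. From this output a reader cannot tell which field of the RD PDU `00.22` is. Consider printing it with a field name and length in the same style as the SNPA line, so every address in a redirect is identified the same way.
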
Binary file not shown.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| UI 22! ES-IS, length 65565 | ||
| unknown type: 0 (0), v: 1, checksum: 0x00a1 (incorrect should be 0x859d), holding time: 0s, length indicator: 17 | ||
| 0x0000: 0200 04ec ff00 0000 | ||
| UI 22! ES-IS, length 2650865693 | ||
| redirect (6), v: 1, checksum: 0x0300 (incorrect should be 0xbce5), holding time: 21480s, length indicator: 17 | ||
| ec.ff00.00 | ||
| SNPA (length: 0): <empty> |
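
Review bot: the expected output pins `length 2650865693` for the second packet and `length 65565` for the first, while the hex dump for the first packet shows only 8 bytes. If those values are simply what the modified capture file carries in its record headers, a short comment next to the test entry saying so would keep a later change in length handling from being read as a regression in the ES-IS printer.
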
Binary file not shown.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| UI 22! ES-IS, length 65565 | ||
| ESH (2), v: 1, checksum: 0x70a1 (incorrect should be 0xfb4e), holding time: 21315s, length indicator: 17 | ||
| Number of Source Addresses: 2 | ||
| NET (length: 0): isonsap_string: illegal length | ||
| NET (length: 4): ec.ff00.00, bad opts/li | ||
| UI 22! ES-IS, length 65565 | ||
| redirect (6), v: 1, checksum: 0x7034 (incorrect should be 0x44ec), holding time: 21315s, length indicator: 16 | ||
| 02.0400 | ||
| SNPA (length: 0): <empty> | ||
| Unknown Option #0, length 0, value: | ||
| UI 32! ES-IS, length 65565 | ||
| ESH (2), v: 1, checksum: 0x70a1 (incorrect should be 0xfb4e), holding time: 21315s, length indicator: 17 | ||
| Number of Source Addresses: 2 | ||
| NET (length: 0): isonsap_string: illegal length | ||
| NET (length: 4): ec.ff00.00, bad opts/li | ||
| UI 22! ES-IS, length 4244701213 | ||
| redirect (6), v: 1, checksum: 0x7034 (incorrect should be 0x36fe), holding time: 21315s, length indicator: 17 | ||
| isonsap_string: illegal length | ||
| SNPA (length: 0): <empty> | ||
| NET (length: 4) 00.0000.00 | ||
| Q.922, invalid address |
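
Review bot: the NET line in the last redirect, `NET (length: 4) 00.0000.00`, has no colon after the length, unlike `NET (length: 4): ec.ff00.00` in the ESH packets and `SNPA (length: 0): <empty>` one line above it. Use the same `(length: N):` form in the redirect path so the output is uniform and easier to match with a single pattern.
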
Binary file not shown.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| UI 22! ES-IS, length 65565 | ||
| ESH (2), v: 1, checksum: 0x70a1 (incorrect should be 0xfc4c), holding time: 21315s, length indicator: 17 | ||
| Number of Source Addresses: 3 | ||
| NET (length: 0): isonsap_string: illegal length | ||
| NET (length: 4): ec.ff00.00 | ||
| NET (length: 0): isonsap_string: illegal length | ||
| UI 22! ES-IS, length 65565 | ||
| redirect (6), v: 1, checksum: 0x7034 (incorrect should be 0x3ff0), holding time: 21315s, length indicator: 17 | ||
| 04 | ||
| SNPA (length: 4): 00:00:00:00, bad opts/li |
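
Review bot: `SNPA (length: 4): 00:00:00:00` exercises the non-MAC path, and every other expected output shown here has an SNPA of length 0, so none of these tests covers the 6-byte case that the commit message says is printed as a MAC address. Adding one capture with a 6-byte SNPA would pin that branch too. The colon-separated rendering of a 4-byte value also looks like a truncated MAC at a glance, so the length label is doing the disambiguation here and should stay.
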
Binary file not shown.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| UI 22! ES-IS, length 65565 | ||
| ESH (2), v: 1, checksum: 0x70a1 (incorrect should be 0xfb4e), holding time: 21315s, length indicator: 17 | ||
| Number of Source Addresses: 2 | ||
| NET (length: 0): isonsap_string: illegal length | ||
| NET (length: 4): ec.ff00.00, bad opts/li | ||
| UI 22! ES-IS, length 65565 | ||
| redirect (6), v: 1, checksum: 0xffff (incorrect should be 0x6b16), holding time: 21253s, length indicator: 17 | ||
| 00.04ec.0000 | ||
| SNPA (length: 0): <empty>, bad opts/li | ||
| Q.922, hdr-len 2, DLCI 0, Flags [FECN], NLPID unknown (0x22), length 72482: | ||
| 0x0000: 0082 1000 5542 5343 70a1 0200 0400 0000 ....UBSCp....... | ||
| 0x0010: 007e .~ |
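
Review bot: `NET (length: 0): isonsap_string: illegal length` puts an internal helper name into user-facing output and into the expected test result. The label already reports the length as 0, so a message that only states the problem (for example an "illegal length" marker without the function name) would read better and would not tie the test output to the name of the formatting routine.
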
Binary file not shown.