Wireshark-bugs: [Wireshark-bugs] [Bug 8112] New: MS-MMC dissector crash
Date: Thu, 20 Dec 2012 20:26:40 +0000
Bug ID 8112
Summary MS-MMC dissector crash
Classification Unclassified
Product Wireshark
Version 1.8.4
Hardware x86-64
OS All
Status UNCONFIRMED
Severity Major
Priority Low
Component Wireshark
Assignee bugzilla-admin@wireshark.org
Reporter laurentb@gmail.com

Created attachment 9726 [details]
crashfile

Build Information:

--
--
Hi,

Here is a PCAP file that triggers a SIGSEGV, which could enable (at least) a remote
party to cause a denial of service.

This file was generated by a fuzz testing campaign.

Laurent Butti.

--

Program received signal SIGSEGV, Segmentation fault.
format_text (string=0x7ffff0956000 "", len=<optimized out>) at strutil.c:188
188     c = *string++;
(gdb) bt
#0  format_text (string=0x7ffff0956000 "", len=<optimized out>) at
strutil.c:188
#1  0x00007ffff5565030 in dissect_server_info (tree=0x7ffff7ff0140,
tvb=0x15fc400, pinfo=<optimized out>, offset=<optimized out>) at
packet-ms-mms.c:888
#2  dissect_msmms_command (tree=<optimized out>, pinfo=<optimized out>,
tvb=0x15fc400) at packet-ms-mms.c:546
#3  dissect_msmms_pdu (tvb=0x15fc400, pinfo=<optimized out>, tree=<optimized
out>) at packet-ms-mms.c:334
#4  0x00007ffff517d1bb in call_dissector_through_handle (handle=0xcaf250,
tvb=0x15fc400, pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet.c:429
#5  0x00007ffff517d865 in call_dissector_work (handle=0xcaf250, tvb=0x15fc400,
pinfo_arg=0x7fffffffd520, tree=0x7ffff7fef000, add_proto_name=1)
    at packet.c:524
#6  0x00007ffff517e08e in dissector_try_uint_new (sub_dissectors=<optimized
out>, uint_val=1755, tvb=0x15fc400, pinfo=0x7fffffffd520, tree=0x7ffff7fef000, 
    add_proto_name=1) at packet.c:943
#7  0x00007ffff5767452 in decode_tcp_ports (tvb=<optimized out>,
offset=<optimized out>, pinfo=0x7fffffffd520, tree=0x7ffff7fef000,
src_port=1755, 
    dst_port=51312, tcpd=0x7fffecfcd9c0) at packet-tcp.c:3874
#8  0x00007ffff576788e in process_tcp_payload (tvb=0x15fbf60, offset=32,
pinfo=0x7fffffffd520, tree=0x7ffff7fef000, tcp_tree=0x7ffff7fef870,
src_port=1755, 
    dst_port=51312, seq=0, nxtseq=0, is_tcp_segment=0, tcpd=0x7fffecfcd9c0) at
packet-tcp.c:3933
#9  0x00007ffff5767e31 in desegment_tcp (tcpd=0x7fffecfcd9c0,
tcp_tree=0x7ffff7fef870, tree=0x7ffff7fef000, dport=51312, sport=1755,
nxtseq=145, seq=1, 
    offset=32, pinfo=0x7fffffffd520, tvb=0x15fbf60) at packet-tcp.c:1799
#10 dissect_tcp_payload (tvb=0x15fbf60, pinfo=0x7fffffffd520, offset=<optimized
out>, seq=<optimized out>, nxtseq=145, sport=1755, dport=51312, 
    tree=0x7ffff7fef000, tcp_tree=0x7ffff7fef870, tcpd=0x7fffecfcd9c0) at
packet-tcp.c:4000
#11 0x00007ffff576927f in dissect_tcp (tvb=<optimized out>,
pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet-tcp.c:4748
#12 0x00007ffff517d180 in call_dissector_through_handle (handle=0x100eab0,
tvb=0x15fbf60, pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet.c:433
#13 0x00007ffff517d865 in call_dissector_work (handle=0x100eab0, tvb=0x15fbf60,
pinfo_arg=0x7fffffffd520, tree=0x7ffff7fef000, add_proto_name=1)
    at packet.c:524
#14 0x00007ffff517e08e in dissector_try_uint_new (sub_dissectors=<optimized
out>, uint_val=6, tvb=0x15fbf60, pinfo=0x7fffffffd520, tree=0x7ffff7fef000, 
    add_proto_name=1) at packet.c:943
#15 0x00007ffff54bfe6b in dissect_ip (tvb=0x15ead80, pinfo=<optimized out>,
parent_tree=0x7ffff7fef000) at packet-ip.c:2396
#16 0x00007ffff517d180 in call_dissector_through_handle (handle=0xb99b30,
tvb=0x15ead80, pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet.c:433
#17 0x00007ffff517d865 in call_dissector_work (handle=0xb99b30, tvb=0x15ead80,
pinfo_arg=0x7fffffffd520, tree=0x7ffff7fef000, add_proto_name=1)
    at packet.c:524
#18 0x00007ffff517e08e in dissector_try_uint_new (sub_dissectors=<optimized
out>, uint_val=33, tvb=0x15ead80, pinfo=0x7fffffffd520, tree=0x7ffff7fef000, 
    add_proto_name=1) at packet.c:943
#19 0x00007ffff5629072 in dissect_ppp_common (tvb=<optimized out>,
pinfo=0x7fffffffd520, tree=0x7ffff7fef000, fh_tree=0x7ffff7fef2d0,
ti=0x7ffff7fef2d0, 
    proto_offset=2) at packet-ppp.c:3935
#20 0x00007ffff517d180 in call_dissector_through_handle (handle=0xdef680,
tvb=0x15eae40, pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet.c:433
#21 0x00007ffff517d865 in call_dissector_work (handle=0xdef680, tvb=0x15eae40,
pinfo_arg=0x7fffffffd520, tree=0x7ffff7fef000, add_proto_name=1)
    at packet.c:524
#22 0x00007ffff517e08e in dissector_try_uint_new (sub_dissectors=<optimized
out>, uint_val=4, tvb=0x15eae40, pinfo=0x7fffffffd520, tree=0x7ffff7fef000, 
    add_proto_name=1) at packet.c:943
#23 0x00007ffff53dfc1b in dissect_frame (tvb=0x15eae40, pinfo=0x7fffffffd520,
parent_tree=0x7ffff7fef000) at packet-frame.c:383
#24 0x00007ffff517d180 in call_dissector_through_handle (handle=0xa2a740,
tvb=0x15eae40, pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet.c:433
#25 0x00007ffff517d865 in call_dissector_work (handle=0xa2a740, tvb=0x15eae40,
pinfo_arg=0x7fffffffd520, tree=0x7ffff7fef000, add_proto_name=1)
    at packet.c:524
#26 0x00007ffff517f5a1 in call_dissector (handle=<optimized out>,
tvb=0x15eae40,
pinfo=0x7fffffffd520, tree=0x7ffff7fef000) at packet.c:2050
#27 0x00007ffff517f9b4 in dissect_packet (edt=0x7fffffffd510,
pseudo_header=0x0,
pd=0x15d43a0 "\377\003", fd=0x7fffffffd6b0, cinfo=0x0) at packet.c:364
#28 0x000000000041ad8b in process_packet (cf=0x6449e0, offset=<optimized out>,
whdr=<optimized out>, pseudo_header=0x15cf328, pd=0x15d43a0 "\377\003", 
    filtering_tap_listeners=<optimized out>, tap_flags=4) at tshark.c:3106
#29 0x000000000040dc5f in load_cap_file (max_byte_count=0, max_packet_count=0,
out_file_name_res=0, out_file_type=2, save_file=0x0, cf=<optimized out>)
    at tshark.c:2899
#30 main (argc=<optimized out>, argv=<optimized out>) at tshark.c:1791
(gdb) info registers
rax            0x30 48
rbx            0x7ffff0956000   140737229709312
rcx            0x7fffe4dec010   140737033191440
rdx            0x0  0
rsi            0x4000000    67108864
rdi            0x30 48
rbp            0x8000c1f6aea0   0x8000c1f6aea0
rsp            0x7fffffffc670   0x7fffffffc670
r8             0x4000000    67108864
r9             0x7ffff76bc388   140737344422792
r10            0x1  1
r11            0x246    582
r12            0x27ac57b    41600379
r13            0x2  2
r14            0x27ac57f    41600383
r15            0x7ffff76bc370   140737344422768
rip            0x7ffff51a3b11   0x7ffff51a3b11 <format_text+145>
eflags         0x10283  [ CF SF IF RF ]
cs             0x33 51
ss             0x2b 43
ds             0x0  0
es             0x0  0
fs             0x0  0
gs             0x0  0
(gdb) python import exploitable
(gdb) exploitable
Description: Access violation on source operand
Short description: SourceAv (18/21)
Hash: b1df062b627bdf3a76e6241c48834bfd.ad1f532fee83b5b5c12d3e43cd6390e6
Exploitability Classification: UNKNOWN
Explanation: The target crashed on an access violation at an address matching
the source operand of the current instruction. This likely indicates a read
access violation.
Other tags: AccessViolation (20/21)

