Wireshark-bugs: [Wireshark-bugs] [Bug 8213] New: Capture file that crashes tshark in tshark.c
Date: Tue, 15 Jan 2013 16:02:52 +0000
Bug ID 8213
Summary Capture file that crashes tshark in tshark.c
Classification Unclassified
Product Wireshark
Version 1.8.4
Hardware x86-64
OS All
Status UNCONFIRMED
Severity Major
Priority Low
Component TShark
Assignee bugzilla-admin@wireshark.org
Reporter laurentb@gmail.com

Created attachment 9809 [details]
Capture file that crashes tshark.c (process_packet)

Build Information:
TShark 1.8.4 (SVN Rev Unknown from unknown)

Copyright 1998-2012 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.32.3, with libpcap, with libz 1.2.3.4, without
POSIX capabilities, without SMI, without c-ares, without ADNS, with Lua 5.1,
without Python, with GnuTLS 2.12.14, with Gcrypt 1.5.0, with MIT Kerberos,
without GeoIP.

Running on Linux 3.2.0-30-generic, with locale en_US.UTF-8, with libpcap
version
1.1.1, with libz 1.2.3.4.

Built using gcc 4.6.3.
--
Hi,

Here is a PCAP file triggering a SIGTRAP that could enable a remote party to
trigger (a least) a remote denial of service.

This file was generated thanks to a fuzz testing campaign.

Laurent Butti.

--

Program received signal SIGTRAP, Trace/breakpoint trap.
0x00007ffff3bdcfdb in g_logv () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
(gdb) bt
#0  0x00007ffff3bdcfdb in g_logv () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#1  0x00007ffff3bdd1b2 in g_log () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2  0x00007ffff5173401 in emem_free_all (mem=0x7ffff76ba700) at emem.c:1210
#3  0x000000000041adc1 in process_packet (cf=0x6449e0, offset=<optimized out>,
whdr=<optimized out>, pseudo_header=<optimized out>, pd=<optimized out>, 
    filtering_tap_listeners=<optimized out>, tap_flags=4) at tshark.c:3158
#4  0x000000000040dc5f in load_cap_file (max_byte_count=0,
max_packet_count=-8276, out_file_name_res=0, out_file_type=2, save_file=0x0,
cf=<optimized out>)
    at tshark.c:2899
#5  main (argc=<optimized out>, argv=<optimized out>) at tshark.c:1791
(gdb) python import exploitable
(gdb) exploitable -v
'exploitable' version 1.04
Linux nitro 3.2.0-30-generic #48-Ubuntu SMP Fri Aug 24 16:52:48 UTC 2012 x86_64
Signal si_signo: 5 Signal si_addr: 0x0
Nearby code:
   0x00007ffff3bdcfca <+458>:   je     0x7ffff3bdcfdb <g_logv+475>
   0x00007ffff3bdcfcc <+460>:   mov    r8d,DWORD PTR [rsp+0x14]
   0x00007ffff3bdcfd1 <+465>:   test   r8d,r8d
   0x00007ffff3bdcfd4 <+468>:   jne    0x7ffff3bdd118 <g_logv+792>
   0x00007ffff3bdcfda <+474>:   int3   
=> 0x00007ffff3bdcfdb <+475>:   lea    rdi,[rip+0x2a513e]        #
0x7ffff3e82120
   0x00007ffff3bdcfe2 <+482>:   mov    esi,r14d
   0x00007ffff3bdcfe5 <+485>:   call   0x7ffff3c11980 <g_private_set>
   0x00007ffff3bdcfea <+490>:   nop    WORD PTR [rax+rax*1+0x0]
   0x00007ffff3bdcff0 <+496>:   test   ebx,ebx
Stack trace:
#  0 g_logv at 0x7ffff3bdcfdb in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3
#  1 g_log at 0x7ffff3bdd1b2 in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3
#  2 emem_free_all at 0x7ffff5173401 in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
#  3 process_packet at 0x41adc1 in
/home/laurent/fuzzing/bin/wireshark-1.8.4/bin/tshark
#  4 load_cap_file at 0x40dc5f in
/home/laurent/fuzzing/bin/wireshark-1.8.4/bin/tshark
#  5 main at 0x40dc5f in /home/laurent/fuzzing/bin/wireshark-1.8.4/bin/tshark
Faulting frame: #  0 g_logv at 0x7ffff3bdcfdb in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3
Description: Uncategorized signal
Short description: UncategorizedSignal (21/21)
Hash: 47f6dd79e185cf95228e228818ee1a85.30491f48d17275f4e86741ff583f87a7
Exploitability Classification: UNKNOWN
Explanation: The target is stopped on a signal. This may be an exploitable
condition, but this command was unable to categorize it.


You are receiving this mail because:
  • You are watching all bug changes.