Wireshark-bugs: [Wireshark-bugs] [Bug 8213] New: Capture file that crashes tshark in tshark.c
Bug ID |
8213
|
Summary |
Capture file that crashes tshark in tshark.c
|
Classification |
Unclassified
|
Product |
Wireshark
|
Version |
1.8.4
|
Hardware |
x86-64
|
OS |
All
|
Status |
UNCONFIRMED
|
Severity |
Major
|
Priority |
Low
|
Component |
TShark
|
Assignee |
bugzilla-admin@wireshark.org
|
Reporter |
laurentb@gmail.com
|
Created attachment 9809 [details]
Capture file that crashes tshark.c (process_packet)
Build Information:
TShark 1.8.4 (SVN Rev Unknown from unknown)
Copyright 1998-2012 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.32.3, with libpcap, with libz 1.2.3.4, without
POSIX capabilities, without SMI, without c-ares, without ADNS, with Lua 5.1,
without Python, with GnuTLS 2.12.14, with Gcrypt 1.5.0, with MIT Kerberos,
without GeoIP.
Running on Linux 3.2.0-30-generic, with locale en_US.UTF-8, with libpcap
version
1.1.1, with libz 1.2.3.4.
Built using gcc 4.6.3.
--
Hi,
Here is a PCAP file triggering a SIGTRAP that could enable a remote party to
trigger (a least) a remote denial of service.
This file was generated thanks to a fuzz testing campaign.
Laurent Butti.
--
Program received signal SIGTRAP, Trace/breakpoint trap.
0x00007ffff3bdcfdb in g_logv () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
(gdb) bt
#0 0x00007ffff3bdcfdb in g_logv () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#1 0x00007ffff3bdd1b2 in g_log () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#2 0x00007ffff5173401 in emem_free_all (mem=0x7ffff76ba700) at emem.c:1210
#3 0x000000000041adc1 in process_packet (cf=0x6449e0, offset=<optimized out>,
whdr=<optimized out>, pseudo_header=<optimized out>, pd=<optimized out>,
filtering_tap_listeners=<optimized out>, tap_flags=4) at tshark.c:3158
#4 0x000000000040dc5f in load_cap_file (max_byte_count=0,
max_packet_count=-8276, out_file_name_res=0, out_file_type=2, save_file=0x0,
cf=<optimized out>)
at tshark.c:2899
#5 main (argc=<optimized out>, argv=<optimized out>) at tshark.c:1791
(gdb) python import exploitable
(gdb) exploitable -v
'exploitable' version 1.04
Linux nitro 3.2.0-30-generic #48-Ubuntu SMP Fri Aug 24 16:52:48 UTC 2012 x86_64
Signal si_signo: 5 Signal si_addr: 0x0
Nearby code:
0x00007ffff3bdcfca <+458>: je 0x7ffff3bdcfdb <g_logv+475>
0x00007ffff3bdcfcc <+460>: mov r8d,DWORD PTR [rsp+0x14]
0x00007ffff3bdcfd1 <+465>: test r8d,r8d
0x00007ffff3bdcfd4 <+468>: jne 0x7ffff3bdd118 <g_logv+792>
0x00007ffff3bdcfda <+474>: int3
=> 0x00007ffff3bdcfdb <+475>: lea rdi,[rip+0x2a513e] #
0x7ffff3e82120
0x00007ffff3bdcfe2 <+482>: mov esi,r14d
0x00007ffff3bdcfe5 <+485>: call 0x7ffff3c11980 <g_private_set>
0x00007ffff3bdcfea <+490>: nop WORD PTR [rax+rax*1+0x0]
0x00007ffff3bdcff0 <+496>: test ebx,ebx
Stack trace:
# 0 g_logv at 0x7ffff3bdcfdb in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3
# 1 g_log at 0x7ffff3bdd1b2 in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3
# 2 emem_free_all at 0x7ffff5173401 in
/home/laurent/fuzzing/bin/wireshark-1.8.4/lib/libwireshark.so.2.0.4
# 3 process_packet at 0x41adc1 in
/home/laurent/fuzzing/bin/wireshark-1.8.4/bin/tshark
# 4 load_cap_file at 0x40dc5f in
/home/laurent/fuzzing/bin/wireshark-1.8.4/bin/tshark
# 5 main at 0x40dc5f in /home/laurent/fuzzing/bin/wireshark-1.8.4/bin/tshark
Faulting frame: # 0 g_logv at 0x7ffff3bdcfdb in
/lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.3
Description: Uncategorized signal
Short description: UncategorizedSignal (21/21)
Hash: 47f6dd79e185cf95228e228818ee1a85.30491f48d17275f4e86741ff583f87a7
Exploitability Classification: UNKNOWN
Explanation: The target is stopped on a signal. This may be an exploitable
condition, but this command was unable to categorize it.
You are receiving this mail because:
- You are watching all bug changes.