Wireshark-bugs: [Wireshark-bugs] [Bug 8382] New: MS-MMS dissector crash
Date: Fri, 22 Feb 2013 14:17:45 +0000
Bug ID | 8382 |
---|---|
Summary | MS-MMS dissector crash |
Classification | Unclassified |
Product | Wireshark |
Version | 1.8.5 |
Hardware | x86-64 |
OS | Linux (other) |
Status | UNCONFIRMED |
Severity | Major |
Priority | Low |
Component | TShark |
Assignee | bugzilla-admin@wireshark.org |
Reporter | laurentb@gmail.com |
Created attachment 10092 [details] packet-ms-mss.pcap Build Information: TShark 1.8.5 (SVN Rev Unknown from unknown) Copyright 1998-2013 Gerald Combs <gerald@wireshark.org> and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Compiled (64-bit) with GLib 2.32.3, with libpcap, with libz 1.2.3.4, without POSIX capabilities, without SMI, without c-ares, without ADNS, with Lua 5.1, without Python, with GnuTLS 2.12.14, with Gcrypt 1.5.0, with MIT Kerberos, without GeoIP. Running on Linux 3.2.0-30-generic, with locale en_US.UTF-8, with libpcap version 1.1.1, with libz 1.2.3.4. Built using gcc 4.6.3. -- Hi, Here is a PCAP file triggering a SIGSEGV that could enable (at least) a remote party to trigger a denial of service. This file was generated thanks to a fuzz testing campaign. Laurent Butti. -- Program received signal SIGSEGV, Segmentation fault. format_text (string=0x7fffe908d000 "", len=<optimized out>) at strutil.c:188 188 c = *string++; (gdb) bt #0 format_text (string=0x7fffe908d000 "", len=<optimized out>) at strutil.c:188 #1 0x00007ffff5562490 in dissect_server_info (tree=0x0, tvb=0x1d1b400, pinfo=<optimized out>, offset=<optimized out>) at packet-ms-mms.c:888 #2 dissect_msmms_command (tree=<optimized out>, pinfo=<optimized out>, tvb=0x1d1b400) at packet-ms-mms.c:546 #3 dissect_msmms_pdu (tvb=0x1d1b400, pinfo=<optimized out>, tree=<optimized out>) at packet-ms-mms.c:334 #4 0x00007ffff51794eb in call_dissector_through_handle (handle=0x102e150, tvb=0x1d1b400, pinfo=0x7fffffffd610, tree=0x0) at packet.c:429 #5 0x00007ffff5179b95 in call_dissector_work (handle=0x102e150, tvb=0x1d1b400, pinfo_arg=0x7fffffffd610, tree=0x0, add_proto_name=1) at packet.c:524 #6 0x00007ffff517a30e in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=1755, tvb=0x1d1b400, pinfo=0x7fffffffd610, tree=0x0, add_proto_name=1) at packet.c:943 #7 0x00007ffff5764912 in decode_tcp_ports (tvb=<optimized out>, offset=<optimized out>, pinfo=0x7fffffffd610, tree=0x0, src_port=1755, dst_port=51312, tcpd=0x7fffe60f3820) at packet-tcp.c:3874 #8 0x00007ffff5764d4e in process_tcp_payload (tvb=0x1c84cc0, offset=32, pinfo=0x7fffffffd610, tree=0x0, tcp_tree=0x0, src_port=1755, dst_port=51312, seq=0, nxtseq=0, is_tcp_segment=0, tcpd=0x7fffe60f3820) at packet-tcp.c:3933 #9 0x00007ffff57652f1 in desegment_tcp (tcpd=0x7fffe60f3820, tcp_tree=0x0, tree=0x0, dport=51312, sport=1755, nxtseq=145, seq=1, offset=32, pinfo=0x7fffffffd610, tvb=0x1c84cc0) at packet-tcp.c:1799 #10 dissect_tcp_payload (tvb=0x1c84cc0, pinfo=0x7fffffffd610, offset=<optimized out>, seq=<optimized out>, nxtseq=145, sport=1755, dport=51312, tree=0x0, tcp_tree=0x0, tcpd=0x7fffe60f3820) at packet-tcp.c:4000 #11 0x00007ffff576673f in dissect_tcp (tvb=<optimized out>, pinfo=0x7fffffffd610, tree=0x0) at packet-tcp.c:4748 #12 0x00007ffff51794b0 in call_dissector_through_handle (handle=0x138bf70, tvb=0x1c84cc0, pinfo=0x7fffffffd610, tree=0x0) at packet.c:433 #13 0x00007ffff5179b95 in call_dissector_work (handle=0x138bf70, tvb=0x1c84cc0, pinfo_arg=0x7fffffffd610, tree=0x0, add_proto_name=1) at packet.c:524 #14 0x00007ffff517a30e in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=6, tvb=0x1c84cc0, pinfo=0x7fffffffd610, tree=0x0, add_proto_name=1) at packet.c:943 #15 0x00007ffff54bd27b in dissect_ip (tvb=0x1d1ba40, pinfo=<optimized out>, parent_tree=0x0) at packet-ip.c:2396 #16 0x00007ffff51794b0 in call_dissector_through_handle (handle=0xf19fe0, tvb=0x1d1ba40, pinfo=0x7fffffffd610, tree=0x0) at packet.c:433 #17 0x00007ffff5179b95 in call_dissector_work (handle=0xf19fe0, tvb=0x1d1ba40, pinfo_arg=0x7fffffffd610, tree=0x0, add_proto_name=1) at packet.c:524 #18 0x00007ffff517a30e in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=33, tvb=0x1d1ba40, pinfo=0x7fffffffd610, tree=0x0, add_proto_name=1) at packet.c:943 #19 0x00007ffff56264e2 in dissect_ppp_common (tvb=<optimized out>, pinfo=0x7fffffffd610, tree=0x0, fh_tree=0x0, ti=0x0, proto_offset=2) at packet-ppp.c:3935 #20 0x00007ffff51794b0 in call_dissector_through_handle (handle=0x116e300, tvb=0x1d209e0, pinfo=0x7fffffffd610, tree=0x0) at packet.c:433 #21 0x00007ffff5179b95 in call_dissector_work (handle=0x116e300, tvb=0x1d209e0, pinfo_arg=0x7fffffffd610, tree=0x0, add_proto_name=1) at packet.c:524 #22 0x00007ffff517a30e in dissector_try_uint_new (sub_dissectors=<optimized out>, uint_val=4, tvb=0x1d209e0, pinfo=0x7fffffffd610, tree=0x0, add_proto_name=1) at packet.c:943 #23 0x00007ffff53dc8cb in dissect_frame (tvb=0x1d209e0, pinfo=0x7fffffffd610, parent_tree=0x0) at packet-frame.c:383 #24 0x00007ffff51794b0 in call_dissector_through_handle (handle=0xdabf40, tvb=0x1d209e0, pinfo=0x7fffffffd610, tree=0x0) at packet.c:433 #25 0x00007ffff5179b95 in call_dissector_work (handle=0xdabf40, tvb=0x1d209e0, pinfo_arg=0x7fffffffd610, tree=0x0, add_proto_name=1) at packet.c:524 #26 0x00007ffff517b7e1 in call_dissector (handle=<optimized out>, tvb=0x1d209e0, pinfo=0x7fffffffd610, tree=0x0) at packet.c:2002 #27 0x00007ffff517bbf4 in dissect_packet (edt=0x7fffffffd600, pseudo_header=0x0, pd=0x1c5b6b0 "\377\003", fd=0x1cfa570, cinfo=0x0) at packet.c:364 #28 0x0000000000441481 in add_packet_to_packet_list (fdata=0x1cfa570, cf=0x7fc5c0, dfcode=0x0, filtering_tap_listeners=0, tap_flags=<optimized out>, pseudo_header=0x1c561c8, buf=0x1c5b6b0 "\377\003", add_to_packet_list=1, refilter=1) at file.c:1121 #29 0x000000000044198c in read_packet (cf=0x7fc5c0, dfcode=0x0, filtering_tap_listeners=0, tap_flags=4, offset=<optimized out>) at file.c:1228 #30 0x0000000000441fca in cf_read (cf=0x7fc5c0, reloading=0) at file.c:623 #31 0x0000000000431341 in main (argc=0, argv=0x7fffffffdef8) at main.c:3048 (gdb) python import exploitable (gdb) exploitable -v 'exploitable' version 1.04 Linux nitro 3.2.0-30-generic #48-Ubuntu SMP Fri Aug 24 16:52:48 UTC 2012 x86_64 Signal si_signo: 11 Signal si_addr: 0x7fffe908d000 Nearby code: 0x00007ffff51a0489 <+121>: je 0x7ffff51a0518 <format_text+264> 0x00007ffff51a048f <+127>: mov esi,DWORD PTR [r9+r13*4] 0x00007ffff51a0493 <+131>: lea r14d,[r12+0x4] 0x00007ffff51a0498 <+136>: cmp r14d,esi 0x00007ffff51a049b <+139>: jge 0x7ffff51a0538 <format_text+296> => 0x00007ffff51a04a1 <+145>: movzx eax,BYTE PTR [rbx] 0x00007ffff51a04a4 <+148>: add rbx,0x1 0x00007ffff51a04a8 <+152>: lea ecx,[rax-0x20] 0x00007ffff51a04ab <+155>: cmp cl,0x5e 0x00007ffff51a04ae <+158>: jbe 0x7ffff51a0478 <format_text+104> Stack trace: # 0 format_text at 0x7ffff51a04a1 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 1 dissect_server_info at 0x7ffff5562490 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 2 dissect_msmms_command at 0x7ffff5562490 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 3 dissect_msmms_pdu at 0x7ffff5562490 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 4 call_dissector_through_handle at 0x7ffff51794eb in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 5 call_dissector_work at 0x7ffff5179b95 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 6 dissector_try_uint_new at 0x7ffff517a30e in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 7 decode_tcp_ports at 0x7ffff5764912 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 8 process_tcp_payload at 0x7ffff5764d4e in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 9 desegment_tcp at 0x7ffff57652f1 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 10 dissect_tcp_payload at 0x7ffff57652f1 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 11 dissect_tcp at 0x7ffff576673f in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 12 call_dissector_through_handle at 0x7ffff51794b0 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 13 call_dissector_work at 0x7ffff5179b95 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 14 dissector_try_uint_new at 0x7ffff517a30e in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 15 dissect_ip at 0x7ffff54bd27b in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 16 call_dissector_through_handle at 0x7ffff51794b0 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 17 call_dissector_work at 0x7ffff5179b95 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 18 dissector_try_uint_new at 0x7ffff517a30e in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 19 dissect_ppp_common at 0x7ffff56264e2 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 20 call_dissector_through_handle at 0x7ffff51794b0 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 21 call_dissector_work at 0x7ffff5179b95 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 22 dissector_try_uint_new at 0x7ffff517a30e in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 23 dissect_frame at 0x7ffff53dc8cb in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 24 call_dissector_through_handle at 0x7ffff51794b0 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 25 call_dissector_work at 0x7ffff5179b95 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 26 call_dissector at 0x7ffff517b7e1 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 27 dissect_packet at 0x7ffff517bbf4 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 # 28 add_packet_to_packet_list at 0x441481 in /home/laurent/fuzzing/bin/wireshark-1.8.5/bin/wireshark # 29 read_packet at 0x44198c in /home/laurent/fuzzing/bin/wireshark-1.8.5/bin/wireshark # 30 cf_read at 0x441fca in /home/laurent/fuzzing/bin/wireshark-1.8.5/bin/wireshark # 31 main at 0x431341 in /home/laurent/fuzzing/bin/wireshark-1.8.5/bin/wireshark Faulting frame: # 0 format_text at 0x7ffff51a04a1 in /home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5 Description: Access violation on source operand Short description: SourceAv (18/21) Hash: 83994d27233225301d31a29cf2949922.0ab287d0690b6cc76b825e831fc42c3b Exploitability Classification: UNKNOWN Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation. Other tags: AccessViolation (20/21)
You are receiving this mail because:
- You are watching all bug changes.
- Follow-Ups:
- [Wireshark-bugs] [Bug 8382] MS-MMS dissector crash
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8382] MS-MMS dissector crash
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8382] MS-MMS dissector crash
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8382] MS-MMS dissector crash
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8382] MS-MMS dissector crash
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8382] MS-MMS dissector crash
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8382] MS-MMS dissector crash
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8382] MS-MMS dissector crash
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8382] MS-MMS dissector crash
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8382] MS-MMS dissector crash
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8382] MS-MMS dissector crash
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8382] MS-MMS dissector crash
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8382] MS-MMS dissector crash
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8382] MS-MMS dissector crash
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8382] MS-MMS dissector crash
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8382] MS-MMS dissector crash
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8382] MS-MMS dissector crash
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 8382] MS-MMS dissector crash
- Prev by Date: [Wireshark-bugs] [Bug 8381] New: MPLS infinite loop
- Next by Date: [Wireshark-bugs] [Bug 8383] New: csnStreamDissector dissector crash
- Previous by thread: [Wireshark-bugs] [Bug 8381] MPLS infinite loop
- Next by thread: [Wireshark-bugs] [Bug 8382] MS-MMS dissector crash
- Index(es):