Wireshark-bugs: [Wireshark-bugs] [Bug 8825] New: tshark.c crash
Date: Thu, 20 Jun 2013 08:08:16 +0000
Bug ID: 8825
Summary: tshark.c crash
Classification: Unclassified
Product: Wireshark
Version: 1.10.0
Hardware: x86-64
OS: Ubuntu
Status: UNCONFIRMED
Severity: Major
Priority: Low
Component: TShark
Assignee: bugzilla-admin@wireshark.org
Reporter: laurentb@gmail.com

Created attachment 11026: capture

Build Information:
TShark 1.10.0 (SVN Rev Unknown from unknown)

Copyright 1998-2013 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.32.3, with libpcap, with libz 1.2.3.4, without
POSIX capabilities, without libnl, without SMI, without c-ares, without ADNS,
with Lua 5.1, without Python, with GnuTLS 2.12.14, with Gcrypt 1.5.0, with MIT
Kerberos, without GeoIP.

Running on Linux 3.2.0-43-generic, with locale en_US.UTF-8, with libpcap
version 1.1.1, with libz 1.2.3.4.
AMD Athlon(tm) Dual Core Processor 5000B

Built using gcc 4.6.3.
--
Hi,

Here is a PCAP file triggering a SIGSEGV that could enable (at least) a remote
party to trigger a denial of service.

This file was generated thanks to a fuzz testing campaign.

Laurent Butti.

--

Program received signal SIGSEGV, Segmentation fault.
print_hex_data_buffer (stream=<optimized out>, cp=0x18b1000 <Address 0x18b1000
out of bounds>, length=<optimized out>, encoding=<optimized out>)
    at print.c:1005
1005            c = *cp++;
(gdb) bt
#0  print_hex_data_buffer (stream=<optimized out>, cp=0x18b1000 <Address
0x18b1000 out of bounds>, length=<optimized out>, encoding=<optimized out>)
    at print.c:1005
#1  0x000000000040fad7 in print_hex_data (stream=0x172d920, edt=0x7fffffffd620)
at print.c:922
#2  0x0000000000417b5e in print_packet (cf=0x643b00, edt=<optimized out>) at
tshark.c:3663
#3  0x0000000000419126 in process_packet (cf=0x643b00, offset=<optimized out>,
whdr=0x1731120, pd=<optimized out>, filtering_tap_listeners=<optimized out>, 
    tap_flags=<optimized out>) at tshark.c:3268
#4  0x000000000040b519 in load_cap_file (max_byte_count=0,
max_packet_count=-2822, out_file_name_res=0, out_file_type=2, save_file=0x0,
cf=<optimized out>)
    at tshark.c:3046
#5  main (argc=<optimized out>, argv=<optimized out>) at tshark.c:1918
(gdb) python import exploitable
(gdb) exploitable -v
'exploitable' version 1.04
Linux nitro 3.2.0-43-generic #68-Ubuntu SMP Wed May 15 03:33:33 UTC 2013 x86_64
Signal si_signo: 11 Signal si_addr: 0x18b1000
Nearby code:
   0x000000000040e042 <+338>:   mov    QWORD PTR [r12+0x10],rdi
   0x000000000040e047 <+343>:   mov    QWORD PTR [r12+0x18],r11
   0x000000000040e04c <+348>:   mov    QWORD PTR [r12+0x20],rbx
   0x000000000040e051 <+353>:   mov    QWORD PTR [r12+0x38],rax
   0x000000000040e056 <+358>:   mov    WORD PTR [r12+0x40],0x2020
=> 0x000000000040e05e <+366>:   movzx  eax,BYTE PTR [r13+0x0]
   0x000000000040e063 <+371>:   add    r13,0x1
   0x000000000040e067 <+375>:   mov    ebx,eax
   0x000000000040e069 <+377>:   movzx  edi,al
   0x000000000040e06c <+380>:   shr    bl,0x4
Stack trace:
#  0 print_hex_data_buffer at 0x40e05e in
/home/laurent/fuzzing/bin/wireshark-1.10.0/bin/tshark
#  1 print_hex_data at 0x40fad7 in
/home/laurent/fuzzing/bin/wireshark-1.10.0/bin/tshark
#  2 print_packet at 0x417b5e in
/home/laurent/fuzzing/bin/wireshark-1.10.0/bin/tshark
#  3 process_packet at 0x419126 in
/home/laurent/fuzzing/bin/wireshark-1.10.0/bin/tshark
#  4 load_cap_file at 0x40b519 in
/home/laurent/fuzzing/bin/wireshark-1.10.0/bin/tshark
#  5 main at 0x40b519 in /home/laurent/fuzzing/bin/wireshark-1.10.0/bin/tshark
Faulting frame: #  0 print_hex_data_buffer at 0x40e05e in
/home/laurent/fuzzing/bin/wireshark-1.10.0/bin/tshark
Description: Access violation on source operand
Short description: SourceAv (18/21)
Hash: 91718bf0c0ff98d2405adc2e2f884a6e.4eabc166ea36d3ac78439c42fbac8b9e
Exploitability Classification: UNKNOWN
Explanation: The target crashed on an access violation at an address matching
the source operand of the current instruction. This likely indicates a read
access violation.
Other tags: AccessViolation (20/21)
(gdb) Program received signal SIGSEGV, Segmentation fault.