Created attachment 11026 [details]
capture
Build Information:
TShark 1.10.0 (SVN Rev Unknown from unknown)
Copyright 1998-2013 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.32.3, with libpcap, with libz 1.2.3.4, without
POSIX capabilities, without libnl, without SMI, without c-ares, without ADNS,
with Lua 5.1, without Python, with GnuTLS 2.12.14, with Gcrypt 1.5.0, with MIT
Kerberos, without GeoIP.
Running on Linux 3.2.0-43-generic, with locale en_US.UTF-8, with libpcap
version
1.1.1, with libz 1.2.3.4.
AMD Athlon(tm) Dual Core Processor 5000B
Built using gcc 4.6.3.
--
Hi,
Here is a PCAP file triggering a SIGSEGV that could enable (at least) a remote
party to trigger a denial of service.
This file was generated thanks to a fuzz testing campaign.
Laurent Butti.
--
Program received signal SIGSEGV, Segmentation fault.
print_hex_data_buffer (stream=<optimized out>, cp=0x18b1000 <Address 0x18b1000
out of bounds>, length=<optimized out>, encoding=<optimized out>)
at print.c:1005
1005 c = *cp++;
(gdb) bt
#0 print_hex_data_buffer (stream=<optimized out>, cp=0x18b1000 <Address
0x18b1000 out of bounds>, length=<optimized out>, encoding=<optimized out>)
at print.c:1005
#1 0x000000000040fad7 in print_hex_data (stream=0x172d920, edt=0x7fffffffd620)
at print.c:922
#2 0x0000000000417b5e in print_packet (cf=0x643b00, edt=<optimized out>) at
tshark.c:3663
#3 0x0000000000419126 in process_packet (cf=0x643b00, offset=<optimized out>,
whdr=0x1731120, pd=<optimized out>, filtering_tap_listeners=<optimized out>,
tap_flags=<optimized out>) at tshark.c:3268
#4 0x000000000040b519 in load_cap_file (max_byte_count=0,
max_packet_count=-2822, out_file_name_res=0, out_file_type=2, save_file=0x0,
cf=<optimized out>)
at tshark.c:3046
#5 main (argc=<optimized out>, argv=<optimized out>) at tshark.c:1918
(gdb) python import exploitable
(gdb) exploitable -v
'exploitable' version 1.04
Linux nitro 3.2.0-43-generic #68-Ubuntu SMP Wed May 15 03:33:33 UTC 2013 x86_64
Signal si_signo: 11 Signal si_addr: 0x18b1000
Nearby code:
0x000000000040e042 <+338>: mov QWORD PTR [r12+0x10],rdi
0x000000000040e047 <+343>: mov QWORD PTR [r12+0x18],r11
0x000000000040e04c <+348>: mov QWORD PTR [r12+0x20],rbx
0x000000000040e051 <+353>: mov QWORD PTR [r12+0x38],rax
0x000000000040e056 <+358>: mov WORD PTR [r12+0x40],0x2020
=> 0x000000000040e05e <+366>: movzx eax,BYTE PTR [r13+0x0]
0x000000000040e063 <+371>: add r13,0x1
0x000000000040e067 <+375>: mov ebx,eax
0x000000000040e069 <+377>: movzx edi,al
0x000000000040e06c <+380>: shr bl,0x4
Stack trace:
# 0 print_hex_data_buffer at 0x40e05e in
/home/laurent/fuzzing/bin/wireshark-1.10.0/bin/tshark
# 1 print_hex_data at 0x40fad7 in
/home/laurent/fuzzing/bin/wireshark-1.10.0/bin/tshark
# 2 print_packet at 0x417b5e in
/home/laurent/fuzzing/bin/wireshark-1.10.0/bin/tshark
# 3 process_packet at 0x419126 in
/home/laurent/fuzzing/bin/wireshark-1.10.0/bin/tshark
# 4 load_cap_file at 0x40b519 in
/home/laurent/fuzzing/bin/wireshark-1.10.0/bin/tshark
# 5 main at 0x40b519 in /home/laurent/fuzzing/bin/wireshark-1.10.0/bin/tshark
Faulting frame: # 0 print_hex_data_buffer at 0x40e05e in
/home/laurent/fuzzing/bin/wireshark-1.10.0/bin/tshark
Description: Access violation on source operand
Short description: SourceAv (18/21)
Hash: 91718bf0c0ff98d2405adc2e2f884a6e.4eabc166ea36d3ac78439c42fbac8b9e
Exploitability Classification: UNKNOWN
Explanation: The target crashed on an access violation at an address matching
the source operand of the current instruction. This likely indicates a read
access violation.
Other tags: AccessViolation (20/21)
(gdb) Program received signal SIGSEGV, Segmentation fault.