Wireshark-bugs: [Wireshark-bugs] [Bug 11023] New: Infinite loop DoS in TNEF dissector
Date: Sun, 01 Mar 2015 23:01:53 +0000
Bug ID: 11023
Summary: Infinite loop DoS in TNEF dissector
Product: Wireshark
Version: 1.99.x (Experimental)
Hardware: x86
OS: Mac OS X 10.9
Status: UNCONFIRMED
Severity: Normal
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: bugzilla-admin@wireshark.org
Reporter: vlad902+wireshark@gmail.com

Created attachment 13484
TNEF DoS

Build Information:
Version 1.99.2 (v1.99.2-0-gb2db3bf from master)

Copyright 1998-2015 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with Qt 4.8.6, with libpcap, without POSIX capabilities, with
libz 1.2.3, with GLib 2.16.3, with SMI 0.4.8, without c-ares, without ADNS, with
Lua 5.2, with GnuTLS 2.12.19, with Gcrypt 1.4.3, with MIT Kerberos, with GeoIP,
without PortAudio, with AirPcap.

Running on Mac OS X 10.9.5, build 13F34 (Darwin 13.4.0), with locale C, with
libpcap version 1.3.0 - Apple version 41, with libz 1.2.5, with GnuTLS 2.12.19,
with Gcrypt 1.4.3, without AirPcap.

Built using gcc 4.2.1 (Apple Inc. build 5666) (dot 3).

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
Hello, there is an infinite loop condition in the TNEF dissector in
epan/dissectors/packet-tnef.c:dissect_tnef() on 32-bit platforms. Specifically,
the length variable is user-controlled and added to the offset variable if the
tag is set to ATT_OWNER or ATT_SENT_FOR (other paths exercise bound checks)
allowing an attacker to cause an infinite loop. I've attached a packet capture
exercising this bug.
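
The bug class described in the report, as an added example that is not Wireshark's code and not part of the original message: a record walk whose 32-bit offset is advanced by an untrusted length, next to a version that checks the length against the bytes remaining. The record layout (1-byte tag, 4-byte little-endian length), the function names, the step budget and the sample buffers are all constructed for illustration, and the example assumes the loop comes from the offset wrapping modulo 2^32.

```c
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN 5u        /* constructed layout: 1-byte tag + 4-byte LE length */
#define STEP_BUDGET 1000  /* demo-only cap so the unchecked walk terminates */
#define WALK_MALFORMED (-1)
#define WALK_SPIN (-2)

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Unchecked advance with a 32-bit offset, as on a 32-bit platform.
 * Returns records visited, or WALK_SPIN when the step budget runs out. */
int walk_unchecked(const uint8_t *buf, uint32_t buflen) {
    uint32_t offset = 0;
    int steps = 0;
    while (offset < buflen && buflen - offset >= HDR_LEN) {
        uint32_t length = rd_le32(buf + offset + 1);
        offset += HDR_LEN + length;   /* untrusted length: sum can wrap mod 2^32 */
        if (++steps >= STEP_BUDGET) return WALK_SPIN;
    }
    return steps;
}

/* Checked advance: compare length with the bytes remaining before adding. */
int walk_checked(const uint8_t *buf, uint32_t buflen) {
    uint32_t offset = 0;              /* invariant: offset <= buflen */
    int steps = 0;
    while (buflen - offset >= HDR_LEN) {
        uint32_t length = rd_le32(buf + offset + 1);
        if (length > buflen - offset - HDR_LEN) return WALK_MALFORMED;
        offset += HDR_LEN + length;   /* cannot wrap: result is <= buflen */
        steps++;
    }
    return steps;
}

/* Constructed samples, not taken from the attached capture. */
static const uint8_t good[] = { 0x01, 2, 0, 0, 0, 'h', 'i', 0x02, 0, 0, 0, 0 };
static const uint8_t wrap[] = { 0x01, 0xFB, 0xFF, 0xFF, 0xFF };

int main(void) {
    printf("good: unchecked=%d checked=%d\n",
           walk_unchecked(good, sizeof good), walk_checked(good, sizeof good));
    printf("wrap: unchecked=%d checked=%d\n",
           walk_unchecked(wrap, sizeof wrap), walk_checked(wrap, sizeof wrap));
    return 0;
}
```

Without the step budget, the unchecked walk would revisit offset 0 indefinitely on the second sample, while the checked walk rejects the record on the first iteration.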
