Wireshark · Wireshark-users: [Wireshark-users] 0day: Wireshark offset_from_real

Wireshark-users: [Wireshark-users] 0day: Wireshark offset_from_real_beginning stack overflow vuln

Date: Tue, 11 May 2010 16:01:10 -0700

Sharks,

Description:

There is stack overflow vulnerability exist in Wireshark version 1.2.8 or before. More specifically it is cause by lacking of parameter check for parameter tvb in function offset_from_real_beginning is a infinity function call to exhaust stack resource. The attacker could leverage this vulnerability by sending a crafted pcap file to victim and a successful attack may lead to remote code execution within the privileges of the current logged-in user.

Version:

wireshark 1.2.8 and before

Vulnerability condition

User need to use TCP reassemble option ( Edit->preference->Protocol->TCP->Allow subdissector to reassemble TCP streams).

POC:

no pcap file attached, only attached screen capture file.

Vulnerability Detail:

offset_from_real_beginning(const tvbuff_t *tvb, const guint counter)

{

tvbuff_t *member;

switch(tvb->type) {

case TVBUFF_REAL_DATA:

return counter;

case TVBUFF_SUBSET:

member = tvb->tvbuffs.subset.tvb;

return offset_from_real_beginning(member, counter + tvb->tvbuffs.subset.offset); /**** need to do parameter check for "tvb" before call it again. */

case TVBUFF_COMPOSITE:

member = tvb->tvbuffs.composite.tvbs->data;

return offset_from_real_beginning(member, counter);

}

DISSECTOR_ASSERT_NOT_REACHED();

--
Thanks
bugfree

Attachment: wiresahrk.JPG
Description: JPEG image

Prev by Date: Re: [Wireshark-users] Plugging decoder scripts into Wireshark
Next by Date: [Wireshark-users] Windows 7 x64 and localhost (loopback) capture issues
Previous by thread: Re: [Wireshark-users] The capturefile appears to be damaged orcorrupt. (pcap: Fileshas 109736-byte packet, bigger than maximum of 65535)
Next by thread: [Wireshark-users] Windows 7 x64 and localhost (loopback) capture issues
Index(es):
- Date
- Thread