Wireshark-bugs: [Wireshark-bugs] [Bug 8382] New: MS-MMS dissector crash

Date: Fri, 22 Feb 2013 14:17:45 +0000
Bug ID 8382
Summary MS-MMS dissector crash
Classification Unclassified
Product Wireshark
Version 1.8.5
Hardware x86-64
OS Linux (other)
Status UNCONFIRMED
Severity Major
Priority Low
Component TShark
Assignee [email protected]
Reporter [email protected]

Created attachment 10092
packet-ms-mss.pcap

Build Information:
TShark 1.8.5 (SVN Rev Unknown from unknown)

Copyright 1998-2013 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.32.3, with libpcap, with libz 1.2.3.4, without
POSIX capabilities, without SMI, without c-ares, without ADNS, with Lua 5.1,
without Python, with GnuTLS 2.12.14, with Gcrypt 1.5.0, with MIT Kerberos,
without GeoIP.

Running on Linux 3.2.0-30-generic, with locale en_US.UTF-8, with libpcap
version 1.1.1, with libz 1.2.3.4.

Built using gcc 4.6.3.
--
Hi,

Here is a PCAP file triggering a SIGSEGV that could enable (at least) a remote
party to trigger a denial of service.

This file was generated thanks to a fuzz testing campaign.

Laurent Butti.

--

Program received signal SIGSEGV, Segmentation fault.
format_text (string=0x7fffe908d000 "", len=<optimized out>) at strutil.c:188
188     c = *string++;
(gdb) bt
#0  format_text (string=0x7fffe908d000 "", len=<optimized out>) at
strutil.c:188
#1  0x00007ffff5562490 in dissect_server_info (tree=0x0, tvb=0x1d1b400,
pinfo=<optimized out>, offset=<optimized out>) at packet-ms-mms.c:888
#2  dissect_msmms_command (tree=<optimized out>, pinfo=<optimized out>,
tvb=0x1d1b400) at packet-ms-mms.c:546
#3  dissect_msmms_pdu (tvb=0x1d1b400, pinfo=<optimized out>, tree=<optimized
out>) at packet-ms-mms.c:334
#4  0x00007ffff51794eb in call_dissector_through_handle (handle=0x102e150,
tvb=0x1d1b400, pinfo=0x7fffffffd610, tree=0x0) at packet.c:429
#5  0x00007ffff5179b95 in call_dissector_work (handle=0x102e150, tvb=0x1d1b400,
pinfo_arg=0x7fffffffd610, tree=0x0, add_proto_name=1) at packet.c:524
#6  0x00007ffff517a30e in dissector_try_uint_new (sub_dissectors=<optimized
out>, uint_val=1755, tvb=0x1d1b400, pinfo=0x7fffffffd610, tree=0x0, 
    add_proto_name=1) at packet.c:943
#7  0x00007ffff5764912 in decode_tcp_ports (tvb=<optimized out>,
offset=<optimized out>, pinfo=0x7fffffffd610, tree=0x0, src_port=1755,
dst_port=51312, 
    tcpd=0x7fffe60f3820) at packet-tcp.c:3874
#8  0x00007ffff5764d4e in process_tcp_payload (tvb=0x1c84cc0, offset=32,
pinfo=0x7fffffffd610, tree=0x0, tcp_tree=0x0, src_port=1755, dst_port=51312,
seq=0, 
    nxtseq=0, is_tcp_segment=0, tcpd=0x7fffe60f3820) at packet-tcp.c:3933
#9  0x00007ffff57652f1 in desegment_tcp (tcpd=0x7fffe60f3820, tcp_tree=0x0,
tree=0x0, dport=51312, sport=1755, nxtseq=145, seq=1, offset=32, 
    pinfo=0x7fffffffd610, tvb=0x1c84cc0) at packet-tcp.c:1799
#10 dissect_tcp_payload (tvb=0x1c84cc0, pinfo=0x7fffffffd610, offset=<optimized
out>, seq=<optimized out>, nxtseq=145, sport=1755, dport=51312, tree=0x0, 
    tcp_tree=0x0, tcpd=0x7fffe60f3820) at packet-tcp.c:4000
#11 0x00007ffff576673f in dissect_tcp (tvb=<optimized out>,
pinfo=0x7fffffffd610, tree=0x0) at packet-tcp.c:4748
#12 0x00007ffff51794b0 in call_dissector_through_handle (handle=0x138bf70,
tvb=0x1c84cc0, pinfo=0x7fffffffd610, tree=0x0) at packet.c:433
#13 0x00007ffff5179b95 in call_dissector_work (handle=0x138bf70, tvb=0x1c84cc0,
pinfo_arg=0x7fffffffd610, tree=0x0, add_proto_name=1) at packet.c:524
#14 0x00007ffff517a30e in dissector_try_uint_new (sub_dissectors=<optimized
out>, uint_val=6, tvb=0x1c84cc0, pinfo=0x7fffffffd610, tree=0x0,
add_proto_name=1)
    at packet.c:943
#15 0x00007ffff54bd27b in dissect_ip (tvb=0x1d1ba40, pinfo=<optimized out>,
parent_tree=0x0) at packet-ip.c:2396
#16 0x00007ffff51794b0 in call_dissector_through_handle (handle=0xf19fe0,
tvb=0x1d1ba40, pinfo=0x7fffffffd610, tree=0x0) at packet.c:433
#17 0x00007ffff5179b95 in call_dissector_work (handle=0xf19fe0, tvb=0x1d1ba40,
pinfo_arg=0x7fffffffd610, tree=0x0, add_proto_name=1) at packet.c:524
#18 0x00007ffff517a30e in dissector_try_uint_new (sub_dissectors=<optimized
out>, uint_val=33, tvb=0x1d1ba40, pinfo=0x7fffffffd610, tree=0x0, 
    add_proto_name=1) at packet.c:943
#19 0x00007ffff56264e2 in dissect_ppp_common (tvb=<optimized out>,
pinfo=0x7fffffffd610, tree=0x0, fh_tree=0x0, ti=0x0, proto_offset=2) at
packet-ppp.c:3935
#20 0x00007ffff51794b0 in call_dissector_through_handle (handle=0x116e300,
tvb=0x1d209e0, pinfo=0x7fffffffd610, tree=0x0) at packet.c:433
#21 0x00007ffff5179b95 in call_dissector_work (handle=0x116e300, tvb=0x1d209e0,
pinfo_arg=0x7fffffffd610, tree=0x0, add_proto_name=1) at packet.c:524
#22 0x00007ffff517a30e in dissector_try_uint_new (sub_dissectors=<optimized
out>, uint_val=4, tvb=0x1d209e0, pinfo=0x7fffffffd610, tree=0x0,
add_proto_name=1)
    at packet.c:943
#23 0x00007ffff53dc8cb in dissect_frame (tvb=0x1d209e0, pinfo=0x7fffffffd610,
parent_tree=0x0) at packet-frame.c:383
#24 0x00007ffff51794b0 in call_dissector_through_handle (handle=0xdabf40,
tvb=0x1d209e0, pinfo=0x7fffffffd610, tree=0x0) at packet.c:433
#25 0x00007ffff5179b95 in call_dissector_work (handle=0xdabf40, tvb=0x1d209e0,
pinfo_arg=0x7fffffffd610, tree=0x0, add_proto_name=1) at packet.c:524
#26 0x00007ffff517b7e1 in call_dissector (handle=<optimized out>,
tvb=0x1d209e0, pinfo=0x7fffffffd610, tree=0x0) at packet.c:2002
#27 0x00007ffff517bbf4 in dissect_packet (edt=0x7fffffffd600,
pseudo_header=0x0, pd=0x1c5b6b0 "\377\003", fd=0x1cfa570, cinfo=0x0) at
packet.c:364
#28 0x0000000000441481 in add_packet_to_packet_list (fdata=0x1cfa570,
cf=0x7fc5c0, dfcode=0x0, filtering_tap_listeners=0, tap_flags=<optimized out>, 
    pseudo_header=0x1c561c8, buf=0x1c5b6b0 "\377\003", add_to_packet_list=1,
refilter=1) at file.c:1121
#29 0x000000000044198c in read_packet (cf=0x7fc5c0, dfcode=0x0,
filtering_tap_listeners=0, tap_flags=4, offset=<optimized out>) at file.c:1228
#30 0x0000000000441fca in cf_read (cf=0x7fc5c0, reloading=0) at file.c:623
#31 0x0000000000431341 in main (argc=0, argv=0x7fffffffdef8) at main.c:3048
(gdb) python import exploitable
(gdb) exploitable -v
'exploitable' version 1.04
Linux nitro 3.2.0-30-generic #48-Ubuntu SMP Fri Aug 24 16:52:48 UTC 2012 x86_64
Signal si_signo: 11 Signal si_addr: 0x7fffe908d000
Nearby code:
   0x00007ffff51a0489 <+121>:   je     0x7ffff51a0518 <format_text+264>
   0x00007ffff51a048f <+127>:   mov    esi,DWORD PTR [r9+r13*4]
   0x00007ffff51a0493 <+131>:   lea    r14d,[r12+0x4]
   0x00007ffff51a0498 <+136>:   cmp    r14d,esi
   0x00007ffff51a049b <+139>:   jge    0x7ffff51a0538 <format_text+296>
=> 0x00007ffff51a04a1 <+145>:   movzx  eax,BYTE PTR [rbx]
   0x00007ffff51a04a4 <+148>:   add    rbx,0x1
   0x00007ffff51a04a8 <+152>:   lea    ecx,[rax-0x20]
   0x00007ffff51a04ab <+155>:   cmp    cl,0x5e
   0x00007ffff51a04ae <+158>:   jbe    0x7ffff51a0478 <format_text+104>
Stack trace:
#  0 format_text at 0x7ffff51a04a1 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  1 dissect_server_info at 0x7ffff5562490 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  2 dissect_msmms_command at 0x7ffff5562490 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  3 dissect_msmms_pdu at 0x7ffff5562490 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  4 call_dissector_through_handle at 0x7ffff51794eb in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  5 call_dissector_work at 0x7ffff5179b95 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  6 dissector_try_uint_new at 0x7ffff517a30e in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  7 decode_tcp_ports at 0x7ffff5764912 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  8 process_tcp_payload at 0x7ffff5764d4e in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
#  9 desegment_tcp at 0x7ffff57652f1 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 10 dissect_tcp_payload at 0x7ffff57652f1 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 11 dissect_tcp at 0x7ffff576673f in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 12 call_dissector_through_handle at 0x7ffff51794b0 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 13 call_dissector_work at 0x7ffff5179b95 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 14 dissector_try_uint_new at 0x7ffff517a30e in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 15 dissect_ip at 0x7ffff54bd27b in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 16 call_dissector_through_handle at 0x7ffff51794b0 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 17 call_dissector_work at 0x7ffff5179b95 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 18 dissector_try_uint_new at 0x7ffff517a30e in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 19 dissect_ppp_common at 0x7ffff56264e2 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 20 call_dissector_through_handle at 0x7ffff51794b0 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 21 call_dissector_work at 0x7ffff5179b95 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 22 dissector_try_uint_new at 0x7ffff517a30e in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 23 dissect_frame at 0x7ffff53dc8cb in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 24 call_dissector_through_handle at 0x7ffff51794b0 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 25 call_dissector_work at 0x7ffff5179b95 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 26 call_dissector at 0x7ffff517b7e1 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 27 dissect_packet at 0x7ffff517bbf4 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
# 28 add_packet_to_packet_list at 0x441481 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/bin/wireshark
# 29 read_packet at 0x44198c in
/home/laurent/fuzzing/bin/wireshark-1.8.5/bin/wireshark
# 30 cf_read at 0x441fca in
/home/laurent/fuzzing/bin/wireshark-1.8.5/bin/wireshark
# 31 main at 0x431341 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/bin/wireshark
Faulting frame: #  0 format_text at 0x7ffff51a04a1 in
/home/laurent/fuzzing/bin/wireshark-1.8.5/lib/libwireshark.so.2.0.5
Description: Access violation on source operand
Short description: SourceAv (18/21)
Hash: 83994d27233225301d31a29cf2949922.0ab287d0690b6cc76b825e831fc42c3b
Exploitability Classification: UNKNOWN
Explanation: The target crashed on an access violation at an address matching
the source operand of the current instruction. This likely indicates a read
access violation.
Other tags: AccessViolation (20/21)
