Wireshark-bugs: [Wireshark-bugs] [Bug 12633] New: Wireshark DLL Hijacking Vulnerability

Date: Tue, 19 Jul 2016 14:23:07 +0000
Bug ID 12633
Summary Wireshark DLL Hijacking Vulnerability
Product Wireshark
Version 2.0.0
Hardware x86-64
OS Windows 7
Status UNCONFIRMED
Severity Major
Priority Low
Component Extras
Assignee [email protected]
Reporter [email protected]

Created attachment 14744 [details]
POC

Build Information:
Paste the COMPLETE build information from "Help->About Wireshark", "wireshark
-v", or "tshark -v".
--
Aloha,

Summary
Wireshark contains a DLL hijacking vulnerability that could allow an
unauthenticated, remote attacker to execute arbitrary code on the targeted
system. The vulnerability exists due to some DLL file is loaded by
'Wireshark-win64-2.0.0.exe' improperly. And it allows an attacker to load this
DLL file of the attacker’s choosing that could execute arbitrary code without
the user's knowledge.

Affected Product:
Wireshark 2.0.0 (tested) and other versions

Impact
Attacker can exploit this vulnerability to load a DLL file of the attacker's
choosing that could execute arbitrary code. This may help attacker to
Successful exploit the system if user creates shell as a DLL.

More Details:
For software downloaded with a web browser the application directory is
typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art" about
this well-known and well-documented vulnerability.

If an attacker places malicious DLL in the user's "Downloads" directory (for
example per "drive-by download" or "social engineering") this vulnerability
becomes a remote code execution.

Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Create a malicious SHFOLDER.dll file and save it in your "Downloads"
directory.

2. Download 'Wireshark-win64-2.0.0.exe' and save it in your "Downloads"
directory.

3. Execute .exe from your "Downloads" directory.

4. Malicious dll file gets executed.

Chao!!
Himanshu Mehta


You are receiving this mail because:
  • You are watching all bug changes.