Wireshark-dev: [Wireshark-dev] Fwd: [Wireshark-users] 0day: Wireshark offset_from_real_beginnin
From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Date: Tue, 11 May 2010 16:17:00 -0700
Forwarding to wireshark-dev and security, since that's where the people that can fix the bug reside.

bug free wrote:
> Sharks,
>
> Description:
> ==
> There is a stack overflow vulnerability in Wireshark version
> 1.2.8 or before. More specifically, it is caused by the lack of a parameter
> check for parameter tvb in function offset_from_real_beginning; it is
> an infinite function call that exhausts stack resources. The attacker could
> leverage this vulnerability by sending a crafted pcap file to the victim,
> and a successful attack may lead to remote code execution within the
> privileges of the current logged-in user.
>
> Version:
> ==
> wireshark 1.2.8 and before
>
> Vulnerability condition
> ==
> The user needs to use the TCP reassemble option (
> Edit->preference->Protocol->TCP->Allow subdissector to reassemble TCP
> streams).
>
> POC:
> ==
> No pcap file attached, only a screen capture file.
>
> Vulnerability Detail:
> ==
> offset_from_real_beginning(const tvbuff_t *tvb, const guint counter)
> {
>     tvbuff_t *member;
>
>     switch(tvb->type) {
>     case TVBUFF_REAL_DATA:
>         return counter;
>     case TVBUFF_SUBSET:
>         member = tvb->tvbuffs.subset.tvb;
>         return offset_from_real_beginning(member,
>             counter + tvb->tvbuffs.subset.offset); /**** need to do parameter
>             check for "tvb" before calling it again. */
>     case TVBUFF_COMPOSITE:
>         member = tvb->tvbuffs.composite.tvbs->data;
>         return offset_from_real_beginning(member,
>             counter);
>     }
>
>     DISSECTOR_ASSERT_NOT_REACHED();
> }
>
> --
> Thanks
> bugfree
>
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

--
Join us for Sharkfest ’10! · Wireshark® Developer and User Conference
Stanford University, June 14-17 · http://www.cacetech.com/sharkfest.10/
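
Added example (not part of the original message and not Wireshark code): a bounded, iterative version of the offset walk with the parameter check the report asks for. The tvb_model_t type, offset_checked(), demo() and TVB_MAX_DEPTH are hypothetical names on a simplified model of tvbuff_t; the self-parented buffer is a constructed stand-in for any chain that never reaches real data, not a reproduction of the reported crash.

```c
#include <stddef.h>

/* Simplified stand-in for Wireshark's tvbuff_t (assumption: only the
 * fields the quoted function reads; composite buffers are left out). */
typedef enum { TVB_REAL_DATA, TVB_SUBSET } tvb_kind_t;
typedef struct tvb_model {
    tvb_kind_t type;
    struct tvb_model *backing;   /* parent buffer when type is TVB_SUBSET */
    unsigned offset;             /* offset into the parent */
} tvb_model_t;

#define TVB_MAX_DEPTH 64         /* constructed limit for this example */

/* Bounded, iterative form of the walk. Returns 0 and stores the offset,
 * or -1 when the chain has a NULL link, an unknown type, or does not
 * reach real data within TVB_MAX_DEPTH steps (cycle or runaway nesting). */
int offset_checked(const tvb_model_t *tvb, unsigned *out)
{
    unsigned total = 0;
    int depth;
    for (depth = 0; depth < TVB_MAX_DEPTH; depth++) {
        if (tvb == NULL || out == NULL)
            return -1;           /* the parameter check the report asks for */
        if (tvb->type == TVB_REAL_DATA) {
            *out = total;
            return 0;
        }
        if (tvb->type != TVB_SUBSET)
            return -1;
        total += tvb->offset;
        tvb = tvb->backing;
    }
    return -1;
}

/* Constructed sample: real <- subset(+10) <- subset(+4), then a subset
 * that is its own parent, standing in for a chain that never ends. */
int demo(unsigned *good)
{
    tvb_model_t real = { TVB_REAL_DATA, NULL, 0 };
    tvb_model_t s1 = { TVB_SUBSET, &real, 10 };
    tvb_model_t s2 = { TVB_SUBSET, &s1, 4 };
    tvb_model_t loop = { TVB_SUBSET, NULL, 1 };
    unsigned unused = 0;
    loop.backing = &loop;
    if (offset_checked(&s2, good) != 0)
        return -2;
    return offset_checked(&loop, &unused);
}
```

Because the walk is a loop rather than a recursive call, a malformed chain costs at most TVB_MAX_DEPTH iterations and no additional stack frames.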