Wireshark-dev: [Wireshark-dev] Fwd: [Wireshark-users] 0day: Wireshark offset_from_real_beginnin
From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Date: Tue, 11 May 2010 16:17:00 -0700
Forwarding to wireshark-dev and security, since that's where the people
that can fix the bug reside.
bug free wrote:
> Sharks,
>
> Description:
> ==
> There is a stack overflow vulnerability in Wireshark version
> 1.2.8 or before. More specifically, it is caused by a lack of parameter
> checking for the parameter tvb in the function offset_from_real_beginning,
> which is an infinite function call that exhausts stack resources. The
> attacker could leverage this vulnerability by sending a crafted pcap file
> to the victim, and a successful attack may lead to remote code execution
> within the privileges of the current logged-in user.
>
> Version:
> ==
> wireshark 1.2.8 and before
>
> Vulnerability condition
> ==
> The user needs to use the TCP reassemble option
> (Edit->preference->Protocol->TCP->Allow subdissector to reassemble TCP
> streams).
>
> POC:
> ==
> no pcap file attached, only attached screen capture file.
>
> Vulnerability Detail:
> ==
> offset_from_real_beginning(const tvbuff_t *tvb, const guint counter)
> {
>     tvbuff_t *member;
>
>     switch(tvb->type) {
>         case TVBUFF_REAL_DATA:
>             return counter;
>         case TVBUFF_SUBSET:
>             member = tvb->tvbuffs.subset.tvb;
>             /**** need to do a parameter check for "tvb" before calling it again. */
>             return offset_from_real_beginning(member,
>                     counter + tvb->tvbuffs.subset.offset);
>         case TVBUFF_COMPOSITE:
>             member = tvb->tvbuffs.composite.tvbs->data;
>             return offset_from_real_beginning(member,
>                     counter);
>     }
>
>     DISSECTOR_ASSERT_NOT_REACHED();
> }
>
>
>
> --
> Thanks
> bugfree
>
--
Join us for Sharkfest ’10! · Wireshark® Developer and User Conference
Stanford University, June 14-17 · http://www.cacetech.com/sharkfest.10/
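
The report above asks for a check on tvb before the function calls itself again. The following is an added example, not part of the original messages and not Wireshark's code or its fix: a bounded, iterative version of the same walk. It assumes the runaway recursion comes from a subset/composite chain that never reaches TVBUFF_REAL_DATA (for instance a subset that refers back to itself); tvb_t, TVB_MAX_DEPTH and the _checked function name are hypothetical stand-ins.

```c
#include <stddef.h>
/* Simplified stand-in for tvbuff_t (assumed layout, only the fields walked). */
typedef enum { TVB_REAL_DATA, TVB_SUBSET, TVB_COMPOSITE } tvb_type_t;
typedef struct tvb {
    tvb_type_t   type;
    struct tvb  *backing;  /* subset: parent tvb; composite: first member */
    unsigned int offset;   /* subset only: offset into the backing tvb */
} tvb_t;

#define TVB_MAX_DEPTH 64   /* assumed nesting limit, not a Wireshark constant */

/* Returns 0 and stores the offset in *out, or -1 for a NULL link, unknown type,
 * offset wraparound, or a chain that never reaches real data (e.g. a cycle). */
int offset_from_real_beginning_checked(const tvb_t *tvb, unsigned int *out)
{
    unsigned int counter = 0;
    for (int depth = 0; depth < TVB_MAX_DEPTH; depth++) {
        if (tvb == NULL) return -1;
        switch (tvb->type) {
        case TVB_REAL_DATA:
            *out = counter;
            return 0;
        case TVB_SUBSET:
            if (counter + tvb->offset < counter) return -1; /* wraparound */
            counter += tvb->offset;
            tvb = tvb->backing;
            break;
        case TVB_COMPOSITE:
            tvb = tvb->backing;
            break;
        default: return -1;
        }
    }
    return -1;  /* depth cap reached: stop instead of consuming stack */
}

/* Constructed sample chains (not taken from a real capture). */
int demo_valid_chain(void)   /* subset(+4) -> subset(+10) -> real data */
{
    tvb_t real = { TVB_REAL_DATA, NULL, 0 };
    tvb_t mid = { TVB_SUBSET, &real, 10 }, top = { TVB_SUBSET, &mid, 4 };
    unsigned int off = 0;
    return offset_from_real_beginning_checked(&top, &off) == 0 ? (int)off : -1;
}
int demo_cyclic_chain(void)  /* subset whose parent is itself */
{
    tvb_t loop = { TVB_SUBSET, &loop, 1 };
    unsigned int off = 0;
    return offset_from_real_beginning_checked(&loop, &off);
}
```

Because the walk is a loop with a fixed step limit, a malformed chain costs at most TVB_MAX_DEPTH iterations and no additional stack frames.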