https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5318
Summary: Buffer Overflow in ldss dissector
Product: Wireshark
Version: SVN
Platform: x86
OS/Version: All
Status: NEW
Severity: Major
Priority: Low
Component: Wireshark
AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
ReportedBy: njohnson@xxxxxxxxxxxxxxxxx
Created an attachment (id=5336)
--> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=5336)
used this to test the issue
Build Information:
Version 1.5.0 (SVN Rev 34559 from /trunk)
Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GTK+ 2.18.3, (32-bit) with GLib 2.22.3, with libpcap 1.0.0, with
libz 1.2.3.3, without POSIX capabilities, without libpcre, without SMI, without
c-ares, without ADNS, without Lua, without Python, with GnuTLS 2.8.3, with
Gcrypt 1.4.4, with MIT Kerberos, without GeoIP, without PortAudio, without
AirPcap.
Running on Linux 2.6.31-22-generic, with libpcap version 1.0.0, with libz
1.2.3.3, GnuTLS 2.8.3, Gcrypt 1.4.4.
Built using gcc 4.4.1.
Wireshark is Open Source Software released under the GNU General Public
License.
Check the man page and http://www.wireshark.org for more information.
--
There is a heap-based buffer overflow in the function dissect_ldss_transfer
(epan/dissectors/packet-ldss.c):
457 static int
458 dissect_ldss_transfer (tvbuff_t *tvb, packet_info *pinfo, proto_tree
*tree)
459 {
...
598 if (is_digest_line) {
599 /* Sample digest-type/digest line:
600 * md5:0123456789ABCDEF\n */
601 if (!already_dissected) {
602 GByteArray *digest_bytes;
603
604 digest_bytes = g_byte_array_new();
605 hex_str_to_bytes(
606 tvb_get_ptr(tvb, offset+digest_type_len,
linelen-digest_type_len),
607 digest_bytes, FALSE);
608
609 /* Ensure the digest is zero-padded */
610 transfer_info->file->digest = se_alloc0(DIGEST_LEN);
611 memcpy(transfer_info->file->digest,
digest_bytes->data, digest_bytes->len);
612
613 g_byte_array_free(digest_bytes, TRUE);
614 }
...
626 }
As the comment in the source code says, an incoming digest line will look
something like:
md5:01234568901234567890123456789012\n
On line 610, transfer_info->file->digest is allocated to DIGEST_LEN (32) bytes.
This assumes that the hex form of the digest in the pcap will be <= 64 bytes
in length. Since there are no checks anywhere in the code to enforce this, the
transfer_info->file->digest buffer can be overflowed by having digest lines
with digests > 64 bytes in length.
One of the restrictions on the this is that the amount the buffer can be
overflowed by is limited to the amount of data that can be transported in one
TCP packet, as any following TCP packets are treated as file data and won't be
reassembled as part of the first packet.
This doesn't crash the two versions of wireshark that I've tried (1.4 and 1.2),
although in 1.2 it does get a "Per-session memory corrupted" error (Mac,
Windows, and Linux) and aborts when closing wireshark.
Also, there is no restriction on the number of digests that can be present in
the first tcp packet. I couldn't find the actual protocol specs anywhere, so
I'm not sure if it's supposed to be that way or not. Either way, it might give
someone a greater chance of successfully exploiting this issue, as they will be
able to overflow more than one buffer on the heap.
Attached is a pcap I've made to test the issue-
--Nephi
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
