Sharks,
Description:
==
There is stack overflow vulnerability exist in Wireshark version 1.2.8 or before. More specifically it is cause by lacking of parameter check for parameter tvb in function offset_from_real_beginning is a infinity function call to exhaust stack resource. The attacker could leverage this vulnerability by sending a crafted pcap file to victim and a successful attack may lead to remote code execution within the privileges of the current logged-in user.
Version:
==
wireshark 1.2.8 and before
Vulnerability condition
==
User need to use TCP reassemble option ( Edit->preference->Protocol->TCP->Allow subdissector to reassemble TCP streams).
POC:
==
no pcap file attached, only attached screen capture file.
Vulnerability Detail:
==
offset_from_real_beginning(const tvbuff_t *tvb, const guint counter)
{
tvbuff_t *member;
switch(tvb->type) {
case TVBUFF_REAL_DATA:
return counter;
case TVBUFF_SUBSET:
member = tvb->tvbuffs.subset.tvb;
return offset_from_real_beginning(member, counter + tvb->tvbuffs.subset.offset); /**** need to do parameter check for "tvb" before call it again. */
case TVBUFF_COMPOSITE:
member = tvb->tvbuffs.composite.tvbs->data;
return offset_from_real_beginning(member, counter);
}
DISSECTOR_ASSERT_NOT_REACHED();
--
Thanks
bugfree
Attachment:
wiresahrk.JPG
Description: JPEG image
