wnpa-sec-2006-03 · Multiple problems in Wireshark (formerly Ethereal)


Name: Multiple problems in Wireshark (formerly Ethereal)

Docid: wnpa-sec-2006-03

Date: October 31, 2006

Affected versions: 0.9.8 up to and including 0.99.3

Fixed versions: 0.99.4



Wireshark 0.99.4 fixes the following vulnerabilities:

  • The HTTP dissector could crash. (Bugs and )
    Versions affected: 0.99.3.
  • The LDAP dissector (and possibly others) could crash. (Bug )
    Versions affected: 0.99.3.
  • The XOT dissector could attempt to allocate a large amount of memory and crash. (Bug )
    Versions affected: 0.9.8 to 0.99.3.
  • The WBXML dissector could crash. (Bug )
    Versions affected: 0.10.11 to 0.99.3.
  • The MIME Multipart dissector was susceptible to an off-by-one error. (Bug )
    Versions affected: 0.10.1 to 0.99.3.
  • If AirPcap support was enabled, parsing a WEP key could sometimes cause a crash.
    Versions affected: 0.99.3.


It may be possible to make Wireshark or Ethereal crash or use up available memory by injecting a purposefully malformed packet onto the wire or by convincing someone to read a malformed packet trace file.


Upgrade to Wireshark 0.99.4.

If are running Wireshark 0.99.3 or Ethereal 0.99.0 or earlier and cannot upgrade, you can work around each of the problems listed above by doing the following:

  • Disable the HTTP, LDAP, XOT, WBXML, and MIME multipart dissectors.
    • Select Analyze→Enabled Protocols... from the menu.
    • Make sure "HTTP", "LDAP", "XOT", "WBXML", and "MIME multipart" are un-checked.
    • Click "Save", then click "OK".