Wireshark mailing list archives
0day: Wireshark offset_from_real_beginning stack overflow vulnerability
From: bug free <bugfree () gmail com>
Date: Tue, 11 May 2010 16:01:10 -0700
Sharks, Description: == There is stack overflow vulnerability exist in Wireshark version 1.2.8 or before. More specifically it is cause by lacking of parameter check for parameter tvb in function offset_from_real_beginning is a infinity function call to exhaust stack resource. The attacker could leverage this vulnerability by sending a crafted pcap file to victim and a successful attack may lead to remote code execution within the privileges of the current logged-in user. Version: == wireshark 1.2.8 and before Vulnerability condition == User need to use TCP reassemble option ( Edit->preference->Protocol->TCP->Allow subdissector to reassemble TCP streams). POC: == no pcap file attached, only attached screen capture file. Vulnerability Detail: == offset_from_real_beginning(const tvbuff_t *tvb, const guint counter) { tvbuff_t *member; switch(tvb->type) { case TVBUFF_REAL_DATA: return counter; case TVBUFF_SUBSET: member = tvb->tvbuffs.subset.tvb; return offset_from_real_beginning(member, counter + tvb->tvbuffs.subset.offset); /**** need to do parameter check for "tvb" before call it again. */ case TVBUFF_COMPOSITE: member = tvb->tvbuffs.composite.tvbs->data; return offset_from_real_beginning(member, counter); } DISSECTOR_ASSERT_NOT_REACHED(); -- Thanks bugfree
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- 0day: Wireshark offset_from_real_beginning stack overflow vulnerability bug free (May 11)