Wireshark mailing list archives
0day: Wireshark offset_from_real_beginning stack overflow vulnerability
From: bug free <bugfree () gmail com>
Date: Tue, 11 May 2010 16:01:10 -0700
Sharks,
Description:
==
A stack overflow vulnerability exists in Wireshark version 1.2.8 or
earlier. More specifically, it is caused by the lack of a parameter check
for the parameter tvb in the function offset_from_real_beginning, resulting
in an infinite function call that exhausts stack resources. An attacker
could leverage this vulnerability by sending a crafted pcap file to a
victim, and a successful attack may lead to remote code execution within
the privileges of the currently logged-in user.
Version:
==
wireshark 1.2.8 and before
Vulnerability condition:
==
The user needs to use the TCP reassemble option (
Edit->preference->Protocol->TCP->Allow subdissector to reassemble TCP
streams).
POC:
==
No pcap file is attached; only a screen capture file is attached.
Vulnerability Detail:
==
static guint
offset_from_real_beginning(const tvbuff_t *tvb, const guint counter)
{
    tvbuff_t *member;

    switch(tvb->type) {
        case TVBUFF_REAL_DATA:
            return counter;
        case TVBUFF_SUBSET:
            member = tvb->tvbuffs.subset.tvb;
            /**** need to do a parameter check for "tvb" before calling it again. */
            return offset_from_real_beginning(member, counter +
                    tvb->tvbuffs.subset.offset);
        case TVBUFF_COMPOSITE:
            member = tvb->tvbuffs.composite.tvbs->data;
            return offset_from_real_beginning(member, counter);
    }

    DISSECTOR_ASSERT_NOT_REACHED();
    return 0;
}
--
Thanks
bugfree
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
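The parameter check the post asks for, sketched as an added example (not code from the original post or from Wireshark): the walk is rewritten as a loop that checks each buffer before following it and caps the number of hops. `struct tvb`, `offset_checked`, `TVB_MAX_DEPTH` and `demo` are hypothetical names, and the cyclic chain is a constructed stand-in, assumed here, for a buffer chain that never reaches real data.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for tvbuff_t; all names here are illustrative. */
enum tvb_type { TVB_REAL_DATA, TVB_SUBSET, TVB_COMPOSITE };
struct tvb {
    enum tvb_type type;
    struct tvb *member;  /* backing buffer (subset) or first member (composite) */
    unsigned offset;     /* offset into the backing buffer (subset only) */
};
#define TVB_MAX_DEPTH 64 /* assumed nesting cap, not a Wireshark constant */

/* Iterative walk: each buffer is checked before it is followed and the loop
 * stops after TVB_MAX_DEPTH hops, so a malformed chain costs a bounded loop
 * rather than unbounded stack growth. Returns the offset, or -1 on error. */
long long offset_checked(const struct tvb *tvb, unsigned counter)
{
    for (int depth = 0; tvb != NULL && depth < TVB_MAX_DEPTH; depth++) {
        switch (tvb->type) {
        case TVB_REAL_DATA:
            return (long long)counter;
        case TVB_SUBSET:
            counter += tvb->offset;
            tvb = tvb->member;
            break;
        case TVB_COMPOSITE:
            tvb = tvb->member;
            break;
        default:
            return -1;   /* unknown buffer type */
        }
    }
    return -1;           /* missing member, chain too deep, or chain loops */
}

/* Constructed sample chains: top -> mid -> real data, or (cyclic) mid -> top. */
long long demo(int cyclic)
{
    struct tvb real = { TVB_REAL_DATA, NULL, 0 };
    struct tvb mid = { TVB_SUBSET, &real, 10 }, top = { TVB_SUBSET, &mid, 5 };
    if (cyclic)
        mid.member = &top;   /* chain never reaches real data */
    return offset_checked(&top, 0);
}

int main(void)
{
    printf("valid=%lld cyclic=%lld\n", demo(0), demo(1));
    return 0;
}
```

A caller that gets -1 would treat the buffer as malformed and stop dissecting it instead of continuing the walk.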
