Fwd: [Wireshark-users] 0day: Wireshark offset_from_real_beginning stack overflow vulnerability

[Gerald Combs <gerald () wireshark org>]

Forwarding to wireshark-dev and security, since that's where the people
that can fix the bug reside.

bug free wrote:
> Sharks,
>
> Description: 
> ==
> There is stack overflow vulnerability exist in Wireshark  version
> 1.2.8 or before. More specifically it is cause by lacking of parameter
> check for parameter tvb in function offset_from_real_beginning is
> a infinity function call to exhaust stack resource. The attacker could
> leverage this vulnerability by sending a crafted pcap file to victim
> and a successful attack may lead to remote code execution within the
> privileges of the current logged-in user.
>
> Version: 
> ==
> wireshark 1.2.8 and before
>
> Vulnerability condition
> ==
> User need to use TCP reassemble option (
> Edit->preference->Protocol->TCP->Allow subdissector to reassemble TCP
> streams). 
>
> POC: 
> ==
> no pcap file attached, only attached screen capture file.
>
> Vulnerability Detail:
> ==
> offset_from_real_beginning(const tvbuff_t *tvb, const guint counter)      
> {               
>         tvbuff_t        *member;
>                 
>         switch(tvb->type) {
>                 case TVBUFF_REAL_DATA:
>                         return counter;                          
>                 case TVBUFF_SUBSET:
>                         member = tvb->tvbuffs.subset.tvb;
>                         return offset_from_real_beginning(member,
> counter + tvb->tvbuffs.subset.offset);   /**** need to do parameter
> check for "tvb" before call it again. */
>                 case TVBUFF_COMPOSITE:
>                         member = tvb->tvbuffs.composite.tvbs->data; 
>                         return offset_from_real_beginning(member,
> counter);
>         }                                                        
>         
>         DISSECTOR_ASSERT_NOT_REACHED();
>
>
>
> -- 
> Thanks
> bugfree
>
> ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request () wireshark org?subject=unsubscribe


-- 
Join us for Sharkfest ’10! · Wireshark® Developer and User Conference
Stanford University, June 14-17 · http://www.cacetech.com/sharkfest.10/

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe