Wireshark mailing list archives
External processes in Snort dissector - code execution
From: Peter Wu <peter () lekensteyn nl>
Date: Mon, 28 Aug 2017 17:50:00 +0100
Hi Martin and others,

I have noticed that the snort dissector (added in Wireshark 2.4) can be configured to execute external processes, is this desirable?

When a new pcap is loaded (or when a live capture starts), it will execute the following init routine:

    static void snort_start(void)
    {
        GIOChannel *channel;
        /* int snort_output_id; */
        const gchar *argv[] = {
            pref_snort_binary_filename,
            "-c", pref_snort_config_filename,
            /* read from stdin */
            "-r", "-",
            /* don't log */
            "-N",
            /* output to console and silence snort */
            "-A", "console", "-q",
            /* normalize time */
            "-y",
            /* -U", */
            NULL
        };

If one is able to set pref_snort_binary_filename=/bin/sh and pref_snort_config_filename to an arbitrary string, one can execute arbitrary shell code. Proof of concept that creates an infinite loop:

    strace -e execve -f \
        tshark -osnort.alerts_source:"From running Snort" \
               -osnort.binary:/bin/sh \
               -osnort.config:'while :;do :;done'

(After killing tshark, don't forget to kill the shell process, e.g. identify the PID with "ps u -C sh" then kill it.)

This can be especially problematic for services like Cloudshark and Webshark (by Jakub). The former is not yet affected since it does not use 2.4 code (yet?), but the latter seems theoretically vulnerable as it has a setconf API function (I was not able to get it to work though, as setconf changes are not visible in dumpconf).

Another problem occurs when Wireshark profiles are shared; one might expect "just" configuration of a custom port or color filters, but to a lesser extent expect arbitrary code execution. (These are preferences, not plugins.)

Perhaps the snort dissector should be configured through an environment variable, or require other changes to work?
--
Kind regards,
Peter Wu
https://lekensteyn.nl
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
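The shared-profile risk described in the message above can be checked for before a profile is imported: the two preferences that make the dissector spawn a process are ordinary "key: value" lines in the profile's preferences file. The scanner below is an added example written for this page, not Wireshark or Peter's code; the sample preferences text is constructed, and the key names snort.binary and snort.config are the ones the -o options in the message set.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of a shared profile's "preferences" file.  The two
 * snort.* keys are the ones that make the dissector execute a process. */
static const char SAMPLE_PREFS[] =
    "# Wireshark preferences (constructed sample)\n"
    "gui.column.format: \"No.\", \"%m\"\n"
    "snort.alerts_source: From running Snort\n"
    "snort.binary: /bin/sh\n"
    "snort.config: while :;do :;done\n"
    "tcp.desegment_tcp_streams: TRUE\n";

/* Preference keys whose values end up in the argv of a spawned process. */
static const char *const RISKY_KEYS[] = { "snort.binary", "snort.config" };

/* Scan preferences text (one "key: value" per line, '#' starts a comment)
 * and copy each risky line into out[]; returns the number of lines found. */
int find_risky_prefs(const char *text, char out[][160], int max_out)
{
    int n = 0;
    const char *line = text;
    while (*line && n < max_out) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > 0 && line[0] != '#') {
            const char *colon = memchr(line, ':', len);
            size_t klen = colon ? (size_t)(colon - line) : len;
            for (size_t i = 0; i < sizeof RISKY_KEYS / sizeof *RISKY_KEYS; i++) {
                if (klen == strlen(RISKY_KEYS[i]) &&
                    memcmp(line, RISKY_KEYS[i], klen) == 0) {
                    size_t c = len < 159 ? len : 159;   /* truncate, keep NUL */
                    memcpy(out[n], line, c);
                    out[n][c] = '\0';
                    n++;
                    break;
                }
            }
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return n;
}

int main(void)
{
    char hits[8][160];
    int n = find_risky_prefs(SAMPLE_PREFS, hits, 8);
    printf("%d preference(s) would execute an external process:\n", n);
    for (int i = 0; i < n; i++)
        printf("  %s\n", hits[i]);
    return 0;
}
```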
Current thread:
- External processes in Snort dissector - code execution Peter Wu (Aug 28)
- Re: External processes in Snort dissector - code execution Martin Mathieson via Wireshark-dev (Aug 28)
- Re: External processes in Snort dissector - code execution Jakub Zawadzki (Aug 29)
- Re: External processes in Snort dissector - code execution Peter Wu (Aug 29)