Wireshark mailing list archives
Fwd: [Wireshark-users] 0day: Wireshark offset_from_real_beginning stack overflow vulnerability
From: Gerald Combs <gerald () wireshark org>
Date: Tue, 11 May 2010 16:17:00 -0700
Forwarding to wireshark-dev and security, since that's where the people that can fix the bug reside.

bug free wrote:
Sharks,

Description:
==
A stack overflow vulnerability exists in Wireshark version 1.2.8 or before. More specifically, it is caused by a lack of parameter checking for the parameter tvb in function offset_from_real_beginning, which makes an infinite function call that exhausts stack resources. The attacker could leverage this vulnerability by sending a crafted pcap file to the victim, and a successful attack may lead to remote code execution within the privileges of the current logged-in user.

Version:
==
wireshark 1.2.8 and before

Vulnerability condition
==
The user needs to use the TCP reassemble option (Edit->preference->Protocol->TCP->Allow subdissector to reassemble TCP streams).

POC:
==
No pcap file attached, only attached screen capture file.

Vulnerability Detail:
==
    offset_from_real_beginning(const tvbuff_t *tvb, const guint counter)
    {
        tvbuff_t *member;

        switch(tvb->type) {
        case TVBUFF_REAL_DATA:
            return counter;
        case TVBUFF_SUBSET:
            member = tvb->tvbuffs.subset.tvb;
            return offset_from_real_beginning(member, counter + tvb->tvbuffs.subset.offset);
            /**** need to do parameter check for "tvb" before calling it again. */
        case TVBUFF_COMPOSITE:
            member = tvb->tvbuffs.composite.tvbs->data;
            return offset_from_real_beginning(member, counter);
        }

        DISSECTOR_ASSERT_NOT_REACHED();
    }

--
Thanks
bugfree
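One way to bound the buffer-chain walk the report describes, shown as an added example that is not part of the original message and is not Wireshark's code or fix. The `buf` struct, `offset_from_root`, `MAX_BUF_DEPTH` and `demo` are hypothetical names; the struct is a simplified stand-in for `tvbuff_t`, and the self-referential chain is a constructed non-terminating input.

```c
#include <stddef.h>

/* Simplified stand-in for Wireshark's tvbuff_t (assumption: only the
 * fields the quoted function touches are modelled). */
typedef enum { BUF_REAL_DATA, BUF_SUBSET, BUF_COMPOSITE } buf_type;

typedef struct buf {
    buf_type    type;
    struct buf *backing;    /* subset: parent; composite: first member */
    unsigned    offset;     /* subset only: offset into the parent */
} buf;

#define MAX_BUF_DEPTH 64    /* hypothetical cap on nesting depth */

/* Iterative form of the walk: constant stack use, bounded step count.
 * Returns 0 and stores the offset in *out, or -1 if the chain is
 * broken, too deep, or never reaches real data. */
int offset_from_root(const buf *b, unsigned *out)
{
    unsigned counter = 0;
    for (int depth = 0; depth < MAX_BUF_DEPTH; depth++) {
        if (b == NULL)
            return -1;                  /* broken chain */
        switch (b->type) {
        case BUF_REAL_DATA:
            *out = counter;
            return 0;
        case BUF_SUBSET:
            counter += b->offset;
            b = b->backing;
            break;
        case BUF_COMPOSITE:
            b = b->backing;
            break;
        }
    }
    return -1;                          /* too deep or self-referential */
}

/* Constructed samples: a well-formed chain, or a subset backed by itself. */
int demo(int cyclic)
{
    buf real = { BUF_REAL_DATA, NULL, 0 };
    buf comp = { BUF_COMPOSITE, &real, 0 };
    buf sub  = { BUF_SUBSET, &comp, 12 };
    buf top  = { BUF_SUBSET, &sub, 30 };
    unsigned off = 0;
    if (cyclic)
        sub.backing = &sub;             /* chain never reaches real data */
    return offset_from_root(&top, &off) == 0 ? (int)off : -1;
}
```

The recursive version in the report consumes one stack frame per link, so a chain that does not terminate ends in a crash; the loop above rejects the same input with an error return.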