Wireshark - dissect_ber_integer Static Out-of-Bounds Write

2016-03-23T00:00:00
ID EDB-ID:39604
Type exploitdb
Reporter Google Security Research
Modified 2016-03-23T00:00:00

Description

Wireshark - dissect_ber_integer Static Out-of-Bounds Write. Dos exploits for multiple platform

                                        
                                            Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=750

The following crash due to a static memory out-of-bounds write can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):

--- cut ---
==28209==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fde2f36bfc4 at pc 0x7fde25b1332c bp 0x7fffe48bc670 sp 0x7fffe48bc668
WRITE of size 4 at 0x7fde2f36bfc4 thread T0
    #0 0x7fde25b1332b in dissect_ber_integer epan/dissectors/packet-ber.c:2001:16
    #1 0x7fde27f46621 in dissect_kerberos_ADDR_TYPE epan/dissectors/../../asn1/kerberos/kerberos.cnf:351:12
    #2 0x7fde25b1959a in dissect_ber_sequence epan/dissectors/packet-ber.c:2415:17
    #3 0x7fde27f4656f in dissect_kerberos_HostAddress epan/dissectors/../../asn1/kerberos/kerberos.cnf:233:12
    #4 0x7fde25b1959a in dissect_ber_sequence epan/dissectors/packet-ber.c:2415:17
    #5 0x7fde27f4badf in dissect_kerberos_EncKrbPrivPart epan/dissectors/../../asn1/kerberos/kerberos.cnf:407:12
    #6 0x7fde25b040f7 in dissect_ber_tagged_type epan/dissectors/packet-ber.c:695:18
    #7 0x7fde27f42384 in dissect_kerberos_ENC_KRB_PRIV_PART epan/dissectors/../../asn1/kerberos/kerberos.cnf:417:12
    #8 0x7fde25b1f100 in dissect_ber_choice epan/dissectors/packet-ber.c:2917:21
    #9 0x7fde27f4139a in dissect_kerberos_Applications epan/dissectors/../../asn1/kerberos/kerberos.cnf:185:12
    #10 0x7fde27f3f7b2 in dissect_kerberos_common epan/dissectors/../../asn1/kerberos/packet-kerberos-template.c:2103:10
    #11 0x7fde27f3e22f in dissect_kerberos_main epan/dissectors/../../asn1/kerberos/packet-kerberos-template.c:2134:10
    #12 0x7fde26f3c34f in dissect_pktc_mtafqdn epan/dissectors/packet-pktc.c:566:15
    #13 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8
    #14 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9
    #15 0x7fde2560670d in dissector_try_uint_new epan/packet.c:1160:9
    #16 0x7fde256072b4 in dissector_try_uint epan/packet.c:1186:9
    #17 0x7fde277709e5 in decode_udp_ports epan/dissectors/packet-udp.c:583:7
    #18 0x7fde2777fa80 in dissect epan/dissectors/packet-udp.c:1081:5
    #19 0x7fde27773840 in dissect_udplite epan/dissectors/packet-udp.c:1094:3
    #20 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8
    #21 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9
    #22 0x7fde2560670d in dissector_try_uint_new epan/packet.c:1160:9
    #23 0x7fde267660bb in ip_try_dissect epan/dissectors/packet-ip.c:1978:7
    #24 0x7fde26770de8 in dissect_ip_v4 epan/dissectors/packet-ip.c:2472:10
    #25 0x7fde26766819 in dissect_ip epan/dissectors/packet-ip.c:2495:5
    #26 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8
    #27 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9
    #28 0x7fde2560670d in dissector_try_uint_new epan/packet.c:1160:9
    #29 0x7fde256072b4 in dissector_try_uint epan/packet.c:1186:9
    #30 0x7fde26f6e380 in dissect_ppp_common epan/dissectors/packet-ppp.c:4344:10
    #31 0x7fde26f6db3c in dissect_ppp_hdlc_common epan/dissectors/packet-ppp.c:5337:5
    #32 0x7fde26f65df5 in dissect_ppp_hdlc epan/dissectors/packet-ppp.c:5378:5
    #33 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8
    #34 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9
    #35 0x7fde2560670d in dissector_try_uint_new epan/packet.c:1160:9
    #36 0x7fde2634fe55 in dissect_frame epan/dissectors/packet-frame.c:493:11
    #37 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8
    #38 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9
    #39 0x7fde25610a7e in call_dissector_only epan/packet.c:2674:8
    #40 0x7fde2560243f in call_dissector_with_data epan/packet.c:2687:8
    #41 0x7fde25601814 in dissect_record epan/packet.c:509:3
    #42 0x7fde255b4bb9 in epan_dissect_run_with_taps epan/epan.c:376:2
    #43 0x52f11b in process_packet tshark.c:3748:5
    #44 0x52840c in load_cap_file tshark.c:3504:11
    #45 0x51e71c in main tshark.c:2213:13

0x7fde2f36bfc4 is located 4 bytes to the right of global variable 'cb' defined in 'packet-pktc.c:539:27' (0x7fde2f36bfa0) of size 32
SUMMARY: AddressSanitizer: global-buffer-overflow epan/dissectors/packet-ber.c:2001:16 in dissect_ber_integer
Shadow bytes around the buggy address:
  0x0ffc45e657a0: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0ffc45e657b0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0ffc45e657c0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ffc45e657d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc45e657e0: 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
=>0x0ffc45e657f0: f9 f9 f9 f9 00 00 00 00[f9]f9 f9 f9 00 00 00 00
  0x0ffc45e65800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc45e65810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc45e65820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc45e65830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffc45e65840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28209==ABORTING
--- cut ---

The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12206. Attached is a file which triggers the crash.


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39604.zip