Vulners
Lucene search
Wireshark - dissct_rsl_ipaccess_msg Static Out-of-Bounds Read
| Reporter | Title | Published | Views | Family All 43 |
|---|---|---|---|---|
 | wireshark-cli: denial of service | 9 Jan 201600:00 | – | archlinux |
| wireshark-gtk: denial of service | 9 Jan 201600:00 | – | archlinux |
| wireshark-qt: denial of service | 9 Jan 201600:00 | – | archlinux |
 | CVE-2015-8731 | 16 Dec 201500:00 | – | circl |
 | Wireshark RSL File Parser Denial of Service Vulnerability | 5 Jan 201600:00 | – | cnvd |
 | CVE-2015-8731 | 4 Jan 201602:00 | – | cve |
 | CVE-2015-8731 | 4 Jan 201602:00 | – | cvelist |
 | [SECURITY] [DSA 3516-1] wireshark security update | 13 Mar 201620:52 | – | debian |
 | CVE-2015-8731 | 4 Jan 201602:00 | – | debiancve |
 | Debian DSA-3516-1 : wireshark - security update | 14 Mar 201600:00 | – | nessus |
10
Source: https://code.google.com/p/google-security-research/issues/detail?id=660
The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==7557==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7ff755ab5a18 at pc 0x7ff74b48f257 bp 0x7ffc467efe50 sp 0x7ffc467efe48
READ of size 4 at 0x7ff755ab5a18 thread T0
#0 0x7ff74b48f256 in dissct_rsl_ipaccess_msg wireshark/epan/dissectors/packet-rsl.c:3055:23
#1 0x7ff74b48a788 in dissct_rsl_msg wireshark/epan/dissectors/packet-rsl.c:3181:18
#2 0x7ff74b4951cb in dissect_rsl_ie_err_msg wireshark/epan/dissectors/packet-rsl.c:2206:14
#3 0x7ff74b48bf1b in dissct_rsl_msg wireshark/epan/dissectors/packet-rsl.c:3383:22
#4 0x7ff74b48a477 in dissect_rsl wireshark/epan/dissectors/packet-rsl.c:3847:14
#5 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#6 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
#7 0x7ff7499e32be in call_dissector_only wireshark/epan/packet.c:2662:8
#8 0x7ff7499d4ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#9 0x7ff7499e3344 in call_dissector wireshark/epan/packet.c:2692:9
#10 0x7ff74a88a7ee in dissect_ipa wireshark/epan/dissectors/packet-gsm_ipa.c:365:5
#11 0x7ff74a889dab in dissect_ipa_tcp wireshark/epan/dissectors/packet-gsm_ipa.c:376:2
#12 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#13 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
#14 0x7ff7499d8dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#15 0x7ff74b98a9dd in decode_tcp_ports wireshark/epan/dissectors/packet-tcp.c:4615:9
#16 0x7ff74b990043 in process_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4668:13
#17 0x7ff74b98b39c in dissect_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4743:9
#18 0x7ff74b9a07a3 in dissect_tcp wireshark/epan/dissectors/packet-tcp.c:5575:13
#19 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#20 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
#21 0x7ff7499d8dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#22 0x7ff74aae688b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
#23 0x7ff74aaf12b9 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
#24 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#25 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
#26 0x7ff7499d8dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#27 0x7ff7499d9964 in dissector_try_uint wireshark/epan/packet.c:1174:9
#28 0x7ff74a5f848d in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
#29 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#30 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
#31 0x7ff7499e32be in call_dissector_only wireshark/epan/packet.c:2662:8
#32 0x7ff7499d4ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#33 0x7ff74a5f4725 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
#34 0x7ff74a5ecf33 in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
#35 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#36 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
#37 0x7ff7499d8dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#38 0x7ff74a6e85f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#39 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#40 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
#41 0x7ff7499e32be in call_dissector_only wireshark/epan/packet.c:2662:8
#42 0x7ff7499d4ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#43 0x7ff7499d433b in dissect_record wireshark/epan/packet.c:501:3
#44 0x7ff7499823c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#45 0x5264eb in process_packet wireshark/tshark.c:3728:5
#46 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#47 0x515daf in main wireshark/tshark.c:2197:13
0x7ff755ab5a18 is located 0 bytes to the right of global variable 'rsl_att_tlvdef' defined in 'packet-rsl.c:685:30' (0x7ff755ab5220) of size 2040
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-rsl.c:3055:23 in dissct_rsl_ipaccess_msg
Shadow bytes around the buggy address:
0x0fff6ab4eaf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff6ab4eb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff6ab4eb10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff6ab4eb20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff6ab4eb30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fff6ab4eb40: 00 00 00[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0fff6ab4eb50: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0fff6ab4eb60: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0fff6ab4eb70: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0fff6ab4eb80: 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0fff6ab4eb90: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==7557==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11829. Attached are three files which trigger the crash.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38996.zip
# 0day.today [2018-03-06] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Dec 2015 00:00Current
5.8Medium risk
Vulners AI Score5.8
EPSS0.01042