Wireshark 2.2.6 - IPv6 Dissector Denial of Service Vulnerability

Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-3369-g2e2ba64b72)
 
Copyright 1998-2017 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.50.3, with zlib 1.2.11, without SMI, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP,
with nghttp2 1.20.0, with LZ4, with Snappy, with libxml2 2.9.4.
 
Running on Linux 4.10.13-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31996 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with zlib 1.2.11.
 
Built using clang 4.2.1 Compatible Clang 4.0.0 (tags/RELEASE_400/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1303
 
Attached is the sample that triggers this error which can be reproduced with an
ASAN+UBSAN build of Wireshark ("tshark -Vr test.pcap").
--
wsutil/inet_ipv6.h:111:15: runtime error: member access within null pointer of type 'const struct e_in6_addr'
    #0 0x7f2b8106b2b8 in in6_is_addr_multicast wsutil/inet_ipv6.h:111:15
    #1 0x7f2b81068247 in dissect_routing6_rpl epan/dissectors/packet-ipv6.c:952:9
    #2 0x7f2b81052227 in dissect_routing6 epan/dissectors/packet-ipv6.c:1217:9
    #3 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
    #4 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
    #5 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
    #6 0x7f2b83a917c9 in dissector_try_uint epan/packet.c:1353:9
    #7 0x7f2b800c8361 in dissect_ayiya epan/dissectors/packet-ayiya.c:134:9
    #8 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
    #9 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
    #10 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
    #11 0x7f2b83a917c9 in dissector_try_uint epan/packet.c:1353:9
    #12 0x7f2b822f9326 in decode_udp_ports epan/dissectors/packet-udp.c:678:7
    #13 0x7f2b8230ee02 in dissect epan/dissectors/packet-udp.c:1131:5
    #14 0x7f2b822fe12f in dissect_udp epan/dissectors/packet-udp.c:1137:3
    #15 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
    #16 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
    #17 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
    #18 0x7f2b80a62252 in dissect_exported_pdu epan/dissectors/packet-exported_pdu.c:307:17
    #19 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
    #20 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
    #21 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
    #22 0x7f2b80b803e7 in dissect_frame epan/dissectors/packet-frame.c:521:11
    #23 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
    #24 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
    #25 0x7f2b83a9fe87 in call_dissector_only epan/packet.c:2992:8
    #26 0x7f2b83a88034 in call_dissector_with_data epan/packet.c:3005:8
    #27 0x7f2b83a87054 in dissect_record epan/packet.c:567:3
    #28 0x7f2b83a1f398 in epan_dissect_run_with_taps epan/epan.c:474:2
    #29 0x561364f21686 in process_packet_single_pass tshark.c:3419:5
    #30 0x561364f1a821 in process_cap_file tshark.c:3250:11
    #31 0x561364f12549 in main tshark.c:1955:17
    #32 0x7f2b754f9510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
    #33 0x561364dff4f9 in _start (run/tshark+0xd44f9)
 
SUMMARY: AddressSanitizer: undefined-behavior wsutil/inet_ipv6.h:111:15 in
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42123.zip

#  0day.today [2018-03-14]  #