* Wireshark version 0.99.5 and prior
* Wireshark version 0.99.6 and newer
A vulnerability in the way Wireshark handles DNP3 data allows an attacker to fool the dissector into thinking a negative number of items has been provided to it as part of the Application Layer request to read/write objects. This in turn causes the following loop in the code:
for (temp16 = 0; temp16 < num_items; temp16++)
to become an infinite loop: temp16 is defined as a 16-bit unsigned integer while num_items is defined as a 32-bit unsigned integer, so a negative value is cast into a value wider than 16 bits, one that temp16 can never reach because the 16-bit counter wraps back to zero before it gets there.
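The width mismatch above can be checked arithmetically rather than by spinning the loop. The following is an added illustration, not Wireshark's code or its actual fix: it decides whether the advisory's 16-bit counter can ever reach a given 32-bit item count, and shows a hardened walker whose counter has the same width as its bound and whose bound is capped by the bytes actually present. The fixed 2-byte item size and the sample buffer are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Models the advisory's loop "for (temp16 = 0; temp16 < num_items; temp16++)".
 * A uint16_t counter wraps to 0 after 65535, so it never reaches a 32-bit
 * bound above UINT16_MAX and the loop runs forever. Decide that without looping. */
bool u16_loop_terminates(uint32_t num_items) {
    return num_items <= UINT16_MAX;
}

/* Hardened item walker (illustrative, not Wireshark's fix): the counter has the
 * same width as the bound, and the bound is capped by what the captured buffer
 * can hold. ITEM_SIZE is an assumed fixed per-item size; real DNP3 object sizes
 * vary with the object group and variation. */
#define ITEM_SIZE 2u

typedef struct {
    uint32_t processed;   /* items actually walked */
    bool truncated;       /* the claimed count exceeded the buffer */
} walk_result;

walk_result walk_items(const uint8_t *buf, size_t buf_len, uint32_t num_items) {
    walk_result r = { 0, false };
    uint32_t available = (uint32_t)(buf_len / ITEM_SIZE);
    uint32_t limit = num_items;
    if (limit > available) { limit = available; r.truncated = true; }
    for (uint32_t i = 0; i < limit; i++) {   /* counter and bound are both 32-bit */
        (void)buf[i * ITEM_SIZE];            /* in-bounds read; a real dissector would decode here */
        r.processed++;
    }
    return r;
}

/* Constructed sample: a 4-byte buffer (two items) paired with a claimed count of
 * 0x00010000 = 65536, the kind of value the u16 counter can never reach. */
static const uint8_t sample_items[4] = { 0x01, 0x02, 0x03, 0x04 };
static const uint32_t sample_claimed_count = 0x00010000u;

uint32_t walk_sample_processed(void) {
    return walk_items(sample_items, sizeof sample_items, sample_claimed_count).processed;
}

bool walk_sample_truncated(void) {
    return walk_items(sample_items, sizeof sample_items, sample_claimed_count).truncated;
}
```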
Proof of Concept:
The vulnerability can be recreated by either using beSTORM with the DNP3 protocol fuzzer and monitoring the traffic generated with Wireshark or by launching the following exploit code:
# Automatically generated by beSTORM(tm)
# Copyright Beyond Security (c) 2003-2007 ($Revision: 3741 $)