[CVE 2008-468[1-5] - Wireshark up to 1.0.3 affected by multiple security vulnerabilities

Bug #290716 reported by Stefan Lesicnik on 2008-10-29
272
Affects Status Importance Assigned to Milestone
Debian
Fix Released
Unknown
wireshark (Ubuntu)
Medium
Stefan Lesicnik
Gutsy
Medium
Stefan Lesicnik
Hardy
Medium
Stefan Lesicnik
Intrepid
Medium
Stefan Lesicnik

Bug Description

Binary package hint: wireshark

CVE-2008-4680
packet-usb.c in the USB dissector in Wireshark 0.99.7 through 1.0.3 allows
remote attackers to cause a denial of service (application crash or abort)
via a malformed USB Request Block (URB).
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4680

CVE-2008-4681
Unspecified vulnerability in the Bluetooth RFCOMM dissector in Wireshark
0.99.7 through 1.0.3 allows remote attackers to cause a denial of service
(application crash or abort) via unknown packets.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4681

CVE-2008-4682
wtap.c in Wireshark 0.99.7 through 1.0.3 allows remote attackers to cause a
denial of service (application abort) via a malformed Tamos CommView
capture file (aka .ncf file) with an "unknown/unexpected packet type" that
triggers a failed assertion.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4682

CVE-2008-4683
The dissect_btacl function in packet-bthci_acl.c in the Bluetooth ACL
dissector in Wireshark 0.99.2 through 1.0.3 allows remote attackers to
cause a denial of service (application crash or abort) via a packet with an
invalid length, related to an erroneous tvb_memcpy call.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4683

CVE-2008-4684
packet-frame in Wireshark 0.99.2 through 1.0.3 does not properly handle
exceptions thrown by post dissectors, which allows remote attackers to
cause a denial of service (application crash) via a certain series of
packets, as demonstrated by enabling the (1) PRP or (2) MATE post
dissector.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4684

CVE-2008-4685
Use-after-free vulnerability in the dissect_q931_cause_ie function in
packet-q931.c in the Q.931 dissector in Wireshark 0.10.3 through 1.0.3
allows remote attackers to cause a denial of service (application crash or
abort) via certain packets that trigger an exception.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4685

Stefan Lesicnik (stefanlsd) wrote :
Stefan Lesicnik (stefanlsd) wrote :
Stefan Lesicnik (stefanlsd) wrote :
Stefan Lesicnik (stefanlsd) wrote :
Stefan Lesicnik (stefanlsd) wrote :
Stefan Lesicnik (stefanlsd) wrote :
Stefan Lesicnik (stefanlsd) wrote :
Stefan Lesicnik (stefanlsd) wrote :

As per the CVE's. All releases up to 1.0.3 are affected by these bugs. These POC are taken from the original wireshark bug tracker and just renamed to easier identify which belongs to which CVE.

All of these bugs were always reproducible, except for CVE_2008-4685 which happened intermittently.

I also built a test build to remove wiresharks memory overflow and underflow detection and protection routine as some of these are actually trapped there. More details: http://wiki.wireshark.org/Development/Canary

To reproduce (tested on current Intrepid version 1.0.3 - will test others)

For each test with EP_DEBUG_FREE and SE_DEBUG_FREE defined.

- 2008-4680 - Open the attached .pcap file.
- 2008-4681 - Open the attached .pcap file.
- 2008-4682 - Open the attached .ncf file.
- 2008-4683 - Open the attached .pcap file twice.
- 2008-4684 - Open the attached .pcap file.
                       Click Analyze - Enabled Protocols - Disable all protocols - Apply - Ok
                       Click Analyze - Enabled Protocols - Enable all protocols - Apply - Ok
- 2008-4685 - This crash was intermittent. Ensure packet colourization is on. Open the main .pcap file, open the 1 and 2 version. And then the main again. Sometimes would crash. From the author of the patch - "Still, it's a dangling pointer we're dealing with here, so it may all come down to the specifics of the platform and compiler as to how the bug hits" - More details can be found here - https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2870

Stefan Lesicnik (stefanlsd) wrote :

Intrepid debdiff attached.

I am in contact with the Debian maintainer and will forward all relevant patches.

Changed in wireshark:
assignee: nobody → stefanlsd
assignee: nobody → stefanlsd
assignee: nobody → stefanlsd
Kees Cook (kees) on 2008-10-30
Changed in wireshark:
status: New → In Progress
Stefan Lesicnik (stefanlsd) wrote :
Stefan Lesicnik (stefanlsd) wrote :

Gutsy includes 0.99.6 of Wireshark and CVE-2008-4685 should not apply according the CVE description, although using the attached CVE POC exploit, it was possible to segfault Wireshark. After applying the fix for CVE 2008-4685 the segfault no longer occured.

Changed in wireshark:
status: New → In Progress
status: New → In Progress
Xavier Aragon (xarax-lp) wrote :

Could someone please comment on the progress of resolving this bug. I use wireshark in Intrepid and I'm a bit worried about these vulnerabilities. Thanks.

Stefan Lesicnik (stefanlsd) wrote :

Hi.

These patches should be complete. I think Debian has merged them already. I will see if I can get an admin to upload these.

Kees Cook (kees) wrote :

Thanks for these debdiffs! Have the resulting builds been tests on each release as well?

Kees Cook (kees) wrote :

Fixed in Jaunty via Debian merge.

Changed in wireshark:
status: New → Fix Released
importance: Undecided → Medium
Kees Cook (kees) wrote :

I've uploaded these for building in the security queue. Once they are ready, we can put them through -proposed and finally into -security. Thanks again!

https://launchpad.net/~ubuntu-security-proposed/+archive

Changed in wireshark:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Kees Cook (kees) on 2009-01-10
Changed in wireshark:
importance: Undecided → Medium
importance: Undecided → Medium
importance: Undecided → Medium
Jamie Strandboge (jdstrand) wrote :

These are all in proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Jamie Strandboge (jdstrand) wrote :

Can people from motu-swat test these proposed wireshark packages? Thanks in advance!

Rolf Leggewie (r0lf) wrote :

I'd be happy to test the proposed packages, except I would not know how. There is no test-case. I could install the packages and report whether that goes smoothly or not. But I don't think that kind of feedback to be sufficient.

Marking as fix released, as the packages are already copied to -updates and -security.

Changed in wireshark:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Changed in debian:
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.