Wireshark Stack Overflow in ASN.1/BER Dissector Lets Remote Users Deny Service
|
|
SecurityTracker Alert ID: 1024428 |
|
SecurityTracker URL: http://securitytracker.com/id/1024428
|
|
CVE Reference:
CVE-2010-3445
(Links to External Site)
|
Updated: Nov 30 2010
|
Original Entry Date: Sep 13 2010
|
Impact:
Denial of service via network
|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
|
Version(s): 1.2.0 - 1.2.11
|
Description:
A vulnerability was reported in Wireshark. A remote user can cause denial of service conditions.
A remote user can send a specially crafted SNMP v1 packet to trigger a stack overflow in the ASN.1/BER dissector and cause the the target service to crash.
Other protocols that use the ASN.1/BER dissector may be affected.
The penetration test team Of NCNIPC (China) reported this vulnerability.
|
Impact:
A remote user can cause the target application to crash.
|
Solution:
The vendor has issued a fix (1.2.12).
The vendor's advisory is available at:
http://www.wireshark.org/security/wnpa-sec-2010-11.html
|
Vendor URL: www.wireshark.org/security/wnpa-sec-2010-11.html (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Mon, 13 Sep 2010 05:42:10 +0000
Subject: Wireshark 1.4.0 Malformed SNMP V1 Packet Denial of Service
|
Wireshark 1.4.0 Malformed SNMP V1 Packet Denial of Service
------------------------------------------------------------------
I. Summary
A flaw has been identified in Wireshark 1.4.0 concerning the ASN.1/BER dissector that will cause a denial of service (stack overflow and null pointer dereference in exception handling code).
------------------------------------------------------------------
II. Description
Wireshark makes use of protocol dissectors to parse packet data and organize its contents into a meaningful representation. Upon encountering an SNMP v1 packet, the ASN.1/BER dissector, as implemented in $SRC_ROOT/epan/dissectors/packet-ber.c, will be invoked to process the BER encoded content, i.e. variable bindings in the SNMP PDU. If this field is filled with an extremely long string, e.g. a sequence of 14000 'A's, a recursive call in function dissect_unknown_ber() would consume too much stack space, causing stack overflow in most configurations and later a null pointer deference in the exception handling code.
------------------------------------------------------------------
III. Impact
Denial of service (null pointer deference and application crash)
------------------------------------------------------------------
IV. Affected
Wireshark 1.4.0, tested with Windows XP SP2. Previous versions may also be affected due to code reuse.
------------------------------------------------------------------
V. Solution
Since the ASN.1/BER dissector is used by several protocol dissectors, it may be inadequate to disable SNMP protocol dissection only. There is no known workaround at this time.
------------------------------------------------------------------
VI. Credit
The penetration test team Of NCNIPC (China) is credited for this vulnerability.
|
|
