Wireshark-bugs: [Wireshark-bugs] [Bug 5318] New: Buffer Overflow in ldss dissector
Date: Tue, 19 Oct 2010 15:59:08 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5318

           Summary: Buffer Overflow in ldss dissector
           Product: Wireshark
           Version: SVN
          Platform: x86
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: njohnson@xxxxxxxxxxxxxxxxx


Created an attachment (id=5336)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=5336)
used this to test the issue

Build Information:
Version 1.5.0 (SVN Rev 34559 from /trunk)

Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.18.3, (32-bit) with GLib 2.22.3, with libpcap 1.0.0, with
libz 1.2.3.3, without POSIX capabilities, without libpcre, without SMI, without
c-ares, without ADNS, without Lua, without Python, with GnuTLS 2.8.3, with
Gcrypt 1.4.4, with MIT Kerberos, without GeoIP, without PortAudio, without
AirPcap.

Running on Linux 2.6.31-22-generic, with libpcap version 1.0.0, with libz
1.2.3.3, GnuTLS 2.8.3, Gcrypt 1.4.4.

Built using gcc 4.4.1.

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
There is a heap-based buffer overflow in the function dissect_ldss_transfer
(epan/dissectors/packet-ldss.c):

 457 static int
 458 dissect_ldss_transfer (tvbuff_t *tvb, packet_info *pinfo, proto_tree
*tree)
 459 {
 ...
 598             if (is_digest_line) {
 599                 /* Sample digest-type/digest line:
 600                  * md5:0123456789ABCDEF\n */
 601                 if (!already_dissected) {
 602                     GByteArray *digest_bytes;
 603 
 604                     digest_bytes = g_byte_array_new();
 605                     hex_str_to_bytes(
 606                         tvb_get_ptr(tvb, offset+digest_type_len,
linelen-digest_type_len),
 607                         digest_bytes, FALSE);
 608 
 609                     /* Ensure the digest is zero-padded */
 610                     transfer_info->file->digest = se_alloc0(DIGEST_LEN);
 611                     memcpy(transfer_info->file->digest,
digest_bytes->data, digest_bytes->len);
 612 
 613                     g_byte_array_free(digest_bytes, TRUE);
 614                 }
 ...
 626             }


As the comment in the source code says, an incoming digest line will look
something like:

md5:01234568901234567890123456789012\n

On line 610, transfer_info->file->digest is allocated to DIGEST_LEN (32) bytes.
 This assumes that the hex form of the digest in the pcap will be <= 64 bytes
in length.  Since there are no checks anywhere in the code to enforce this, the
transfer_info->file->digest buffer can be overflowed by having digest lines
with digests > 64 bytes in length.

One of the restrictions on the this is that the amount the buffer can be
overflowed by is limited to the amount of data that can be transported in one
TCP packet, as any following TCP packets are treated as file data and won't be
reassembled as part of the first packet.

This doesn't crash the two versions of wireshark that I've tried (1.4 and 1.2),
although in 1.2 it does get a "Per-session memory corrupted" error (Mac,
Windows, and Linux) and aborts when closing wireshark.

Also, there is no restriction on the number of digests that can be present in
the first tcp packet.  I couldn't find the actual protocol specs anywhere, so
I'm not sure if it's supposed to be that way or not.  Either way, it might give
someone a greater chance of successfully exploiting this issue, as they will be
able to overflow more than one buffer on the heap.

Attached is a pcap I've made to test the issue-

--Nephi

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.