Wireshark-dev: [Wireshark-dev] External processes in Snort dissector - code execution
From: Peter Wu <peter@xxxxxxxxxxxxx>
Date: Mon, 28 Aug 2017 17:50:00 +0100
Hi Martin and others,

I have noticed that the snort dissector (added in Wireshark 2.4) can be
configured to execute external processes; is this desirable?

When a new pcap is loaded (or when a live capture starts), it will
execute the following init routine:

    static void snort_start(void)
    {
        GIOChannel *channel;
        /* int snort_output_id; */
        const gchar *argv[] = {
            pref_snort_binary_filename, "-c", pref_snort_config_filename,
            /* read from stdin */
            "-r", "-",
            /* don't log */
            "-N",
            /* output to console and silence snort */
            "-A", "console", "-q",
            /* normalize time */
            "-y", /* -U", */
            NULL
        };

If one is able to set pref_snort_binary_filename=/bin/sh and
pref_snort_config_filename to an arbitrary string, one can execute
arbitrary shell code. Proof of concept that creates an infinite loop:

    strace -e execve -f \
    tshark -osnort.alerts_source:"From running Snort" \
        -osnort.binary:/bin/sh \
        -osnort.config:'while :;do :;done'

(After killing tshark, don't forget to kill the shell process, e.g.
identify PID with "ps u -C sh" then kill it.)

This can be especially problematic for services like Cloudshark and
Webshark (by Jakub). The former is not yet affected since it does not
use 2.4 code (yet?) but the latter seems theoretically vulnerable as it
has a setconf API function (I was not able to get it to work though as
setconf changes are not visible in dumpconf).

Another problem occurs when Wireshark profiles are shared: one might
expect "just" configuration of a custom port or color filters, but to a
lesser extent expect arbitrary code execution. (These are preferences,
not plugins.)

Perhaps the snort dissector should be configured through an environment
variable, or require other changes to work?
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl
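The argv array quoted above is handed to a spawned process, not to a shell, so the proof of concept does not rely on shell metacharacters: it works because argv[0] is whatever snort.binary says and argv[1] is always "-c", which for /bin/sh means "run the next argument as a command line". One mitigation is therefore to validate the two preference values before anything is spawned, and to let an environment variable set by the process owner take precedence over a preference that may have arrived in a shared profile. The following C program is an added illustration of that idea and is not Wireshark code; the functions, the WIRESHARK_SNORT_BINARY variable, and the rule that the binary's basename must be "snort" are all assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hardening check for the snort.binary preference.
 * Accept only an absolute path to an existing, executable regular file
 * whose basename is "snort". Pointing the preference at /bin/sh (as in
 * the proof of concept in the e-mail) is rejected before anything is
 * spawned. */
int snort_binary_allowed(const char *path)
{
    struct stat st;
    const char *base;

    if (path == NULL || path[0] != '/')
        return 0;
    base = strrchr(path, '/');
    base = base ? base + 1 : path;
    if (strcmp(base, "snort") != 0)
        return 0;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    if (access(path, X_OK) != 0)
        return 0;
    return 1;
}

/* Hypothetical check for the snort.config preference: it must name an
 * existing regular file, so an arbitrary string such as a shell loop is
 * rejected even if the binary check were ever bypassed. */
int snort_config_allowed(const char *path)
{
    struct stat st;

    if (path == NULL || path[0] != '/')
        return 0;
    return stat(path, &st) == 0 && S_ISREG(st.st_mode);
}

/* Hypothetical resolution order following the e-mail's suggestion: an
 * environment variable set by whoever starts the process wins over the
 * (shareable) profile preference; if neither passes, return NULL and the
 * caller leaves the Snort integration disabled. WIRESHARK_SNORT_BINARY
 * is an assumed name, not an existing Wireshark setting. */
const char *resolve_snort_binary(const char *pref_value)
{
    const char *env = getenv("WIRESHARK_SNORT_BINARY");

    if (env != NULL && snort_binary_allowed(env))
        return env;
    if (pref_value != NULL && snort_binary_allowed(pref_value))
        return pref_value;
    return NULL;
}

/* Demo helper: create an executable file named "snort" in the current
 * directory and write its absolute path into out. Returns 0 on success. */
int demo_create_fake_snort(char *out, size_t outlen)
{
    FILE *f;

    if (getcwd(out, outlen) == NULL)
        return -1;
    if (strlen(out) + sizeof("/snort") > outlen)
        return -1;
    strcat(out, "/snort");
    f = fopen(out, "w");
    if (f == NULL)
        return -1;
    fputs("#!/bin/sh\nexit 0\n", f);
    fclose(f);
    return chmod(out, 0755);
}

int main(void)
{
    char path[4096];
    const char *chosen;

    printf("/bin/sh allowed as snort.binary: %d\n", snort_binary_allowed("/bin/sh"));
    printf("shell loop allowed as snort.config: %d\n",
           snort_config_allowed("while :;do :;done"));
    if (demo_create_fake_snort(path, sizeof path) == 0) {
        printf("%s allowed: %d\n", path, snort_binary_allowed(path));
        unlink(path);
    }
    chosen = resolve_snort_binary("/bin/sh");
    printf("resolved binary: %s\n", chosen ? chosen : "(none, integration disabled)");
    return 0;
}
```

The basename rule is deliberately crude; a real deployment would more likely pin the binary to a build-time or administrator-controlled location, but the point is that a value which can be changed from a profile file should never be able to select which program gets executed.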