WBXML dissector inf loop - 100% cpu - denial of service
Summary
It is possible to drive the WBXML dissector into an infinite loop with a specially crafted WBXML packet, because of an integer overflow in the part of the dissector that parses WBXML OPAQUE (0xc3) data. Dissecting the packet consumes 100% of a CPU core, which leads to a denial of service via packet injection or a crafted capture file.
The issue resides in the WBXML OPAQUE (0xc3) parsing and is caused by an integer overflow: a guint32 length is read from the packet and added to a guint32 offset. If the result overflows, the offset wraps around ("goes back") and the dissector keeps reading the same part of the packet over and over again.
In parse_wbxml_tag_defined, see the parsing of 0xc3:
--> off += 1 + len;
A simple solution would be to limit len to 0x7fffffff - 1.
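The wraparound described above, as an added illustration that is not code from Wireshark's dissector: a simplified walk over consecutive OPAQUE items with a 32-bit offset, next to the same walk with the next offset computed in 64 bits and bounds-checked before it is used (the report's own proposal is to cap len instead). The mb_u_int32 decoder, the walk loop and the two byte sequences are constructed for this example and are not taken from the attached pcap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define WBXML_OPAQUE 0xc3

/* Decode a WBXML mb_u_int32: big-endian base-128, bit 7 = "more bytes".
 * Returns false if the value runs off the buffer or exceeds 5 bytes. */
static bool read_mb_u_int32(const uint8_t *buf, size_t buf_len, size_t off,
                            uint32_t *val, size_t *used)
{
    uint32_t v = 0;
    for (size_t i = 0; i < 5 && off + i < buf_len; i++) {
        v = (v << 7) | (buf[off + i] & 0x7f);
        if (!(buf[off + i] & 0x80)) { *val = v; *used = i + 1; return true; }
    }
    return false;
}

/* Walk consecutive OPAQUE items with a 32-bit offset, the shape of the loop
 * in the report (off += 1 + len). With hardened == false the addition can
 * wrap and the walk revisits bytes it has already parsed; with hardened ==
 * true the next offset is computed in 64 bits and bounds-checked first.
 * Returns items parsed, -1 if the iteration cap was hit (runaway loop),
 * -2 if the hardened check rejected a length. */
static int walk_opaque(const uint8_t *buf, size_t buf_len, bool hardened,
                       unsigned cap)
{
    uint32_t off = 0;
    int items = 0;
    while (off < buf_len) {
        if (cap-- == 0) return -1;                 /* would spin forever */
        if (buf[off] != WBXML_OPAQUE) break;
        uint32_t len; size_t used;
        if (!read_mb_u_int32(buf, buf_len, off + 1, &len, &used)) break;
        if (hardened) {
            uint64_t next = (uint64_t)off + 1 + used + len;
            if (next > buf_len) return -2;         /* would wrap or overrun */
        }
        off += 1 + (uint32_t)used + len;           /* token + length + data */
        items++;
    }
    return items;
}

/* Constructed inputs (not from the report's pcap). */
static const uint8_t benign[] = { 0xc3, 0x03, 'a', 'b', 'c', 0xc3, 0x00 };
/* len decodes to 0xFFFFFFFA, so 0 + 1 + 5 + len wraps the 32-bit offset to 0. */
static const uint8_t wrapping[] = { 0xc3, 0x8f, 0xff, 0xff, 0xff, 0x7a, 0, 0 };

int walk_benign(bool h)   { return walk_opaque(benign, sizeof benign, h, 1000); }
int walk_wrapping(bool h) { return walk_opaque(wrapping, sizeof wrapping, h, 1000); }
```

The unchecked walk parses the benign buffer normally but never terminates on the wrapping one (it is cut off by the cap); the hardened walk rejects the oversized length before the offset is touched.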
Steps to reproduce
Open the provided capture poc_wbxml_udp_dos.pcap in Wireshark or TShark.
Sample capture file
Attached poc_wbxml_udp_dos.pcap
Build information
TShark (Wireshark) 3.7.0 (v3.7.0rc0-844-g14a1dfbe1083)