Heap Buffer Overflow in nstrace_read_v10 Function
Description
A heap buffer overflow vulnerability has been discovered in Wireshark's nstrace_read_v10 function. This vulnerability may allow an attacker to execute arbitrary code, or cause a denial of service by crashing the application.
Tested on: Ubuntu 22.04.2 LTS
Details
The offending code resides in the pint.h and netscaler.c files of the Wireshark application. The faulty logic in netscaler.c appears to be due to improper bounds checking before using the pletoh16 function on fp->nsprRecordSize (netscaler.c:1220). The pletoh16 function defined in pint.h attempts to read 16 bits of data from the pointer p passed to it (pint.h:91). However, if the pointer p is too close to the end of the allocated heap buffer, reading 16 bits of data can cross the boundary of the allocated buffer. This is precisely what occurs here: fp->nsprRecordSize is located only one byte away from the end of an 8192-byte allocated heap buffer, so a heap buffer overflow occurs when pletoh16 attempts to read two bytes from fp->nsprRecordSize.
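As an added illustration of the missing check, not code from Wireshark: a constructed record walker over an 8192-byte page laid out so that the next record header starts on the final byte, the same shape as the report. The 2-byte header layout, le16_at (a local stand-in for pletoh16) and the record sizes are assumptions for the example, not the real nspr format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAGE_LEN 8192u  /* the 8192-byte heap buffer from the ASan report */
#define HDR_LEN  2u     /* constructed header: 2-byte little-endian record length */
/* Same semantics as pletoh16 in wsutil/pint.h, reimplemented locally so the
 * example is self-contained. */
static uint16_t le16_at(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Bounds-checked accessor: the check whose absence lets a 2-byte read start
 * on the last byte of the buffer. Fails if fewer than HDR_LEN bytes remain. */
static bool read_record_size(const uint8_t *buf, size_t buf_len,
                             size_t rec_off, uint16_t *size_out)
{
    if (rec_off > buf_len || buf_len - rec_off < HDR_LEN) return false;
    *size_out = le16_at(buf + rec_off);
    return true;
}

/* Walks one page; stops cleanly on a truncated or bogus header instead of
 * reading past the buffer. Returns the record count, *stop_off the end offset. */
static int count_records(const uint8_t *page, size_t page_len, size_t *stop_off)
{
    size_t off = 0; int n = 0; uint16_t sz;
    while (off < page_len) {
        if (!read_record_size(page, page_len, off, &sz))
            break;                          /* < 2 bytes left: truncated tail */
        if (sz < HDR_LEN || sz > page_len - off)
            break;                          /* length field does not fit */
        n++;
        off += sz;
    }
    *stop_off = off;
    return n;
}

/* Constructed page with the reported shape: two valid records ending one byte
 * before the end, so a third header would start on the final byte. */
static void build_trigger_page(uint8_t page[PAGE_LEN])
{
    memset(page, 0, PAGE_LEN);
    page[0] = 0xA0;    page[1] = 0x0F;      /* record 1: 0x0FA0 = 4000 bytes */
    page[4000] = 0x5F; page[4001] = 0x10;   /* record 2: 0x105F = 4191 bytes */
    page[8191] = 0x10;                      /* lone byte of the third header */
}
```

Without the length check in read_record_size, the third iteration would read page[8192], exactly the one-byte-past-the-end access the sanitizer reports.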
Steps to reproduce:
Open the trigger file using a Wireshark binary compiled with the -DENABLE_ASAN option:
$ tshark -r trigger
=================================================================
==528223==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000101100 at pc 0x7fffdfab1bd6 bp 0x7fffffffcd20 sp 0x7fffffffcd10
READ of size 2 at 0x625000101100 thread T0
#0 0x7fffdfab1bd5 in pletoh32 /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wsutil/pint.h:106
#1 0x7fffdfab1bd5 in nstrace_read_v10 /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/netscaler.c:1181
#2 0x7fffdfb34583 in wtap_read /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/wtap.c:1555
#3 0x55555558eb8f in process_cap_file_single_pass /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:3534
#4 0x55555558eb8f in process_cap_file /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:3746
#5 0x55555558eb8f in main /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:2260
#6 0x7fffdf629d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#7 0x7fffdf629e3f in __libc_start_main_impl ../csu/libc-start.c:392
#8 0x555555591754 in _start (/home/htejeda/fuzzing/wireshark/wireshark-4.0.5/build-asan/run/tshark+0x3d754)
0x625000101100 is located 0 bytes to the right of 8192-byte region [0x6250000ff100,0x625000101100)
allocated by thread T0 here:
#0 0x7ffff74b4867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x7fffdfd24738 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5e738)
...
...
I'd also like to request a CVE ID for this vulnerability.
Please let me know if you need any additional information.
Regards,
Huáscar