Heap buffer overflow (out-of-bounds read) in the blf_read_apptextmessage function
Description
A heap buffer overflow has been found in Wireshark's BLF file reader. The blf_read_apptextmessage function (wiretap/blf.c) hands a heap buffer to GLib's g_strsplit_set, and the read past the end of that buffer is reported inside GLib's g_strndup. Opening a crafted BLF file crashes tshark/Wireshark when built with AddressSanitizer. The report below shows an out-of-bounds read, not a write, so the demonstrated impact is a crash (denial of service) when a crafted file is opened; remote code execution is not demonstrated.
Tested on: Ubuntu 22.04.2 LTS
Details
The vulnerability lies within the blf_read_apptextmessage function (wiretap/blf.c), which is used by Wireshark's BLF (Binary Logging Format) file reader. AddressSanitizer (ASAN) and the GDB backtrace show a heap-buffer-overflow when blf_read_apptextmessage calls g_strsplit_set (blf.c:1646) on the text buffer it allocated a few lines earlier (blf.c:1637). g_strsplit_set splits a NUL-terminated string on any of the given delimiter characters and returns a NULL-terminated array of tokens, copying each token with g_strndup.
In the backtrace, g_strsplit_set is called with text and ";" as its arguments. The ASAN report shows a 17-byte read starting at the first byte past a 16-byte calloc'd region, i.e. the tokenizer kept scanning beyond the end of the buffer. This is consistent with the text buffer being allocated with exactly the length taken from the file and never receiving a terminating NUL byte, so the NUL-seeking scan in g_strsplit_set and the strncpy inside g_strndup run into adjacent heap memory. A crafted app-text block in a BLF file therefore causes an out-of-bounds heap read and a crash; the trace shows no out-of-bounds write, so code execution is not demonstrated.
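As an added illustration (not Wireshark or GLib code) of why the trace ends in g_strndup, the following C program parses a record with the same shape: a file-controlled text length followed by that many bytes with no terminator. The record layout, the function names and the sample records are assumptions made for this example. It shows the two defensive measures the ASAN report points at: allocate text_length + 1 zeroed bytes so the buffer is always NUL-terminated, and split on ";" with an explicit length bound instead of scanning for a NUL.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hardened copy of the file-supplied text. The pattern the ASAN report is
 * consistent with (calloc of exactly text_length bytes at blf.c:1637, then a
 * NUL-seeking g_strsplit_set at blf.c:1646) leaves no terminator inside the
 * region; here one extra zeroed byte is the terminator. The cast widens before
 * the +1 so len == UINT32_MAX cannot wrap the allocation size to 0. */
char *copy_text_terminated(const uint8_t *src, uint32_t len)
{
    char *text = calloc((size_t)len + 1, 1);
    if (text != NULL) memcpy(text, src, len);
    return text;
}

void free_tokens(char **tokens)
{
    if (tokens == NULL) return;
    for (size_t i = 0; tokens[i] != NULL; i++) free(tokens[i]);
    free(tokens);
}

/* Split buf[0..len) on delim without reading past len. Like g_strsplit_set,
 * consecutive delimiters yield empty tokens and the result is a
 * NULL-terminated array of heap strings; *count receives the token count. */
char **split_bounded(const uint8_t *buf, size_t len, char delim, size_t *count)
{
    size_t n = 1;
    for (size_t i = 0; i < len; i++) if (buf[i] == (uint8_t)delim) n++;
    char **tokens = calloc(n + 1, sizeof *tokens);
    if (tokens == NULL) return NULL;

    size_t t = 0, start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && buf[i] != (uint8_t)delim) continue;
        size_t tlen = i - start;               /* token is buf[start..i) */
        tokens[t] = malloc(tlen + 1);
        if (tokens[t] == NULL) { free_tokens(tokens); return NULL; }
        memcpy(tokens[t], buf + start, tlen);
        tokens[t][tlen] = '\0';
        t++;
        start = i + 1;
    }
    *count = t;
    return tokens;
}

/* Parse one app-text record. Assumed layout for this example, not the real
 * BLF header: 4-byte little-endian text_length, then text_length bytes with
 * no terminator. Returns 0 on success, -1 if the length field claims more
 * than the record holds or an allocation fails. */
int parse_apptext(const uint8_t *data, size_t data_len, char ***tokens, size_t *count)
{
    if (data_len < 4) return -1;
    uint32_t text_length = (uint32_t)data[0] | (uint32_t)data[1] << 8 |
                           (uint32_t)data[2] << 16 | (uint32_t)data[3] << 24;
    if (text_length > data_len - 4) return -1;  /* length field lies */
    char *text = copy_text_terminated(data + 4, text_length);
    if (text == NULL) return -1;
    /* Bound the split by text_length rather than by the terminator: a NUL
     * embedded in the file data then cannot hide the bytes after it. */
    *tokens = split_bounded((const uint8_t *)text, text_length, ';', count);
    free(text);
    return *tokens != NULL ? 0 : -1;
}

/* Constructed sample records (not taken from the trigger file). SAMPLE_OK
 * mirrors the 16-byte region in the report: 16 bytes of text, no terminator. */
static const uint8_t SAMPLE_OK[] = { 16, 0, 0, 0,
    'c', 'h', 'a', 'n', '1', ';', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' };
static const uint8_t SAMPLE_EMPTY_FIELDS[] = { 4, 0, 0, 0, 'a', ';', ';', 'b' };
static const uint8_t SAMPLE_LIES[] = { 32, 0, 0, 0,   /* claims 32 bytes, has 16 */
    '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };

/* Token count of a record, or -1 if the record is rejected. */
int sample_token_count(const uint8_t *data, size_t len)
{
    char **tokens; size_t count;
    if (parse_apptext(data, len, &tokens, &count) != 0) return -1;
    free_tokens(tokens);
    return (int)count;
}

/* 1 if token idx of the record equals expect, else 0. */
int sample_token_equals(const uint8_t *data, size_t len, size_t idx, const char *expect)
{
    char **tokens; size_t count;
    if (parse_apptext(data, len, &tokens, &count) != 0) return 0;
    int ok = idx < count && strcmp(tokens[idx], expect) == 0;
    free_tokens(tokens);
    return ok;
}

int main(void)
{
    char **tokens; size_t count;
    if (parse_apptext(SAMPLE_OK, sizeof SAMPLE_OK, &tokens, &count) != 0) return 1;
    for (size_t i = 0; i < count; i++) printf("token[%zu] = \"%s\"\n", i, tokens[i]);
    free_tokens(tokens);
    return 0;
}
```

Dropping the +1 in copy_text_terminated and replacing split_bounded with a strlen-based scan reproduces the same class of heap-buffer-overflow READ under -fsanitize=address, which is why both the terminator and the explicit length bound are worth keeping: the first protects any NUL-seeking GLib call the buffer is later passed to, the second keeps the tokenizer honest even if a file embeds a NUL inside the text.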
Steps to reproduce:
Open the trigger file with a tshark binary built with AddressSanitizer enabled (cmake -DENABLE_ASAN=ON):
$ tshark -r trigger
=================================================================
==147490==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000311440 at pc 0x7ffff745be47 bp 0x7fffffffc730 sp 0x7fffffffbed8
READ of size 17 at 0x602000311440 thread T0
#0 0x7ffff745be46 in __interceptor_strncpy ../../../../src/libsanitizer/asan/asan_interceptors.cpp:484
#1 0x7fffdfd3982b in g_strndup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x7382b)
#2 0x7fffdfd3daba in g_strsplit_set (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x77aba)
#3 0x7fffdfa5933f in blf_read_apptextmessage /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/blf.c:1646
#4 0x7fffdfa5933f in blf_read_block /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/blf.c:1820
#5 0x7fffdfa5a79f in blf_read /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/blf.c:1846
#6 0x7fffdfb34583 in wtap_read /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/wtap.c:1555
#7 0x55555558eb8f in process_cap_file_single_pass /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:3534
#8 0x55555558eb8f in process_cap_file /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:3746
#9 0x55555558eb8f in main /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:2260
#10 0x7fffdf629d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#11 0x7fffdf629e3f in __libc_start_main_impl ../csu/libc-start.c:392
#12 0x555555591754 in _start (/home/htejeda/fuzzing/wireshark/wireshark-4.0.5/build-asan/run/tshark+0x3d754)
0x602000311440 is located 0 bytes to the right of 16-byte region [0x602000311430,0x602000311440)
allocated by thread T0 here:
#0 0x7ffff74b4a37 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x7fffdfa592c2 in blf_read_apptextmessage /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/blf.c:1637
#2 0x7fffdfa592c2 in blf_read_block /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/blf.c:1820
#3 0x7fffffffdd2f ([stack]+0x1fd2f)
...
...
I'd also like to request a CVE ID for this vulnerability.
Please let me know if you need any additional information.
Regards,
Huáscar