NetScreen File Parsing Heap-based Buffer Overflow
Trend Micro's Zero Day Initiative reported the following:
ZDI-CAN-22164: Wireshark NetScreen File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
-- CVSS -----------------------------------------
7.8: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
-- ABSTRACT -------------------------------------
Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products: Wireshark - Wireshark
-- VULNERABILITY DETAILS ------------------------
- Version tested: 4.0.8
- Installer file: Wireshark-win64-4.0.8.exe
- Platform tested: Windows 22H2 (build 22621.2283)
Analysis
The vulnerability is in the `netscreen` packet capture parser (wiretap/netscreen.c) and is triggered when a victim opens a capture file of type `netscreen`. The call chain is
`cf_read -> wtap_read -> netscreen_read`.
`cf_read` reads the file once it has been opened, and `wtap_read` dispatches to the `netscreen` parsing functions. The vulnerable code is in `parse_netscreen_packet`, which is called for every netscreen packet in the file.
It first reads the line carrying the packet's metadata from the file:
    if (sscanf(line, "%9d.%9d: %15[a-z0-9/:.-](%1[io]) len=%9d:%12s->%12s/",
               &sec, &dsec, cap_int, direction, &pkt_len, cap_src, cap_dst) < 5) {
        *err = WTAP_ERR_BAD_FILE;
        *err_info = g_strdup("netscreen: Can't parse packet-header");
        return -1;
    }
Here `pkt_len` is taken straight from the header line; this value matters later. The packet buffer is then grown to `pkt_len` bytes and `pd` points at its start:
    ws_buffer_assure_space(buf, pkt_len);
    pd = ws_buffer_start_ptr(buf);
A loop then reads the packet's hex-dump lines one by one until the end of the packet, calling `parse_single_hex_dump_line` on each iteration:
    n = parse_single_hex_dump_line(p, pd, offset);
`parse_single_hex_dump_line` extracts up to 16 hex-encoded bytes from the line and stores them in the buffer:
    buf[byte_offset + num_items_scanned] = byte;
`byte_offset` is the running `offset` passed in by the caller, and `num_items_scanned` indexes the bytes found on the line, from 0 up to 15.
The problem is that the parser has no proper bounds check: the only check is at the end of the loop, after the line has already been copied, where it tests whether `offset` has gone past `pkt_len`:
    if (offset > pkt_len) {
        *err = WTAP_ERR_BAD_FILE;
        *err_info = g_strdup("netscreen: too much hex-data");
        return FALSE;
    }
but `parse_single_hex_dump_line` copies up to 16 bytes without any bounds check of its own. Consider what happens when it is called with
`offset == 2047`
`line == 00 11 22 33 44 55 66 77`
and a 2048-byte buffer (the `pkt_len` these numbers imply): the first byte lands in `buf[2047]`, and every byte from index 1 onward is written past the end of the `buf` allocation. The `offset > pkt_len` check runs only after the copy, so it reports "too much hex-data" when the heap has already been corrupted.
The POC sets the offset to 2047 and supplies a line of 16 bytes, which writes 15 bytes beyond the buffer and triggers the overflow.
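To make the two write patterns concrete, here is an added C model of the hex-dump loop (example code written for this page, not Wireshark's own source): `scan_hex_line` mirrors the 16-token sscanf shape of `parse_single_hex_dump_line`, `overflow_bytes` computes how many bytes the unchecked copy would land past a `pkt_len`-byte buffer without performing the write, and `parse_hexdump_checked` is the bounded form that refuses a line before copying it. The function names and the sample dump lines are constructed; the 2048-byte buffer is the size the report's offset 2047 example implies.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Wireshark's code: a model of the per-line hex-dump copy
 * in wiretap/netscreen.c, showing the unchecked write beside a bounded one.
 * scan_hex_line, overflow_bytes and parse_hexdump_checked are invented names. */

#define HEX_PER_LINE 16   /* one netscreen hex-dump line carries at most 16 bytes */

/* Scan up to 16 "xx" tokens from one dump line into scratch[] and return how
 * many were found. Same sscanf shape as the parser, but the destination is a
 * fixed 16-byte scratch array, so scanning alone can never overflow. */
static int scan_hex_line(const char *line, uint8_t scratch[HEX_PER_LINE])
{
    unsigned int b[HEX_PER_LINE];
    int n = sscanf(line,
                   "%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x",
                   &b[0], &b[1], &b[2], &b[3], &b[4], &b[5], &b[6], &b[7],
                   &b[8], &b[9], &b[10], &b[11], &b[12], &b[13], &b[14], &b[15]);
    if (n < 0)
        n = 0;  /* EOF on an empty line: no bytes on it */
    for (int i = 0; i < n; i++)
        scratch[i] = (uint8_t)b[i];
    return n;
}

/* Dry run of the vulnerable shape. The original copies scratch[0..n-1] to
 * buf[offset..offset+n-1] and only afterwards tests `offset > pkt_len`, so the
 * bytes at indices >= pkt_len are written out of bounds. This returns that
 * count without touching any buffer. */
size_t overflow_bytes(size_t offset, const char *line, size_t pkt_len)
{
    uint8_t scratch[HEX_PER_LINE];
    size_t n = (size_t)scan_hex_line(line, scratch);
    return (offset + n > pkt_len) ? offset + n - pkt_len : 0;
}

/* Hardened loop: check that the whole line fits before copying a byte.
 * Returns the number of packet bytes placed in buf (capacity pkt_len), or -1
 * for the "too much hex-data" case. A line with no hex tokens ends the packet. */
long parse_hexdump_checked(const char *const *lines, size_t nlines,
                           uint8_t *buf, size_t pkt_len)
{
    size_t offset = 0;
    for (size_t i = 0; i < nlines; i++) {
        uint8_t scratch[HEX_PER_LINE];
        size_t n = (size_t)scan_hex_line(lines[i], scratch);
        if (n == 0)
            break;
        if (n > pkt_len - offset)   /* offset <= pkt_len always holds here */
            return -1;
        memcpy(buf + offset, scratch, n);
        offset += n;
    }
    return (long)offset;
}

int main(void)
{
    /* Constructed inputs: the report's offset 2047 with an 8-byte and a 16-byte line. */
    const char *short_line = "00 11 22 33 44 55 66 77";
    const char *full_line  = "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff";
    printf("8-byte line at 2047 into 2048: %zu bytes out of bounds\n",
           overflow_bytes(2047, short_line, 2048));
    printf("16-byte line at 2047 into 2048: %zu bytes out of bounds\n",
           overflow_bytes(2047, full_line, 2048));

    /* Constructed 20-byte packet: one full line, one 4-byte line, blank terminator. */
    const char *ok[] = { "45 00 00 3c 1c 46 40 00 40 06 b1 e6 c0 a8 00 68",
                         "c0 a8 00 01", "" };
    uint8_t buf[20];
    printf("checked parse of 20 bytes into 20: %ld\n",
           parse_hexdump_checked(ok, 3, buf, sizeof buf));
    /* Same packet declared with len=19: the second line no longer fits. */
    printf("checked parse of 20 bytes into 19: %ld\n",
           parse_hexdump_checked(ok, 3, buf, 19));
    return 0;
}
```

Compile with `cc -std=c99 -Wall example.c` and run: for the report's 8-byte line at offset 2047 the dry run reports 7 bytes out of bounds and for the 16-byte line 15, while the checked parser returns -1 as soon as a line would not fit instead of copying first and checking afterwards.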
Debug
Turn on full page heap for Wireshark.exe (GlobalFlag 0x02000000 is FLG_HEAP_PAGE_ALLOCS, the same setting `gflags.exe /p /enable Wireshark.exe /full` applies):
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wireshark.exe" /v "GlobalFlag" /t REG_SZ /d "0x02000000" /f
Then open the POC capture in Wireshark under WinDbg. Page heap places a guard page directly after each allocation, so the first out-of-bounds byte faults, which is why the write below hits a page-aligned address:
0:000> .exr -1
ExceptionAddress: 00007ffd22c76577 (libwiretap+0x0000000000026577)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 000001ec28373000
Attempt to write to address 000001ec28373000
0:000> k
# Child-SP RetAddr Call Site
00 000000d7`7f8f9ef8 00007ffd`22c763a2 libwiretap+0x26577
01 000000d7`7f8f9f00 00007ffd`22c75fb8 libwiretap+0x263a2
02 000000d7`7f8fa000 00007ffd`22c9d09f libwiretap+0x25fb8
03 000000d7`7f8fa100 00007ff6`5d026f01 libwiretap!wtap_read+0x4f
04 000000d7`7f8fa150 00007ff6`5d1e0518 Wireshark+0x6f01
05 000000d7`7f8fa710 00007ff6`5d1bb1a7 Wireshark+0x1c0518
06 000000d7`7f8fa880 00007ff6`5d315920 Wireshark+0x19b1a7
07 000000d7`7f8fa8e0 00007ffc`e1761da7 Wireshark+0x2f5920
08 000000d7`7f8fa960 00007ff6`5d33f803 Qt5Core!QObject::qt_static_metacall+0x1467
09 000000d7`7f8faab0 00007ff6`5d1a890d Wireshark+0x31f803
0a 000000d7`7f8faaf0 00007ffc`e1761da7 Wireshark+0x18890d
0b 000000d7`7f8fab30 00007ffc`e246a0fb Qt5Core!QObject::qt_static_metacall+0x1467
0c 000000d7`7f8fac80 00007ffc`e1761da7 Qt5Widgets!QListWidget::qt_static_metacall+0x3cb
0d 000000d7`7f8face0 00007ffc`e242b4ca Qt5Core!QObject::qt_static_metacall+0x1467
0e 000000d7`7f8fae30 00007ffc`e24315f6 Qt5Widgets!QAbstractItemView::activated+0x2a
0f 000000d7`7f8fae70 00007ffc`e22379c8 Qt5Widgets!QAbstractItemView::mouseDoubleClickEvent+0x166
10 000000d7`7f8fafb0 00007ffc`e22d8ee0 Qt5Widgets!QWidget::event+0x148
11 000000d7`7f8fb040 00007ffc`e2438378 Qt5Widgets!QFrame::event+0x30
12 000000d7`7f8fb070 00007ffc`e1744b5a Qt5Widgets!QAbstractItemView::viewportEvent+0x308
13 000000d7`7f8fb1c0 00007ffc`e221497c Qt5Core!QCoreApplicationPrivate::sendThroughObjectEventFilters+0xda
14 000000d7`7f8fb220 00007ffc`e22128b0 Qt5Widgets!QApplicationPrivate::notify_helper+0xfc
15 000000d7`7f8fb250 00007ffc`e1742aca Qt5Widgets!QApplication::notify+0x750
16 000000d7`7f8fb790 00007ffc`e2215b95 Qt5Core!QCoreApplication::notifyInternal2+0xba
17 000000d7`7f8fb800 00007ffc`e226040a Qt5Widgets!QApplicationPrivate::sendMouseEvent+0x3c5
18 000000d7`7f8fb8c0 00007ffc`e225e38e Qt5Widgets!QSizePolicy::QSizePolicy+0x2d3a
19 000000d7`7f8fbc50 00007ffc`e2214990 Qt5Widgets!QSizePolicy::QSizePolicy+0xcbe
1a 000000d7`7f8fbd20 00007ffc`e2213a13 Qt5Widgets!QApplicationPrivate::notify_helper+0x110
1b 000000d7`7f8fbd50 00007ffc`e1742aca Qt5Widgets!QApplication::notify+0x18b3
1c 000000d7`7f8fc290 00007ffc`e1b83896 Qt5Core!QCoreApplication::notifyInternal2+0xba
1d 000000d7`7f8fc300 00007ffc`e1b6ecb0 Qt5Gui!QGuiApplicationPrivate::processMouseEvent+0xf16
1e 000000d7`7f8fc7b0 00007ffc`e178ba5a Qt5Gui!QWindowSystemInterface::sendWindowSystemEvents+0x90
1f 000000d7`7f8fc7e0 00007ffc`e0c32dd9 Qt5Core!QEventDispatcherWin32::processEvents+0x6a
20 000000d7`7f8ff910 00007ffc`e173ef2c qwindows!qt_plugin_query_metadata+0x1f99
21 000000d7`7f8ff940 00007ffc`e1741a94 Qt5Core!QEventLoop::exec+0x1bc
22 000000d7`7f8ff9a0 00007ff6`5d103c0f Qt5Core!QCoreApplication::exec+0x154
23 000000d7`7f8ffa00 00007ff6`5d3877c7 Wireshark+0xe3c0f
24 000000d7`7f8ffbf0 00007ff6`5d381276 Wireshark+0x3677c7
25 000000d7`7f8ffc80 00007ffd`ae2e257d Wireshark+0x361276
26 000000d7`7f8ffcc0 00007ffd`af32aa68 KERNEL32!BaseThreadInitThunk+0x1d
27 000000d7`7f8ffcf0 00000000`00000000 ntdll!RtlUserThreadStart+0x28
-- CREDIT ---------------------------------------
This vulnerability was discovered by: Anonymous working with Trend Micro Zero Day Initiative
-- FURTHER DETAILS ------------------------------
Supporting files:
If supporting files were included with this report, they are provided within a password-protected ZIP file. The password is the ZDI candidate number in the form ZDI-CAN-XXXX, where XXXX is the ID number.
Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:
Zero Day Initiative zdi-disclosures@trendmicro.com
The PGP key used for all ZDI vendor communications is available from:
http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc
-- INFORMATION ABOUT THE ZDI --------------------
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.
Please contact us for further details or refer to:
http://www.zerodayinitiative.com
-- DISCLOSURE POLICY ----------------------------
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/