0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Wireshark infer_pkt_encap - Heap Based Out-of-Bounds Read
Author
Risk
[
Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
Source: https://code.google.com/p/google-security-research/issues/detail?id=658 The following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"): --- cut --- ==6473==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001335c at pc 0x7f391e585d1e bp 0x7ffc0ff625c0 sp 0x7ffc0ff625b8 READ of size 1 at 0x61b00001335c thread T0 #0 0x7f391e585d1d in infer_pkt_encap wireshark/wiretap/ngsniffer.c:1767:27 #1 0x7f391e582ac7 in fix_pseudo_header wireshark/wiretap/ngsniffer.c:1805:11 #2 0x7f391e57d07e in ngsniffer_process_record wireshark/wiretap/ngsniffer.c:1299:20 #3 0x7f391e576418 in ngsniffer_read wireshark/wiretap/ngsniffer.c:1034:9 #4 0x7f391e62429b in wtap_read wireshark/wiretap/wtap.c:1309:7 #5 0x51f7ea in load_cap_file wireshark/tshark.c:3479:12 #6 0x515daf in main wireshark/tshark.c:2197:13 0x61b00001335c is located 0 bytes to the right of 1500-byte region [0x61b000012d80,0x61b00001335c) allocated by thread T0 here: #0 0x4c0bc8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40 #1 0x7f390a251610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610) #2 0x7f391e48d0e5 in wtap_open_offline wireshark/wiretap/file_access.c:1105:2 #3 0x51bd1d in cf_open wireshark/tshark.c:4195:9 #4 0x51584e in main wireshark/tshark.c:2188:9 SUMMARY: AddressSanitizer: heap-buffer-overflow wireshark/wiretap/ngsniffer.c:1767:27 in infer_pkt_encap Shadow bytes around the buggy address: 0x0c367fffa610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c367fffa620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c367fffa630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c367fffa640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c367fffa650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c367fffa660: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa 0x0c367fffa670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c367fffa680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c367fffa690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c367fffa6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c367fffa6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==6473==ABORTING --- cut --- The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11827. Attached are two files which trigger the crash. Proof of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39076.zip # 0day.today [2024-12-25] #