Menu

Search for hundreds of thousands of exploits

"Wireshark - 'get_t61_string' Heap Out-of-Bounds Read"

Author

Exploit author

"Google Security Research"

Platform

Exploit platform

multiple

Release date

Exploit published date

2019-01-08

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of Wireshark, by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file").

--- cut ---
=================================================================
==16936==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000a74da at pc 0x7fb5355e214a bp 0x7ffd922f8f00 sp 0x7ffd922f8ef8
READ of size 1 at 0x6020000a74da thread T0
    #0 0x7fb5355e2149 in get_t61_string wireshark/epan/charsets.c:1379:19
    #1 0x7fb5353367ab in dissect_rtse_T_t61String wireshark/./asn1/rtse/rtse.cnf:122:58
    #2 0x7fb533688315 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2941:21
    #3 0x7fb535336534 in dissect_rtse_CallingSSuserReference wireshark/./asn1/rtse/rtse.cnf:163:12
    #4 0x7fb53368462c in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2425:17
    #5 0x7fb535336267 in dissect_rtse_SessionConnectionIdentifier wireshark/./asn1/rtse/rtse.cnf:111:14
    #6 0x7fb533688315 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2941:21
    #7 0x7fb535335f54 in dissect_rtse_ConnectionData wireshark/./asn1/rtse/rtse.cnf:135:12
    #8 0x7fb533686770 in dissect_ber_set wireshark/epan/dissectors/packet-ber.c:2691:25
    #9 0x7fb535334e11 in dissect_rtse_RTORQapdu wireshark/./asn1/rtse/rtse.cnf:46:14
    #10 0x7fb533686770 in dissect_ber_set wireshark/epan/dissectors/packet-ber.c:2691:25
    #11 0x7fb535153f08 in dissect_ppdu wireshark/./asn1/pres/pres.cnf
    #12 0x7fb535153f08 in dissect_pres wireshark/./asn1/pres/packet-pres-template.c:327
    #13 0x7fb535640be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
    #14 0x7fb535640be0 in call_dissector_work wireshark/epan/packet.c:791
    #15 0x7fb53563ccb8 in call_dissector_only wireshark/epan/packet.c:3141:8
    #16 0x7fb53563ccb8 in call_dissector_with_data wireshark/epan/packet.c:3154
    #17 0x7fb5345f85be in call_pres_dissector wireshark/epan/dissectors/packet-ses.c:349:3
    #18 0x7fb5345f85be in dissect_parameter wireshark/epan/dissectors/packet-ses.c:662
    #19 0x7fb5345f7352 in dissect_parameters wireshark/epan/dissectors/packet-ses.c:862:10
    #20 0x7fb5345f7352 in dissect_spdu wireshark/epan/dissectors/packet-ses.c:972
    #21 0x7fb5345f61d5 in dissect_ses wireshark/epan/dissectors/packet-ses.c:1068:12
    #22 0x7fb5345f65b4 in dissect_ses_heur wireshark/epan/dissectors/packet-ses.c:1136:2
    #23 0x7fb535647a43 in dissector_try_heuristic wireshark/epan/packet.c:2750:9
    #24 0x7fb53434b3ed in ositp_decode_DT wireshark/epan/dissectors/packet-ositp.c:1150:9
    #25 0x7fb53434b3ed in dissect_ositp_internal wireshark/epan/dissectors/packet-ositp.c:2111
    #26 0x7fb535640be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
    #27 0x7fb535640be0 in call_dissector_work wireshark/epan/packet.c:791
    #28 0x7fb53563ccb8 in call_dissector_only wireshark/epan/packet.c:3141:8
    #29 0x7fb53563ccb8 in call_dissector_with_data wireshark/epan/packet.c:3154
    #30 0x7fb53388cd21 in dissect_clnp wireshark/epan/dissectors/packet-clnp.c:237:9
    #31 0x7fb535640be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
    #32 0x7fb535640be0 in call_dissector_work wireshark/epan/packet.c:791
    #33 0x7fb535641289 in dissector_try_uint_new wireshark/epan/packet.c:1383:8
    #34 0x7fb535641289 in dissector_try_uint wireshark/epan/packet.c:1407
    #35 0x7fb534347d07 in dissect_osi wireshark/epan/dissectors/packet-osi.c:451:7
    #36 0x7fb535640be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
    #37 0x7fb535640be0 in call_dissector_work wireshark/epan/packet.c:791
    #38 0x7fb535641289 in dissector_try_uint_new wireshark/epan/packet.c:1383:8
    #39 0x7fb535641289 in dissector_try_uint wireshark/epan/packet.c:1407
    #40 0x7fb5343f2637 in dissect_ppp_common wireshark/epan/dissectors/packet-ppp.c:4788:10
    #41 0x7fb5343df7a4 in dissect_ppp_hdlc wireshark/epan/dissectors/packet-ppp.c:5848:5
    #42 0x7fb535640be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
    #43 0x7fb535640be0 in call_dissector_work wireshark/epan/packet.c:791
    #44 0x7fb535640610 in dissector_try_uint_new wireshark/epan/packet.c:1383:8
    #45 0x7fb533bc1a28 in dissect_frame wireshark/epan/dissectors/packet-frame.c:579:11
    #46 0x7fb535640be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
    #47 0x7fb535640be0 in call_dissector_work wireshark/epan/packet.c:791
    #48 0x7fb53563ccb8 in call_dissector_only wireshark/epan/packet.c:3141:8
    #49 0x7fb53563ccb8 in call_dissector_with_data wireshark/epan/packet.c:3154
    #50 0x7fb53563c1ee in dissect_record wireshark/epan/packet.c:580:3
    #51 0x7fb53561f068 in epan_dissect_run_with_taps wireshark/epan/epan.c:547:2
    #52 0x55e97abc7917 in process_packet_single_pass wireshark/tshark.c:3572:5
    #53 0x55e97abc2d12 in process_cap_file wireshark/tshark.c:3403:11
    #54 0x55e97abc2d12 in real_main wireshark/tshark.c:2046
    #55 0x7fb5291612b0 in __libc_start_main
    #56 0x55e97aac4a49 in _start

0x6020000a74da is located 0 bytes to the right of 10-byte region [0x6020000a74d0,0x6020000a74da)
allocated by thread T0 here:
    #0 0x55e97ab7a0c0 in malloc
    #1 0x7fb529d71588 in g_malloc

SUMMARY: AddressSanitizer: heap-buffer-overflow wireshark/epan/charsets.c:1379:19 in get_t61_string
Shadow bytes around the buggy address:
  0x0c048000ce40: fa fa 00 01 fa fa 07 fa fa fa 05 fa fa fa 00 00
  0x0c048000ce50: fa fa 00 fa fa fa 00 00 fa fa fd fa fa fa fd fa
  0x0c048000ce60: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c048000ce70: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa 00 05
  0x0c048000ce80: fa fa 00 05 fa fa 00 00 fa fa fd fa fa fa 00 00
=>0x0c048000ce90: fa fa fd fa fa fa fd fa fa fa 00[02]fa fa fa fa
  0x0c048000cea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048000ceb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048000cec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048000ced0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c048000cee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16936==ABORTING
--- cut ---

The bug was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15373. Attached are three files which trigger the crash.


Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46096.zip
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Expense Management System - 'description' Stored Cross Site Scripting" webapps multiple "Nikhil Kumar"
2020-12-02 "Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting" webapps multiple "Parshwa Bhavsar"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Under Construction Page with CPanel 1.0 - SQL injection" webapps multiple "Mayur Parmar"
Release Date Title Type Platform Author
2020-02-10 "usersctp - Out-of-Bounds Reads in sctp_load_addresses_from_init" dos linux "Google Security Research"
2020-02-10 "iOS/macOS - Out-of-Bounds Timestamp Write in IOAccelCommandQueue2::processSegmentKernelCommand()" dos multiple "Google Security Research"
2020-01-28 "macOS/iOS ImageIO - Heap Corruption when Processing Malformed TIFF Image" dos multiple "Google Security Research"
2020-01-14 "WeChat - Memory Corruption in CAudioJBM::InputAudioFrameToJBM" dos android "Google Security Research"
2020-01-14 "Android - ashmem Readonly Bypasses via remap_file_pages() and ASHMEM_UNPIN" dos android "Google Security Research"
2019-12-18 "macOS 10.14.6 (18G87) - Kernel Use-After-Free due to Race Condition in wait_for_namespace_event()" dos macos "Google Security Research"
2019-12-16 "Linux 5.3 - Privilege Escalation via io_uring Offload of sendmsg() onto Kernel Thread with Kernel Creds" local linux "Google Security Research"
2019-12-11 "Adobe Acrobat Reader DC - Heap-Based Memory Corruption due to Malformed TTF Font" dos windows "Google Security Research"
2019-11-22 "macOS 10.14.6 - root->kernel Privilege Escalation via update_dyld_shared_cache" local macos "Google Security Research"
2019-11-22 "Internet Explorer - Use-After-Free in JScript Arguments During toJSON Callback" dos windows "Google Security Research"
2019-11-20 "Ubuntu 19.10 - ubuntu-aufs-modified mmap_region() Breaks Refcounting in overlayfs/shiftfs Error Path" dos linux "Google Security Research"
2019-11-20 "Ubuntu 19.10 - Refcount Underflow and Type Confusion in shiftfs" dos linux "Google Security Research"
2019-11-20 "iOS 12.4 - Sandbox Escape due to Integer Overflow in mediaserverd" dos ios "Google Security Research"
2019-11-11 "iMessage - Decoding NSSharedKeyDictionary can read ObjC Object at Attacker Controlled Address" dos multiple "Google Security Research"
2019-11-11 "Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed OTF Font (CFF Table)" dos windows "Google Security Research"
2019-11-11 "Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed JBIG2Globals Stream" dos windows "Google Security Research"
2019-11-05 "macOS XNU - Missing Locking in checkdirs_callback() Enables Race with fchdir_common()" dos macos "Google Security Research"
2019-11-05 "JavaScriptCore - Type Confusion During Bailout when Reconstructing Arguments Objects" dos multiple "Google Security Research"
2019-11-05 "WebKit - Universal XSS in JSObject::putInlineSlow and JSValue::putToPrimitive" dos multiple "Google Security Research"
2019-10-30 "JavaScriptCore - GetterSetter Type Confusion During DFG Compilation" dos multiple "Google Security Research"
2019-10-28 "WebKit - Universal XSS in HTMLFrameElementBase::isURLAllowed" dos multiple "Google Security Research"
2019-10-21 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream (2)" dos windows "Google Security Research"
2019-10-10 "Windows Kernel - win32k.sys TTF Font Processing Pool Corruption in win32k!ulClearTypeFilter" dos windows "Google Security Research"
2019-10-10 "Windows Kernel - NULL Pointer Dereference in nt!MiOffsetToProtos While Parsing Malformed PE File" dos windows "Google Security Research"
2019-10-10 "Windows Kernel - Out-of-Bounds Read in nt!MiParseImageLoadConfig While Parsing Malformed PE File" dos windows "Google Security Research"
2019-10-10 "Windows Kernel - Out-of-Bounds Read in CI!HashKComputeFirstPageHash While Parsing Malformed PE File" dos windows "Google Security Research"
2019-10-10 "Windows Kernel - Out-of-Bounds Read in nt!MiRelocateImage While Parsing Malformed PE File" dos windows "Google Security Research"
2019-10-10 "Windows Kernel - Out-of-Bounds Read in CI!CipFixImageType While Parsing Malformed PE File" dos windows "Google Security Research"
2019-10-09 "XNU - Remote Double-Free via Data Race in IPComp Input Path" dos macos "Google Security Research"
2019-10-04 "Android - Binder Driver Use-After-Free" local android "Google Security Research" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected