Vigil@nce: Wireshark, buffer overflow via dct3trace
February 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can entice a victim into opening a DCT3 capture with
Wireshark in order to trigger a buffer overflow, leading to a
denial of service or to code execution.
– Severity: 1/4
– Creation date: 16/02/2011
IMPACTED PRODUCTS
– Wireshark
DESCRIPTION OF THE VULNERABILITY
Nokia mobile phones generate network capture files in DCT3 format.
Wireshark's wiretap library implements DCT3 support in the
dct3trace.c file.
The dct3trace_seek_read() function of dct3trace.c reads a packet
located at a given offset in the DCT3 file. However, this function
does not check the size of the packet before copying it into an
array of size MAX_PACKET_LEN.
An attacker can therefore entice a victim into opening a DCT3
capture with Wireshark in order to trigger a buffer overflow,
leading to a denial of service or to code execution.
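The missing size check described above, as an added example that is
not Wireshark's code and not part of the original bulletin: a
seek-read routine copying a length-prefixed record into an array of
size MAX_PACKET_LEN, first unchecked and then with bounds checks. The
record layout, the value of MAX_PACKET_LEN and all function names are
assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added illustration, not Wireshark's dct3trace.c. The record layout (2-byte
 * big-endian length, then payload), the value of MAX_PACKET_LEN and all
 * function names are assumptions made for this example. */
#define MAX_PACKET_LEN 32
enum { READ_OK = 0, READ_BAD_OFFSET = -1, READ_TOO_LARGE = -2, READ_TRUNCATED = -3 };

/* Unchecked pattern: the length stored in the file is trusted, so a record
 * declaring more than MAX_PACKET_LEN bytes is copied past the end of pd. */
int seek_read_unchecked(const uint8_t *file, size_t off, uint8_t *pd, size_t *out_len)
{
    size_t len = ((size_t)file[off] << 8) | file[off + 1];
    memcpy(pd, file + off + 2, len);   /* no bound on len */
    *out_len = len;
    return READ_OK;
}

/* Checked pattern: validate the offset, then the declared length against the
 * destination array and against the bytes actually left in the file. */
int seek_read_checked(const uint8_t *file, size_t file_len, size_t off,
                      uint8_t pd[MAX_PACKET_LEN], size_t *out_len)
{
    size_t len;
    if (off > file_len || file_len - off < 2)
        return READ_BAD_OFFSET;        /* length header not inside the file */
    len = ((size_t)file[off] << 8) | file[off + 1];
    if (len > MAX_PACKET_LEN)
        return READ_TOO_LARGE;         /* would overflow pd */
    if (len > file_len - off - 2)
        return READ_TRUNCATED;         /* payload runs past end of file */
    memcpy(pd, file + off + 2, len);
    *out_len = len;
    return READ_OK;
}

/* Constructed sample: a valid 3-byte record at offset 0, then a record at
 * offset 5 whose header declares 0x0100 (256) bytes but only 1 follows. */
const uint8_t sample_file[] = { 0x00, 0x03, 0xAA, 0xBB, 0xCC, 0x01, 0x00, 0xDD };

int main(void)
{
    uint8_t pd[MAX_PACKET_LEN];
    size_t n = 0;
    int ok = seek_read_checked(sample_file, sizeof sample_file, 0, pd, &n);
    int bad = seek_read_checked(sample_file, sizeof sample_file, 5, pd, &n);
    return (ok == READ_OK && bad == READ_TOO_LARGE) ? 0 : 1;
}
```

The checked routine rejects the oversized record before any copy takes
place, so the destination array is never written beyond its bounds.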
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Wireshark-buffer-overflow-via-dct3trace-10374