Wireshark vulnerability research #3

Open
HockeyInJune opened this issue Feb 28, 2013 · 3 comments

@HockeyInJune
Collaborator

http://www.wireshark.org/
http://www.wireshark.org/develop.html
http://www.wireshark.org/docs/wsdg_html_chunked/
https://bugs.wireshark.org/bugzilla/
https://bugs.wireshark.org/bugzilla/buglist.cgi?quicksearch=fuzz

Methodology

This methodology assumes you have already completed the Hack Night curriculum.

  • Find a previously patched security vulnerability in the bug tracker.
  • Analyze this vulnerability until you understand it completely. This will help you to start understanding the code base and get you familiar with how this type of bug manifests in the target application.
  • Exploit this vulnerability or continue onto the next step.
  • Choose a method to find new bugs in the target application (also see Finding Bugs below).
  • Report and/or exploit the bug you found in the target application.

Finding Bugs

Remember to always focus on the easiest way to find bugs first. This might change from project to project, but here's a guide.

  • Start with a dumb fuzzer. It's easy to set up and it might find low-hanging fruit.
  • Search for vulnerable API calls, either through source code analysis or reverse engineering.
  • Do an operational review of the target application: find out what libraries it uses and how the application is designed to be used.
  • Figure out how the target application is architected and start learning more about where input enters the program and how input is structured.
  • Once you start learning about how input is structured, you can use a smarter fuzzer, or build your own fuzzer.
  • Keep learning more about the target application to find interesting parts of the program that might have unsafe functionality or hidden bugs.
@moshekaplan

Reported bugs:

@evanpjensen
Member

Reported:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8364 DOS

Denial of service in a dissector that requires no user interaction and affects all recent versions of Wireshark on all tested operating systems and architectures.

@evanpjensen
Member

Wireshark developers don't understand how integers work. Examine all integer comparisons and memory allocating/copying functions. In my experience there is at least one integer bug every ~3K lines in the dissectors.
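The integer-comparison point above, as an added C example that is neither Wireshark code nor the commenter's: a constructed length-prefixed record whose 32-bit bounds check can wrap around, shown beside a check that cannot. The record format, the `HDR_LEN` constant and every function name are assumptions for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record format (not a real protocol): a 4-byte big-endian
 * length field followed by that many payload bytes. */
#define HDR_LEN 4u

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Buggy bounds check: offset + len is computed in 32 bits, so a length
 * near UINT32_MAX wraps the sum to a small value and the test passes. */
int payload_in_bounds_buggy(uint32_t offset, uint32_t len, uint32_t captured)
{
    return offset + len <= captured;
}

/* Fixed bounds check: compare len against the bytes remaining after
 * offset, so no addition can wrap. */
int payload_in_bounds_fixed(uint32_t offset, uint32_t len, uint32_t captured)
{
    return offset <= captured && len <= captured - offset;
}

/* Dissect one record using the supplied bounds check. Returns the payload
 * length copied into out, or -1 if the record is rejected. The out_len
 * guard keeps the demonstration itself memory-safe even with the buggy
 * check; it stands in for the copy a real dissector would perform. */
int dissect_record(const uint8_t *buf, uint32_t captured,
                   int (*in_bounds)(uint32_t, uint32_t, uint32_t),
                   uint8_t *out, uint32_t out_len)
{
    if (captured < HDR_LEN) return -1;
    uint32_t len = read_be32(buf);
    if (!in_bounds(HDR_LEN, len, captured)) return -1;  /* malformed record */
    if (len > out_len) return -1;
    memcpy(out, buf + HDR_LEN, len);
    return (int)len;
}

int main(void)
{
    /* Constructed sample: header claims 0xFFFFFFFC bytes, only 4 follow. */
    const uint8_t rec[8] = {0xFF, 0xFF, 0xFF, 0xFC, 'a', 'b', 'c', 'd'};
    uint32_t len = read_be32(rec);
    printf("buggy check accepts: %d\n", payload_in_bounds_buggy(HDR_LEN, len, 8));
    printf("fixed check accepts: %d\n", payload_in_bounds_fixed(HDR_LEN, len, 8));
    return 0;
}
```

With the buggy check, `HDR_LEN + 0xFFFFFFFC` wraps to 0 and the oversized record is accepted; the fixed check rejects it, while a well-formed record passes both.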
