CVE-2014-2299: Wireshark MPEG file parser buffer overflowwesley
Around the 6th of March 2014 i reported a security issue (CVE-2014-2299) to the developers of Wireshark. I discovered the vulnerability in Wireshark using file fuzzing. The versions 1.10.0 to 1.10.5 and 1.8.0 to 1.8.12 of Wireshark are affected by the vulnerability.
The vulnerability is present in the wiretap/mpeg.c file. The maximum packed size was not checked correctly, so the vulnerability could lead to a Denial of Service (DoS) or arbitrary code execution. The exact modification which is done by the developers of Wireshark to fix the problem, can be found here:
After reporting the issue to the Wireshark team, the developers fixed the issue very quickly and they slowed down the next release of Wireshark, so they could fix the vulnerability first. I’ve send my proof-of-concept samples to Wireshark which trigger the vulnerability, so they could investigate the vulnerability closely. These proof of concepts are written for the Windows XP Service Pack 3 English operating system. The second proof of concept includes ASLR/DEP bypass. The samples can be found here:
Sample 1: https://bugs.wireshark.org/bugzilla/attachment.cgi?id=12607
Sample 2 (ASLR/DEP bypass): https://bugs.wireshark.org/bugzilla/attachment.cgi?id=12608
I wrote the following exploits, in order to generate the proof of concept samples:
Exploit 2 (ASLR/DEP bypass):
Please note: the proof of concept files are starting a bind_tcp shell listener on port 4444.
J0sm1 developed a Metasploit module in order to exploit the vulnerability easily using metasploit: