CVE-2014-2299: Wireshark MPEG file parser buffer overflow

Around the 6th of March 2014 i reported a security issue (CVE-2014-2299) to the developers of Wireshark-logoWireshark. I discovered the vulnerability in Wireshark using file fuzzing. The versions 1.10.0 to 1.10.5 and 1.8.0 to 1.8.12 of Wireshark are affected by the vulnerability.

The vulnerability is present in the wiretap/mpeg.c file. The maximum packed size was not checked correctly, so the vulnerability could lead to a Denial of Service (DoS) or arbitrary code execution. The exact modification which is done by the developers of Wireshark to fix the problem, can be found here:

https://code.wireshark.org/review/#/c/533/2/wiretap/mpeg.c

After reporting the issue to the Wireshark team, the developers fixed the issue very quickly and they slowed down the next release of Wireshark, so they could fix the vulnerability first. I’ve send my proof-of-concept samples to Wireshark which trigger the vulnerability, so they could investigate the vulnerability closely. These proof of concepts are written for the Windows XP Service Pack 3 English operating system. The second proof of concept includes ASLR/DEP bypass. The samples  can be found here:

Sample 1: https://bugs.wireshark.org/bugzilla/attachment.cgi?id=12607
Sample 2 (ASLR/DEP bypass): https://bugs.wireshark.org/bugzilla/attachment.cgi?id=12608

The following exploits i wrote, in order to generate the proof of concept samples:
Exploit 1: exploit.py
Exploit 2 (ASLR/DEP bypass): exploit_DEP.py

Please note: the proof of concept files are starting a bind_tcp shell listener on port 4444.

J0sm1 developed a Metasploit module in order to exploit the vulnerability easily using metasploit:

http://www.rapid7.com/db/modules/exploit/windows/fileformat/wireshark_mpeg_overflow

Leave a Reply

Your email address will not be published. Required fields are marked *