Wireshark gets its wires crossed
The developers of Wireshark have reported a number of vulnerabilities in the popular network protocol analysis tool. Remote attackers can exploit the bugs to cause the software to enter an infinite loop or crash, or possibly to inject arbitrary code. Their security advisory announces a bug-fixed version, but this is not yet available.
Wireshark can be made to crash when analysing crafted MP3 files or NCP, HTTP and RCP packets. Crafted packets can likewise send the analysis modules for DNP, Firebird/Interbase, MEGACO, DCP-ETSI and Bluetooth SDP into infinite loops, causing them to crash or to consume all available system resources. The Wireshark development team has not commented on the effects of buffer overflows in the modules for analysing SSL, ANSI-MAP and PPP traffic and iSeries (OS/400) communications. FrSIRT, however, suspects that attackers can exploit these buffer overflows to compromise vulnerable systems.
Ethereal and Wireshark versions 0.8.16 to 0.99.6(a) are affected. Although the development team has announced an updated version of the application in its security advisory, this is as yet unavailable. It is therefore advisable to disable the affected analysis modules in the Wireshark configuration until version 0.99.7 is released. Pre-release versions, which have not yet been subjected to exhaustive testing and are therefore not marked as stable, have since appeared on the Wireshark server. It is also unclear whether these versions fully fix the bugs. Users choosing to try them thus run the risk that the software may be unstable or may still contain vulnerabilities.
- Multiple problems in Wireshark® (formerly Ethereal®) versions 0.8.16 to 0.99.5, security advisory from the Wireshark development team
- Download pre-release versions of Wireshark