Wireshark - dissect_zcl_pwr_prof_pwrprofstatersp Static Out-of-Bounds Read

EDB-ID:

38995

CVE:

2015-8732

EDB Verified:

Author:

Google Security Research

Type:

dos

Exploit:   /  

Platform:

Multiple

Date:

2015-12-16

Vulnerable App: 
Source: https://code.google.com/p/google-security-research/issues/detail?id=661

The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):

--- cut ---
==7849==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f8e33764094 at pc 0x7f8e29788726 bp 0x7ffe27806640 sp 0x7ffe27806638
READ of size 4 at 0x7f8e33764094 thread T0
    #0 0x7f8e29788725 in dissect_zcl_pwr_prof_pwrprofstatersp wireshark/epan/dissectors/packet-zbee-zcl-general.c:3847:21
    #1 0x7f8e2977f2be in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:3494:21
    #2 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #3 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
    #4 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #5 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #6 0x7f8e297738ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13
    #7 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #8 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
    #9 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #10 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #11 0x7f8e2974de40 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1029:21
    #12 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #13 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
    #14 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #15 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #16 0x7f8e29757897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9
    #17 0x7f8e297518aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9
    #18 0x7f8e29752ef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5
    #19 0x7f8e271ab417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7
    #20 0x7f8e2826863b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17
    #21 0x7f8e2825e35e in dissect_ieee802154 wireshark/epan/dissectors/packet-ieee802154.c:561:5
    #22 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #23 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
    #24 0x7f8e271a2dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #25 0x7f8e27eb25f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
    #26 0x7f8e271b0cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #27 0x7f8e271a35ea in call_dissector_work wireshark/epan/packet.c:691:9
    #28 0x7f8e271ad2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #29 0x7f8e2719eccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #30 0x7f8e2719e33b in dissect_record wireshark/epan/packet.c:501:3
    #31 0x7f8e2714c3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
    #32 0x5264eb in process_packet wireshark/tshark.c:3728:5
    #33 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
    #34 0x515daf in main wireshark/tshark.c:2197:13

0x7f8e33764094 is located 44 bytes to the left of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:3329:13' (0x7f8e337640c0) of size 64
0x7f8e33764094 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_pwrprofiles' defined in 'packet-zbee-zcl-general.c:3328:13' (0x7f8e33764080) of size 20
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:3847:21 in dissect_zcl_pwr_prof_pwrprofstatersp
Shadow bytes around the buggy address:
  0x0ff2466e47c0: 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
  0x0ff2466e47d0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ff2466e47e0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0ff2466e47f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2466e4800: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
=>0x0ff2466e4810: 00 00[04]f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ff2466e4820: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2466e4830: 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ff2466e4840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2466e4850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2466e4860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7849==ABORTING
--- cut ---

The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11830. Attached are three files which trigger the crash.

Update: there is also a similar crash due to out-of-bounds access to the global "ett_zbee_zcl_pwr_prof_enphases" array, see the report below.

Attached is a file which triggers the crash.

--- cut ---
==8228==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f0d4f321100 at pc 0x7f0d45344cd5 bp 0x7fff69e4e4a0 sp 0x7fff69e4e498
READ of size 4 at 0x7f0d4f321100 thread T0
    #0 0x7f0d45344cd4 in dissect_zcl_pwr_prof_enphsschednotif wireshark/epan/dissectors/packet-zbee-zcl-general.c:3685:25
    #1 0x7f0d4533bd04 in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:3463:21
    #2 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #3 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
    #4 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #5 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #6 0x7f0d453308ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13
    #7 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #8 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
    #9 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #10 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #11 0x7f0d4530b750 in dissect_zbee_apf wireshark/epan/dissectors/packet-zbee-aps.c:1680:9
    #12 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #13 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
    #14 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #15 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #16 0x7f0d4530aee1 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1033:13
    #17 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #18 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
    #19 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #20 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #21 0x7f0d45314897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9
    #22 0x7f0d4530e8aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9
    #23 0x7f0d4530fef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5
    #24 0x7f0d42d68417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7
    #25 0x7f0d43e2563b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17
    #26 0x7f0d43e1b40a in dissect_ieee802154_nofcs wireshark/epan/dissectors/packet-ieee802154.c:594:5
    #27 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #28 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
    #29 0x7f0d42d5fdbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #30 0x7f0d43a6f5f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
    #31 0x7f0d42d6dcc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #32 0x7f0d42d605ea in call_dissector_work wireshark/epan/packet.c:691:9
    #33 0x7f0d42d6a2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #34 0x7f0d42d5bccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #35 0x7f0d42d5b33b in dissect_record wireshark/epan/packet.c:501:3
    #36 0x7f0d42d093c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
    #37 0x5264eb in process_packet wireshark/tshark.c:3728:5
    #38 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
    #39 0x515daf in main wireshark/tshark.c:2197:13

0x7f0d4f321100 is located 32 bytes to the left of global variable 'ett_zbee_zcl_appl_ctrl_func' defined in 'packet-zbee-zcl-general.c:4460:13' (0x7f0d4f321120) of size 128
0x7f0d4f321100 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:3329:13' (0x7f0d4f3210c0) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:3685:25 in dissect_zcl_pwr_prof_enphsschednotif
Shadow bytes around the buggy address:
  0x0fe229e5c1d0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0fe229e5c1e0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0fe229e5c1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe229e5c200: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x0fe229e5c210: 00 00 04 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x0fe229e5c220:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe229e5c230: 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0fe229e5c240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe229e5c250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe229e5c260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe229e5c270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8228==ABORTING
--- cut ---

Furthermore, there is yet another similar condition in a somewhat related area of code, see the attached file and report below:

--- cut ---
==8856==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f148fad2900 at pc 0x7f1485afc15d bp 0x7ffd41dc3de0 sp 0x7ffd41dc3dd8
READ of size 4 at 0x7f148fad2900 thread T0
    #0 0x7f1485afc15c in dissect_zcl_appl_evtalt_get_alerts_rsp wireshark/epan/dissectors/packet-zbee-zcl-ha.c:889:21
    #1 0x7f1485afab0f in dissect_zbee_zcl_appl_evtalt wireshark/epan/dissectors/packet-zbee-zcl-ha.c:818:21
    #2 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #3 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
    #4 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #5 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #6 0x7f1485ae18ac in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:887:13
    #7 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #8 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
    #9 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #10 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #11 0x7f1485abbe40 in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1029:21
    #12 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #13 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
    #14 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #15 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #16 0x7f1485ac5897 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:665:9
    #17 0x7f1485abf8aa in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:701:9
    #18 0x7f1485ac0ef7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:337:5
    #19 0x7f1483519417 in dissector_try_heuristic wireshark/epan/packet.c:2329:7
    #20 0x7f14845d663b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1139:17
    #21 0x7f14845cc35e in dissect_ieee802154 wireshark/epan/dissectors/packet-ieee802154.c:561:5
    #22 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #23 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
    #24 0x7f1483510dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #25 0x7f14842205f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
    #26 0x7f148351ecc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #27 0x7f14835115ea in call_dissector_work wireshark/epan/packet.c:691:9
    #28 0x7f148351b2be in call_dissector_only wireshark/epan/packet.c:2662:8
    #29 0x7f148350cccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #30 0x7f148350c33b in dissect_record wireshark/epan/packet.c:501:3
    #31 0x7f14834ba3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
    #32 0x5264eb in process_packet wireshark/tshark.c:3728:5
    #33 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
    #34 0x515daf in main wireshark/tshark.c:2197:13

0x7f148fad2900 is located 32 bytes to the left of global variable 'ett' defined in 'packet-zbee-zcl-ha.c:1391:18' (0x7f148fad2920) of size 136
0x7f148fad2900 is located 0 bytes to the right of global variable 'ett_zbee_zcl_appl_evtalt_alerts_struct' defined in 'packet-zbee-zcl-ha.c:698:13' (0x7f148fad28e0) of size 32
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-ha.c:889:21 in dissect_zcl_appl_evtalt_get_alerts_rsp
Shadow bytes around the buggy address:
  0x0fe311f524d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe311f524e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe311f524f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe311f52500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe311f52510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe311f52520:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe311f52530: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0fe311f52540: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0fe311f52550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe311f52560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe311f52570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8856==ABORTING
--- cut ---


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38995.zip
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services