Huzaifa Sidhpurwala of Red Hat Security Response Team
Vulnerable:
Wireshark Wireshark 1.6.2
Wireshark Wireshark 1.6.1
Wireshark Wireshark 1.6
Wireshark Wireshark 1.4.9
Wireshark Wireshark 1.4.8
Wireshark Wireshark 1.4.7
Wireshark Wireshark 1.4.6
Wireshark Wireshark 1.4.5
Wireshark Wireshark 1.4.4
Wireshark Wireshark 1.4.3
Wireshark Wireshark 1.4.2
Wireshark Wireshark 1.4.1
Wireshark Wireshark 1.4.0
Red Hat Fedora 16
Red Hat Fedora 15
Red Hat Fedora 14
Red Hat Enterprise Linux Workstation Optional 6
Red Hat Enterprise Linux Workstation 6
Red Hat Enterprise Linux Server Optional 6
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Desktop Optional 6
Red Hat Enterprise Linux Desktop 6
Mandriva Linux Mandrake 2011 x86_64
Mandriva Linux Mandrake 2011
Debian Linux 6.0 sparc
Debian Linux 6.0 s/390
Debian Linux 6.0 powerpc
Debian Linux 6.0 mips
Debian Linux 6.0 ia-64
Debian Linux 6.0 ia-32
Debian Linux 6.0 arm
Debian Linux 6.0 amd64
Not Vulnerable:
Wireshark Wireshark 1.6.3
Security Discussion
Wireshark is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input.
Exploiting this issue may allow attackers to execute arbitrary code in the context of the affected application. Failed exploits may result in a denial-of-service condition.
Wireshark versions 1.4.0 through 1.4.9 and versions 1.6.0 through 1.6.2 are affected.
Proof of Concept and Security Exploits
A working commercial exploit is available through VUPEN Security - Exploit and PoCs Service. This exploit is not otherwise publicly available or known to be circulating in the wild.
Security Solution(s)
Solution: Updates are available. Please see the references for more information.