Heap Buffer Overflow in nstrace_read_v10 Function

May 26, 2023

CVE Number

CVE-2023-2858

Credits

Huascar Tejeda of Pentraze Cybersecurity

Summary

A heap buffer overflow vulnerability has been discovered in Wireshark’s nstrace_read_v10 function. This vulnerability may allow an attacker to execute arbitrary code, or cause a denial of service by crashing the application.

CVSS

9.0 (Critical) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

The offending code resides in pint.h and netscaler.c files of the Wireshark application. The faulty logic in netscaler.c appears to be due to improper bounds checking before using the pletoh16 function on fp->nsprRecordSize (netscaler.c:1220). The pletoh16 function defined in pint.h attempts to read 16 bits of data from the pointer p passed to it (pint.h:91).

However, if the pointer p is too close to the end of the allocated heap buffer, reading 16 bits of data might surpass the boundaries of the allocated buffer space. This is precisely what occurs in this case, where fp->nsprRecordSize is located only one byte away from the end of an 8192-byte allocated heap buffer, causing a heap buffer overflow when pletoh16 attempts to read two bytes from fp->nsprRecordSize.

Steps to reproduce:

Open the trigger file using a Wireshark binary compiled with the -DENABLE_ASAN option:

$ tshark -r trigger
=================================================================
==528223==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000101100 at pc 0x7fffdfab1bd6 bp 0x7fffffffcd20 sp 0x7fffffffcd10
READ of size 2 at 0x625000101100 thread T0
    #0 0x7fffdfab1bd5 in pletoh32 /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wsutil/pint.h:106
    #1 0x7fffdfab1bd5 in nstrace_read_v10 /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/netscaler.c:1181
    #2 0x7fffdfb34583 in wtap_read /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/wtap.c:1555
    #3 0x55555558eb8f in process_cap_file_single_pass /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:3534
    #4 0x55555558eb8f in process_cap_file /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:3746
    #5 0x55555558eb8f in main /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:2260
    #6 0x7fffdf629d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #7 0x7fffdf629e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #8 0x555555591754 in _start (/home/htejeda/fuzzing/wireshark/wireshark-4.0.5/build-asan/run/tshark+0x3d754)

0x625000101100 is located 0 bytes to the right of 8192-byte region [0x6250000ff100,0x625000101100)
allocated by thread T0 here:
    #0 0x7ffff74b4867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7fffdfd24738 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5e738)
...
...

ASAN

=================================================================
==528223==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000101100 at pc 0x7fffdfab1bd6 bp 0x7fffffffcd20 sp 0x7fffffffcd10
READ of size 2 at 0x625000101100 thread T0
    #0 0x7fffdfab1bd5 in pletoh32 /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wsutil/pint.h:106
    #1 0x7fffdfab1bd5 in nstrace_read_v10 /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/netscaler.c:1181
    #2 0x7fffdfb34583 in wtap_read /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/wtap.c:1555
    #3 0x55555558eb8f in process_cap_file_single_pass /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:3534
    #4 0x55555558eb8f in process_cap_file /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:3746
    #5 0x55555558eb8f in main /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:2260
    #6 0x7fffdf629d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #7 0x7fffdf629e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #8 0x555555591754 in _start (/home/htejeda/fuzzing/wireshark/wireshark-4.0.5/build-asan/run/tshark+0x3d754)

0x625000101100 is located 0 bytes to the right of 8192-byte region [0x6250000ff100,0x625000101100)
allocated by thread T0 here:
    #0 0x7ffff74b4867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7fffdfd24738 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5e738)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wsutil/pint.h:106 in pletoh32
Shadow bytes around the buggy address:
  0x0c4a800181d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a800181e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a800181f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80018200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80018210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a80018220:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80018230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80018240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80018250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80018260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80018270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==528223==ABORTING

Crash context:
Execution stopped here ==> 0x00007fffdf696a7c: mov    r13d,eax

Register info:
   rax - 0x0000000000000000 (0)
   rbx - 0x00007ffff72d5a80 (140737340332672)
   rcx - 0x00007fffdf696a7c (140736941615740)
   rdx - 0x0000000000000006 (6)
   rsi - 0x0000000000080f5f (528223)
   rdi - 0x0000000000080f5f (528223)
   rbp - 0x0000000000080f5f (0x80f5f)
   rsp - 0x00007fffffffbd50 (0x7fffffffbd50)
    r8 - 0x00007fffffffbe20 (140737488338464)
    r9 - 0x0000000000000000 (0)
   r10 - 0x0000000000000008 (8)
   r11 - 0x0000000000000246 (582)
   r12 - 0x0000000000000006 (6)
   r13 - 0x0000000000000016 (22)
   r14 - 0x00007fffc6612000 (140736521641984)
   r15 - 0x0000000000010000 (65536)
   rip - 0x00007fffdf696a7c (0x7fffdf696a7c <__GI___pthread_kill+300>)
eflags - 0x00000246 ([ PF ZF IF ])
    cs - 0x00000033 (51)
    ss - 0x0000002b (43)
    ds - 0x00000000 (0)
    es - 0x00000000 (0)
    fs - 0x00000000 (0)
    gs - 0x00000000 (0)

GDB Backtrace

#0  0x00007fffdf696a7c in __pthread_kill_implementation (/lib/x86_64-linux-gnu/libc.so.6)
                       at ./nptl/pthread_kill.c:44

#1  0x00007fffdf696a7c in __pthread_kill_internal (/lib/x86_64-linux-gnu/libc.so.6)
                       at ./nptl/pthread_kill.c:78

#2  0x00007fffdf696a7c in __GI___pthread_kill (/lib/x86_64-linux-gnu/libc.so.6)
                       at ./nptl/pthread_kill.c:89

#3  0x00007fffdf642476 in __GI_raise (/lib/x86_64-linux-gnu/libc.so.6)
                       at ../sysdeps/posix/raise.c:26

#4  0x00007fffdf6287f3 in __GI_abort (/lib/x86_64-linux-gnu/libc.so.6)
                       at ./stdlib/abort.c:79

#5  0x00007ffff74d26f2 in __sanitizer::Abort (/lib/x86_64-linux-gnu/libasan.so.6)
                       at ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix_libcdep.cpp:151

#6  0x00007ffff74de2ac in __sanitizer::Die (/lib/x86_64-linux-gnu/libasan.so.6)
                       at ../../../../src/libsanitizer/sanitizer_common/sanitizer_termination.cpp:58

#7  0x00007ffff74bd75c in __asan::ScopedInErrorReport::~ScopedInErrorReport (/lib/x86_64-linux-gnu/libasan.so.6)
                       at ../../../../src/libsanitizer/asan/asan_report.cpp:190

#8  0x00007ffff74bcff5 in __asan::ReportGenericError (/lib/x86_64-linux-gnu/libasan.so.6)
                       at ../../../../src/libsanitizer/asan/asan_report.cpp:478

#9  0x00007ffff74be618 in __asan::__asan_report_load_n (/lib/x86_64-linux-gnu/libasan.so.6)
                       at ../../../../src/libsanitizer/asan/asan_rtl.cpp:146

#10 0x00007fffdfab1bd6 in pletoh32 (/home/htejeda/fuzzing/wireshark/wireshark-4.0.5/build-asan/run/libwiretap.so.13)
                       ???: guint32 pletoh32(p = (const void *)<optimized out>) {
                       |||:
                       |||: /* Local reference: const void * p = <optimized out>; */
                       104:     return (guint32)*((const guint8 *)(p)+3)<<24|
                       105:            (guint32)*((const guint8 *)(p)+2)<<16|
                       106:            (guint32)*((const guint8 *)(p)+1)<<8|
                       |||:
                       ---: }
                       at /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wsutil/pint.h:106

#11 0x00007fffdfab1bd6 in nstrace_read_v10 (/home/htejeda/fuzzing/wireshark/wireshark-4.0.5/build-asan/run/libwiretap.so.13)
                       1150: gboolean nstrace_read_v10(wth = (wtap *)0x60f000001030, rec = (wtap_rec *)0x7fffffffdd20, buf = (Buffer *)0x7fffffffd490, err = (int *)0x7fffffffd020, err_info = (gchar **)0x7fffffffd310, data_offset = (gint64 *)0x7fffffffd3b0) {
                       ||||:
                       ||||: /* Local reference: gchar * nstrace_buf = 0x6250000ff100 "00\001\001", '\060' <repeats 196 times>...; */
                       ||||: /* Local reference: guint32 nstrace_buf_offset = <optimized out>; */
                       ||||: /* Local reference: wtap_rec * rec = 0x7fffffffdd20; */
                       ||||: /* Local reference: Buffer * buf = 0x7fffffffd490; */
                       1179:             switch (pletoh16(&(( nspr_header_v10_t*)&nstrace_buf[nstrace_buf_offset])->ph_RecordType))
                       1180:             {
                       1181:                 GENERATE_CASE_FULL(rec,buf,10,100)
                       ||||:
                       ----: }
                       at /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/netscaler.c:1181

#12 0x00007fffdfb34584 in wtap_read (/home/htejeda/fuzzing/wireshark/wireshark-4.0.5/build-asan/run/libwiretap.so.13)
                       1545: gboolean wtap_read(wth = (wtap *)0x60f000001030, rec = (wtap_rec *)0x7fffffffdd20, buf = (Buffer *)0x7fffffffd490, err = (int *)0x7fffffffd020, err_info = (gchar **)0x7fffffffd310, offset = (gint64 *)0x7fffffffd3b0) {
                       ||||:
                       ||||: /* Local reference: int * err = 0x7fffffffd020; */
                       ||||: /* Local reference: gchar ** err_info = 0x7fffffffd310; */
                       ||||: /* Local reference: wtap * wth = 0x60f000001030; */
                       ||||: /* Local reference: wtap_rec * rec = 0x7fffffffdd20; */
                       ||||: /* Local reference: Buffer * buf = 0x7fffffffd490; */
                       ||||: /* Local reference: gint64 * offset = 0x7fffffffd3b0; */
                       1553: 	*err = 0;
                       1554: 	*err_info = NULL;
                       1555: 	if (!wth->subtype_read(wth, rec, buf, err, err_info, offset)) {
                       ||||:
                       ----: }
                       at /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/wiretap/wtap.c:1555

#13 0x000055555558eb90 in process_cap_file_single_pass (/home/htejeda/fuzzing/wireshark/wireshark-4.0.5/build-asan/run/tshark)
                       ????: pass_status_t process_cap_file_single_pass(cf = (capture_file *)0x55555563d000 <cfile>, err_framenum = (volatile guint32 *)0x7fffffffd040, err_info = (gchar **)0x7fffffffd310, err = (int *)0x7fffffffd020, max_write_packet_count = (int)0, max_byte_count = (gint64)0, max_packet_count = (int)0, pdh = (wtap_dumper *)0x0) {
                       ||||:
                       ||||: /* Local reference: int * err = 0x7fffffffd020; */
                       ||||: /* Local reference: capture_file * cf = 0x55555563d000 <cfile>; */
                       ||||: /* Local reference: gchar ** err_info = 0x7fffffffd310; */
                       3532: 
                       3533:     *err = 0;
                       3534:     while (wtap_read(cf->provider.wth, &rec, &buf, err, err_info, &data_offset)) {
                       ||||:
                       ----: }
                       at /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:3534

#14 0x000055555558eb90 in process_cap_file (/home/htejeda/fuzzing/wireshark/wireshark-4.0.5/build-asan/run/tshark)
                       ????: process_file_status_t process_cap_file(cf = (capture_file *)0x55555563d000 <cfile>, max_write_packet_count = (int)0, max_byte_count = (gint64)0, max_packet_count = (int)0, out_file_name_res = (gboolean)0, out_file_type = (int)0, save_file = (char *)0x0) {
                       ||||:
                       ||||: /* Local reference: pass_status_t first_pass_status = PASS_SUCCEEDED; */
                       ||||: /* Local reference: pass_status_t second_pass_status = <optimized out>; */
                       ||||: /* Local reference: wtap_dumper * pdh = 0x0; */
                       ||||: /* Local reference: capture_file * cf = 0x55555563d000 <cfile>; */
                       3744: 
                       3745:         first_pass_status = PASS_SUCCEEDED; /* There is no first pass */
                       3746:         second_pass_status = process_cap_file_single_pass(cf, pdh,
                       ||||:
                       ----: }
                       at /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:3746

#15 0x000055555558eb90 in main (/home/htejeda/fuzzing/wireshark/wireshark-4.0.5/build-asan/run/tshark)
                        789: int main(argc = (int)<optimized out>, argv = (char **)<optimized out>) {
                       ||||:
                       2258:         ws_debug("tshark: invoking process_cap_file() to process the packets");
                       2259:         TRY {
                       2260:             status = process_cap_file(&cfile, output_file_name, out_file_type, out_file_name_res,
                       ||||:
                       ----: }
                       at /home/htejeda/fuzzing/wireshark/wireshark-4.0.5/tshark.c:2260

Services

Penetration Testing

Proactive assessment using tactics, techniques, and procedures of actual attackers to identify security flaws, incorrect configurations, and vulnerabilities.

Learn more

Application Security Testing

Comprehensive application protection, ensuring robust security throughout the entire software development lifecycle.

Learn more

Red Team Exercises

Simulate and emulate advanced cyber attacks to pinpoint vulnerabilities and test your organization's defense mechanisms, ensuring robust resilience against real-world threats.

Learn more

Vulnerability Management

Proactive process to identify, prioritize, and address security vulnerabilities in systems and software, enhancing an organization's defense against evolving cyber threats.

Learn more