Bug 1180195 (CVE-2015-0563) - CVE-2015-0563 wireshark: SMTP dissector crash (wnpa-sec-2015-04)
Summary: CVE-2015-0563 wireshark: SMTP dissector crash (wnpa-sec-2015-04)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-0563
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1180196 1245763
Blocks: 1180203 1210268
TreeView+ depends on / blocked
 
Reported: 2015-01-08 15:28 UTC by Martin Prpič
Modified: 2019-09-29 13:26 UTC (History)
6 users (show)

Fixed In Version: Wireshark 1.12.3, Wireshark 1.10.12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-20 04:48:52 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2393 normal SHIPPED_LIVE Moderate: wireshark security, bug fix, and enhancement update 2015-11-19 11:03:11 UTC

Description Martin Prpič 2015-01-08 15:28:38 UTC
It was reported that Wireshark's SMTP dissector could crash. It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.

This is reported to affect Wireshark versions 1.12.0 to 1.12.2, and 1.10.0 to 1.10.11. It is fixed in versions 1.12.3 and 1.10.12.

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10823

External References:

https://www.wireshark.org/security/wnpa-sec-2015-04.html

Comment 1 Martin Prpič 2015-01-08 15:29:21 UTC
Created wireshark tracking bugs for this issue:

Affects: fedora-all [bug 1180196]

Comment 4 Siddharth Sharma 2015-01-20 01:01:02 UTC
Analysis
========

In the function dissect_smtp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) of smtp dissector

if ((session_state->auth_state != SMTP_AUTH_STATE_NONE) &&
              (pinfo->fd->num >= session_state->first_auth_frame) &&
              ((session_state->last_auth_frame == 0) || (pinfo->fd->num <= session_state->last_auth_frame))) {
                 decrypt = tvb_get_ephemeral_string(tvb, loffset, linelen);
                    if ((stmp_decryption_enabled) && (epan_base64_decode(decrypt) > 0)) {
                        line = decrypt;
                    } else {
                        line = tvb_get_ptr(tvb, loffset, linelen);
                    }
          } else {
              line = tvb_get_ptr(tvb, loffset, linelen);
          }

          linep = line;
          lineend = line + linelen;

decoding base-64, the result is the length of the decoded result as it would be different , so linelen should be assigned the value of epan_base64_decode(decrypt)

which calculates wrongly the lineend at lineend = line + linelen;

which is used in while loop  which can lead to crash    

while (linep < lineend && *linep != ' ') { 
...
}

Comment 6 errata-xmlrpc 2015-11-19 12:36:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2393 https://rhn.redhat.com/errata/RHSA-2015-2393.html

Comment 7 Huzaifa S. Sidhpurwala 2015-11-20 04:48:52 UTC
Statement:

This issue did not affect the version of wireshark as shipped with Red Hat Enterprise Linux 5 and 6.


Note You need to log in before you can comment on or make changes to this bug.