CVE-2015-8739
medium
CVSS v3
5.5
CVSS v4 NEW
โ
VIR risk
6.5
Description
The ipmi_fmt_udpport function in epan/dissectors/packet-ipmi.c in the IPMI dissector in Wireshark 2.0.x before 2.0.1 improperly attempts to access a packet scope, which allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted packet.
Predictions
Exploit likelihood
55%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Wireshark - wmem_alloc Assertion Failure
Source: https://code.google.com/p/google-security-research/issues/detail?id=662
The following crash due to an asserion failure can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
ERROR:wmem_core.c:50:wmem_alloc: assertion failed: (allocator->in_scope)
Program received signal SIGABRT, Aborted.
0x00007fffe1c70cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) where
#0 0x00007fffe1c70cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007fffe1c740d8 in __GI_abort () at abort.c:89
#2 0x00007fffe3707165 in g_assertion_message () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3 0x00007fffe37071fa in g_assertion_message_expr () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#4 0x00007fffee6b49f5 in wmem_alloc (allocator=<optimized out>, size=<optimized out>) at wmem_core.c:50
#5 0x00007fffeb0f7d40 in wmem_utoa (allocator=0x60700000bd90, port=512) at addr_resolv.c:604
#6 0x00007fffeb0f7c70 in udp_port_to_display (allocator=0x60700000bd90, port=512) at addr_resolv.c:2901
#7 0x00007fffec2e1998 in ipmi_fmt_udpport (s=0x7ffffffface0 "\030\366!\364\377\177", v=512)
at packet-ipmi.c:1283
#8 0x00007fffeb25d6ff in fill_label_number (fi=0x7ffe90b4c2c0,
label_str=0x7fffffffb5e0 "1111 11.. = Sequence Number: 0x3f", is_signed=0) at proto.c:7083
#9 0x00007fffeb2505e2 in proto_item_fill_label (fi=0x7ffe90b4c2c0,
label_str=0x7fffffffb5e0 "1111 11.. = Sequence Number: 0x3f") at proto.c:6651
#10 0x00007fffeb1f1799 in proto_tree_print_node (node=0x7ffe90b4c330, data=0x7fffffffc480) at print.c:164
#11 0x00007fffeb207927 in proto_tree_children_foreach (tree=0x7ffe90b4bd70,
func=0x7fffeb1f10e0 <proto_tree_print_node>, data=0x7fffffffc480) at proto.c:655
#12 0x00007fffeb1f2d93 in proto_tree_print_node (node=0x7ffe90b4bd70, data=0x7fffffffc480) at print.c:219
#13 0x00007fffeb207927 in proto_tree_children_foreach (tree=0x7ffe90b4b0e0,
func=0x7fffeb1f10e0 <proto_tree_print_node>, data=0x7fffffffc480) at proto.c:655
#14 0x00007fffeb1f2d93 in proto_tree_print_node (node=0x7ffe90b4b0e0, data=0x7fffffffc480) at print.c:219
#15 0x00007fffeb207927 in proto_tree_children_foreach (tree=0x619000152ef0,
func=0x7fffeb1f10e0 <proto_tree_print_node>, data=0x7fffffffc480) at proto.c:655
#16 0x00007fffeb1f1013 in proto_tree_print (print_args=0x7fffffffc6a0, edt=0x61300000de80,
output_only_tables=0x0, stream=0x602000340c10) at print.c:133
#17 0x000000000052b913 in print_packet (cf=0x14ac0c0 <cfile>, edt=0x61300000de80) at tshark.c:4132
#18 0x00000000005266ff in process_packet (cf=0x14ac0c0 <cfile>, edt=0x61300000de80, offset=24,
whdr=0x61400000f060, pd=0x61b000012d80 "", tap_flags=0) at tshark.c:3742
#19 0x000000000051f961 in load_cap_file (cf=0x14ac0c0 <cfile>, save_file=0x0, out_file_type=2,
out_file_name_res=0, max_packet_count=0, max_byte_count=0) at tshark.c:3484
#20 0x0000000000515db0 in main (argc=3, argv=0x7fffffffe248) at tshark.c:2197
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11831. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38994.zipOS impact
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 2.0.1+g59ea380-1 |
| sid | Fixed | 2.0.1+g59ea380-1 |
| forky | Fixed | 2.0.1+g59ea380-1 |
| bullseye | Fixed | 2.0.1+g59ea380-1 |
| bookworm | Fixed | 2.0.1+g59ea380-1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| wireshark | wireshark | 2.0.0 | |
References
- http://www.securityfocus.com/bid/79382
- http://www.securitytracker.com/id/1034551
- http://www.wireshark.org/security/wnpa-sec-2015-57.html
- https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11831
- https://code.wireshark.org/review/gitweb?p=wireshark.git%3Ba=commit%3Bh=96bf82ced0b58c7a4c2a6c300efeebe4f05c0ff4
- https://security.gentoo.org/glsa/201604-05
- https://security-tracker.debian.org/tracker/CVE-2015-8739
CWEs
CWE-20
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.