Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 23 Nov 2008 02:18:19 +0300 (MSK)
From:      Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        freebsd-security@FreeBSD.org
Subject:   ports/129077: [patch] [vuxml] net/wireshark: fix DoS in SMTP dissector
Message-ID:  <20081122231819.50846F181F@phoenix.codelabs.ru>
Resent-Message-ID: <200811222320.mAMNK1GV018485@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         129077
>Category:       ports
>Synopsis:       [patch] [vuxml] net/wireshark: fix DoS in SMTP dissector
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 22 23:20:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE i386
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE i386

>Description:

Today the DoS possibility for Wireshark was disclosed via BugTraq
list: http://www.securityfocus.com/archive/1/498562/30/0/threaded
Vendor acknowledged the existence of this issue and had already
patched it in Subversion repository:
----- http://wiki.wireshark.org/Development/Roadmap
Complete:

* Rev 24989 & Rev 24994 - Support for RFC 2920 SMTP Command Pipelining,
which also happens to fix a DoS found by researchers at Bkis
-----

>How-To-Repeat:

Look at http://www.securityfocus.com/archive/1/498562/30/0/threaded
and http://wiki.wireshark.org/Development/Roadmap

>Fix:

The following patch will apply the vendor fix from the trunk to the
1.0.4:
--- fix-DoS-in-SMTP-dissector.diff begins here ---
>From 676903bce0030930fa99ce4a9692057c2020c319 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Sun, 23 Nov 2008 02:04:51 +0300

See http://www.securityfocus.com/archive/1/498562/30/0/threaded for the
description of the vulnerability.  The patch was taken from the
Subversion repository of wireshark.

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 net/wireshark/Makefile                       |    2 +-
 net/wireshark/files/patch-fix-SMTP-DoS-1.0.4 |  356 ++++++++++++++++++++++++++
 2 files changed, 357 insertions(+), 1 deletions(-)
 create mode 100644 net/wireshark/files/patch-fix-SMTP-DoS-1.0.4

diff --git a/net/wireshark/Makefile b/net/wireshark/Makefile
index 49de12c..2e21104 100644
--- a/net/wireshark/Makefile
+++ b/net/wireshark/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME?=	wireshark
 PORTVERSION=	1.0.4
-PORTREVISION?=	0
+PORTREVISION?=	1
 CATEGORIES=	net ipv6
 MASTER_SITES=	http://www.wireshark.org/download/src/ \
     		http://wireshark.osmirror.nl/download/src/ \
diff --git a/net/wireshark/files/patch-fix-SMTP-DoS-1.0.4 b/net/wireshark/files/patch-fix-SMTP-DoS-1.0.4
new file mode 100644
index 0000000..e5d2e9e
--- /dev/null
+++ b/net/wireshark/files/patch-fix-SMTP-DoS-1.0.4
@@ -0,0 +1,356 @@
+Fix for the SMTP dissector DoS
+
+See: http://www.securityfocus.com/archive/1/498562/30/0/threaded
+Obtained from: http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-smtp.c?r1=24989&r2=24988&pathrev=24989&view=patch
+Obtained from: http://anonsvn.wireshark.org/viewvc/trunk/epan/dissectors/packet-smtp.c?r1=24994&r2=24993&pathrev=24994&view=patch
+
+--- epan/dissectors/packet-smtp.c	2008/04/13 16:21:22	24988
++++ epan/dissectors/packet-smtp.c	2008/04/13 16:33:44	24989
+@@ -97,10 +97,6 @@
+ 	"DATA fragments"
+ };
+ 
+-/* Define media_type/Content type table */
+-static dissector_table_t media_type_dissector_table;
+-
+-
+ static  dissector_handle_t imf_handle = NULL;
+ 
+ /*
+@@ -175,6 +171,7 @@
+     gint                    length_remaining;
+     gboolean                eom_seen = FALSE;
+     gint                    next_offset;
++    gint                    loffset;
+     gboolean                is_continuation_line;
+     int                     cmdlen;
+     fragment_data           *frag_msg = NULL;
+@@ -217,21 +214,6 @@
+      * longer than what's in the buffer, so the "tvb_get_ptr()" call
+      * won't throw an exception.
+      */
+-    linelen = tvb_find_line_end(tvb, offset, -1, &next_offset,
+-      smtp_desegment && pinfo->can_desegment);
+-    if (linelen == -1) {
+-      /*
+-       * We didn't find a line ending, and we're doing desegmentation;
+-       * tell the TCP dissector where the data for this message starts
+-       * in the data it handed us, and tell it we need one more byte
+-       * (we may need more, but we'll try again if what we get next
+-       * isn't enough), and return.
+-       */
+-      pinfo->desegment_offset = offset;
+-      pinfo->desegment_len = 1;
+-      return;
+-    }
+-    line = tvb_get_ptr(tvb, offset, linelen);
+ 
+     frame_data = p_get_proto_data(pinfo->fd, proto_smtp);
+ 
+@@ -267,6 +249,42 @@
+ 
+       }
+ 
++      if(request) {
++	frame_data = se_alloc(sizeof(struct smtp_proto_data));
++
++	frame_data->conversation_id = conversation->index;
++	frame_data->more_frags = TRUE;
++
++	p_add_proto_data(pinfo->fd, proto_smtp, frame_data);	
++
++      }
++
++    loffset = offset;
++    while (tvb_offset_exists(tvb, loffset)) {
++
++    linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset,
++      smtp_desegment && pinfo->can_desegment);
++    if (linelen == -1) {
++
++      if(offset == loffset) {
++      /*
++       * We didn't find a line ending, and we're doing desegmentation;
++       * tell the TCP dissector where the data for this message starts
++       * in the data it handed us, and tell it we need one more byte
++       * (we may need more, but we'll try again if what we get next
++       * isn't enough), and return.
++       */
++      pinfo->desegment_offset = loffset;
++      pinfo->desegment_len = 1;
++      return;
++      }
++      else {
++	linelen = tvb_length_remaining(tvb, loffset);
++	next_offset = loffset + linelen;
++      }
++    }
++    line = tvb_get_ptr(tvb, loffset, linelen);
++
+       /*
+        * Check whether or not this packet is an end of message packet
+        * We should look for CRLF.CRLF and they may be split.
+@@ -282,16 +300,16 @@
+ 	 * .CRLF at the begining of the same packet.
+ 	 */
+ 
+-	if ((request_val->crlf_seen && tvb_strneql(tvb, offset, ".\r\n", 3) == 0) ||
+-	    tvb_strneql(tvb, offset, "\r\n.\r\n", 5) == 0) {
++	if ((request_val->crlf_seen && tvb_strneql(tvb, loffset, ".\r\n", 3) == 0) ||
++	    tvb_strneql(tvb, loffset, "\r\n.\r\n", 5) == 0) {
+ 
+ 	  eom_seen = TRUE;
+ 
+-	}
++	} 
+ 
+-	length_remaining = tvb_length_remaining(tvb, offset);
+-	if (length_remaining == tvb_reported_length_remaining(tvb, offset) &&
+-	    tvb_strneql(tvb, offset + length_remaining - 2, "\r\n", 2) == 0) {
++	length_remaining = tvb_length_remaining(tvb, loffset);
++	if (length_remaining == tvb_reported_length_remaining(tvb, loffset) &&
++	    tvb_strneql(tvb, loffset + length_remaining - 2, "\r\n", 2) == 0) {
+ 
+ 	  request_val->crlf_seen = TRUE;
+ 
+@@ -310,11 +328,6 @@
+ 
+       if (request) {
+ 
+-	frame_data = se_alloc(sizeof(struct smtp_proto_data));
+-
+-	frame_data->conversation_id = conversation->index;
+-	frame_data->more_frags = TRUE;
+-
+ 	if (request_val->reading_data) {
+ 	  /*
+ 	   * This is message data.
+@@ -329,6 +342,9 @@
+ 	     */
+ 	    frame_data->pdu_type = SMTP_PDU_EOM;
+ 	    request_val->reading_data = FALSE;
++	    
++	    break;
++	    
+ 	  } else {
+ 	    /*
+ 	     * Message data with no EOM.
+@@ -340,7 +356,7 @@
+ 	       * We are handling a BDAT message.
+ 	       * Check if we have reached end of the data chunk.
+ 	       */
+-	      request_val->msg_read_len += tvb_length_remaining(tvb, offset);
++	      request_val->msg_read_len += tvb_length_remaining(tvb, loffset);
+ 
+               if (request_val->msg_read_len == request_val->msg_tot_len) {
+ 		/* 
+@@ -356,6 +372,8 @@
+ 		   */
+ 		  frame_data->more_frags = FALSE;
+ 		}
++		
++		break; /* no need to go through the remaining lines */
+ 	      }
+ 	    }
+ 	  }
+@@ -446,12 +464,15 @@
+ 	    frame_data->pdu_type = request_val->data_seen ? SMTP_PDU_MESSAGE : SMTP_PDU_CMD;
+ 
+ 	  }
+-
+ 	}
++      }
+ 
+-	p_add_proto_data(pinfo->fd, proto_smtp, frame_data);
++      /*
++       * Step past this line.
++       */
++      loffset = next_offset;
+ 
+-      }
++    }
+     }
+ 
+     /*
+@@ -463,6 +484,7 @@
+       col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMTP");
+ 
+     if (check_col(pinfo->cinfo, COL_INFO)) {  /* Add the appropriate type here */
++      col_clear(pinfo->cinfo, COL_INFO);
+ 
+       /*
+        * If it is a request, we have to look things up, otherwise, just
+@@ -477,21 +499,38 @@
+ 	case SMTP_PDU_MESSAGE:
+ 
+ 	  length_remaining = tvb_length_remaining(tvb, offset);
+-	  col_set_str(pinfo->cinfo, COL_INFO, smtp_data_desegment ? "DATA fragment" : "Message Body");
++	  col_set_str(pinfo->cinfo, COL_INFO, smtp_data_desegment ? "C: DATA fragment" : "C: Message Body");
+ 	  col_append_fstr(pinfo->cinfo, COL_INFO, ", %d byte%s", length_remaining,
+ 			  plurality (length_remaining, "", "s"));
+ 	  break;
+ 
+ 	case SMTP_PDU_EOM:
+ 
+-	  col_add_fstr(pinfo->cinfo, COL_INFO, "EOM: %s",
+-	      format_text(line, linelen));
++	  col_set_str(pinfo->cinfo, COL_INFO, "C: .");
++
+ 	  break;
+ 
+ 	case SMTP_PDU_CMD:
+ 
+-	  col_add_fstr(pinfo->cinfo, COL_INFO, "Command: %s",
+-	      format_text(line, linelen));
++	  loffset = offset;
++	  while (tvb_offset_exists(tvb, loffset)) {
++	    /*
++	     * Find the end of the line.
++	     */
++	    linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE);
++	    line = tvb_get_ptr(tvb, loffset, linelen);
++
++	    if(loffset == offset) 
++	      col_append_fstr(pinfo->cinfo, COL_INFO, "C: %s",
++			   format_text(line, linelen));
++	    else {
++	      col_append_fstr(pinfo->cinfo, COL_INFO, " | %s",
++			   format_text(line, linelen));
++	    }
++
++	    loffset = next_offset;
++
++	  }
+ 	  break;
+ 
+ 	}
+@@ -499,9 +538,24 @@
+       }
+       else {
+ 
+-	col_add_fstr(pinfo->cinfo, COL_INFO, "Response: %s",
+-	    format_text(line, linelen));
++	  loffset = offset;
++	  while (tvb_offset_exists(tvb, loffset)) {
++	    /*
++	     * Find the end of the line.
++	     */
++	    linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE);
++	    line = tvb_get_ptr(tvb, loffset, linelen);
++
++	    if(loffset == offset) 
++	      col_append_fstr(pinfo->cinfo, COL_INFO, "S: %s",
++			   format_text(line, linelen));
++	    else {
++	      col_append_fstr(pinfo->cinfo, COL_INFO, " | %s",
++			   format_text(line, linelen));
++	    }
+ 
++	    loffset = next_offset;
++	  }
+       }
+     }
+ 
+@@ -556,8 +610,7 @@
+ 	   * DATA command this terminates before sending another
+ 	   * request, but we should probably handle it.
+ 	   */
+-	  proto_tree_add_text(smtp_tree, tvb, offset, linelen,
+-	      "EOM: %s", format_text(line, linelen));
++	  proto_tree_add_text(smtp_tree, tvb, offset, linelen, "C: .");
+ 
+ 	  if(smtp_data_desegment) {
+ 
+@@ -578,6 +631,15 @@
+ 	   * previous command before sending another request, but we
+ 	   * should probably handle it.
+ 	   */
++
++	  loffset = offset;
++	while (tvb_offset_exists(tvb, loffset)) {
++
++	  /*
++	   * Find the end of the line.
++	   */
++	  linelen = tvb_find_line_end(tvb, loffset, -1, &next_offset, FALSE);
++
+ 	  if (linelen >= 4)
+ 	    cmdlen = 4;
+ 	  else
+@@ -587,16 +649,16 @@
+ 	  /*
+ 	   * Put the command line into the protocol tree.
+ 	   */
+-	  ti = proto_tree_add_text(smtp_tree, tvb, offset, next_offset - offset,
++	  ti = proto_tree_add_text(smtp_tree, tvb, loffset, next_offset - loffset,
+ 	        "Command: %s",
+-		tvb_format_text(tvb, offset, next_offset - offset));
++		tvb_format_text(tvb, loffset, next_offset - loffset));
+ 	  cmdresp_tree = proto_item_add_subtree(ti, ett_smtp_cmdresp);
+ 
+ 	  proto_tree_add_item(cmdresp_tree, hf_smtp_req_command, tvb,
+-			      offset, cmdlen, FALSE);
++			      loffset, cmdlen, FALSE);
+ 	  if (linelen > 5) {
+ 	    proto_tree_add_item(cmdresp_tree, hf_smtp_req_parameter, tvb,
+-				offset + 5, linelen - 5, FALSE);
++				loffset + 5, linelen - 5, FALSE);
+ 	  }
+ 
+ 	  if (smtp_data_desegment && !frame_data->more_frags) {
+@@ -605,6 +667,13 @@
+ 	    frag_msg = fragment_end_seq_next (pinfo, frame_data->conversation_id, smtp_data_segment_table,
+ 					      smtp_data_reassembled_table);
+ 	  }
++
++	  /*
++	   * Step past this line.
++	   */
++	  loffset = next_offset;
++	  
++	}
+ 	}
+ 
+ 	if (smtp_data_desegment) {
+@@ -689,8 +758,8 @@
+ 	  /*
+ 	   * If it's not a continuation line, quit.
+ 	   */
+-	  if (!is_continuation_line)
+-	    break;
++	  /* if (!is_continuation_line)
++	     break; */
+ 
+ 	}
+ 
+@@ -771,7 +840,6 @@
+   };
+   module_t *smtp_module;
+ 
+-
+   proto_smtp = proto_register_protocol("Simple Mail Transfer Protocol",
+ 				       "SMTP", "smtp");
+ 
+@@ -808,11 +876,6 @@
+   dissector_add("tcp.port", TCP_PORT_SMTP, smtp_handle);
+   dissector_add("tcp.port", TCP_PORT_SUBMISSION, smtp_handle);
+ 
+-  /*
+-   * Get the content type and Internet media type table
+-   */
+-  media_type_dissector_table = find_dissector_table("media_type");
+-
+   /* find the IMF dissector */
+   imf_handle = find_dissector("imf");
+ 
+--- epan/dissectors/packet-smtp.c	2008/04/13 16:55:56	24993
++++ epan/dissectors/packet-smtp.c	2008/04/13 16:58:57	24994
+@@ -167,7 +167,7 @@
+     struct smtp_request_val *request_val;
+     const guchar            *line;
+     guint32                 code;
+-    int                     linelen;
++    int                     linelen = 0;
+     gint                    length_remaining;
+     gboolean                eom_seen = FALSE;
+     gint                    next_offset;
-- 
1.6.0.4
--- fix-DoS-in-SMTP-dissector.diff ends here ---
I had briefly tested it and it works for me.

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="">
    <topic>wireshark -- DoS in the SMTP dissector module</topic>
    <affects>
      <package>
	<name>wireshark</name>
	<name>wireshark-lite</name>
	<range><lt>1.0.4_1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">;
	<p>Bach Khoa from Internetwork Security Center reports:</p>
	<blockquote cite="http://www.securityfocus.com/archive/1/498562/30/0/threaded">;
	<p>On Nov 2008, Security Vulnerability Research Team of
	Bkis (SVRT-Bkis) has detected a vulnerability underlying
	WireShark 1.0.4 (lastest version).</p>
	<p>The flaw is in the function processing SMTP protocol and
	enables hacker to perform a DoS attack by sending a SMTP
	request with large content to port 25. The application then
	enter a large loop and cannot do anything else.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <url>http://www.securityfocus.com/archive/1/498562/30/0/threaded</url>;
      <url>http://wiki.wireshark.org/Development/Roadmap</url>;
    </references>
    <dates>
      <discovery>2008-11-22</discovery>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20081122231819.50846F181F>