xorl %eax, %eax

CVE-2009-1829: Wireshark PCNFSD Incorrect Parsing


This bug affects Wireshark 0.8.20 up to and including 1.0.7 according to their official advisory. The bug was discovered by the Wireshark development team and it is located in the PCNFSD dissector, whose code can be found at epan/dissectors/packet-pcnfsd.c. Here is the buggy routine:

 * Routines for PCNFSD dissection
 *
 * $Id: packet-pcnfsd.c 24643 2008-03-15 22:41:57Z morriss $
 *
 * Wireshark - Network traffic analyzer
 * By Gerald Combs <gerald@wireshark.org>
 * Copyright 1998 Gerald Combs
 ...
Protocol information comes from the book
        "NFS Illustrated" by Brent Callaghan, ISBN 0-201-32570-5
 ...
/* "NFS Illustrated" 14.7.13 */
static int
dissect_pcnfsd2_auth_call(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
        proto_tree *tree)
{
        int     newoffset;
        char    *ident = NULL;
 ...
        char    *password = NULL;
 ...
        if (ident) {
                pcnfsd_decode_obscure(ident, strlen(ident));
                if (ident_tree)
                        proto_tree_add_string(ident_tree,
                                hf_pcnfsd_auth_ident_clear,
                                tvb, offset+4, strlen(ident), ident);
        }
 ...
        if (password) {
                pcnfsd_decode_obscure(password, strlen(password));
                if (password_tree)
                        proto_tree_add_string(password_tree,
                                hf_pcnfsd_auth_password_clear,
                                tvb, offset+4, strlen(password), password);
        }
 ...
}

The bug is that a PCNFSD authorization RPC doesn’t necessarily contain either an IDENT or a password field. In both cases incorrect parsing takes place, since the above dissector assumes that the IDENT and password fields are always present. I don’t know how this could be exploited, but there should be ways if you spend enough time studying it. To patch this they simply added the following checks:

 if (ident) {
-               pcnfsd_decode_obscure(ident, strlen(ident));
+               /* Only attempt to decode the ident if it has been specified */
+               if (strcmp(ident, RPC_STRING_EMPTY))
+                       pcnfsd_decode_obscure(ident, (int)strlen(ident));
+
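Review bot: the new guard decides "specified or not" by comparing the returned text against the RPC_STRING_EMPTY placeholder instead of checking the string's actual wire length, so an ident whose bytes happen to spell that placeholder text would be silently left undecoded; having the string dissector report the length (or return NULL for the empty case) would separate the two. Minor: `if (strcmp(ident, RPC_STRING_EMPTY))` reads more clearly as `if (strcmp(ident, RPC_STRING_EMPTY) != 0)`.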

And for the password field:

 if (password) {
-               pcnfsd_decode_obscure(password, strlen(password));
+               /* Only attempt to decode the password if it has been specified */
+               if (strcmp(password, RPC_STRING_EMPTY))
+                       pcnfsd_decode_obscure(password, (int)strlen(password));
+
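Review bot: this is the ident hunk repeated line for line, including the same placeholder comparison and the same `(int)strlen` cast; a small helper such as `pcnfsd_decode_if_present(char *s)` holding the RPC_STRING_EMPTY check would keep the two call sites from drifting apart the next time one of them is touched.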

Simple to understand and trigger, difficult to exploit.
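The missing-field case and the fix's guard, as a small C model added here (not Wireshark's code): xdr_string, scratch, SAMPLE_AUTH, parse_sample_auth and the XOR-0x5b decode rule are assumptions made for the demo, and the "<EMPTY>" text stands in for whatever RPC_STRING_EMPTY expands to. The unguarded path decodes the shared placeholder in place, which is exactly what the strcmp check in the patch prevents.

```c
/* Added demo, not Wireshark code. Assumed here: the XDR string layout, the
 * "<EMPTY>" placeholder for a zero-length string and the XOR-0x5b obscuring. */
#include <stdint.h>
#include <string.h>

static char RPC_STRING_EMPTY[] = "<EMPTY>"; /* shared placeholder (assumed) */
static char scratch[64];                    /* copy of the last non-empty string */
/* XDR string: 4-byte big-endian length, bytes, zero padding to a multiple of 4.
 * Returns scratch holding a copy, the shared placeholder for length 0, or NULL. */
static char *xdr_string(const uint8_t *buf, size_t len, size_t *off)
{
    if (*off + 4 > len) return NULL;
    uint32_t n = (uint32_t)buf[*off] << 24 | (uint32_t)buf[*off + 1] << 16 |
                 (uint32_t)buf[*off + 2] << 8 | buf[*off + 3];
    size_t padded = ((size_t)n + 3) & ~(size_t)3;  /* body rounded up to 4 */
    *off += 4;
    if (n == 0) return RPC_STRING_EMPTY;            /* no bytes follow */
    if (n >= sizeof scratch || *off + padded > len) return NULL;
    memcpy(scratch, buf + *off, n); scratch[n] = '\0';
    *off += padded; return scratch;
}
/* Assumed obscuring rule: XOR each byte with 0x5b and keep the low 7 bits. */
static void pcnfsd_decode_obscure(char *data, int len)
{
    for (; len > 0; len--, data++)
        *data = (char)((*data ^ 0x5b) & 0x7f);
}
/* One auth field. guarded == 0 mirrors 1.0.7 (decode whatever came back, the
 * placeholder included); guarded == 1 applies the fix's strcmp check.
 * Copies the text to out; returns 1 if the shared placeholder itself was decoded. */
static int auth_field(const uint8_t *buf, size_t len, size_t *off, int guarded,
                      char *out, size_t outsz)
{
    char *s = xdr_string(buf, len, off);
    if (!s) { out[0] = '\0'; return 0; }
    int decoded = !guarded || strcmp(s, RPC_STRING_EMPTY) != 0;
    if (decoded) pcnfsd_decode_obscure(s, (int)strlen(s)); /* may hit static data */
    strncpy(out, s, outsz - 1); out[outsz - 1] = '\0';
    return decoded && s == RPC_STRING_EMPTY;
}
/* Constructed sample: ident "alice" obscured (^0x5b, padded) then a zero-length password. */
static const uint8_t SAMPLE_AUTH[] = { 0,0,0,5, 0x3a,0x37,0x32,0x38,0x3e, 0,0,0, 0,0,0,0 };
static char ident_out[16], pw_out[16];      /* decoded results for the sample */
/* Parses both fields; returns how many times the placeholder itself got decoded. */
static int parse_sample_auth(int guarded)
{
    size_t off = 0;
    int hits = auth_field(SAMPLE_AUTH, sizeof SAMPLE_AUTH, &off, guarded, ident_out, sizeof ident_out);
    return hits + auth_field(SAMPLE_AUTH, sizeof SAMPLE_AUTH, &off, guarded, pw_out, sizeof pw_out);
}
```

Run the guarded parse first: it yields "alice" and leaves the placeholder intact, while the unguarded parse of the same bytes garbles the placeholder that every later empty string would share.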

Written by xorl

May 29, 2009 at 23:37

Posted in bugs
