Vulnerabilities > CVE-2009-0601 - USE of Externally-Controlled Format String vulnerability in Wireshark
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
Format string vulnerability in Wireshark 0.99.8 through 1.0.5 on non-Windows platforms allows local users to cause a denial of service (application crash) via format string specifiers in the HOME environment variable. Per http://www.vupen.com/english/advisories/2009/0370: "Multiple vulnerabilities have been identified in Wireshark, which could be exploited by local or remote attackers to cause a denial of service or compromise a vulnerable system."
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 7 | |
| OS | 1 | |
| OS | 1 | |
| OS | 1 | |
| OS | 1 | |
| OS | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Format String Injection An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
- String Format Overflow in syslog() This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_F6F19735924549188A6087948EBB4907.NASL description Vendor reports : On non-Windows systems Wireshark could crash if the HOME environment variable contained sprintf-style string formatting characters. Wireshark could crash while reading a malformed NetScreen snoop file. Wireshark could crash while reading a Tektronix K12 text capture file. last seen 2020-06-01 modified 2020-06-02 plugin id 35990 published 2009-03-23 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/35990 title FreeBSD : wireshark -- multiple vulnerabilities (f6f19735-9245-4918-8a60-87948ebb4907) NASL family SuSE Local Security Checks NASL id SUSE_11_1_WIRESHARK-090218.NASL description wireshark: fixed crashes while reading capture files containing NetScreen data (CVE-2009-0599), Tektronix K12 capture files (CVE-2009-0600) and and a format string vulnerability (CVE-2009-0601). last seen 2020-06-01 modified 2020-06-02 plugin id 40322 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40322 title openSUSE Security Update : wireshark (wireshark-539) NASL family SuSE Local Security Checks NASL id SUSE_WIRESHARK-6007.NASL description wireshark: fixed crashes while reading capture files containing NetScreen data (CVE-2009-0599), Tektronix K12 capture files (CVE-2009-0600) and and a format string vulnerability (CVE-2009-0601). last seen 2020-06-01 modified 2020-06-02 plugin id 35729 published 2009-02-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/35729 title openSUSE 10 Security Update : wireshark (wireshark-6007) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-058.NASL description Buffer overflow in wiretap/netscreen.c in Wireshark 0.99.7 through 1.0.5 allows user-assisted remote attackers to cause a denial of service (application crash) via a malformed NetScreen snoop file. (CVE-2009-0599) Wireshark 0.99.6 through 1.0.5 allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted Tektronix K12 text capture file, as demonstrated by a file with exactly one frame. (CVE-2009-0600) Format string vulnerability in Wireshark 0.99.8 through 1.0.5 on non-Windows platforms allows local users to cause a denial of service (application crash) via format string specifiers in the HOME environment variable. (CVE-2009-0601) This update provides Wireshark 1.0.6, which is not vulnerable to these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 37419 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/37419 title Mandriva Linux Security Advisory : wireshark (MDVSA-2009:058) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200906-05.NASL description The remote host is affected by the vulnerability described in GLSA-200906-05 (Wireshark: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Wireshark: David Maciejak discovered a vulnerability in packet-usb.c in the USB dissector via a malformed USB Request Block (URB) (CVE-2008-4680). Florent Drouin and David Maciejak reported an unspecified vulnerability in the Bluetooth RFCOMM dissector (CVE-2008-4681). A malformed Tamos CommView capture file (aka .ncf file) with an last seen 2020-06-01 modified 2020-06-02 plugin id 39580 published 2009-07-01 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39580 title GLSA-200906-05 : Wireshark: Multiple vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_11_0_WIRESHARK-090218.NASL description wireshark: fixed crashes while reading capture files containing NetScreen data (CVE-2009-0599), Tektronix K12 capture files (CVE-2009-0600) and and a format string vulnerability (CVE-2009-0601). last seen 2020-06-01 modified 2020-06-02 plugin id 40153 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40153 title openSUSE Security Update : wireshark (wireshark-539)
Statements
| contributor | Tomas Hoger |
| lastmodified | 2009-02-17 |
| organization | Red Hat |
| statement | Red Hat does not consider this to be a security issue. For further details, see: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0601#c3 |
References
- http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00000.html
- http://secunia.com/advisories/34264
- http://wiki.rpath.com/Advisories:rPSA-2009-0040
- http://www.securityfocus.com/archive/1/501763/100/0/threaded
- http://www.securityfocus.com/bid/33690
- http://www.securitytracker.com/id?1021697
- http://www.vupen.com/english/advisories/2009/0370
- http://www.wireshark.org/security/wnpa-sec-2009-01.html
- https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3150
- https://issues.rpath.com/browse/RPL-2984