Vulnerabilities > CVE-2010-3133 - Unspecified vulnerability in Wireshark

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

wireshark

critical

nessus

exploit available

NVD

Published: 2010-08-26

Updated: 2017-09-19

Summary

Untrusted search path vulnerability in Wireshark 0.8.4 through 1.0.15 and 1.2.0 through 1.2.10 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse airpcap.dll, and possibly other DLLs, that is located in the same folder as a file that automatically launches Wireshark. Per: http://cwe.mitre.org/data/definitions/426.html CWE-426 - 'Untrusted Search Path Vulnerability'

Vulnerable Configurations

Part	Description	Count
Application	Wireshark Wireshark Wireshark 0.99.2 Wireshark Wireshark 0.99.3 Wireshark Wireshark 0.99.4 Wireshark Wireshark 0.99.5 Wireshark Wireshark 0.99.6 Wireshark Wireshark 0.99.7 Wireshark Wireshark 0.99.8 Wireshark Wireshark 1.0.0 Wireshark Wireshark 1.0.1 Wireshark Wireshark 1.0.2 Wireshark Wireshark 1.0.3 Wireshark Wireshark 1.0.4 Wireshark Wireshark 1.0.5 Wireshark Wireshark 1.0.6 Wireshark Wireshark 1.0.7 Wireshark Wireshark 1.0.8 Wireshark Wireshark 1.0.9 Wireshark Wireshark 1.0.10 Wireshark Wireshark 1.0.11 Wireshark Wireshark 1.0.12 Wireshark Wireshark 1.2.0 Wireshark Wireshark 1.2.1 Wireshark Wireshark 1.2.2 Wireshark Wireshark 1.2.3 Wireshark Wireshark 1.2.4 Wireshark Wireshark 1.2.5 Wireshark Wireshark 1.2.6 Wireshark Wireshark 1.2.7 Wireshark Wireshark 1.2.8 Wireshark Wireshark 1.2.9 Wireshark Wireshark 1.0.13 Wireshark Wireshark 1.0.14 Wireshark Wireshark 1.0.15 Wireshark Wireshark 1.0.16 Wireshark Wireshark 1.2.10	35

Exploit-Db

description	Wireshark <= 1.2.10 DLL Hijacking Exploit (airpcap.dll). CVE-2010-3133. Local exploit for windows platform
file	exploits/windows/local/14721.c
id	EDB-ID:14721
last seen	2016-02-01
modified	2010-08-24
platform	windows
port
published	2010-08-24
reporter	TheLeader
source	https://www.exploit-db.com/download/14721/
title	Wireshark <= 1.2.10 DLL Hijacking Exploit airpcap.dll
type	local

Nessus

NASL family	Windows
NASL id	WIRESHARK_1_2_11.NASL
description	The installed version of Wireshark or Ethereal is 1.2.0 - 1.2.10 or 0.8.4 - 1.0.15. Such versions are affected by the following vulnerability : - The application uses a fixed path to look for specific files or libraries, such as for
last seen	2020-06-01
modified	2020-06-02
plugin id	48943
published	2010-08-31
reporter	This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/48943
title	Wireshark / Ethereal < 1.2.11 / 1.0.16 Path Subversion Arbitrary DLL Injection Code Execution
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(48943); script_version("1.9"); script_cvs_date("Date: 2018/11/15 20:50:29"); script_cve_id("CVE-2010-3133"); script_bugtraq_id(42630); script_xref(name:"EDB-ID", value:"14721"); script_name(english:"Wireshark / Ethereal < 1.2.11 / 1.0.16 Path Subversion Arbitrary DLL Injection Code Execution"); script_summary(english:"Does a version check"); script_set_attribute(attribute:"synopsis",value: "The remote Windows host contains an application that allows arbitrary code execution." ); script_set_attribute(attribute:"description",value: "The installed version of Wireshark or Ethereal is 1.2.0 - 1.2.10 or 0.8.4 - 1.0.15. Such versions are affected by the following vulnerability : - The application uses a fixed path to look for specific files or libraries, such as for 'airpcap.dll', and this path includes directories that may not be trusted or under user control. If a malicious DLL with the same name as a required DLL is located in the application's current working directory, the malicious DLL will be loaded. (Bug 5133)" ); script_set_attribute( attribute:"see_also", value:"https://docs.microsoft.com/en-us/windows/desktop/Dlls/dynamic-link-library-security" ); script_set_attribute( attribute:"see_also", value:"http://www.acrossecurity.com/aspr/ASPR-2010-08-18-1-PUB.txt" ); script_set_attribute( attribute:"see_also", value:"https://blog.rapid7.com/?p=5325" ); script_set_attribute( attribute:"see_also", value:"https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5133" ); script_set_attribute( attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2010-09.html" ); script_set_attribute( attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2010-10.html" ); script_set_attribute( attribute:"solution", value:"Upgrade to Wireshark version 1.2.11 / 1.0.16 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2010/08/24"); script_set_attribute(attribute:"patch_publication_date", value:"2010/08/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/08/31"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:wireshark:wireshark"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc."); script_dependencies("wireshark_installed.nasl"); script_require_keys("SMB/Wireshark/Installed"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); # Check each install. installs = get_kb_list("SMB/Wireshark/"); if (isnull(installs)) exit(0, "The 'SMB/Wireshark/' KB items are missing."); info = ''; info2 = ''; foreach install(keys(installs)) { if ("/Installed" >< install) continue; version = install - "SMB/Wireshark/"; ver = split(version, sep:".", keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); if ( # 0.8.4 up to and including 1.0.15 (wnpa-sec-2010-09) (ver[0] == 0 && ((ver[1] == 8 && ver[2] >= 4) \|\| ver[1] >= 9 )) \|\| (ver[0] == 1 && ver[1] == 0 && ver[2] < 16) \|\| # 1.2.0 up to and including 1.2.10 (wnpa-sec-2010-10) (ver[0] == 1 && ver[1] == 2 && ver[2] < 11) ) info += '\n Path : ' + installs[install] + '\n Installed version : ' + version + '\n Fixed version : 1.2.11 / 1.0.16\n'; else info2 += 'Version '+ version + ', under '+ installs[install] + '. '; } # Report if any were found to be vulnerable if (info) { if (report_verbosity > 0) { if (max_index(split(info)) > 4) s = "s of Wireshark / Ethereal are"; else s = " of Wireshark / Ethereal is"; report = '\n' + 'The following vulnerable instance' + s + ' installed :\n' + '\n' + info; security_hole(port:get_kb_item("SMB/transport"), extra:report); } else security_hole(get_kb_item("SMB/transport")); exit(0); } if (info2) exit(0, "The following instance(s) of Wireshark / Ethereal are installed and are not vulnerable : "+info2);

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-201110-02.NASL
description	The remote host is affected by the vulnerability described in GLSA-201110-02 (Wireshark: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Wireshark. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could send specially crafted packets on a network being monitored by Wireshark, entice a user to open a malformed packet trace file using Wireshark, or deploy a specially crafted Lua script for use by Wireshark, possibly resulting in the execution of arbitrary code, or a Denial of Service condition. Workaround : There is no known workaround at this time.
last seen	2020-06-01
modified	2020-06-02
plugin id	56426
published	2011-10-10
reporter	This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/56426
title	GLSA-201110-02 : Wireshark: Multiple vulnerabilities
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 201110-02. # # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(56426); script_version("1.18"); script_cvs_date("Date: 2018/07/11 17:09:26"); script_cve_id("CVE-2010-2283", "CVE-2010-2284", "CVE-2010-2285", "CVE-2010-2286", "CVE-2010-2287", "CVE-2010-2992", "CVE-2010-2993", "CVE-2010-2994", "CVE-2010-2995", "CVE-2010-3133", "CVE-2010-3445", "CVE-2010-4300", "CVE-2010-4301", "CVE-2010-4538", "CVE-2011-0024", "CVE-2011-0444", "CVE-2011-0445", "CVE-2011-0538", "CVE-2011-0713", "CVE-2011-1138", "CVE-2011-1139", "CVE-2011-1140", "CVE-2011-1141", "CVE-2011-1142", "CVE-2011-1143", "CVE-2011-1590", "CVE-2011-1591", "CVE-2011-1592", "CVE-2011-1956", "CVE-2011-1957", "CVE-2011-1958", "CVE-2011-1959", "CVE-2011-2174", "CVE-2011-2175", "CVE-2011-2597", "CVE-2011-2698", "CVE-2011-3266", "CVE-2011-3360", "CVE-2011-3482", "CVE-2011-3483"); script_xref(name:"GLSA", value:"201110-02"); script_name(english:"GLSA-201110-02 : Wireshark: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-201110-02 (Wireshark: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Wireshark. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could send specially crafted packets on a network being monitored by Wireshark, entice a user to open a malformed packet trace file using Wireshark, or deploy a specially crafted Lua script for use by Wireshark, possibly resulting in the execution of arbitrary code, or a Denial of Service condition. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/201110-02" ); script_set_attribute( attribute:"solution", value: "All Wireshark users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-analyzer/wireshark-1.4.9'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Wireshark console.lua Pre-Loading Script Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'White_Phosphorus'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:wireshark"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2011/10/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/10"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"net-analyzer/wireshark", unaffected:make_list("ge 1.4.9"), vulnerable:make_list("lt 1.4.9"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Wireshark"); }

Oval

accepted

2013-08-19T04:00:06.415-04:00

class

vulnerability

contributors

name SecPod Team
organization SecPod Technologies
name Preeti Subramanian
organization SecPod Technologies
name Shane Shaffer
organization G2, Inc.
name Shane Shaffer
organization G2, Inc.
name Shane Shaffer
organization G2, Inc.
name Shane Shaffer
organization G2, Inc.

definition_extensions

comment	Wireshark is installed on the system.
oval	oval:org.mitre.oval:def:6589

description

family

windows

oval:org.mitre.oval:def:11498

status

accepted

submitted

2010-09-09T12:48:29

title

Untrusted search path vulnerability in Wireshark 0.8.4 through 1.0.15 and 1.2.0 through 1.2.10

version

Summary

Vulnerable Configurations

Exploit-Db

Nessus

Oval

References