CVE-2011-3360 - Unspecified vulnerability in Wireshark

CVSS 9.3 - CRITICAL
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, wireshark, critical, nessus, exploit available, metasploit

Summary

Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x before 1.6.2 allows local users to gain privileges via a Trojan horse Lua script in an unspecified directory. Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path'

Exploit-Db

description: Wireshark console.lua pre-loading vulnerability. CVE-2011-3360. Remote exploit for windows platform
id: EDB-ID:18125
last seen: 2016-02-02
modified: 2011-11-19
published: 2011-11-19
reporter: metasploit
source: https://www.exploit-db.com/download/18125/
title: Wireshark console.lua pre-loading Vulnerability

Metasploit

description: This module exploits a vulnerability in Wireshark 1.6 or less. When opening a pcap file, Wireshark will actually check if there's a 'console.lua' file in the same directory, and then parse/execute the script if found. Versions affected by this vulnerability: 1.6.0 to 1.6.1, 1.4.0 to 1.4.8
id: MSF:EXPLOIT/WINDOWS/MISC/WIRESHARK_LUA
last seen: 2020-06-04
modified: 2017-09-14
published: 2011-11-19
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/wireshark_lua.rb
title: Wireshark console.lua Pre-Loading Script Execution

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_3_WIRESHARK-111013.NASL
    description: This update of wireshark fixes the following vulnerabilities:
      - CVE-2011-3266: Wireshark IKE dissector vulnerability
      - CVE-2011-3360: Wireshark Lua script execution vulnerability
      - CVE-2011-3483: Wireshark buffer exception handling vulnerability
      - CVE-2011-2597: Lucent/Ascend file parser susceptible to infinite loop
      - CVE-2011-2698: ANSI MAP dissector susceptible to infinite loop
      - CVE-2011-1957: Large/infinite loop in the DICOM dissector
      - CVE-2011-1959: A corrupted snoop file could crash Wireshark
      - CVE-2011-2174: Malformed compressed capture data could crash Wireshark
      - CVE-2011-2175: A corrupted Visual Networks file could crash Wireshark
      - CVE-2011-1958: dereference a NULL pointer if we had a corrupted Diameter dictionary
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 75774
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/75774
    title: openSUSE Security Update : wireshark (openSUSE-SU-2011:1142-1)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_4_WIRESHARK-111013.NASL
    description: This update of wireshark fixes the following vulnerabilities:
      - CVE-2011-3266: Wireshark IKE dissector vulnerability
      - CVE-2011-3360: Wireshark Lua script execution vulnerability
      - CVE-2011-3483: Wireshark buffer exception handling vulnerability
      - CVE-2011-2597: Lucent/Ascend file parser susceptible to infinite loop
      - CVE-2011-2698: ANSI MAP dissector susceptible to infinite loop
      - CVE-2011-1957: Large/infinite loop in the DICOM dissector
      - CVE-2011-1959: A corrupted snoop file could crash Wireshark
      - CVE-2011-2174: Malformed compressed capture data could crash Wireshark
      - CVE-2011-2175: A corrupted Visual Networks file could crash Wireshark
      - CVE-2011-1958: dereference a NULL pointer if we had a corrupted Diameter dictionary
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 76045
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/76045
    title: openSUSE Security Update : wireshark (openSUSE-SU-2011:1142-1)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_WIRESHARK-7796.NASL
    description: This update of wireshark fixes the following vulnerabilities:
      - Wireshark IKE dissector vulnerability. (CVE-2011-3266)
      - Wireshark Lua script execution vulnerability. (CVE-2011-3360)
      - Wireshark buffer exception handling vulnerability. (CVE-2011-3483)
      - Lucent/Ascend file parser susceptible to infinite loop. (CVE-2011-2597)
      - ANSI MAP dissector susceptible to infinite loop. (CVE-2011-2698)
      - Large/infinite loop in the DICOM dissector. (CVE-2011-1957)
      - A corrupted snoop file could crash Wireshark. (CVE-2011-1959)
      - Malformed compressed capture data could crash Wireshark. (CVE-2011-2174)
      - A corrupted Visual Networks file could crash Wireshark. (CVE-2011-2175)
      - dereference a NULL pointer if we had a corrupted Diameter dictionary. (CVE-2011-1958)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 57263
    published: 2011-12-13
    reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/57263
    title: SuSE 10 Security Update : wireshark (ZYPP Patch Number 7796)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2324.NASL
    description: The Microsoft Vulnerability Research group discovered that insecure load path handling could lead to execution of arbitrary Lua script code.
    last seen: 2020-03-17
    modified: 2011-10-21
    plugin id: 56571
    published: 2011-10-21
    reporter: This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/56571
    title: Debian DSA-2324-1 : wireshark - programming error
  • NASL family: Solaris Local Security Checks
    NASL id: SOLARIS11_WIRESHARK_20111205.NASL
    description: The remote Solaris system is missing necessary patches to address security updates:
      - The proto_tree_add_item function in Wireshark 1.6.0 through 1.6.1 and 1.4.0 through 1.4.8, when the IKEv1 protocol dissector is used, allows user-assisted remote attackers to cause a denial of service (infinite loop) via vectors involving a malformed IKE packet and many items in a tree. (CVE-2011-3266)
      - Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x before 1.6.2 allows local users to gain privileges via a Trojan horse Lua script in an unspecified directory. (CVE-2011-3360)
      - The dissect_infiniband_common function in epan/dissectors/packet-infiniband.c in the Infiniband dissector in Wireshark 1.4.0 through 1.4.9 and 1.6.x before 1.6.3 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a malformed packet. (CVE-2011-4101)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 80800
    published: 2015-01-19
    reporter: This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/80800
    title: Oracle Solaris Third-Party Patch Update : wireshark (denial_of_service_vulnerability_in)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_WIRESHARK-111013.NASL
    description: This update of wireshark fixes the following vulnerabilities:
      - Wireshark IKE dissector vulnerability. (CVE-2011-3266)
      - Wireshark Lua script execution vulnerability. (CVE-2011-3360)
      - Wireshark buffer exception handling vulnerability. (CVE-2011-3483)
      - Lucent/Ascend file parser susceptible to infinite loop. (CVE-2011-2597)
      - ANSI MAP dissector susceptible to infinite loop. (CVE-2011-2698)
      - Large/infinite loop in the DICOM dissector. (CVE-2011-1957)
      - A corrupted snoop file could crash Wireshark. (CVE-2011-1959)
      - Malformed compressed capture data could crash Wireshark. (CVE-2011-2174)
      - A corrupted Visual Networks file could crash Wireshark. (CVE-2011-2175)
      - dereference a NULL pointer if we had a corrupted Diameter dictionary. (CVE-2011-1958)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 57136
    published: 2011-12-13
    reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/57136
    title: SuSE 11.1 Security Update : wireshark (SAT Patch Number 5281)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201110-02.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201110-02 (Wireshark: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in Wireshark. Please review the CVE identifiers referenced below for details. Impact: A remote attacker could send specially crafted packets on a network being monitored by Wireshark, entice a user to open a malformed packet trace file using Wireshark, or deploy a specially crafted Lua script for use by Wireshark, possibly resulting in the execution of arbitrary code, or a Denial of Service condition. Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 56426
    published: 2011-10-10
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/56426
    title: GLSA-201110-02 : Wireshark: Multiple vulnerabilities
  • NASL family: Windows
    NASL id: WIRESHARK_1_4_9.NASL
    description: The installed version of Wireshark is 1.4.x before 1.4.9. This version is affected by the following vulnerabilities:
      - An error exists in IKE dissector that can allow denial of service attacks when processing certain malformed packets. (CVE-2011-3266)
      - A buffer exception handling vulnerability exists that can allow denial of service attacks when processing certain malformed packets. (Issue #6135)
      - It may be possible to make Wireshark execute Lua scripts using a method similar to DLL hijacking. (Issue #6136)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 56163
    published: 2011-09-12
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/56163
    title: Wireshark 1.4.x < 1.4.9 Multiple Vulnerabilities
  • NASL family: Windows
    NASL id: WIRESHARK_1_6_2.NASL
    description: The installed version of Wireshark is 1.6.x before 1.6.2. This version is affected by the following vulnerabilities:
      - An error exists in IKE dissector that can allow denial of service attacks when processing certain malformed packets. (CVE-2011-3266)
      - A buffer exception handling vulnerability exists that can allow denial of service attacks when processing certain malformed packets. (Issue #6135)
      - It may be possible to make Wireshark execute Lua scripts using a method similar to DLL hijacking. (Issue #6136)
      - An error exists in OpenSafety dissector that can allow denial of service attacks when processing certain malformed packets. (Issue #6138)
      - An error exists in CSN.1 dissector that can allow denial of service attacks when processing certain malformed packets. (Issue #6139)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 56164
    published: 2011-09-12
    reporter: This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/56164
    title: Wireshark 1.6.x < 1.6.2 Multiple Vulnerabilities
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2011-138.NASL
    description: This advisory updates wireshark to the latest version (1.6.2), fixing several security issues:
      - The proto_tree_add_item function in Wireshark 1.6.1, when the IKEv1 protocol dissector is used, allows user-assisted remote attackers to cause a denial of service (infinite loop) via vectors involving a malformed IKE packet and many items in a tree (CVE-2011-3266).
      - Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x before 1.6.2 allows local users to gain privileges via a Trojan horse Lua script in an unspecified directory (CVE-2011-3360).
      - The csnStreamDissector function in epan/dissectors/packet-csn1.c in the CSN.1 dissector in Wireshark 1.6.x before 1.6.2 does not initialize a certain structure member, which allows remote attackers to cause a denial of service (application crash) via a malformed packet (CVE-2011-3482).
      - Wireshark 1.6.x before 1.6.2 allows remote attackers to cause a denial of service (application crash) via a malformed capture file that leads to an invalid root tvbuff, related to a buffer exception handling vulnerability (CVE-2011-3483).
      - The unxorFrame function in epan/dissectors/packet-opensafety.c in the OpenSafety dissector in Wireshark 1.6.x before 1.6.2 does not properly validate a certain frame size, which allows remote attackers to cause a denial of service (loop and application crash) via a malformed packet (CVE-2011-3484).
      The updated packages have been upgraded to the latest 1.6.x version (1.6.2) which is not vulnerable to these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 61928
    published: 2012-09-06
    reporter: This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/61928
    title: Mandriva Linux Security Advisory : wireshark (MDVSA-2011:138)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_WIRESHARK-7795.NASL
    description: This update of wireshark fixes the following vulnerabilities:
      - Wireshark IKE dissector vulnerability. (CVE-2011-3266)
      - Wireshark Lua script execution vulnerability. (CVE-2011-3360)
      - Wireshark buffer exception handling vulnerability. (CVE-2011-3483)
      - Lucent/Ascend file parser susceptible to infinite loop. (CVE-2011-2597)
      - ANSI MAP dissector susceptible to infinite loop. (CVE-2011-2698)
      - Large/infinite loop in the DICOM dissector. (CVE-2011-1957)
      - A corrupted snoop file could crash Wireshark. (CVE-2011-1959)
      - Malformed compressed capture data could crash Wireshark. (CVE-2011-2174)
      - A corrupted Visual Networks file could crash Wireshark. (CVE-2011-2175)
      - dereference a NULL pointer if we had a corrupted Diameter dictionary. (CVE-2011-1958)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 56617
    published: 2011-10-24
    reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/56617
    title: SuSE 10 Security Update : wireshark (ZYPP Patch Number 7795)

Oval

accepted: 2013-08-19T04:00:56.291-04:00
class: vulnerability
contributors:
  • name: Shane Shaffer
    organization: G2, Inc.
definition_extensions:
  • comment: Wireshark is installed on the system.
    oval: oval:org.mitre.oval:def:6589
description: Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x before 1.6.2 allows local users to gain privileges via a Trojan horse Lua script in an unspecified directory.
family: windows
id: oval:org.mitre.oval:def:15059
status: accepted
submitted: 2012-02-27T15:34:33.178-04:00
title: Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x before 1.6.2
version: 8

Packetstorm

data source: https://packetstormsecurity.com/files/download/107159/wireshark_lua.rb.txt
id: PACKETSTORM:107159
last seen: 2016-12-05
published: 2011-11-20
reporter: sinn3r
source: https://packetstormsecurity.com/files/107159/Wireshark-1.6-console.lua-Pre-Load-Execution.html
title: Wireshark 1.6 console.lua Pre-Load / Execution

Saint

bid: 49528
description: Wireshark Lua Untrusted Search Path vulnerability
osvdb: 75347
title: wireshark_lua_search_path
type: client