Vulnerabilities > CVE-2016-6513 - Resource Management Errors vulnerability in Wireshark

047910
CVSS 5.9 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
high complexity
wireshark
CWE-399
nessus

Summary

epan/dissectors/packet-wbxml.c in the WBXML dissector in Wireshark 2.x before 2.0.5 does not restrict the recursion depth, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyWindows
    NASL idWIRESHARK_2_0_5.NASL
    descriptionThe version of Wireshark installed on the remote Windows host is 2.0.x prior to 2.0.5. It is, therefore, affected by multiple denial of service vulnerabilities : - A denial of service vulnerability exists in the CORBA IDL dissector due to improper handling of packets. An unauthenticated, remote attacker can exploit this, via a specially crafted packet or packet trace file, to cause an application crash. Note that this vulnerability only affects 64-bit versions of Windows. (CVE-2016-6503) - A denial of service vulnerability exists due to a divide-by-zero flaw in the dissect_pbb_tlvblock() function in packet-packetbb.c. An unauthenticated, remote attacker can exploit this, via a specially crafted packet or packet trace file, to cause an application crash. (CVE-2016-6505) - A flaw exists in the add_headers() function in packet_wsp.c that is triggered when an offset of zero is returned by the wkh_content_disposition() function. An unauthenticated, remote attacker can exploit this, via a specially crafted packet or packet trace file, to cause an infinite loop, resulting in a denial of service condition. (CVE-2016-6506) - A denial of service vulnerability exists due to an incorrect integer data type used in the rlc_decode_li() function in packet-rlc.c. An unauthenticated, remote attacker can exploit this, via a specially crafted packet or packet trace file, to cause a long loop and excessive CPU resource consumption, resulting in a denial of service condition. (CVE-2016-6508) - A denial of service vulnerability exists in the dissect_ldss_transfer() function in packet-ldss.c that is triggered when recreating a conversation that already exists. An unauthenticated, remote attacker can exploit this, via a specially crafted packet or packet trace file, to cause an application crash. (CVE-2016-6509) - An overflow condition exists in the rlc_decode_li() function in packet-rlc.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted packet or packet trace file, to cause a stack-based buffer overflow, resulting in a denial of service condition. (CVE-2016-6510) - A denial of service vulnerability exists in the proto_tree_add_text_valist_internal() function in proto.c due to improper handling of packets. An unauthenticated, remote attacker can exploit this, via a specially crafted packet or packet trace file, to cause a long loop and excessive CPU resource consumption. (CVE-2016-6511) - Multiple flaws exist in the MMSE, WAP, WBXML, and WSP dissectors due to improper handling of packets. An unauthenticated, remote attacker can exploit these issues, via a specially crafted packet or packet trace file, to cause an infinite loop, resulting in a denial of service condition. (CVE-2016-6512) - A denial of service vulnerability exists in the parse_wbxml_tag_defined() function in packet-wbxml.c due to improper handling of packets. An unauthenticated, remote attacker can exploit this, via a specially crafted packet or packet trace file, to cause an application crash. (CVE-2016-6513) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id92817
    published2016-08-09
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92817
    titleWireshark 2.0.x < 2.0.5 Multiple DoS
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(92817);
      script_version("1.5");
      script_cvs_date("Date: 2019/11/14");
    
      script_cve_id(
        "CVE-2016-6503",
        "CVE-2016-6505",
        "CVE-2016-6506",
        "CVE-2016-6508",
        "CVE-2016-6509",
        "CVE-2016-6510",
        "CVE-2016-6511",
        "CVE-2016-6512",
        "CVE-2016-6513"
      );
      script_bugtraq_id(
        92162,
        92163,
        92165,
        92166,
        92168,
        92169,
        92172,
        92173,
        92174
      );
      script_xref(name:"EDB-ID", value:"40195");
      script_xref(name:"EDB-ID", value:"40196");
      script_xref(name:"EDB-ID", value:"40197");
      script_xref(name:"EDB-ID", value:"40198");
      script_xref(name:"EDB-ID", value:"40199");
    
      script_name(english:"Wireshark 2.0.x < 2.0.5 Multiple DoS");
      script_summary(english:"Checks the version of Wireshark.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host has an application installed that is affected
    by multiple denial of service vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Wireshark installed on the remote Windows host is 2.0.x
    prior to 2.0.5. It is, therefore, affected by multiple denial of
    service vulnerabilities :
    
      - A denial of service vulnerability exists in the CORBA
        IDL dissector due to improper handling of packets. An
        unauthenticated, remote attacker can exploit this, via a
        specially crafted packet or packet trace file, to cause
        an application crash. Note that this vulnerability only
        affects 64-bit versions of Windows. (CVE-2016-6503)
    
      - A denial of service vulnerability exists due to a
        divide-by-zero flaw in the dissect_pbb_tlvblock()
        function in packet-packetbb.c. An unauthenticated,
        remote attacker can exploit this, via a specially
        crafted packet or packet trace file, to cause an
        application crash. (CVE-2016-6505)
    
      - A flaw exists in the add_headers() function in
        packet_wsp.c that is triggered when an offset of zero is
        returned by the wkh_content_disposition() function. An
        unauthenticated, remote attacker can exploit this, via a 
        specially crafted packet or packet trace file, to cause
        an infinite loop, resulting in a denial of service
        condition. (CVE-2016-6506)
    
      - A denial of service vulnerability exists due to an
        incorrect integer data type used in the rlc_decode_li()
        function in packet-rlc.c. An unauthenticated, remote
        attacker can exploit this, via a specially crafted
        packet or packet trace file, to cause a long loop and
        excessive CPU resource consumption, resulting in a
        denial of service condition. (CVE-2016-6508)
    
      - A denial of service vulnerability exists in the
        dissect_ldss_transfer() function in packet-ldss.c that
        is triggered when recreating a conversation that already
        exists. An unauthenticated, remote attacker can exploit
        this, via a specially crafted packet or packet trace
        file, to cause an application crash. (CVE-2016-6509)
    
      - An overflow condition exists in the rlc_decode_li()
        function in packet-rlc.c due to improper validation of
        user-supplied input. An unauthenticated, remote attacker
        can exploit this, via a specially crafted packet or
        packet trace file, to cause a stack-based buffer
        overflow, resulting in a denial of service condition.
        (CVE-2016-6510)
    
      - A denial of service vulnerability exists in the
        proto_tree_add_text_valist_internal() function in
        proto.c due to improper handling of packets. An
        unauthenticated, remote attacker can exploit this, via a
        specially crafted packet or packet trace file, to cause
        a long loop and excessive CPU resource consumption.
        (CVE-2016-6511)
    
      - Multiple flaws exist in the MMSE, WAP, WBXML, and WSP
        dissectors due to improper handling of packets. An
        unauthenticated, remote attacker can exploit these
        issues, via a specially crafted packet or packet trace
        file, to cause an infinite loop, resulting in a denial
        of service condition. (CVE-2016-6512)
    
      - A denial of service vulnerability exists in the
        parse_wbxml_tag_defined() function in packet-wbxml.c due
        to improper handling of packets. An unauthenticated,
        remote attacker can exploit this, via a specially
        crafted packet or packet trace file, to cause an
        application crash. (CVE-2016-6513)
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2016-39.html");
      script_set_attribute(attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2016-41.html");
      script_set_attribute(attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2016-42.html");
      script_set_attribute(attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2016-44.html");
      script_set_attribute(attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2016-45.html");
      script_set_attribute(attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2016-46.html");
      script_set_attribute(attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2016-47.html");
      script_set_attribute(attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2016-48.html");
      script_set_attribute(attribute:"see_also", value:"https://www.wireshark.org/security/wnpa-sec-2016-49.html");
      script_set_attribute(attribute:"see_also", value:"https://www.wireshark.org/docs/relnotes/wireshark-2.0.5.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Wireshark version 2.0.5 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-6513");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/07/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/09");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:wireshark:wireshark");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("wireshark_installed.nasl");
      script_require_keys("installed_sw/Wireshark");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("install_func.inc");
    
    app_name = "Wireshark";
    install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);
    version = install['version'];
    path    = install['path'];
    fix = '2.0.5';
    
    if(version !~ "^2\.0\.")
      exit(0, "The remote installation of Wireshark is not 2.0.x.");
    
    # Affected :
    #  2.0.x < 2.0.5
    if (version !~ "^2\.0\.[0-4]($|[^0-9])")
      audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path);
    
    port = get_kb_item("SMB/transport");
    if (!port) port = 445;
    
    report =
      '\n  Path              : ' + path +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : ' + fix +
      '\n';
    
    security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_610101EA5B6A11E6B334002590263BF5.NASL
    descriptionWireshark development team reports : The following vulnerabilities have been fixed : - wnpa-sec-2016-41 PacketBB crash. (Bug 12577) - wnpa-sec-2016-42 WSP infinite loop. (Bug 12594) - wnpa-sec-2016-44 RLC long loop. (Bug 12660) - wnpa-sec-2016-45 LDSS dissector crash. (Bug 12662) - wnpa-sec-2016-46 RLC dissector crash. (Bug 12664) - wnpa-sec-2016-47 OpenFlow long loop. (Bug 12659) - wnpa-sec-2016-48 MMSE, WAP, WBXML, and WSP infinite loop. (Bug 12661) - wnpa-sec-2016-49 WBXML crash. (Bug 12663)
    last seen2020-06-01
    modified2020-06-02
    plugin id92771
    published2016-08-08
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92771
    titleFreeBSD : wireshark -- multiple vulnerabilities (610101ea-5b6a-11e6-b334-002590263bf5)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(92771);
      script_version("2.6");
      script_cvs_date("Date: 2019/04/11 17:23:06");
    
      script_cve_id("CVE-2016-6505", "CVE-2016-6506", "CVE-2016-6508", "CVE-2016-6509", "CVE-2016-6510", "CVE-2016-6511", "CVE-2016-6512", "CVE-2016-6513");
    
      script_name(english:"FreeBSD : wireshark -- multiple vulnerabilities (610101ea-5b6a-11e6-b334-002590263bf5)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Wireshark development team reports :
    
    The following vulnerabilities have been fixed :
    
    - wnpa-sec-2016-41
    
    PacketBB crash. (Bug 12577)
    
    - wnpa-sec-2016-42
    
    WSP infinite loop. (Bug 12594)
    
    - wnpa-sec-2016-44
    
    RLC long loop. (Bug 12660)
    
    - wnpa-sec-2016-45
    
    LDSS dissector crash. (Bug 12662)
    
    - wnpa-sec-2016-46
    
    RLC dissector crash. (Bug 12664)
    
    - wnpa-sec-2016-47
    
    OpenFlow long loop. (Bug 12659)
    
    - wnpa-sec-2016-48
    
    MMSE, WAP, WBXML, and WSP infinite loop. (Bug 12661)
    
    - wnpa-sec-2016-49
    
    WBXML crash. (Bug 12663)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.wireshark.org/docs/relnotes/wireshark-2.0.5.html"
      );
      # http://www.openwall.com/lists/oss-security/2016/08/01/4
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.openwall.com/lists/oss-security/2016/08/01/4"
      );
      # https://vuxml.freebsd.org/freebsd/610101ea-5b6a-11e6-b334-002590263bf5.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?97d02d88"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:tshark");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:tshark-lite");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:wireshark");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:wireshark-lite");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:wireshark-qt5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/08/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/08");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"wireshark<2.0.5")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"wireshark-lite<2.0.5")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"wireshark-qt5<2.0.5")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"tshark<2.0.5")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"tshark-lite<2.0.5")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");