The LWRES dissector in Wireshark version 0.9.15 through 1.0.10 and 1.2.0 through
1.2.5 allows remote attackers to execute arbitrary code due to a stack-based buffer
overflow. This bug found and reported by babi.
This particular exploit targets the dissect_getaddrsbyname_request function. Several
other functions also contain potentially exploitable stack-based buffer overflows.
The Windows version (of 1.2.5 at least) is compiled with /GS, which prevents
exploitation via the return address on the stack. Sending a larger string allows
exploitation using the SEH bypass method. However, this packet will usually get
fragmented, which may cause additional complications.
NOTE: The vulnerable code is reached only when the packet dissection is rendered.
If the packet is fragmented, all fragments must be captured and reassembled to
exploit this issue.
- jduck <email@example.com>