CVE-2011-1591
Published: 2011-04-29
Priority P262 · critical · CVSS 2.0 score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 41.74% (98.5th percentile)
Stack-based buffer overflow in the DECT dissector in epan/dissectors/packet-dect.c in Wireshark 1.4.x before 1.4.5 allows remote attackers to execute arbitrary code via a crafted .pcap file.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wireshark | < wireshark 1.4.5-1 (bookworm) | wireshark 1.4.5-1 (bookworm) |
| wireshark | wireshark | >= 0 < 1.4.5-1 | 1.4.5-1 |
Detection & IOCs (extracted from sources)
Byte indicators:
- Ethernet type 0x2323 (DECT trigger frame)
- pcap global header magic \xd4\xc3\xb2\xa1 with data link type \x01\x00\x00\x00
- DECT Ethernet frame ptype trigger bytes: \xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x23\x23
- linux/x86/shell_reverse_tcp shellcode connecting to 127.0.0.1:4444 (port 0x115c)
Detection notes:
- Detect crafted pcap files or live packets with Ethernet type 0x2323 (DECT dissector trigger); this ethertype is not legitimately used and is the specific trigger for the vulnerable DECT dissector code path in Wireshark.
- Detect the 14-byte DECT frame preamble pattern \xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x23\x23 at the start of a packet payload in pcap files or on the wire.
- The exploit uses a SEH-based stack overflow with offset 1239 bytes of padding followed by a short JMP (\xeb\x06\x90\x90) and a PPR address; look for oversized frames (>1239 bytes) with Ethernet type 0x2323.
- The Metasploit module uses a fixed offset of 1243 bytes to reach the saved return address; pcap files with a single packet of ~1540 bytes and Ethernet type 0x2323 should be treated as suspicious.
- The remote exploit variant sends the malicious packet to the broadcast address (dst ff:ff:ff:ff:ff:ff) with Ethernet type 0x2323, enabling network-level detection via IDS rules matching that combination.
- The vulnerability is in the DECT dissector; Wireshark versions 1.4.1 through 1.4.4 are affected. Presence of these versions parsing network traffic or pcap files is a risk indicator.
- The local file-format exploit (17185/17186) requires DEP to be disabled for the non-ROP version; the Metasploit module includes a ROP chain for generic DEP & ASLR bypass on 32-bit Windows, so DEP alone is not a reliable mitigation.
- The ROP pivot address 0x667c484d is sourced from libgnutls (a non-ASLR module in the affected Wireshark installation); the gadget addresses from libpangoft2, libgio, freetype6, libglib, libatk, libgdk, libgtk, and libfontconfig DLLs are hardcoded and version-specific.
- The remote exploit module (17195) supports a LOOP mode that repeatedly sends the malicious packet at a configurable interval, meaning a single attacker host can sustain the attack until a session is created.
- Known bad characters that must be avoided in the payload are \x00, \x0a, \x0d, and \x09; detection signatures should account for these constraints when building byte-pattern rules.
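To turn the indicators above into a file-level check, here is an added Python example (not from this page or from any of the cited sources) that walks a classic little-endian pcap, flags frames carrying ethertype 0x2323, and marks those that are oversized or addressed to the Ethernet broadcast address; the pcap container and sample frames are constructed inline.

```python
import struct

# Constructed constants (see the indicators above): little-endian pcap magic,
# Ethernet link type 1, the DECT trigger ethertype and the padding length
# reported for the SEH exploit.
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"
DECT_ETHERTYPE = 0x2323
SUSPICIOUS_FRAME_LEN = 1239

def parse_pcap(data):
    """Yield (ts_sec, frame_bytes) for each record of a little-endian pcap."""
    if data[:4] != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian pcap file")
    linktype = struct.unpack_from("<I", data, 20)[0]
    if linktype != 1:
        raise ValueError("only Ethernet (DLT 1) captures are handled here")
    off = 24  # end of the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # truncated record: stop rather than misparse
        off += incl_len
        yield ts_sec, frame

def find_dect_triggers(data):
    """Return one finding per frame whose ethertype is 0x2323."""
    findings = []
    for idx, (_, frame) in enumerate(parse_pcap(data)):
        if len(frame) < 14:
            continue  # shorter than an Ethernet header
        dst = frame[:6]
        ethertype = struct.unpack_from("!H", frame, 12)[0]
        if ethertype != DECT_ETHERTYPE:
            continue
        findings.append({
            "index": idx,
            "length": len(frame),
            "broadcast": dst == b"\xff" * 6,
            "oversized": len(frame) > SUSPICIOUS_FRAME_LEN,
        })
    return findings

def build_pcap(frames):
    """Constructed helper: wrap raw Ethernet frames in a pcap container."""
    hdr = PCAP_MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return hdr + body
```

A finding with both `oversized` and `broadcast` set matches the combination the remote exploit variant produces; a bare 0x2323 frame of any size still deserves a look, since the ethertype has no legitimate use.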
CVSS provenance
- nvd: v2.0 9.3 CRITICAL (AV:N/AC:M/Au:N/C:C/I:C/A:C)
- osv: 9.3 CRITICAL
- vendor_debian: 9.3 CRITICAL
- vendor_redhat: 9.3 CRITICAL
Red Hat
Wireshark: Heap-based buffer overflow in DECT dissector
vendor_redhat · 2011-04-15 · CVSS 9.3 · CRITICAL · CWE-122
Stack-based buffer overflow in the DECT dissector in epan/dissectors/packet-dect.c in Wireshark 1.4.x before 1.4.5 allows remote attackers to execute arbitrary code via a crafted .pcap file.
Statement: Not vulnerable. This issue did not affect the versions of wireshark as shipped with Red Hat Enterprise Linux 4, 5, or 6.
Debian
CVE-2011-1591: wireshark - Stack-based buffer overflow in the DECT dissector in epan/dissectors/packet-dect...
vendor_debian · 2011 · CVSS 9.3 · CRITICAL
Stack-based buffer overflow in the DECT dissector in epan/dissectors/packet-dect.c in Wireshark 1.4.x before 1.4.5 allows remote attackers to execute arbitrary code via a crafted .pcap file.
Scope: local
- bookworm: resolved (fixed in 1.4.5-1)
- bullseye: resolved (fixed in 1.4.5-1)
- forky: resolved (fixed in 1.4.5-1)
- sid: resolved (fixed in 1.4.5-1)
- trixie: resolved (fixed in 1.4.5-1)
GHSA
GHSA-8qjg-52x8-f83x: Stack-based buffer overflow in the DECT dissector in epan/dissectors/packet-dect
ghsa_unreviewed · 2022-05-17 · HIGH · CWE-119
Stack-based buffer overflow in the DECT dissector in epan/dissectors/packet-dect.c in Wireshark 1.4.x before 1.4.5 allows remote attackers to execute arbitrary code via a crafted .pcap file.
OSV
CVE-2011-1591: Stack-based buffer overflow in the DECT dissector in epan/dissectors/packet-dect
osv · 2011-04-29 · CVSS 9.3 · CRITICAL
Stack-based buffer overflow in the DECT dissector in epan/dissectors/packet-dect.c in Wireshark 1.4.x before 1.4.5 allows remote attackers to execute arbitrary code via a crafted .pcap file.
No detection rules found.
Exploit-DB
Wireshark 1.4.4 - DECT Dissector Remote Buffer Overflow
exploitdb · 2011-11-22
---
#!/usr/bin/env python
# -*- coding: iso-8859-15 -*-
a = """
\n\t-- CVE: 2011-1591 : Wireshark = 2.5
# For any comments, remarks, news, please mail me : ipv _at_ [team] . net
###########################################################################\n"""
import sys, struct
if sys.version_info >= (2, 5):
from scapy.all import *
else:
from scapy import *
# align
def _x(v):
return struct.pack("= 0 :\n"
print " ID TARGET INFO"
print "--------------------------------------------------------------------"
for i in addr_os.iteritems():
print " %2d -- %s "%(i[0], i[1][0]),
if i[1][1] == -1:
print "Default package uses LibSSP & Fortify Source"
elif i[1][1] == -2:
print "Compiled/Build with Fortify Source"
elif i[1][1] == -3:
print "DE
Exploit-DB
Wireshark 1.4.4 - 'packet-dect.c' Local Stack Buffer Overflow (Metasploit) (1)
exploitdb · 2011-04-19
---
##
# $Id: wireshark_packet_dect.rb 12364 2011-04-19 07:53:58Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Wireshark %q{
This module exploits a stack buffer overflow in Wireshark MSF_LICENSE,
'Author' =>
[
'sickness', #found the vulnerabilitiy
'corelanc0d3r' #rop exploit + msf module
],
'Version' => '$Revision: 12364 $',
'References' =>
[
[ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838' ],
[ 'URL', 'https://bugs.wireshark.org/bu
Exploit-DB
Wireshark 1.4.4 - 'packet-dect.c' Remote Stack Buffer Overflow (Metasploit) (2)
exploitdb · 2011-04-19
---
##
# $Id: wireshark_packet_dect.rb 12371 2011-04-19 16:41:58Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Wireshark %q{
This module exploits a stack buffer overflow in Wireshark MSF_LICENSE,
'Author' =>
[
'Paul Makowski', #Initial discovery
'sickness', #proof of concept
'corelanc0d3r', #rop exploit + msf module
],
'Version' => '$Revision: 12371 $',
'References' =>
[
[ 'CVE', '2011-1591'],
[ 'OSVDB', '71848'],
[ 'URL', 'https://bugs.wireshark.org
Exploit-DB
Wireshark 1.4.1 < 1.4.4 - Local Overflow (SEH)
exploitdb · 2011-04-18
---
#!/usr/bin/env python
# Vulnerable app: Wireshark 1.4.1-1.4.4
# Author: sickness
# Download :
# OS: Tested it on Windows XP SP2 and SP3 but it should work on every Windows with DEP off (still working on a ROP exploit)
# DATE : 17.04.2011
# Fixed in latest version 1.4.5
# DO NOT FORGET TO FEEL THE PWNSAUCE WITH: http://redmine.corelan.be:8800/projects/pvefindaddr
###################################################################
# Offset might change!
# Watch out for other bad chars!!
# Current bad chars: \x00\x0a\x0d\x09
###################################################################
# References:
# https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836
# https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838
###################
Metasploit
Wireshark packet-dect.c Stack Buffer Overflow (local)
metasploit
This module exploits a stack buffer overflow in Wireshark <= 1.4.4. When opening a malicious .pcap file in Wireshark, a stack buffer overflow occurs, resulting in arbitrary code execution. Note: To exploit the vulnerability remotely with Scapy: sendp(rdpcap("file")).
Metasploit
Wireshark packet-dect.c Stack Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Wireshark <= 1.4.4 by sending a malicious packet.
Bugzilla
CVE-2011-1591 Wireshark: Heap-based buffer overflow in DECT dissector
bugzilla · 2011-04-19 · CVSS 9.3 · CRITICAL
A heap-based buffer overflow was found in the DECT dissector of wireshark versions 1.4.0 to 1.4.4. A remote attacker could use this flaw to cause the wireshark executable to crash or, potentially, execute arbitrary code with the privileges of the user running wireshark.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836
Upstream acknowledges Paul Makowski of SEI/CERT as the original reporter of the issue.
Discussion:
Created wireshark tracking bugs for this issue
Affects: fedora-all [bug 697747]
---
This issue was addressed in Fedora 14 and Fedora 15 via:
https://admin.fedoraproject.org/updates/wireshark-1.4.6-1.fc14
https://admin.fedoraproject.org/updat
Bugzilla
CVE-2011-1590 CVE-2011-1591 wireshark various flaws [fedora-all]
bugzilla · 2011-04-19 · CVSS 4.3 · MEDIUM
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.
For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=697741
Please note: this issue affects multiple supported
References
- http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058900.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058983.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058993.html
- http://openwall.com/lists/oss-security/2011/04/18/2
- http://openwall.com/lists/oss-security/2011/04/18/8
- http://secunia.com/advisories/44172
- http://secunia.com/advisories/44374
- http://securitytracker.com/id?1025389
- http://www.exploit-db.com/exploits/17185
- http://www.exploit-db.com/exploits/17195
- http://www.kb.cert.org/vuls/id/243670
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:083
- http://www.osvdb.org/71848
- http://www.vupen.com/english/advisories/2011/1022
- http://www.vupen.com/english/advisories/2011/1106
- http://www.wireshark.org/security/wnpa-sec-2011-06.html
- https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5836
- https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5838
- https://exchange.xforce.ibmcloud.com/vulnerabilities/66834
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15000