CVE-2011-3360
published 2011-09-20

Priority: P356 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 35.53% (98.3th percentile)

Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x before 1.6.2 allows local users to gain privileges via a Trojan horse Lua script in an unspecified directory.

Affected

16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wireshark | < wireshark 1.6.2-1 (bookworm) | wireshark 1.6.2-1 (bookworm) |
| wireshark | wireshark | | |
| wireshark | wireshark | | |
| wireshark | wireshark | | |
| wireshark | wireshark | | |
| wireshark | wireshark | | |
| wireshark | wireshark | | |
| wireshark | wireshark | | |
| wireshark | wireshark | | |
| wireshark | wireshark | | |
| wireshark | wireshark | | |
| wireshark | wireshark | | |
| wireshark | wireshark | >= 0 < 1.6.2-1 | 1.6.2-1 |
| wireshark | wireshark | >= 0 < 1.6.2-1 | 1.6.2-1 |
| wireshark | wireshark | >= 0 < 1.6.2-1 | 1.6.2-1 |
| wireshark | wireshark | >= 0 < 1.6.2-1 | 1.6.2-1 |

Detection & IOCs (extracted from sources)

filename: console.lua
  • Detect Wireshark loading a 'console.lua' file from the same directory as a pcap file being opened — this is the trigger mechanism for the exploit.
  • Monitor HTTP WebDAV PROPFIND requests serving both a .lua file and a .pcap file from the same path, which is the delivery pattern used by the Metasploit module.
  • Flag Wireshark versions 1.6.0–1.6.1 and 1.4.0–1.4.8 as vulnerable; upgrade to 1.4.9 or 1.6.2 to remediate.
  • The exploit uses a WebDAV server on port 80 to serve both the malicious console.lua payload and a decoy pcap file; the port is marked 'do not change' in the module, indicating it is hardcoded.
  • On fully patched XP SP3, the plain IP URI format fails (Windows tries SMB); the attacker must specify a URI including the share name (e.g. http://192.168.1.11/files) instead of the root.
  • Red Hat Enterprise Linux 4, 5, and 6 are not affected because the shipped Wireshark versions either lack Lua support or are built without it.

CVSS provenance

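| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | | 9.3 | CRITICAL | |
| vendor_debian | | 9.3 | LOW | |
| vendor_redhat | | 9.3 | CRITICAL | |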