CVE-2011-3360
published 2011-09-20
CVE-2011-3360: Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x before 1.6.2 allows local users to gain privileges via a Trojan horse Lua script…
Priority P356 · critical · 9.3 · CVSS 2.0
AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS 35.53% · 98.3th percentile
Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x before 1.6.2 allows local users to gain privileges via a Trojan horse Lua script in an unspecified directory.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wireshark | < wireshark 1.6.2-1 (bookworm) | wireshark 1.6.2-1 (bookworm) |
| wireshark | wireshark | — | — |
| wireshark | wireshark | — | — |
| wireshark | wireshark | — | — |
| wireshark | wireshark | — | — |
| wireshark | wireshark | — | — |
| wireshark | wireshark | — | — |
| wireshark | wireshark | — | — |
| wireshark | wireshark | — | — |
| wireshark | wireshark | — | — |
| wireshark | wireshark | — | — |
| wireshark | wireshark | — | — |
| wireshark | wireshark | >= 0 < 1.6.2-1 | 1.6.2-1 |
| wireshark | wireshark | >= 0 < 1.6.2-1 | 1.6.2-1 |
| wireshark | wireshark | >= 0 < 1.6.2-1 | 1.6.2-1 |
| wireshark | wireshark | >= 0 < 1.6.2-1 | 1.6.2-1 |
Detection & IOCs
- Detect Wireshark loading a 'console.lua' file from the same directory as a pcap file being opened; this is the trigger mechanism for the exploit.
- Monitor HTTP WebDAV PROPFIND requests serving both a .lua file and a .pcap file from the same path, which is the delivery pattern used by the Metasploit module.
- Flag Wireshark versions 1.6.0–1.6.1 and 1.4.0–1.4.8 as vulnerable; upgrade to 1.4.9 or 1.6.2 to remediate.
- The exploit uses a WebDAV server on port 80 to serve both the malicious console.lua payload and a decoy pcap file; the port is marked 'do not change' in the module, indicating it is hardcoded.
- On fully patched XP SP3, the plain IP URI format fails (Windows tries SMB); the attacker must specify a URI including the share name (e.g. http://192.168.1.11/files) instead of the root.
- Red Hat Enterprise Linux 4, 5, and 6 are not affected because the shipped Wireshark versions either lack Lua support or are built without it.
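A defender-side check for the first and third items above, as an added example (not code from any of the sources on this page): it flags directories where a console.lua sits beside capture files and tests a version string against the affected ranges. The capture extensions and the demo directory layout are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Vulnerable ranges as stated on this page: 1.4.x before 1.4.9, 1.6.x before 1.6.2.
FIXED = {(1, 4): 9, (1, 6): 2}
CAPTURE_EXTS = {".pcap", ".pcapng", ".cap"}  # assumption: common capture extensions


def is_vulnerable(version: str) -> bool:
    """True if a Wireshark version string falls in the ranges listed above."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = map(int, m.groups())
    fixed_patch = FIXED.get((major, minor))
    return fixed_patch is not None and patch < fixed_patch


def find_colocated_scripts(root: str) -> list[tuple[str, list[str]]]:
    """Return (directory, capture files) for each directory under root that holds
    a console.lua next to at least one capture file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        lowered = {f.lower() for f in files}  # Windows file names are case-insensitive
        if "console.lua" not in lowered:
            continue
        captures = sorted(f for f in files
                          if os.path.splitext(f)[1].lower() in CAPTURE_EXTS)
        if captures:
            hits.append((dirpath, captures))
    return sorted(hits)


def demo() -> list[str]:
    """Build a constructed directory tree and return the flagged subdirectory names."""
    with tempfile.TemporaryDirectory() as root:
        layout = {"share": ["trace.pcap", "console.lua"],   # flagged: both present
                  "clean": ["trace.pcapng"],                # capture only
                  "scripts": ["console.lua"]}               # script only
        for sub, names in layout.items():
            os.makedirs(os.path.join(root, sub))
            for name in names:
                open(os.path.join(root, sub, name), "w").close()
        return [os.path.basename(d) for d, _ in find_colocated_scripts(root)]


if __name__ == "__main__":
    print(demo(), is_vulnerable("1.6.1"), is_vulnerable("1.6.2"))
```

Pointing `find_colocated_scripts` at download folders and mounted shares gives the list of locations to review before captures from them are opened.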
CVSS provenance
nvd · v2.0 · 9.3 · CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
osv · 9.3 · CRITICAL
vendor_debian · 9.3 · LOW
vendor_redhat · 9.3 · CRITICAL
Red Hat
Wireshark: Lua script execution vulnerability
vendor_redhat·2011-07-28·CVSS 9.3
CVE-2011-3360 [CRITICAL] Wireshark: Lua script execution vulnerability
Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x before 1.6.2 allows local users to gain privileges via a Trojan horse Lua script in an unspecified directory.
Statement: Not Vulnerable. This issue does not affect the version of wireshark shipped with Red Hat Enterprise Linux 4, 5 or 6.
Package: wireshark (Red Hat Enterprise Linux 4) - Not affected
Package: wireshark (Red Hat Enterprise Linux 5) - Not affected
Package: wireshark (Red Hat Enterprise Linux 6) - Not affected
Debian
CVE-2011-3360: wireshark - Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x be...
vendor_debian·2011·CVSS 9.3
CVE-2011-3360 [CRITICAL] CVE-2011-3360: wireshark - Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x be...
Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x before 1.6.2 allows local users to gain privileges via a Trojan horse Lua script in an unspecified directory.
Scope: local
bookworm: resolved (fixed in 1.6.2-1)
bullseye: resolved (fixed in 1.6.2-1)
forky: resolved (fixed in 1.6.2-1)
sid: resolved (fixed in 1.6.2-1)
trixie: resolved (fixed in 1.6.2-1)
GHSA
GHSA-6c9g-wrqp-q548: Untrusted search path vulnerability in Wireshark 1
ghsa_unreviewed·2022-05-17
CVE-2011-3360 [HIGH] GHSA-6c9g-wrqp-q548: Untrusted search path vulnerability in Wireshark 1
Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x before 1.6.2 allows local users to gain privileges via a Trojan horse Lua script in an unspecified directory.
OSV
CVE-2011-3360: Untrusted search path vulnerability in Wireshark 1
osv·2011-09-20·CVSS 9.3
CVE-2011-3360 [CRITICAL] CVE-2011-3360: Untrusted search path vulnerability in Wireshark 1
Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x before 1.6.2 allows local users to gain privileges via a Trojan horse Lua script in an unspecified directory.
No detection rules found.
Exploit-DB
Wireshark - console.lua pre-loading (Metasploit)
exploitdb·2011-11-19
CVE-2011-3360 Wireshark - console.lua pre-loading (Metasploit)
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "Wireshark console.lua pre-loading vulnerability",
'Description' => %q{
This modules exploits a vulnerability in Wireshark 1.6 or less. When opening a
pcap file, Wireshark will actually check if there's a 'console.lua' file in the same
directory, and then parse/execute the script if found. Versions affected by this
vulnerability: 1.6.0 to 1.6.1, 1.4.0 to 1.4.8
},
'License' => MSF_LICENSE,
'Author' =>
[
'sinn3r', #Metasploit
],
'References' =>
[
[
```
Metasploit
Wireshark console.lua Pre-Loading Script Execution
metasploit
This module exploits a vulnerability in Wireshark 1.6 or less. When opening a pcap file, Wireshark will actually check if there's a 'console.lua' file in the same directory, and then parse/execute the script if found. Versions affected by this vulnerability: 1.6.0 to 1.6.1, 1.4.0 to 1.4.8
- http://osvdb.org/75347
- http://www.debian.org/security/2011/dsa-2324
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:138
- http://www.openwall.com/lists/oss-security/2011/09/13/1
- http://www.openwall.com/lists/oss-security/2011/09/14/5
- http://www.wireshark.org/security/wnpa-sec-2011-15.html
- https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6136
- https://bugzilla.redhat.com/show_bug.cgi?id=737784
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15059

Published 2011-09-20