CVE-2014-2299
Published: 2014-03-11
Priority: P2 · 62 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public (Exploit-DB 33069, Metasploit module; see below)
EPSS: 47.42% (98.7th percentile)
Buffer overflow in the mpeg_read function in wiretap/mpeg.c in the MPEG parser in Wireshark 1.8.x before 1.8.13 and 1.10.x before 1.10.6 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a large record in MPEG data.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wireshark | wireshark | 1.8.0 to 1.8.12 | 1.8.13 |
| wireshark | wireshark | 1.10.0 to 1.10.5 | 1.10.6 |
| debian | wireshark | < 1.10.6-1 (bookworm, bullseye, trixie, forky, sid) | 1.10.6-1 |
Detection & IOCs (extracted from the sources below)
Byte patterns:
- `ff fb 41`: the MPEG-1 Layer III frame header the crafted file opens with (the "MPEG magic header" referred to below)
- `55 59 80 6b`
- `81 ec c8 00 00 00`: x86 `sub esp, 200`, the stack-adjustment stub prepended to the payload
Indicators:
- The exploit triggers the vulnerability by opening a crafted MPEG file (delivered under a .pcap name); detect files with the MPEG header bytes ff fb 41 followed by an oversized record (>65535 bytes) being opened in Wireshark. On its own, ff fb 41 is an ordinary MPEG-1 Layer III frame header (128 kbit/s, 44.1 kHz), so match it only together with the oversized record.
- The overflow occurs in the mpeg_read function in wiretap/mpeg.c; monitor Wireshark process crashes or abnormal termination when parsing MPEG-format capture files as an indicator of exploitation.
- The ROP chain calls VirtualProtect() through an IAT pointer in libcares-2.dll (0x62d9027c) and uses gadgets from libgtk-win32-2.0-0.dll; these gadget addresses on the stack during Wireshark execution indicate exploitation.
- The exploit targets Windows XP SP2/SP3 (English and Spanish); the module's default output filename is 'mpeg_overflow.pcap', so flag delivery or opening of files with this name.
- The ROP chain and gadget addresses are specific to WinXP SP3 Spanish and WinXP SP2/SP3 English with the exact DLL versions listed (libgtk-win32-2.0-0.dll 2.24.14.0, zlib1.dll 1.2.5.0, krb5_32.dll 1.6.3.16); addresses differ on other platforms or DLL versions, so the gadget-address indicators do not transfer.
- Payload bad characters are limited to 0xFF and the payload space is 600 bytes; NOP generation is disabled and a stack-adjustment prepend encoder (sub esp,200) is required for reliable shellcode execution.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 9.3 | CRITICAL | — |
| vendor_debian | — | 9.3 | CRITICAL | — |
| vendor_redhat | — | 9.3 | CRITICAL | — |
GHSA
GHSA-89xx-9cg2-c9fg: Buffer overflow in the mpeg_read function in wiretap/mpeg
ghsa_unreviewed · 2022-05-17 · HIGH · CWE-119
OSV
CVE-2014-2299: Buffer overflow in the mpeg_read function in wiretap/mpeg
osv · 2014-03-11 · CVSS 9.3 · CRITICAL
Red Hat
wireshark: buffer overflow in MPEG file parser (wnpa-sec-2014-04)
vendor_redhat · 2014-03-07 · CVSS 9.3 · CRITICAL · CWE-119
Package: wireshark (Red Hat Enterprise Linux 7) - Not affected
Debian
CVE-2014-2299: wireshark - Buffer overflow in the mpeg_read function in wiretap/mpeg.c in the MPEG parser i...
vendor_debian · 2014 · CVSS 9.3 · CRITICAL
Scope: local
bookworm: resolved (fixed in 1.10.6-1)
bullseye: resolved (fixed in 1.10.6-1)
forky: resolved (fixed in 1.10.6-1)
sid: resolved (fixed in 1.10.6-1)
trixie: resolved (fixed in 1.10.6-1)
No detection rules found.
Exploit-DB
Wireshark 1.8.12/1.10.5 - wiretap/mpeg.c Stack Buffer Overflow (Metasploit)
exploitdb · 2014-04-28 · CVE-2014-2299
---
# Exploit Title: Wireshark 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow
# Date: 24/04/2014
# Exploit Author: j0sm1
# Vendor Homepage: www.wireshark.org
# Software Link: http://wireshark.askapache.com/download/win32/all-versions/
# Version: Wireshark 1.8.12/1.10.5

Module info hash (fragment, as far as the listing preserves it):
```ruby
      'Description'    => %q{
          This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5
          by generating a malicious file.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Wesley Neelen', # Discovery vulnerability
          'j0sm1',         # Exploit and msf module
        ],
      'References'     =>
        [
          [ 'CVE', '2014-2299'],
          [ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9843' ],
          [ 'URL', 'http://www.wireshark.org/security/wnpa-sec-2014-04.html' ],
          [ 'URL', 'https://www.securityfocus.com/bid/66066/info' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
```
Metasploit
Wireshark wiretap/mpeg.c Stack Buffer Overflow
metasploit
This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5 by generating a malicious file.
Bugzilla
CVE-2014-2281 CVE-2014-2282 CVE-2014-2283 CVE-2014-2299 wireshark: various flaws [fedora-all]
bugzilla · 2014-03-08 · CVSS 4.3 · MEDIUM (score attached to CVE-2014-2281, the tracking bug's lead CVE)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note
Bugzilla
CVE-2014-2299 wireshark: buffer overflow in MPEG file parser (wnpa-sec-2014-04)
bugzilla · 2014-03-08 · CVSS 9.3 · CRITICAL
It was reported that Wireshark's MPEG file parser could overflow a buffer. It may be possible to make Wireshark crash or execute malicious code by convincing someone to read a malformed packet trace file.
This is reported to affect Wireshark versions 1.10.0 to 1.10.5 and 1.8.0 to 1.8.12. It is fixed in 1.10.6 and 1.8.13.
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9843
External References:
http://www.wireshark.org/security/wnpa-sec-2014-04.html
Discussion:
Created wireshark tracking bugs for this issue:
Affects: fedora-all [bug 1074118]
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2014:0342 https://rhn.redhat.com/errata/RHSA-2014-0342.html
--
arXiv
HardScope: Thwarting DOP with Hardware-assisted Run-time Scope Enforcement
arxiv_fulltext · 2018-03-12
## Abstract
Widespread use of memory unsafe programming languages (e.g., C and C++) leaves many systems vulnerable to memory corruption attacks. A variety of defenses have been proposed to mitigate attacks that exploit memory errors to hijack the control flow of the code at run-time, e.g., (fine-grained) randomization or Control Flow Integrity. However, recent work on data-oriented programming (DOP) demonstrated highly expressive (Turing-complete) attacks, even in the presence of these state-of-the-art defenses. Although multiple real-world DOP attacks have been demonstrated, no efficient defenses are yet available. We propose run-time scope enforcement, a novel approach designed to efficiently mitigate all
References
- http://lists.opensuse.org/opensuse-updates/2014-03/msg00046.html
- http://lists.opensuse.org/opensuse-updates/2014-03/msg00047.html
- http://osvdb.org/show/osvdb/104199
- http://packetstormsecurity.com/files/126337/Wireshark-1.8.12-1.10.5-wiretap-mpeg.c-Stack-Buffer-Overflow.html
- http://rhn.redhat.com/errata/RHSA-2014-0341.html
- http://rhn.redhat.com/errata/RHSA-2014-0342.html
- http://secunia.com/advisories/57480
- http://secunia.com/advisories/57489
- http://www.debian.org/security/2014/dsa-2871
- http://www.exploit-db.com/exploits/33069
- http://www.securityfocus.com/bid/66066
- http://www.securitytracker.com/id/1029907
- http://www.wireshark.org/security/wnpa-sec-2014-04.html
- https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9843
- https://code.wireshark.org/review/gitweb?p=wireshark.git%3Ba=commit%3Bh=f567435ac7140c96a5de56dbce3d5e7659af4d09