December 9, 2016

New version of Wireshark fixes vulnerabilities in the PPP and NFS dissectors

(LiveHacking.Com) – Versions 1.6.9 and 1.8.1 of Wireshark, the open source network protocol analyzer, have been released to address two vulnerabilities that could be exploited by a remote attacker to cause a denial of service (DoS).

The first problem is a crash in the PPP dissector. It is possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file. Versions affected are 1.4.0 to 1.4.13, 1.6.0 to 1.6.8, 1.8.0.

The other vulnerability in the NFS dissector can cause excessive amounts of CPU. It is possible to provoke the condition by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file. Versions affected are 1.4.0 to 1.4.13, 1.6.0 to 1.6.8, 1.8.0.

Upgrading to 1.6.9 or 1.8.1 fixes both problems. More information (including a full list of known issues and changes) can be found in the 1.6.9 and 1.8.1 release notes. Wireshark 1.6.9 and 1.8.1 are available to download  for Windows, Mac OS X 10.5.5 and above (Intel and PPC). The source code is also available.

Wireshark Updated to Fix Vulnerabilities and Bugs

(LiveHacking.Com) – Two new versions of Wireshark,the popular network protocol analyzer, have been released. The stable branch has been updated to V1.6.3 and the “old stable” branch has been updated to 1.4.10. These versions don’t contain any new functionally but they do have several vulnerability and bug fixes.

The following vulnerabilities have been fixed.

  • wnpa-sec-2011-17: The CSN.1 dissector could crash. (Bug 6351)Versions affected: 1.6.0 to 1.6.2.
  • wnpa-sec-2011-18: Huzaifa Sidhpurwala of Red Hat Security Response Team discovered that the Infiniband dissector could dereference a NULL pointer. (Bug 6476)Versions affected: 1.4.0 to 1.4.9, 1.6.0 to 1.6.2.
  • wnpa-sec-2011-19: Huzaifa Sidhpurwala of Red Hat Security Response Team discovered a buffer overflow in the ERF file reader. (Bug 6479)Versions affected: 1.4.0 to 1.4.9, 1.6.0 to 1.6.2.

Also the following bugs have been fixed:

  • Assertion failed when doing File->Quit->Save during live capture. (Bug 1710)
  • Wrong PCEP XRO sub-object decoding. (Bug 3778)
  • Wireshark window takes very long time to show up if invalid network file path is at recent file list (Bug 3810)
  • Decoding [Status Records] Timestamp Sequence Field in Bundle Protocol fails if over 32 bits. (Bug 4109)
  • ISUP party number dissection. (Bug 5221)
  • wireshark-1.4.2 crashes when testing the example python dissector because of a dissector count assertion. (Bug 5431)
  • Ethernet packets with both VLAN tag and LLC header no longer displayed correctly. (Bug 5645)
  • SLL encapsuled 802.1Q VLAN is not dissected. (Bug 5680)
  • Wireshark crashes when attempting to open a file via drag & drop when there’s already a file open. (Bug 5987)
  • Adding and removing custom HTTP headers requires a restart. (Bug 6241)
  • Can’t read full 64-bit SNMP values. (Bug 6295)
  • Dissection fails for frames with Gigamon Header and VLAN. (Bug 6305)
  • RTP Stream Analysis does not work for TURN-encapsulated RTP. (Bug 6322)
  • packet-csn1.c doesn’t process CSN_CHOICE entries properly. (Bug 6328)
  • BACnet property time-synchronization-interval (204) name shown incorrectly as time-synchronization-recipients. (Bug 6336)
  • GUI crash on invalid IEEE 802.11 GAS frame. (Bug 6345)
  • [ASN.1 PER] Incorrect decoding of BIT STRING type. (Bug 6347)
  • ICMPv6 router advertisement Prefix Information Flag R “Router Address” missing. (Bug 6350)
  • Export -> Object -> HTTP -> save all: Error on saving files. (Bug 6362)
  • Inner tag of 802.1ad frames not parsed properly. (Bug 6366)
  • Added cursor type decoding to MySQL dissector. (Bug 6396)
  • Incorrect identification of UDP-encapsulated NAT-keepalive packets. (Bug 6414)
  • WPA IE pairwise cipher suite dissector uses incorrect value_string list. (Bug 6420)
  • S1AP protocol can’t decode IPv6 transportLayerAddress. (Bug 6435)
  • RTPS2 dissector doesn’t handle 0 in the octestToNextHeader field. (Bug 6449)
  • packet-ajp13 fix, cleanup, and enhancement. (Bug 6452)
  • Network Instruments Observer file format bugs. (Bug 6453)
  • Wireshark crashes when using “Open Recent” 2 times in a row. (Bug 6457)
  • Wireshark packet_gsm-sms, display bug: Filler bits in TP-User Data Header. (Bug 6469)
  • wireshark unable to decode NetFlow options which have system scope size != 4 bytes. (Bug 6471)
  • Display filter Expression Dialog Box Error. (Bug 6472)
  • text_import_scanner.l missing. (Bug 6531)

Wireshark can be downloaded from http://www.wireshark.org/download.html

Wireshark Version 1.6.0 released

The Wireshark development team has released Wireshark version 1.6.0 of its open source, cross-platform network protocol analyzer.

This new version of Wireshark improves support for large files and has some new features such as the ability to export SSL session keys and SMB objects. The users can now import text dumps into Wireshark and TShark, similar to text2pcap. Further, TShark can now display iSCSI, ICMP and ICMPv6 service response times.

Wireshark is now distributed as an installation package rather than a drag-installer on OS X. The installer adds a startup item that should make it easier to capture packets. Please visit Wireshark version 1.6.0 release notes for a complete list of changes.

Wireshark is licensed under version 2 of the GNU General Public License. It can be download here.

Wireshark 1.4.1 Released

The new version of Wireshark the world’s most popular network protocol analyzer has been released. In Wireshark version 1.4.1 many bugs and one major vulnerability that could cause stack overflow have been fixed.

What’s New

Bug Fixes

The following vulnerabilities have been fixed. See the security advisory for details and a workaround.

  • The Penetration Test Team of NCNIPC (China) discovered that the ASN.1 BER dissector was susceptible to a stack overflow. (Bug 5230)

    Versions affected: All previous versions up to and including 1.2.11 and 1.4.0.

    CVE-2010-3445

The following bugs have been fixed:

  • Wireshark may appear offscreen on multi-monitor Windows systems. (Bug 553)
  • Incorrect behavior using sorting in the packet list. (Bug 2225)
  • Cooked-capture dissector should omit the source address field if empty. (Bug 2519)
  • MySQL dissector doesn’t dissect MySQL stream. (Bug 2691)
  • Wireshark crashes if active display filter macro is renamed. (Bug 5002)
  • Incorrect dissection of MAP V2 PRN_ACK. (Bug 5076)
  • TCP bytes_in_flight becomes inflated with lost packets. (Bug 5132)
  • Wireshark fails to start on Windows XP 64bit. (Bug 5160)
  • GTP header is exported in PDML with an incorrect size. (Bug 5162)
  • Packet list hidden columns will not be parsed correctly from preferences file. (Bug 5163)
  • Wireshark does not display the t.38 graph. (Bug 5165)
  • Wireshark don’t show mgcp calls in “Telephony → VoIP calls”. (Bug 5167)
  • Wireshark 1.4.0 & VoIP calls “Prepare Filter” problem. (Bug 5172)
  • GTPv2: IMSI is decoded improperly. (Bug 5179)
  • [NAS EPS] EPS Quality of Service IE decoding is wrong. (Bug 5186)
  • Wireshark mistakenly writes “not all data available” for IPv4 checksum. (Bug 5194)
  • GSM: Cell Channel Description, range 1024 format. (Bug 5214)
  • Wrong SDP interpretation on VoIP call flow chart. (Bug 5220)
  • The CLDAP attribute value on a CLDAP reply is no longer being decoded. (Bug 5239)
  • [NAS EPS] Traffic Flow Template IE dissection bugs. (Bug 5243)
  • [NAS EPS] Use Request Type IE defined in 3GPP 24.008. (Bug 5246)
  • NTLMSSP_AUTH domain and username truncated to first letter with IE8/Windows7 (generating the NTLM packet). (Bug 5251)
  • IPv6 RH0: dest addr is to be used i.s.o. last RH address when 0 segments remain. (Bug 5252)
  • EIGRP dissection error in Flags field in external route TLVs. (Bug 5261)
  • MRP packet is not correctly parsed in PROFINET multiple write record request. (Bug 5267)
  • MySQL Enhancement: support of Show Fields and bug fix. (Bug 5271)
  • [NAS EPS] Fix TFT decoding when having several Packet Filters defined. (Bug 5274)
  • Crash if using ssl.debug.file with no password for ssl.keys_list. (Bug 5277)

New and Updated Features

There are no new features in this release.

New Protocol Support

There are no new protocols in this release.

Updated Protocol Support

ASN.1 BER, ASN.1 PER, EIGRP, GSM A RR, GSM Management, GSM MAP, GTP, GTPv2, ICMPv6, Interlink, IPv4, IPv6, IPX, LDAP, LLC, MySQL, NAS EPS, NTLMSSP, PN-IO, PPP, RPC, SDP, SLL, SSL, TCP

New and Updated Capture File Support

There are no new or updated capture file formats in this release.

Getting Wireshark

Wireshark source code and installation packages are available from http://www.wireshark.org/download.html.

Vendor-supplied Packages

Most Linux and Unix vendors supply their own Wireshark packages. You can usually install or upgrade Wireshark using the package management system specific to that platform. A list of third-party packages can be found on the download page on the Wireshark web site.

File Locations

Wireshark and TShark look in several different locations for preference files, plugins, SNMP MIBS, and RADIUS dictionaries. These locations vary from platform to platform. You can use About->Folders to find the default locations on your system.

Source:[Wireshark 1.4.1 Release Note]

The H Security: Scope of DLL security problem widens – Update

After HD Moore released details last week about the DLL problem under Windows, along with a testing tool, an increasing number of affected applications and their matching exploits have been reported. In addition to Firefox and Opera, vulnerable programs include such popular applications as PowerPoint, Photoshop, Dreamweaver, VLC, uTorrent and Wireshark – in each case, the current version is affected. They all use an insecure way of loading DLLs in which at an early stage the search order contains the current directory – a directory that could be on a network device.

Read the full story here.

Source:[The H Security]