Wireshark 1.6.1 Malformed IKE Packet Denial of Service
I. Summary
A flaw has been identified in Wireshark 1.6.1 concerning IKEv1 protocol dissector and the
function proto_tree_add_item() ,when add more than 1000000 items to a proto_tree,that will
cause a denial of service (denial of service and memory rising ).
II. Description
Wireshark use the function proto_tree_add_item() to add an item to a proto_tree.When we use
filter expression 'isakmp' to look up a malformed IKE packet (Next Payload = DELETE (12),
Exchange Type = Information (5) with no actual payload data) and click on the resultant list
entry,wireshark will run in the function TRY_TO_FAKE_THIS_ITEM(tree, hfindex, hfinfo),there are
more than 1000000 items in the tree, this will cause an infinite loop,then cause denial of
service and memory rising.
III. Impact
Denial of service
IV. Affected
Wireshark 1.6.1, tested with Windows XP SP2. Previous versions may also be affected due to
code reuse.
V. Solution
There is no known workaround at this time.
VI. Credit
The penetration test team Of NCNIPC (China) is credited for this vulnerability.