CVE-2024-8250 - NTLMSSP Dissector Crash in Wireshark 4.2.0 to 4.2.6 and 4.0.0 to 4.0.16 Allows Denial of Service via Packet Injection or Crafted Capture File
This post discusses CVE-2024-8250, a vulnerability affecting Wireshark versions 4.2.0 to 4.2.6 and 4.0.0 to 4.0.16. Wireshark, a widely used network protocol analyzer, can be crashed through its NT LAN Manager Security Support Provider (NTLMSSP) dissector, resulting in a denial of service (DoS). The crash can be triggered by injecting packets into a network that Wireshark is capturing on, or by supplying a specially crafted capture file.
Background
Wireshark is an open-source network protocol analyzer used by network professionals and enthusiasts worldwide. It allows users to analyze network traffic and troubleshoot issues. In order to display detailed information about protocols, Wireshark uses protocol dissectors, which are specialized pieces of code that analyze protocol bytes and present results in an organized and human-readable format.
One of the built-in dissectors is the NTLMSSP dissector, which decodes NT LAN Manager Security Support Provider messages: the NEGOTIATE, CHALLENGE and AUTHENTICATE exchange that performs NTLM authentication, and the signing and sealing that protect integrity and confidentiality afterwards. NTLMSSP messages do not travel on their own; they are embedded in carrier protocols such as SMB, HTTP and DCE/RPC, and the NTLMSSP dissector is invoked from those protocols' dissectors.
Vulnerability Details (CVE-2024-8250)
The vulnerability resides in the NTLMSSP dissector and is triggered when the dissector parses a packet containing malformed NTLMSSP data. The dissecting process crashes, which denies service to the user. An attacker can reach the dissector either by injecting crafted packets into a network the victim is capturing on, or by sending the victim a crafted capture file that crashes Wireshark as soon as it is opened.
Below is a simplified sketch of the message-type dispatch in the NTLMSSP dissector (illustrative, not the exact upstream source). After the 8-byte "NTLMSSP\0" signature, the dissector reads the 4-byte little-endian MessageType and branches on it:
// Simplified sketch of the dispatch in Wireshark's NTLMSSP dissector
int dissect_ntlmssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) {
    ...
    // offset points just past the 8-byte "NTLMSSP\0" signature
    int ntlmssp_type = tvb_get_letohl(tvb, offset);
    ...
    switch (ntlmssp_type) {
    case 1:
        // Code to handle NTLM Type 1 (NEGOTIATE)
        ...
        break;
    case 2:
        // Code to handle NTLM Type 2 (CHALLENGE)
        ...
        break;
    case 3:
        // Code to handle NTLM Type 3 (AUTHENTICATE)
        ...
        break;
    default:
        // No proper handling for malformed data: an unrecognised type is
        // silently ignored instead of being reported as malformed
        break;
    }
}
The vulnerability occurs because the NTLMSSP dissector does not properly handle malformed data. When the dissector encounters a message type it does not recognise, or a length or offset it cannot satisfy, it should flag the packet as malformed and stop parsing it, rather than continuing on assumptions that no longer hold; this is not what happens in the vulnerable versions of Wireshark.
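The checks the dissector is described as lacking, as an added example written for this post rather than taken from Wireshark's packet-ntlmssp.c: a small parser for the NTLMSSP header and the fixed part of each message body that rejects short buffers, a bad signature, an unrecognised MessageType, and any Len/Offset descriptor pointing outside the message. The field layout and minimum lengths follow MS-NLMP; the function, type and sample names are ours, and the sample messages are constructed, not captured.

```c
/*
 * Added example for this post, not Wireshark's packet-ntlmssp.c: a defensive
 * parser for the NTLMSSP header and the fixed part of each message body.
 * Layout and minimum sizes follow MS-NLMP; all names here are our own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ntlmssp_status {
    NTLMSSP_OK = 0,
    NTLMSSP_ERR_SHORT,        /* buffer shorter than the fixed part of the message */
    NTLMSSP_ERR_BAD_SIG,      /* does not start with "NTLMSSP\0" */
    NTLMSSP_ERR_UNKNOWN_TYPE, /* MessageType is not 1, 2 or 3 */
    NTLMSSP_ERR_FIELD_OOB     /* a Len/Offset descriptor points outside the message */
};

#define NTLMSSP_SIG_LEN 8
#define NTLMSSP_HDR_LEN 12 /* Signature(8) + MessageType(4) */

/* Per message type: minimum length of the fixed part (the optional Version
 * field is not required) and the offsets of its Len/MaxLen/Offset descriptors. */
struct ntlmssp_layout { size_t min_len; size_t ndesc; size_t desc_off[6]; };
static const struct ntlmssp_layout ntlmssp_layouts[4] = {
    [1] = { 32, 2, { 16, 24 } },                 /* NEGOTIATE: DomainName, Workstation */
    [2] = { 48, 2, { 12, 40 } },                 /* CHALLENGE: TargetName, TargetInfo */
    [3] = { 64, 6, { 12, 20, 28, 36, 44, 52 } }, /* AUTHENTICATE: LmResp .. SessionKey */
};

static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Descriptor = Len(u16) MaxLen(u16) Offset(u32). The payload it names must lie
 * inside the message; adding in 64 bits means the sum cannot wrap around. */
static int field_in_bounds(const uint8_t *desc, size_t msg_len) {
    return (uint64_t)rd_le32(desc + 4) + rd_le16(desc) <= (uint64_t)msg_len;
}

/* Validate one NTLMSSP message. Every failure is reported, never ignored. */
int ntlmssp_parse(const uint8_t *buf, size_t len, uint32_t *type_out) {
    if (len < NTLMSSP_HDR_LEN) return NTLMSSP_ERR_SHORT;
    if (memcmp(buf, "NTLMSSP", NTLMSSP_SIG_LEN) != 0) return NTLMSSP_ERR_BAD_SIG; /* 8 bytes incl. NUL */
    uint32_t type = rd_le32(buf + NTLMSSP_SIG_LEN);
    if (type_out) *type_out = type;
    if (type < 1 || type > 3) return NTLMSSP_ERR_UNKNOWN_TYPE; /* the "default:" the post says is missing */
    const struct ntlmssp_layout *lay = &ntlmssp_layouts[type];
    if (len < lay->min_len) return NTLMSSP_ERR_SHORT;
    for (size_t i = 0; i < lay->ndesc; i++)
        if (!field_in_bounds(buf + lay->desc_off[i], len)) return NTLMSSP_ERR_FIELD_OOB;
    return NTLMSSP_OK;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t sample_negotiate[32] = {
    'N','T','L','M','S','S','P',0,  1,0,0,0,  0x07,0x82,0x08,0xa2, /* sig, type 1, flags */
    0,0, 0,0, 32,0,0,0,   /* DomainNameFields: empty, offset 32 */
    0,0, 0,0, 32,0,0,0    /* WorkstationFields: empty, offset 32 */
};
static const uint8_t sample_challenge[48] = {
    'N','T','L','M','S','S','P',0,  2,0,0,0,
    0,0, 0,0, 48,0,0,0,                /* TargetNameFields: empty */
    0x05,0x82,0x89,0xa2,               /* NegotiateFlags */
    1,2,3,4,5,6,7,8,  0,0,0,0,0,0,0,0, /* ServerChallenge, Reserved */
    0,0, 0,0, 48,0,0,0                 /* TargetInfoFields: empty */
};
static const uint8_t sample_negotiate_oob[32] = {
    'N','T','L','M','S','S','P',0,  1,0,0,0,  0x07,0x82,0x08,0xa2,
    8,0, 8,0, 64,0,0,0,   /* DomainNameFields: 8 bytes at offset 64, past the end */
    0,0, 0,0, 32,0,0,0
};
static const uint8_t sample_unknown_type[12] = {
    'N','T','L','M','S','S','P',0,  0xba,0xdc,0xff,0xee /* type 0xEEFFDCBA, like the post's placeholder */
};
static const uint8_t sample_bad_sig[12]   = { 'N','T','L','M','S','S','Q',0, 1,0,0,0 };
static const uint8_t sample_truncated[10] = { 'N','T','L','M','S','S','P',0, 1,0 };

int main(void) {
    uint32_t type = 0;
    printf("negotiate     -> %d\n", ntlmssp_parse(sample_negotiate, sizeof sample_negotiate, &type));
    printf("challenge     -> %d\n", ntlmssp_parse(sample_challenge, sizeof sample_challenge, &type));
    printf("negotiate_oob -> %d\n", ntlmssp_parse(sample_negotiate_oob, sizeof sample_negotiate_oob, &type));
    printf("unknown_type  -> %d (type 0x%08x)\n",
           ntlmssp_parse(sample_unknown_type, sizeof sample_unknown_type, &type), (unsigned)type);
    printf("bad_sig       -> %d\n", ntlmssp_parse(sample_bad_sig, sizeof sample_bad_sig, &type));
    printf("truncated     -> %d\n", ntlmssp_parse(sample_truncated, sizeof sample_truncated, &type));
    return 0;
}
```

Running it prints one status per sample. The negotiate_oob case shows why each Len/Offset pair has to be bounds-checked against the message length before the payload it names is touched, and the unknown_type case is the default branch handled as an error rather than a silent fall-through.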
Exploit
To exploit this vulnerability, an attacker either injects malicious packets into a network the victim is capturing on, or crafts a capture file containing malformed NTLMSSP data. When the victim opens the file, or captures the injected traffic, Wireshark crashes, resulting in a denial of service.
For example, an attacker could use a Python script built on Scapy to generate and send such a packet:
from scapy.all import IP, TCP, Raw, send
# Placeholder bytes standing in for a malformed NTLMSSP message (illustrative,
# not a known trigger); a real message starts with "NTLMSSP\0" + 4-byte LE type
malicious_payload = b"\x01\xba\xdc\xff\xee"
# Destination and port are placeholders; Wireshark only hands the payload to the
# NTLMSSP dissector when it is decoded inside a carrier protocol such as SMB
malicious_packet = IP(dst="192.0.2.10") / TCP(dport=445) / Raw(load=malicious_payload)
# Inject the packet into the network (requires raw-socket privileges)
send(malicious_packet)
Mitigation
To mitigate this vulnerability, update Wireshark to a version outside the affected ranges: 4.2.7 or later on the 4.2 branch, 4.0.17 or later on the 4.0 branch, or the current release from the official Wireshark website: https://www.wireshark.org/download.html. The installed version can be checked with wireshark --version or tshark -v; tshark and other tools built on the same dissector library are affected in the same way as the GUI.
Additionally, exercise caution when opening capture files from untrusted sources, since a crafted file triggers the crash as soon as it is loaded. Running Wireshark as an unprivileged user with capture delegated to dumpcap limits the impact of any dissector bug, and unexplained crashes while capturing on a hostile network should be treated as a possible attack.
References
- Wireshark Security Advisory (WSA-2024-825): https://www.wireshark.org/security/WSA-2024-825
- CVE-2024-8250 in the National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2024-8250
- Wireshark Download Page: https://www.wireshark.org/download.html
- What Is NTLMSSP? https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
Timeline
Published on: 08/29/2024 00:15:09 UTC
Last modified on: 08/30/2024 16:32:16 UTC