Unaligned access in the CSN.1 protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file

wnpa-sec-2022-04 · CSN.1 dissector crash

**Summary**

**Name:** CSN.1 dissector crash

**Docid:** wnpa-sec-2022-04

**Date:** February 10, 2022

**Affected versions:** 3.6.0 to 3.6.1, 3.4.0 to 3.4.11

**Fixed versions:** 3.6.2, 3.4.12

**References:**  
Wireshark issue 17882  
CVE-2022-0582

**Details****Description**

The CSN.1 protocol dissector could crash on some platforms. Discovered by Sharon Brizinov.

**Impact**

It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.

**Resolution**

Upgrade to Wireshark 3.6.2, 3.4.12 or later.

CVE-2022-0582: Wireshark · wnpa-sec-2022-04 · CSN.1 dissector crash

Infinite loop in RTMPT protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file

wnpa-sec-2022-01 · RTMPT dissector infinite loop

**Summary**

**Name:** RTMPT dissector infinite loop

**Docid:** wnpa-sec-2022-01

**Date:** February 10, 2022

**Affected versions:** 3.6.0 to 3.6.1, 3.4.0 to 3.4.11

**Fixed versions:** 3.6.2, 3.4.12

**References:**  
Wireshark issue 17813

**Details****Description**

The RTMPT dissector could go into an infinite loop. Discovered by Sharon Brizinov.

**Impact**

It may be possible to make Wireshark consume excessive CPU resources by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.

**Resolution**

Upgrade to Wireshark 3.6.2, 3.4.12 or later.

CVE-2022-0586: Wireshark · wnpa-sec-2022-01 · RTMPT dissector infinite loop

wnpa-sec-2022-04 · CSN.1 dissector crash

**Summary**

**Name:** CSN.1 dissector crash

**Docid:** wnpa-sec-2022-04

**Date:** February 10, 2022

**Affected versions:** 3.6.0 to 3.6.1, 3.4.0 to 3.4.11

**Fixed versions:** 3.6.2, 3.4.12

**References:**  
Wireshark issue 17882

**Details****Description**

The CSN.1 protocol dissector could crash on some platforms. Discovered by Sharon Brizinov.

**Impact**

It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.

**Resolution**

Upgrade to Wireshark 3.6.2, 3.4.12 or later.

Crash in the CMS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file

Problems have been found with the following capture file:

https://www.wireshark.org/download/automated/captures/fuzz-2022-02-07-6714.pcap

stderr:

    Branch: HEAD
    
    Input file: /var/menagerie/menagerie/13895-x509-ce-distribution-points-dissection-problem.pcapng
    
    Build host information:
    Linux 5.4.0-96-generic #109-Ubuntu SMP Wed Jan 12 16:49:16 UTC 2022 x86_64
    Distributor ID:	Ubuntu
    Description:	Ubuntu 20.04.3 LTS
    Release:	20.04
    Codename:	focal
    
    Branch: release-3.4
    
    CI job name: ASan Menagerie Fuzz, ID: 2060427609
    
    Return value:  0
    
    Dissector bug:  0
    
    Valgrind error count:  0
    
    Latest (but not necessarily the problem) commit:
    e9c3dfe05 [Automatic update for 2022-02-06]
    Command and args: /builds/wireshark/wireshark/_install/bin/tshark -2  -nVxr
    Running as user "root" and group "root". This could be dangerous.
    =================================================================
    ==87972==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000886420 at pc 0x5604c9392069 bp 0x7ffe62ef3be0 sp 0x7ffe62ef33a0
    READ of size 28 at 0x606000886420 thread T0
        #0 0x5604c9392068 in strlen (/builds/wireshark/wireshark/_install/bin/tshark+0x6e068)
        #1 0x7f9e573a6147 in g_strdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x72147)
        #2 0x7f9e63f2bc6b in find_string_dtbl_entry /builds/wireshark/wireshark/build/../epan/packet.c:1496:9
        #3 0x7f9e63f2c041 in dissector_try_string_new /builds/wireshark/wireshark/build/../epan/packet.c:1692:15
        #4 0x7f9e63f2c206 in dissector_try_string /builds/wireshark/wireshark/build/../epan/packet.c:1739:9
        #5 0x7f9e6100e26d in call_ber_oid_callback /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:1101:17
        #6 0x7f9e631995f1 in dissect_cms_T_parameters /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:220:10
        #7 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
        #8 0x7f9e63199477 in dissect_cms_SMIMECapability /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:236:12
        #9 0x7f9e61020437 in dissect_ber_sq_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3556:9
        #10 0x7f9e610206f2 in dissect_ber_sequence_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3584:12
        #11 0x7f9e63199407 in dissect_cms_SMIMECapabilities /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:249:12
        #12 0x7f9e63194397 in dissect_SMIMECapabilities_PDU /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:893:12
        #13 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
        #14 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
        #15 0x7f9e63f2c136 in dissector_try_string_new /builds/wireshark/wireshark/build/../epan/packet.c:1714:9
        #16 0x7f9e63f2c206 in dissector_try_string /builds/wireshark/wireshark/build/../epan/packet.c:1739:9
        #17 0x7f9e6100e26d in call_ber_oid_callback /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:1101:17
        #18 0x7f9e63ba9279 in dissect_x509af_T_extnValue /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:146:10
        #19 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
        #20 0x7f9e63ba6447 in dissect_x509af_Extension /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:163:12
        #21 0x7f9e61020437 in dissect_ber_sq_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3556:9
        #22 0x7f9e610206f2 in dissect_ber_sequence_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3584:12
        #23 0x7f9e63ba64b7 in dissect_x509af_Extensions /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:176:12
        #24 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
        #25 0x7f9e63ba9367 in dissect_x509af_T_signedCertificate /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:199:12
        #26 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
        #27 0x7f9e63ba6527 in dissect_x509af_Certificate /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:226:12
        #28 0x7f9e6293c5e9 in ssl_dissect_hnd_cert /builds/wireshark/wireshark/build/../epan/dissectors/packet-tls-utils.c:8838:13
        #29 0x7f9e629656ca in dissect_tls_handshake_full /builds/wireshark/wireshark/build/../epan/dissectors/packet-tls.c:2676:17
        #30 0x7f9e629632fa in dissect_tls_handshake /builds/wireshark/wireshark/build/../epan/dissectors/packet-tls.c:2495:9
        #31 0x7f9e6295ed72 in dissect_ssl3_record /builds/wireshark/wireshark/build/../epan/dissectors/packet-tls.c:2005:13
        #32 0x7f9e6295aa21 in dissect_ssl /builds/wireshark/wireshark/build/../epan/dissectors/packet-tls.c:745:26
        #33 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
        #34 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
        #35 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
        #36 0x7f9e63f27024 in call_dissector_with_data /builds/wireshark/wireshark/build/../epan/packet.c:3246:8
        #37 0x7f9e63f32a61 in call_dissector /builds/wireshark/wireshark/build/../epan/packet.c:3263:9
        #38 0x7f9e61642dd2 in dissect_eap /builds/wireshark/wireshark/build/../epan/dissectors/packet-eap.c:1938:13
        #39 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
        #40 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
        #41 0x7f9e63f2a919 in dissector_try_uint_new /builds/wireshark/wireshark/build/../epan/packet.c:1413:8
        #42 0x7f9e61649839 in dissect_eapol /builds/wireshark/wireshark/build/../epan/dissectors/packet-eapol.c:132:8
        #43 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
        #44 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
        #45 0x7f9e63f2a919 in dissector_try_uint_new /builds/wireshark/wireshark/build/../epan/packet.c:1413:8
        #46 0x7f9e63f2b3eb in dissector_try_uint /builds/wireshark/wireshark/build/../epan/packet.c:1437:9
        #47 0x7f9e61d70341 in dissect_snap /builds/wireshark/wireshark/build/../epan/dissectors/packet-llc.c:552:9
        #48 0x7f9e61d71134 in dissect_llc /builds/wireshark/wireshark/build/../epan/dissectors/packet-llc.c:434:3
        #49 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
        #50 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
        #51 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
        #52 0x7f9e63f27024 in call_dissector_with_data /builds/wireshark/wireshark/build/../epan/packet.c:3246:8
        #53 0x7f9e63f32a61 in call_dissector /builds/wireshark/wireshark/build/../epan/packet.c:3263:9
        #54 0x7f9e61aa467a in dissect_ieee80211_common /builds/wireshark/wireshark/build/../epan/dissectors/packet-ieee80211.c:26880:11
        #55 0x7f9e61a74706 in dissect_ieee80211 /builds/wireshark/wireshark/build/../epan/dissectors/packet-ieee80211.c:26932:10
        #56 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
        #57 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
        #58 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
        #59 0x7f9e63f27024 in call_dissector_with_data /builds/wireshark/wireshark/build/../epan/packet.c:3246:8
        #60 0x7f9e61a4e021 in dissect_wlan_radio /builds/wireshark/wireshark/build/../epan/dissectors/packet-ieee80211-radio.c:1513:10
        #61 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
        #62 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
        #63 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
        #64 0x7f9e63f27024 in call_dissector_with_data /builds/wireshark/wireshark/build/../epan/packet.c:3246:8
        #65 0x7f9e61a60959 in dissect_radiotap /builds/wireshark/wireshark/build/../epan/dissectors/packet-ieee80211-radiotap.c:3104:2
        #66 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
        #67 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
        #68 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
        #69 0x7f9e6175f8b6 in dissect_frame /builds/wireshark/wireshark/build/../epan/dissectors/packet-frame.c:783:6
        #70 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
        #71 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
        #72 0x7f9e63f32a20 in call_dissector_only /builds/wireshark/wireshark/build/../epan/packet.c:3233:8
        #73 0x7f9e63f27024 in call_dissector_with_data /builds/wireshark/wireshark/build/../epan/packet.c:3246:8
        #74 0x7f9e63f2680f in dissect_record /builds/wireshark/wireshark/build/../epan/packet.c:594:3
        #75 0x7f9e63ef5f88 in epan_dissect_run_with_taps /builds/wireshark/wireshark/build/../epan/epan.c:598:2
        #76 0x5604c945e357 in process_packet_second_pass /builds/wireshark/wireshark/build/../tshark.c:3250:5
        #77 0x5604c945c88e in process_cap_file_second_pass /builds/wireshark/wireshark/build/../tshark.c:3389:9
        #78 0x5604c94569b6 in process_cap_file /builds/wireshark/wireshark/build/../tshark.c:3650:28
        #79 0x5604c94504c8 in main /builds/wireshark/wireshark/build/../tshark.c:2102:16
        #80 0x7f9e5711e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #81 0x5604c937f43d in _start (/builds/wireshark/wireshark/_install/bin/tshark+0x5b43d)
    
    0x60600088643b is located 0 bytes to the right of 59-byte region [0x606000886400,0x60600088643b)
    freed by thread T0 here:
        #0 0x5604c93f78fd in free (/builds/wireshark/wireshark/_install/bin/tshark+0xd38fd)
        #1 0x7f9e63e00f03 in wmem_free /builds/wireshark/wireshark/build/../epan/wmem/wmem_core.c:65:9
        #2 0x7f9e63e0b01b in wmem_strict_free /builds/wireshark/wireshark/build/../epan/wmem/wmem_allocator_strict.c:127:5
        #3 0x7f9e63e0b0c4 in wmem_strict_free_all /builds/wireshark/wireshark/build/../epan/wmem/wmem_allocator_strict.c:182:9
        #4 0x7f9e63e01279 in wmem_free_all_real /builds/wireshark/wireshark/build/../epan/wmem/wmem_core.c:104:5
        #5 0x7f9e63e011d6 in wmem_free_all /builds/wireshark/wireshark/build/../epan/wmem/wmem_core.c:110:5
        #6 0x7f9e63e10a1a in wmem_leave_packet_scope /builds/wireshark/wireshark/build/../epan/wmem/wmem_scopes.c:69:5
        #7 0x7f9e63ef5f2d in epan_dissect_run /builds/wireshark/wireshark/build/../epan/epan.c:588:2
        #8 0x5604c945db37 in process_packet_first_pass /builds/wireshark/wireshark/build/../tshark.c:3028:5
        #9 0x5604c945bf2f in process_cap_file_first_pass /builds/wireshark/wireshark/build/../tshark.c:3165:9
        #10 0x5604c945696c in process_cap_file /builds/wireshark/wireshark/build/../tshark.c:3631:25
        #11 0x5604c94504c8 in main /builds/wireshark/wireshark/build/../tshark.c:2102:16
        #12 0x7f9e5711e0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    
    previously allocated by thread T0 here:
        #0 0x5604c93f7b7d in malloc (/builds/wireshark/wireshark/_install/bin/tshark+0xd3b7d)
        #1 0x7f9e5738be98 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x57e98)
        #2 0x7f9e63e0a8ab in wmem_strict_alloc /builds/wireshark/wireshark/build/../epan/wmem/wmem_allocator_strict.c:81:46
        #3 0x7f9e63e0ac94 in wmem_strict_realloc /builds/wireshark/wireshark/build/../epan/wmem/wmem_allocator_strict.c:139:15
        #4 0x7f9e63e011b0 in wmem_realloc /builds/wireshark/wireshark/build/../epan/wmem/wmem_core.c:96:12
        #5 0x7f9e63e1327c in wmem_strbuf_finalize /builds/wireshark/wireshark/build/../epan/wmem/wmem_strbuf.c:296:19
        #6 0x7f9e63f1d4dc in rel_oid_subid2string /builds/wireshark/wireshark/build/../epan/oids.c:898:9
        #7 0x7f9e63f18a07 in oid_subid2string /builds/wireshark/wireshark/build/../epan/oids.c:875:9
        #8 0x7f9e63f1f5f4 in oid_encoded2string /builds/wireshark/wireshark/build/../epan/oids.c:1164:9
        #9 0x7f9e6101dd26 in dissect_ber_any_oid_str /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3285:30
        #10 0x7f9e6101dec2 in dissect_ber_object_identifier_str /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3319:12
        #11 0x7f9e631994df in dissect_cms_T_capability /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:210:14
        #12 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
        #13 0x7f9e63199477 in dissect_cms_SMIMECapability /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:236:12
        #14 0x7f9e61020437 in dissect_ber_sq_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3556:9
        #15 0x7f9e610206f2 in dissect_ber_sequence_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3584:12
        #16 0x7f9e63199407 in dissect_cms_SMIMECapabilities /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:249:12
        #17 0x7f9e63194397 in dissect_SMIMECapabilities_PDU /builds/wireshark/wireshark/build/./asn1/cms/cms.cnf:893:12
        #18 0x7f9e63f361d1 in call_dissector_through_handle /builds/wireshark/wireshark/build/../epan/packet.c:720:9
        #19 0x7f9e63f2b000 in call_dissector_work /builds/wireshark/wireshark/build/../epan/packet.c:813:9
        #20 0x7f9e63f2c136 in dissector_try_string_new /builds/wireshark/wireshark/build/../epan/packet.c:1714:9
        #21 0x7f9e63f2c206 in dissector_try_string /builds/wireshark/wireshark/build/../epan/packet.c:1739:9
        #22 0x7f9e6100e26d in call_ber_oid_callback /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:1101:17
        #23 0x7f9e63ba9279 in dissect_x509af_T_extnValue /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:146:10
        #24 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
        #25 0x7f9e63ba6447 in dissect_x509af_Extension /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:163:12
        #26 0x7f9e61020437 in dissect_ber_sq_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3556:9
        #27 0x7f9e610206f2 in dissect_ber_sequence_of /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:3584:12
        #28 0x7f9e63ba64b7 in dissect_x509af_Extensions /builds/wireshark/wireshark/build/./asn1/x509af/x509af.cnf:176:12
        #29 0x7f9e61017bed in dissect_ber_sequence /builds/wireshark/wireshark/build/../epan/dissectors/packet-ber.c:2444:17
    
    SUMMARY: AddressSanitizer: heap-use-after-free (/builds/wireshark/wireshark/_install/bin/tshark+0x6e068) in strlen
    Shadow bytes around the buggy address:
      0x0c0c80108c30: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
      0x0c0c80108c40: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
      0x0c0c80108c50: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
      0x0c0c80108c60: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
      0x0c0c80108c70: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
    =>0x0c0c80108c80: fd fd fd fd[fd]fd fd fd fa fa fa fa fd fd fd fd
      0x0c0c80108c90: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c0c80108ca0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
      0x0c0c80108cb0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
      0x0c0c80108cc0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c0c80108cd0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==87972==ABORTING
    
    fuzz-test.sh stderr:
    Running as user "root" and group "root". This could be dangerous.

_no debug trace_

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

CVE-2022-0581: Fuzz job crash output: fuzz-2022-02-07-6714.pcap (#17935) · Issues · Wireshark Foundation / wireshark

Crash in the PVFS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3.4.0 to 3.4.11 allows denial of service via packet injection or crafted capture file

**Replace CVE-2022-0583.json**

Attach a file by drag & drop or click to upload

  

Commit message

Cancel

GitLab will create a branch in your fork and start a merge request.

CVE-2022-0583: 2022/CVE-2022-0583.json · master · GitLab.org / cves

An Arbitrary File Deletion vulnerability exists in SourceCodester Attendance Management System v1.0 via the csv parameter in admin/pageUploadCSV.php, which can cause a Denial of Service (crash).

Submitted by razormist on Friday, February 5, 2021 - 10:22.

![](https://www.sourcecodester.com/sites/default/files/styles/large/public/2020-04/images/attendance-management-system_1.png?itok=RiD4Q5YS)

The **Attendance Management System** with Source Code is a **PHP** project that can maintain daily attendance records easily and conveniently. This system was created using **PHP, HTML, MYSQLi,** and **Javascript**.

This application is easy to use, the user has access to all data that is related to student information. You can view the details and add some new information for courses, units, etc. The system data/lists can be **printed** and exported to **CSV, Excel, and PDF**. The administrator can manipulate the information and also maintain the security of the system. Database backups can also be generated through admin permission.

****Features****

*   **Manage Courses**
*   **Manage Units**
*   **Manage Student**
*   **Manage Attendance**
*   **Manage Website Settings**
*   **Manage User Accounts**
*   **Manage User Groups**

****How to Run****

**Requirements**

*   **Download** and **Install** any **local web server** such as **XAMPP/WAMP.**
*   **Download** and **Extract** the source code **zip** file.

**Installation**

*   **Open** the **XAMPP/WAMP's Control Panel** and start **"Apache"** and **"MySQL"**.
*   If you are using **XAMPP**, **copy** the **extracted folder** and **paste** it into the **XAMPP's "htdocs" directory**. If you are using **WAMP**, **paste** it into the **"www" directory**.
*   **Locate** the **SQL** file in the extracted source code folder. The **SQL** file is known as **"attendance\_management.sql"** and located inside the **"db"** folder.
*   **Open** a **web browser** and browse the **PHPMyAdmin**. (http://localhost/phpmyadmin)
*   **Create** a new **database** naming **"attendance\_management"**.
*   **Import** the **SQL** file to your newly created database.
*   **Open** a **web browser** and browse the **web application**. (http://localhost/Attendance%20Management%20System/)

**Admin Access**

Username: **admin**  
Password: **admin**

**Demo**

That's it! I hope that this system can help you with what you are looking for. For more updates and tutorials just kindly visit this site.

**Enjoy Coding!!**

*   14313 views

CVE-2021-45348: Attendance Management System using PHP with Source Code

A Buffer Overflow vulnerability exists in Tenda Router AX12 V22.03.01.21_CN in the sub_422CE4 function in page /goform/setIPv6Status via the prefixDelegate parameter, which causes a Denial of Service.

**突破墙的约束，畅享3000兆Wi-Fi 6****AX3000双频千兆Wi-Fi 6无线路由器【信号增强版】**

![AX12](https://www.tenda.com.cn/resource/products/AX12/1-0.png)

![AX12](https://www.tenda.com.cn/resource/products/AX12/1-1.png)![AX12](https://www.tenda.com.cn/resource/products/AX12/bg1.png)

**突破墙的约束 信号如此强悍****腾达AX12外置四颗独立信号增强模块，搭配四根6dBi高增益天线让信号释放更加强劲，势不可挡，突破墙的约束，畅享三千兆级Wi-Fi6**

![AX12](https://www.tenda.com.cn/resource/products/AX12/bg2.png)

**Wi-Fi6终端网速 实测提升1.5倍****日益增多的新手机、Pad、电脑、网卡、智能电视都已经逐渐开始支持Wi-Fi 6技术，配合腾达AX12无线路由器，相比AC2600 Wi-Fi5路由器无线峰值速率最高可提升1.2倍，相比AC1900 Wi-Fi5路由器无线峰值速率最高可提升1.5倍。**

![](https://www.tenda.com.cn/resource/products/AX12/3-1.png)

**\* 测试拓扑**

![](https://www.tenda.com.cn/resource/products/AX12/3-2.png)

**\* 陪测终端**

华为P40、苹果iPhone11、小米10、三星S10、Intel AX200网卡、华硕PCE-AC88网卡

**\* 测试说明**

中国电信1000M宽带下，每个配测终端使用5GHz分别连接到AX12/AC2600/AC1900使用Speedtest测速3次，取所有终端中最高测试的数据。

![AX12](https://www.tenda.com.cn/resource/products/AX12/bg3.png)

\*以上数据由腾达实验室测试，仅供参考  
目前支持Wi-Fi6 的终端有：华为P40系列、小米10系列、Reno 3、iQOO 3、华硕PCE-AC88网卡、腾达E30、Galaxy S10系列、Galaxy S20系列、Intel AX200/AX201、Galaxy Note10系列、iPhone11系列、Find x2系列、vivo APEX 2020、iPad pro 2020、Realme X50 Pro等）

**网速齐飚 多人上网更畅快****采用MU-MIMO + OFDMA技术，显著提升网络性能与效率、延时更低，满足多人在线游戏、观看超清视频更流畅。**

![AX12](https://www.tenda.com.cn/resource/products/AX12/bg4.png)

![AX12](https://www.tenda.com.cn/resource/products/AX12/4-1.png)

◆ OFDMA技术加持，同一时刻传输多个用户数据，延时更低，效率更高。

◆ 无OFDMA技术加持，同一时刻只能传输1个用户数据，延时高，效率低。

\* 此功能需要终端设备支持OFDMA和MU-MIMO技术

**四颗强劲信号模块 突破墙的约束 覆盖更广****2.4GHz和5GHz频段均采用2颗外置信号增强模块（FEM），同时提升信号增强和接受能力，覆盖范围更广。**

![AX12](https://www.tenda.com.cn/resource/products/AX12/bg5.png)

**抗干扰 高效通信 上网更畅快****支持BSS Coloring着色技术，增强抗邻居家Wi-Fi干扰的能力，有效缓解同频干扰，提升频谱利用率与通信效率，有效提高整个网络的通信效率，提升空间复用率，打造专属你的网络空间。**

![AX12](https://www.tenda.com.cn/resource/products/AX12/bg6.png)

\* 此功能需要终端设备支持OFDMA和MU-MIMO技术

**支持IPv6 海量IP 上网更顺畅****传统IPv4协议路由器上网，需要经过地址转换。IPv6协议具有海量的IP地址空间，上网无需经过地址转换，可缩短上网设备与服务器端的数据传输时间，时延更短，游戏更畅快 。**

![AX12](https://www.tenda.com.cn/resource/products/AX12/bg7.png)

**支持WPA3 防破译 更安全****WPA3是新一代Wi-Fi安全标准，更成熟的身份认证算法，极大的增强了网络密码破解难度，能阻止强力攻击，暴力破解，使家庭网络信息安全得到更加有效的保护。**

![AX12](https://www.tenda.com.cn/resource/products/AX12/bg8.png)

**支持TWT 用时唤醒 低功耗 长续航****支持TWT技术，改变传统设备一直待命待机状态，当设备收到传输指令后，才进行连接，有效实现设备用时唤醒，降低终端设备能耗，延长终端设备电池寿命。**

![AX12](https://www.tenda.com.cn/resource/products/AX12/bg9.png)

**手机APP管理 随时随地掌控网络****手机下载Tenda App，随时掌控家中网络和设备情况；防蹭网、信道优化、信道强度调节、安全检测、云管理等一系列功能，通过App一键设置，随时随地，轻松玩转。**

![AX12](https://www.tenda.com.cn/resource/products/AX12/bg10.png)

![Tenda](https://www.tenda.com.cn/resource/products/AX12/11-1.png)

**访客网络**

保护隐私与安全

![Tenda](https://www.tenda.com.cn/resource/products/AX12/11-2.png)

**定时开关**

Wi-Fi定时  
智能环保

![Tenda](https://www.tenda.com.cn/resource/products/AX12/11-3.png)

**家长控制**

合理管控  
小孩上网时长

![Tenda](https://www.tenda.com.cn/resource/products/AX12/11-4.png)

**双频合一**

支持双频合一  
自动优选5G频段

![Tenda](https://www.tenda.com.cn/resource/products/AX12/11-5.png)

**信号调节**

支持信号强度调节  
多穿一堵墙

![Tenda](https://www.tenda.com.cn/resource/products/AX12/11-6.png)

**黑白名单**

支持黑白名单  
防止有效蹭网

CVE-2021-45392: AX12 AX3000双频千兆Wi-Fi 6无线路由器_腾达(Tenda)官方网站

** UNSUPPORTED WHEN ASSIGNED ** Emerson Dixell XWEB-500 products are affected by information disclosure via directory listing. A potential attacker can use this misconfiguration to access all the files in the remote directories. Note: the product has not been supported since 2018 and should be removed or replaced.

![Emerson](https://www.swascan.com/wp-content/uploads/2022/01/Emerson-scaled.jpg)

**1.Technical Summary**

Swascan’s Cyber Security Research Team detected some important potential vulnerabilities on:

*   Dixell **XWEB-500**

Detected vulnerabilities were:

Vulnerability

Assets

CVSSv3

Severity

**Arbitrary File Write**

http://<target>/cgi-bin/logo\_extra\_upload.cgi

http://<target>/cgi-bin/cal\_save.cgi

http://<target>/cgi-bin/lo\_utils.cgi

**7.5**

**HIGH**

**Directory Listing**

http://<target>/cgi-bin/lo\_utils.cgi

**5.3**

**MEDIUM**

In the following section we are reporting some technical details on these vulnerabilities including evidences and proof-of-concepts.

**2.Vulnerability details****Arbitrary File Write**

CWE-73: _External Control of File Name or Path_  
CVSSv3: **7.5**\[AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\]

Description

Emerson Dixell XWEB-500 products are vulnerable to Arbitrary File Write attack. An attacker will be able to write any file on the target system without any kind of authentication mechanism, and this can lead to filesystem space bursting and, as so a Denial of Service.

**Assets**

*   http://<target>/cgi-bin/logo\_extra\_upload.cgi
*   http://<target>/cgi-bin/cal\_save.cgi
*   http://<target>/cgi-bin/lo\_utils.cgi

**Proof of Concept**

The next images represent the evidence of the vulnerability and how it was possible to write any files into the filesystem using the CGIs listed in the previous sections:

![](https://www.swascan.com/wp-content/uploads/2022/01/MicrosoftTeams-image-9-1024x555.png)

Evidence 1 File write using the logo\_extra\_upload.cgi

![](https://www.swascan.com/wp-content/uploads/2022/01/PH2-2.png)

Evidence 2 File write using lo\_utils.cgi

****

![](https://www.swascan.com/wp-content/uploads/2022/01/PH3-2.png)

Evidence 3 Check file write

![](https://www.swascan.com/wp-content/uploads/2022/01/PH4-1.png)

Evidence 4 File write using cal\_save.cgi

![](https://www.swascan.com/wp-content/uploads/2022/01/PH5-1.png)

Evidence 5 Check file write

**References**

https://cwe.mitre.org/data/definitions/73.html

**Directory Listing**

CWE-548: _Exposure of Information Through Directory Listing_  
CVSSv3: **5.3** \[AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\]

**Description**

Emerson Dixell XWEB-500 products are affected by Information Disclosure via Directory Listing. A potential attacker can use this misconfiguration to access all the files present in the directories.

In this particular case, we found that the java directory was very interesting because contains many .jar files that have been used to find hidden cgi. Furthermore, this can allow finding other exploitation vectors using reverse engineering techniques.

**Assets**

*   http://<target>/<folder>/

**Proof of Concept**

The next images represent the evidence of the vulnerability and how it was possible to list the files:

![](https://www.swascan.com/wp-content/uploads/2022/01/PH6-1.png)

Evidence 6 Directory Listing

Below is a sample of the reverse engineering process to find some hidden cgi:

![](https://www.swascan.com/wp-content/uploads/2022/01/PH7.png)

Evidence 7 Hidden cgi discovery and jar reversing

**Emerson’s note**

Out of an abundance of caution, this CVE ID is being assigned to better serve customers and ensure all who are still running this product understands that the product has not been supported since 2018 and should be removed or replaced with XWEB PRO. Further information on supported Dixell products can be found at https://webapps.emerson.com/Dixell/Pages/Leaflets or by contacting customer support at dixell.servi\[email protected\].

**  
References**

*   https://cwe.mitre.org/data/definitions/548.html
*   https://cwiki.apache.org/confluence/display/httpd/DirectoryListings
*   https://preventdirectaccess.com/docs/disable-directory-listing/

**Our Services**

CVE-2021-45421: Vulnerability Report Emerson – Dixell XWEB-500 Multiple Vulnerabilities - Swascan

The Custom Popup Builder WordPress plugin before 1.3.1 autoload data from its popup on every pages, as such data can be sent by unauthenticated user, and is not validated in length, this could cause a denial of service on the blog

CVE-2022-0214

The Popup | Custom Popup Builder WordPress plugin before 1.3.1 autoload data from its popup on every pages, as such data can be sent by unauthenticated user, and is not validated in length, this could cause a denial of service on the blog

Tag

#dos