Wireshark
cpe:2.3:a:wireshark:wireshark:*:*:*:*:*:*:*
- >= 4.6.0, <= 4.6.4
- >= 4.4.0, <= 4.4.14
A denial-of-service vulnerability has been identified in the Wireshark AFP Spotlight protocol dissector in versions 4.6.0 through 4.6.4 and 4.4.0 through 4.4.14. The issue is a stack overflow in the 'spotlight_dissect_query_loop()' function, which processes Spotlight query entries. The recursion depth is driven by packet data, so recursion is unbounded and the process crashes (SIGSEGV) on systems with 8MB or 1MB stack limits. The vulnerability can be exploited by injecting malformed packets or by using a crafted pcap file. The recursive dissection is triggered even without the '-V' flag, which is the default behavior for pcap processing.
Exploitation causes Wireshark to crash; specifically, it crashes the TShark command-line utility, which is used for processing pcap files or capturing live network traffic. The crash is a segmentation fault, and it can be replicated with a pcap file that contains crafted AFP Spotlight queries designed to trigger the stack overflow.
The vulnerability can be reproduced by using TShark to read a pcap file that contains approximately 55000 recursion levels of AFP Spotlight query data. This can be done by generating a pcap file with a Python script that creates a DSI packet containing the recursive query data, and then sending this packet over TCP port 548, which is used by the AFP protocol. Alternatively, the vulnerability can be reproduced by manually sending the crafted DSI packet over an open TCP connection to a TShark instance running without the '-V' flag, which will result in a crash on the default 8MB stack.
Users can upgrade to Wireshark versions 4.6.5, 4.4.15 or later to address this vulnerability.
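The root cause described above is recursion whose depth is chosen by packet data. The following added example (not Wireshark's code and not its actual fix) shows the general mitigation on a toy nested format: the parser carries an explicit depth counter and rejects input that nests too deeply. The format, `MAX_DEPTH`, and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Toy format built for this example (NOT the Spotlight wire format): 1-byte
 * type, 2-byte big-endian length, payload. Type 0x01 nests further entries. */
#define MAX_DEPTH 64 /* assumed cap; pick one that suits the real protocol */
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_DEEP = -2 };

static int parse_entries(const uint8_t *buf, size_t len, unsigned depth, size_t *leaves)
{
    if (depth > MAX_DEPTH) return PARSE_TOO_DEEP; /* cap set here, not by input */
    for (size_t off = 0; off < len;) {
        if (len - off < 3) return PARSE_TRUNCATED;
        uint8_t type = buf[off];
        size_t plen = ((size_t)buf[off + 1] << 8) | buf[off + 2];
        off += 3;
        if (plen > len - off) return PARSE_TRUNCATED; /* length must fit */
        if (type != 0x01) {
            (*leaves)++;
        } else {
            int rc = parse_entries(buf + off, plen, depth + 1, leaves);
            if (rc != PARSE_OK) return rc; /* stop, do not carry on */
        }
        off += plen;
    }
    return PARSE_OK;
}

/* Wrap one empty leaf in n containers (n <= 21845: 16-bit length) and parse. */
static int parse_nested(unsigned n, size_t *leaves)
{
    size_t total = 3 * (size_t)n + 3;
    uint8_t *buf = calloc(total, 1); /* last 3 zero bytes are the leaf */
    *leaves = 0;
    if (buf == NULL) return PARSE_TRUNCATED;
    for (size_t i = 0; i < n; i++) {
        buf[3 * i] = 0x01;
        buf[3 * i + 1] = (uint8_t)((3 * (n - i)) >> 8);
        buf[3 * i + 2] = (uint8_t)((3 * (n - i)) & 0xff);
    }
    int rc = parse_entries(buf, total, 0, leaves);
    free(buf);
    return rc;
}

int main(void)
{
    size_t leaves;
    return printf("20000 levels -> %d\n", parse_nested(20000, &leaves)) < 0;
}
```

Input nested up to `MAX_DEPTH` levels parses normally; anything deeper returns `PARSE_TOO_DEEP` after a fixed number of stack frames, regardless of how much nesting the input declares.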