Wireshark Heap Buffer Overflow Vulnerability in SBC Codec Allowing Denial-of-Service and Possible Code Execution

Vulnerability

A heap buffer overflow vulnerability has been identified in the SBC audio codec of Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14. This vulnerability allows for a denial-of-service condition and potentially arbitrary code execution. The issue arises in the 'codec_sbc_decode()' function, which allocates a fixed-size output buffer but does not check the decoded output against that buffer's capacity while decoding the SBC frames carried in an RTP packet. When an RTP packet contains more than approximately 256 SBC frames, the decoded output exceeds the buffer size, leading to a heap buffer overflow. This vulnerability is present on all platforms where 'libsbc' is installed and the SBC codec plugin is compiled.
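The defect class described above, the unchecked pattern beside the bounds-checked one, as an added illustration in C. This is not Wireshark's or libsbc's code: the 128 KiB output buffer, the 512-byte maximum PCM per frame, the toy frame layout (sync byte, length byte, payload) and the stub decoder are all assumptions chosen so that exactly 256 frames fill the buffer and the 257th would overflow it, matching the "approximately 256 frames" threshold in the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for this illustration (not taken from Wireshark's source):
 * a fixed 128 KiB output buffer and the largest PCM block an SBC frame can
 * decode to (16 blocks * 8 subbands * 2 channels * 2 bytes = 512 bytes).
 * With these numbers 256 frames fill the buffer exactly. */
#define OUT_BUF_SIZE        (128 * 1024)
#define MAX_PCM_PER_FRAME   512

/* Toy frame layout (constructed, not the real SBC bitstream): a 0x9C sync
 * byte, a one-byte payload length, then that many payload bytes. */
#define SBC_SYNCWORD 0x9C

/* Size of one toy frame at p, or 0 if it is malformed or truncated. */
static size_t toy_frame_len(const uint8_t *p, size_t remaining) {
    if (remaining < 2 || p[0] != SBC_SYNCWORD) return 0;
    size_t len = 2 + (size_t)p[1];
    return len <= remaining ? len : 0;
}

/* Stand-in for a real decoder: emits MAX_PCM_PER_FRAME bytes of silence. */
static void toy_decode_frame(uint8_t *dst) {
    memset(dst, 0, MAX_PCM_PER_FRAME);
}

/* Unchecked pattern: each frame's PCM is written at an advancing offset that
 * is never compared with the buffer capacity, so a packet carrying enough
 * frames writes past the end of out[]. Shown for contrast only. */
size_t decode_rtp_sbc_unchecked(const uint8_t *pl, size_t len, uint8_t *out) {
    size_t in = 0, written = 0;
    for (;;) {
        size_t fl = toy_frame_len(pl + in, len - in);
        if (fl == 0) break;
        toy_decode_frame(out + written);   /* no check against OUT_BUF_SIZE */
        written += MAX_PCM_PER_FRAME;
        in += fl;
    }
    return written;
}

/* Checked pattern: refuse the next frame when it would not fit.
 * Returns 0 on success, -1 on a malformed frame, -2 when capacity is hit. */
int decode_rtp_sbc_checked(const uint8_t *pl, size_t len,
                           uint8_t *out, size_t out_cap,
                           size_t *frames, size_t *written) {
    size_t in = 0;
    *frames = 0; *written = 0;
    while (in < len) {
        size_t fl = toy_frame_len(pl + in, len - in);
        if (fl == 0) return -1;
        if (out_cap - *written < MAX_PCM_PER_FRAME) return -2;
        toy_decode_frame(out + *written);
        *written += MAX_PCM_PER_FRAME;
        in += fl;
        (*frames)++;
    }
    return 0;
}

/* Constructed payload of n toy frames, each carrying one payload byte. */
size_t build_payload(uint8_t *buf, size_t cap, size_t n) {
    size_t off = 0;
    for (size_t i = 0; i < n && off + 3 <= cap; i++) {
        buf[off++] = SBC_SYNCWORD; buf[off++] = 1; buf[off++] = 0;
    }
    return off;
}

/* Run the checked decoder over an n-frame packet into the fixed buffer. */
static int run_checked(size_t n, size_t *frames) {
    static uint8_t payload[4096];
    static uint8_t out[OUT_BUF_SIZE];
    size_t written = 0;
    size_t plen = build_payload(payload, sizeof payload, n);
    return decode_rtp_sbc_checked(payload, plen, out, sizeof out, frames, &written);
}

int status_for(size_t n)     { size_t f = 0; return run_checked(n, &f); }
size_t frames_decoded(size_t n) { size_t f = 0; run_checked(n, &f); return f; }

int main(void) {
    printf("256 frames: status %d, %zu decoded\n", status_for(256), frames_decoded(256));
    printf("300 frames: status %d, %zu decoded\n", status_for(300), frames_decoded(300));
    return 0;
}
```

The checked variant keeps the fixed buffer; what changes is that the write offset is compared with the capacity before every frame, so an oversized packet is reported and truncated instead of corrupting the heap. Running the program prints a status of 0 with 256 frames decoded for the 256-frame packet and a status of -2 with 256 frames decoded for the 300-frame packet.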

Impact

Exploitation of this vulnerability causes a heap buffer overflow, which can lead to memory corruption and potentially allow for arbitrary code execution.

Reproduction

The vulnerability can be reproduced using Wireshark's 'sharkd' command-line interface. After loading a crafted pcapng file that places 400 SBC frames in a single RTP packet, the 'download' method can be called to trigger the overflow. This can be automated with a Python script that interacts with the Wireshark 'sharkd' binary, using AddressSanitizer to detect the overflow.

Remediation

Users are advised to upgrade to Wireshark version 4.6.5 or 4.4.15, or later.

Added: May 1, 2026, 12:27 AM
Updated: May 1, 2026, 12:27 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 7.5
exploitability: 5.5
remediation: 7.7
relevance: 7.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.