Wireshark RDP Protocol Dissector Heap Buffer Overflow Vulnerability Allowing Denial-of-Service and Possible Code Execution

Vulnerability

A heap buffer overflow vulnerability has been identified in the RDP protocol dissector of Wireshark. This issue is present in Wireshark versions 4.6.0 through 4.6.4 and 4.4.0 through 4.4.14. The vulnerability allows for a denial-of-service condition and potentially arbitrary code execution. The issue arises in the uncompressed ZGFX segment path, where attacker-controlled data is copied into a fixed-size buffer without proper bounds checking. This overflow can be exploited by injecting a malformed packet or by convincing a user to open a packet trace file containing the malicious data.
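
The following C sketch is an added illustration and is not code from Wireshark's RDP dissector. It shows the defect class the advisory describes (a copy into a fixed-size buffer whose length comes from the packet) alongside the check that prevents it. The segment framing (a 2-byte little-endian length prefix), the 64-byte capacity, the function and error-code names, and the sample packets are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the fixed-size destination buffer. Constructed for this
 * example; it is not the buffer size used by Wireshark's RDP dissector. */
#define SEG_BUF_SIZE 64

/* Return codes for copy_uncompressed_segment(). */
#define SEG_OK          0
#define SEG_ERR_SHORT  -1   /* packet too short to hold a length field */
#define SEG_ERR_TRUNC  -2   /* declared length exceeds bytes present */
#define SEG_ERR_OVERSZ -3   /* declared length exceeds destination capacity */

/*
 * Copy one "uncompressed segment" into a fixed-size buffer.
 *
 * Framing is constructed for this example: a 2-byte little-endian length
 * followed by that many payload bytes. The defect class the advisory
 * describes is a copy that trusts the declared length and omits the
 * out_cap check below; with that check missing, a length larger than the
 * destination makes memcpy write past the end of the heap buffer.
 */
static int copy_uncompressed_segment(const uint8_t *pkt, size_t pkt_len,
                                     uint8_t *out, size_t out_cap,
                                     size_t *out_len)
{
    if (pkt_len < 2)
        return SEG_ERR_SHORT;

    size_t declared = (size_t)pkt[0] | ((size_t)pkt[1] << 8);

    /* Bound the copy by what the packet actually contains ... */
    if (declared > pkt_len - 2)
        return SEG_ERR_TRUNC;
    /* ... and by what the destination can hold. This is the check whose
     * absence turns a malformed length field into a heap overflow. */
    if (declared > out_cap)
        return SEG_ERR_OVERSZ;

    memcpy(out, pkt + 2, declared);
    *out_len = declared;
    return SEG_OK;
}

/* Constructed sample: well-formed segment carrying "hello". */
int demo_valid_segment(void)
{
    const uint8_t pkt[] = { 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[SEG_BUF_SIZE];
    size_t n = 0;
    int rc = copy_uncompressed_segment(pkt, sizeof pkt, out, sizeof out, &n);
    if (rc != SEG_OK || n != 5 || memcmp(out, "hello", 5) != 0)
        return -1;
    return 0;
}

/* Constructed sample: length field claims 0xFFFF bytes but only 3 follow. */
int demo_truncated_segment(void)
{
    const uint8_t pkt[] = { 0xFF, 0xFF, 0x01, 0x02, 0x03 };
    uint8_t out[SEG_BUF_SIZE];
    size_t n = 0;
    return copy_uncompressed_segment(pkt, sizeof pkt, out, sizeof out, &n);
}

/* Constructed sample: 100 payload bytes really are present, but the
 * destination holds only SEG_BUF_SIZE. A copy without the capacity check
 * would overflow here; the checked version refuses instead. */
int demo_oversize_segment(void)
{
    uint8_t pkt[2 + 100];
    uint8_t out[SEG_BUF_SIZE];
    size_t n = 0;
    pkt[0] = 100;
    pkt[1] = 0;
    memset(pkt + 2, 'A', 100);
    return copy_uncompressed_segment(pkt, sizeof pkt, out, sizeof out, &n);
}

int main(void)
{
    printf("valid:     %d\n", demo_valid_segment());     /* 0 */
    printf("truncated: %d\n", demo_truncated_segment()); /* -2 */
    printf("oversize:  %d\n", demo_oversize_segment());  /* -3 */
    return 0;
}
```

The third sample is the case that matters for this advisory: the data is genuinely present in the packet, so a check against the packet length alone passes, and only the comparison against the destination capacity stops the copy. A dissector that validates the length against remaining input but not against the fixed buffer it writes into has exactly the gap described above.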

Impact

Exploitation of this vulnerability results in a heap-based buffer overflow that crashes the dissector (denial of service) and may allow arbitrary code execution.

Reproduction

The vulnerability can be reproduced using a crafted pcapng file that contains an RDP session with a malicious ZGFX uncompressed segment. A regular tshark build crashes with SIGSEGV when reading the file; a tshark build with AddressSanitizer reports a heap-buffer-overflow error instead. The issue is reached through the standard RDP dissection chain, so no special configuration is required to trigger it.

Remediation

Users are advised to upgrade to Wireshark 4.6.5 or 4.4.15, or a later release.

Added: May 1, 2026, 12:21 AM
Updated: May 1, 2026, 12:21 AM

Vulnerability Rating

Custom Algorithm

spread:         7.8
impact:         7.5
exploitability: 5.5
remediation:    7.7
relevance:      7.2
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.