Wireshark
cpe:2.3:a:wireshark:wireshark:*:*:*:*:*:*:*
- >= 4.6.0, <= 4.6.4
- >= 4.4.0, <= 4.4.14
A denial-of-service vulnerability has been identified in the BT-DHT protocol dissector of Wireshark. This issue is present in Wireshark versions 4.6.0 through 4.6.4 and 4.4.0 through 4.4.14. The vulnerability causes a crash due to a stack overflow when the dissector processes nested bencoded list elements without a recursion depth guard. The crash can be triggered by using 'Decode As' on a system with a limited stack.
Exploitation of this vulnerability leads to a segmentation fault that crashes Wireshark. The stack overflow can be triggered on systems with a stack limit of approximately 1MB; it does not cause a crash on systems with the default 8MB stack limit.
The vulnerability can be reproduced by injecting a malformed BT-DHT packet that contains a payload with a high degree of nesting, exceeding 32,000 levels. This can be done by using a Python script to generate a capture file that exploits the stack overflow vulnerability. The generated capture file can then be read by TShark, Wireshark's command-line interface, with the BT-DHT dissector applied to the appropriate UDP port. The 'ulimit' command can be used to set a low stack limit, which will cause TShark to crash due to the stack overflow.
Users can upgrade to Wireshark versions 4.6.5, 4.4.15 or later to address this vulnerability.
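The missing control named in the description is a recursion depth guard. The following is an added example, not Wireshark's code or its actual fix: a stand-alone bencode validator in C that refuses to recurse past a caller-supplied nesting cap. The function names, return codes, the `max_depth` parameter and the sample payload are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>

enum { BENC_MALFORMED = -1, BENC_TOO_DEEP = -2 };

/* Constructed sample input: a payload in the shape of a BT-DHT ping query. */
const unsigned char BENC_SAMPLE_PING[] =
    "d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe";

/* Parse one bencoded element at buf[off]; return the offset just past it or a
 * negative BENC_* code. Simplification: dict keys need not be strings. */
static long benc_element(const unsigned char *buf, size_t len, size_t off,
                         unsigned depth, unsigned max_depth)
{
    if (off >= len)
        return BENC_MALFORMED;
    if (buf[off] == 'l' || buf[off] == 'd') {
        /* The guard: refuse before recursing, so stack use is bounded by
         * max_depth frames whatever the packet contains. */
        if (depth >= max_depth)
            return BENC_TOO_DEEP;
        for (off++; off < len && buf[off] != 'e'; ) {
            long next = benc_element(buf, len, off, depth + 1, max_depth);
            if (next < 0)
                return next;
            off = (size_t)next;
        }
        return off < len ? (long)(off + 1) : BENC_MALFORMED;
    }
    if (buf[off] == 'i') {                     /* i<digits>e */
        size_t start = ++off;
        if (off < len && buf[off] == '-')
            start = ++off;
        while (off < len && isdigit(buf[off]))
            off++;
        return (off > start && off < len && buf[off] == 'e') ? (long)(off + 1)
                                                             : BENC_MALFORMED;
    }
    size_t n = 0, start = off;                 /* <length>:<bytes> */
    for (; off < len && isdigit(buf[off]) && n <= len; off++)
        n = n * 10 + (size_t)(buf[off] - '0');
    if (off == start || off >= len || buf[off] != ':' || n > len - (off + 1))
        return BENC_MALFORMED;
    return (long)(off + 1 + n);
}

/* max_depth is the caller's nesting cap (a value assumed for this example). */
long benc_check(const unsigned char *buf, size_t len, unsigned max_depth)
{
    return benc_element(buf, len, 0, 0, max_depth);
}
```

A payload whose nesting exceeds the cap returns `BENC_TOO_DEEP` instead of consuming another stack frame, so the outcome no longer depends on the process stack limit.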