Wireshark Monero Dissector Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Wireshark Monero protocol dissector, present in versions 4.6.0 through 4.6.4 and 4.4.0 through 4.4.14. The issue arises from a stack overflow caused by mutual recursion in the 'dissect_encoded_dictionary()' and 'dissect_encoded_value()' functions. This recursion can be triggered by a single TCP stream containing nested structures, leading to a crash (SIGSEGV) when the stack limit is exceeded.
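The bug class described above, as an added example that is neither Wireshark's code nor its actual patch: two mutually recursive parse functions over a constructed toy format, with a depth budget that stops input-controlled nesting before it can exhaust the stack. The tag values, MAX_DEPTH and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_DEPTH 32   /* assumed nesting budget for this example */
#define T_INT  0x01    /* constructed toy tag: one-byte integer follows */
#define T_DICT 0x02    /* constructed toy tag: dictionary follows */
enum { PARSE_OK = 0, PARSE_MALFORMED = -1, PARSE_TOO_DEEP = -2 };

static int parse_value(const uint8_t *buf, size_t len, size_t *off, unsigned depth);

/* Dictionary: one count byte, then `count` values. */
static int parse_dict(const uint8_t *buf, size_t len, size_t *off, unsigned depth)
{
    if (*off >= len) return PARSE_MALFORMED;
    unsigned count = buf[(*off)++];
    for (unsigned i = 0; i < count; i++) {
        int rc = parse_value(buf, len, off, depth);
        if (rc != PARSE_OK) return rc;
    }
    return PARSE_OK;
}

/* Value: a tag byte, then an integer byte or a nested dictionary. */
static int parse_value(const uint8_t *buf, size_t len, size_t *off, unsigned depth)
{
    if (*off >= len) return PARSE_MALFORMED;
    uint8_t tag = buf[(*off)++];
    if (tag == T_INT) {
        if (*off >= len) return PARSE_MALFORMED;
        (*off)++;
        return PARSE_OK;
    }
    if (tag != T_DICT) return PARSE_MALFORMED;
    /* The guard: without it, recursion depth is set by whoever wrote
       the bytes, and each level costs two stack frames. */
    if (depth >= MAX_DEPTH) return PARSE_TOO_DEEP;
    return parse_dict(buf, len, off, depth + 1);
}

/* Parse a constructed buffer: `levels` one-entry dictionaries around an integer. */
int parse_nested(unsigned levels)
{
    static uint8_t buf[4096];
    size_t n = 0, off = 0;
    if ((size_t)levels * 2 + 2 > sizeof buf) return PARSE_MALFORMED;
    for (unsigned i = 0; i < levels; i++) { buf[n++] = T_DICT; buf[n++] = 1; }
    buf[n++] = T_INT; buf[n++] = 7;
    return parse_value(buf, n, &off, 0);
}
```

The parser rejects the input as soon as the budget is spent, so the cost of a hostile stream is bounded by MAX_DEPTH rather than by the payload size.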

Impact

Exploitation of this vulnerability causes Wireshark or TShark to crash, terminating the process. Because the heuristic that detects Monero traffic runs on any TCP port, the vulnerable dissector is reached automatically; a single TCP stream with approximately 160KB of payload is enough.

Reproduction

The vulnerability can be reproduced by using a crafted packet capture file that simulates Monero traffic. This file can be generated with a Python script that creates a payload designed to exploit the recursion issue in the dissector. The generated file can then be read with TShark, Wireshark's command-line counterpart, which will crash due to the stack overflow.

Remediation

Users can address this vulnerability by upgrading to Wireshark 4.6.5 or 4.4.15, or later.

Added: Apr 30, 2026, 8:02 AM
Updated: Apr 30, 2026, 8:02 AM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 7.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.