Wireshark Profile Import Path Traversal Vulnerability Allowing Denial-of-Service and Possible Code Execution

Vulnerability

A path traversal vulnerability has been identified in Wireshark versions 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14. The vulnerability is in the Configuration Profile import feature, where the application fails to properly validate the file paths stored in a ZIP archive during extraction. As a result, a crafted ZIP file can overwrite files in arbitrary locations, potentially leading to code execution. On POSIX systems, this could involve placing a malicious Lua plugin in a directory that Wireshark loads at startup, so that the code executes when Wireshark is launched.

Impact

Exploitation of this vulnerability can cause Wireshark to crash or execute arbitrary code, depending on the actions taken by the imported profile.

Reproduction

The vulnerability can be reproduced by creating a ZIP file that exploits the path traversal issue and then importing this file through the Wireshark Configuration Profiles menu. After importing, Wireshark should be restarted to verify whether the payload was executed.

Remediation

Users should upgrade to Wireshark versions 4.6.5, 4.4.15 or later.

Added: May 1, 2026, 12:20 AM
Updated: May 1, 2026, 12:20 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 7.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.