How to stop Wireshark watching you

A vulnerability in Wireshark announced this week would make it simple for a data stream under observation to crash the tool and so stop itself being captured.

Announced earlier this week, a vulnerability in the packet capture tool Wireshark versions 0.9.15 through to 1.0.10 and versions 1.2.0 through to 1.2.5 will allow a remote hacker to cause a denial of service (read as 'crash') against the software by way of a specially crafted (malformed) IP packet.


According to the Vupen Security vulnerability listing, "Multiple vulnerabilities have been identified in Wireshark, which could be exploited by attackers to compromise a vulnerable system. These issues are caused by buffer overflow errors in the LWRES dissector when processing malformed data or packets, which could be exploited by attackers to crash an affected application or potentially execute arbitrary code."

The strong recommendation is to immediately upgrade to either version 1.0.11 (for the earlier version stream) or to 1.2.6 for the later versions mentioned.
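An added example, not part of the original article or Wireshark's own code: a version audit against the affected ranges and fixed releases stated above. Host names and banner strings are constructed sample data, and the function names are hypothetical.

```python
import re

# Affected ranges (inclusive) and fixed releases exactly as stated in the article.
AFFECTED = [
    ((0, 9, 15), (1, 0, 10), "1.0.11"),
    ((1, 2, 0), (1, 2, 5), "1.2.6"),
]

# Matches the first dotted x.y.z version in a banner line.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner):
    """Return (major, minor, patch) from a banner line, or None if absent."""
    m = _VERSION_RE.search(banner)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(banner):
    """Return (status, upgrade_target); status is 'affected', 'not-listed' or 'unparsed'.

    Versions are compared as integer tuples, so 1.0.10 sorts after 1.0.9 and
    0.99.x falls inside 0.9.15 - 1.0.10; string comparison gets both wrong.
    """
    version = parse_version(banner)
    if version is None:
        return ("unparsed", None)
    for low, high, fixed in AFFECTED:
        if low <= version <= high:
            return ("affected", fixed)
    return ("not-listed", None)


# Constructed sample inventory (hypothetical hosts and banner strings).
SAMPLE_INVENTORY = {
    "analyst-01": "wireshark 1.2.5",
    "analyst-02": "wireshark 1.2.6",
    "sensor-03": "TShark 0.99.8",
    "sensor-04": "TShark 1.0.10",
    "lab-05": "version unknown",
}


def audit(inventory):
    """Map each host to its (status, upgrade_target) classification."""
    return {host: classify(banner) for host, banner in inventory.items()}
```

A result of `not-listed` only means the version is outside the two ranges the article names; `unparsed` hosts need a manual check.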

The Wireshark site also notes that "It may be possible to make Wireshark crash remotely or by convincing someone to read a malformed packet trace file."

What does this mean? Simply that it is reasonably possible (for smart nasty people) to insert specific data into the packet stream being analysed to crash Wireshark (and thereby escape capture). This may be done either through a live data stream on the wire or via a specially crafted packet trace file.