Infinite loop in the RTMPT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows denial of service via packet injection or crafted capture file
Wireshark, a widely used network protocol analyzer, is vulnerable to a denial-of-service (DoS) attack due to an infinite loop within its RTMPT dissector. Attackers can exploit this flaw by injecting specially crafted network packets or providing a malicious capture file, causing Wireshark to consume excessive resources and become unresponsive, effectively disrupting network analysis and potentially impacting security operations.
Step 1: Payload Delivery: The attacker crafts a malicious RTMPT packet or creates a capture file (.pcap or .pcapng) containing a malicious RTMPT packet.
Step 2: Packet Injection/File Opening: The attacker either injects the crafted packet onto a network monitored by Wireshark or provides the malicious capture file to a user or system running Wireshark.
Step 3: Dissector Trigger: Wireshark's RTMPT dissector processes the malicious packet or the packet within the capture file.
Step 4: Infinite Loop: Due to a logic flaw in the dissector, the crafted packet triggers an infinite loop within the parsing logic.
Step 5: Resource Exhaustion: The infinite loop consumes CPU resources, leading to high CPU utilization and potentially system instability.
Step 6: Denial of Service: Wireshark becomes unresponsive, preventing network analysis and potentially disrupting security operations.
The vulnerability stems from an infinite loop within the RTMPT (Real Time Messaging Protocol Tunneling) dissector in Wireshark. The dissector, responsible for parsing and interpreting RTMPT traffic, contains a logic error that allows a crafted packet or capture file to trigger an endless loop. The loop likely occurs while processing specific RTMPT message types or malformed data within the packet. The probable root cause is a failure to handle edge cases or unexpected data formats in the RTMPT protocol, producing a condition in which the parsing logic repeatedly executes without advancing through the input, consuming CPU time and preventing the program from making progress. Because the dissector never returns, Wireshark can neither finish dissecting the current packet nor move on to other packets, which results in the DoS condition.
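The "parsing without advancing" failure mode described above, shown on a constructed length-prefixed record format. This is an added illustration, not Wireshark's RTMPT dissector code: the record layout (a type byte followed by a total-length byte), the function names and the sample buffers are all assumptions made for the demo. The flawed loop trusts the length field to move the offset, so a zero-length record spins forever; the hardened loop rejects lengths shorter than the header, rejects records that run past the buffer, and checks that every pass strictly advances.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN 2  /* constructed format: 1 type byte + 1 total-length byte */

/* Flawed loop: advances by the untrusted length field. A record whose
 * total_len is 0 leaves `offset` unchanged, so the loop never ends.
 * max_iters exists only so this demo returns (-1) instead of hanging;
 * a real dissector has no such guard and simply spins. */
long parse_flawed(const uint8_t *buf, size_t len, unsigned max_iters)
{
    size_t offset = 0; long count = 0; unsigned iters = 0;
    while (offset + HDR_LEN <= len) {
        if (iters++ >= max_iters) return -1;   /* would have looped forever */
        uint8_t total_len = buf[offset + 1];
        offset += total_len;                   /* no progress when total_len == 0 */
        count++;
    }
    return count;
}

/* Hardened loop: a malformed record stops dissection with -1 instead of
 * being silently re-parsed; every pass must make the offset strictly larger. */
long parse_hardened(const uint8_t *buf, size_t len)
{
    size_t offset = 0; long count = 0;
    while (offset + HDR_LEN <= len) {
        uint8_t total_len = buf[offset + 1];
        if (total_len < HDR_LEN) return -1;      /* cannot cover its own header */
        if (total_len > len - offset) return -1; /* truncated: runs past buffer */
        size_t next = offset + total_len;
        if (next <= offset) return -1;           /* progress check, belt and braces */
        offset = next;
        count++;
    }
    return count;
}

/* Constructed sample inputs: three well-formed records, then a stream whose
 * second record carries a zero length, then a record that claims more bytes
 * than remain in the buffer. */
static const uint8_t good[]      = {0x01, 0x04, 0xAA, 0xBB, 0x02, 0x02, 0x03, 0x03, 0x41};
static const uint8_t zero_len[]  = {0x01, 0x04, 0xAA, 0xBB, 0x02, 0x00, 0x00, 0x00};
static const uint8_t truncated[] = {0x01, 0x05, 0xAA};

int main(void)
{
    printf("flawed/good=%ld flawed/zero_len=%ld\n",
           parse_flawed(good, sizeof good, 1000), parse_flawed(zero_len, sizeof zero_len, 1000));
    printf("hardened/good=%ld hardened/zero_len=%ld hardened/truncated=%ld\n",
           parse_hardened(good, sizeof good), parse_hardened(zero_len, sizeof zero_len),
           parse_hardened(truncated, sizeof truncated));
    return 0;
}
```

The same progress check is the practical mitigation for any dissector loop driven by attacker-controlled lengths: bail out on a length that cannot advance the cursor rather than trusting it.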