ID CVE-2011-3360
Summary Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x before 1.6.2 allows local users to gain privileges via a Trojan horse Lua script in an unspecified directory.
References
Vulnerable Configurations
  • Wireshark 1.4.6
    cpe:2.3:a:wireshark:wireshark:1.4.6
  • Wireshark 1.4.5
    cpe:2.3:a:wireshark:wireshark:1.4.5
  • Wireshark 1.4.3
    cpe:2.3:a:wireshark:wireshark:1.4.3
  • Wireshark 1.4.2
    cpe:2.3:a:wireshark:wireshark:1.4.2
  • Wireshark 1.4.1
    cpe:2.3:a:wireshark:wireshark:1.4.1
  • Wireshark 1.4.0
    cpe:2.3:a:wireshark:wireshark:1.4.0
  • Wireshark 1.4.7
    cpe:2.3:a:wireshark:wireshark:1.4.7
  • Wireshark 1.4.4
    cpe:2.3:a:wireshark:wireshark:1.4.4
  • Wireshark 1.4.8
    cpe:2.3:a:wireshark:wireshark:1.4.8
  • Wireshark 1.6.0
    cpe:2.3:a:wireshark:wireshark:1.6.0
  • Wireshark 1.6.1
    cpe:2.3:a:wireshark:wireshark:1.6.1
CVSS
Base: 9.3 (as of 20-09-2011 - 09:53)
Impact:
Exploitability:
Access
  • Vector NETWORK
  • Complexity MEDIUM
  • Authentication NONE
Impact
  • Confidentiality COMPLETE
  • Integrity COMPLETE
  • Availability COMPLETE
exploit-db via4
description Wireshark console.lua pre-loading vulnerability. CVE-2011-3360. Remote exploit for windows platform
id EDB-ID:18125
last seen 2016-02-02
modified 2011-11-19
published 2011-11-19
reporter metasploit
source https://www.exploit-db.com/download/18125/
title Wireshark console.lua pre-loading Vulnerability
metasploit via4
description This module exploits a vulnerability in Wireshark 1.6 or less. When opening a pcap file, Wireshark will actually check if there's a 'console.lua' file in the same directory, and then parse/execute the script if found. Versions affected by this vulnerability: 1.6.0 to 1.6.1, 1.4.0 to 1.4.8
id MSF:EXPLOIT/WINDOWS/MISC/WIRESHARK_LUA
last seen 2019-03-26
modified 2017-09-14
published 2011-11-19
reliability Excellent
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/wireshark_lua.rb
title Wireshark console.lua Pre-Loading Script Execution
nessus via4
  • NASL family Windows
    NASL id WIRESHARK_1_6_2.NASL
    description The installed version of Wireshark is 1.6.x before 1.6.2. This version is affected by the following vulnerabilities : - An error exists in IKE dissector that can allow denial of service attacks when processing certain malformed packets. (CVE-2011-3266) - A buffer exception handling vulnerability exists that can allow denial of service attacks when processing certain malformed packets. (Issue #6135) - It may be possible to make Wireshark execute Lua scripts using a method similar to DLL hijacking. (Issue #6136) - An error exists in OpenSafety dissector that can allow denial of service attacks when processing certain malformed packets. (Issue #6138) - An error exists in CSN.1 dissector that can allow denial of service attacks when processing certain malformed packets. (Issue #6139)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 56164
    published 2011-09-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56164
    title Wireshark 1.6.x < 1.6.2 Multiple Vulnerabilities
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_WIRESHARK_20111205.NASL
    description The remote Solaris system is missing necessary patches to address security updates : - The proto_tree_add_item function in Wireshark 1.6.0 through 1.6.1 and 1.4.0 through 1.4.8, when the IKEv1 protocol dissector is used, allows user-assisted remote attackers to cause a denial of service (infinite loop) via vectors involving a malformed IKE packet and many items in a tree. (CVE-2011-3266) - Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x before 1.6.2 allows local users to gain privileges via a Trojan horse Lua script in an unspecified directory. (CVE-2011-3360) - The dissect_infiniband_common function in epan/dissectors/packet-infiniband.c in the Infiniband dissector in Wireshark 1.4.0 through 1.4.9 and 1.6.x before 1.6.3 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a malformed packet. (CVE-2011-4101)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 80800
    published 2015-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80800
    title Oracle Solaris Third-Party Patch Update : wireshark (denial_of_service_vulnerability_in)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2011-138.NASL
    description This advisory updates wireshark to the latest version (1.6.2), fixing several security issues : The proto_tree_add_item function in Wireshark 1.6.1, when the IKEv1 protocol dissector is used, allows user-assisted remote attackers to cause a denial of service (infinite loop) via vectors involving a malformed IKE packet and many items in a tree (CVE-2011-3266). Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x before 1.6.2 allows local users to gain privileges via a Trojan horse Lua script in an unspecified directory (CVE-2011-3360). The csnStreamDissector function in epan/dissectors/packet-csn1.c in the CSN.1 dissector in Wireshark 1.6.x before 1.6.2 does not initialize a certain structure member, which allows remote attackers to cause a denial of service (application crash) via a malformed packet (CVE-2011-3482). Wireshark 1.6.x before 1.6.2 allows remote attackers to cause a denial of service (application crash) via a malformed capture file that leads to an invalid root tvbuff, related to a buffer exception handling vulnerability. (CVE-2011-3483). The unxorFrame function in epan/dissectors/packet-opensafety.c in the OpenSafety dissector in Wireshark 1.6.x before 1.6.2 does not properly validate a certain frame size, which allows remote attackers to cause a denial of service (loop and application crash) via a malformed packet (CVE-2011-3484). The updated packages have been upgraded to the latest 1.6.x version (1.6.2) which is not vulnerable to these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 61928
    published 2012-09-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61928
    title Mandriva Linux Security Advisory : wireshark (MDVSA-2011:138)
  • NASL family Windows
    NASL id WIRESHARK_1_4_9.NASL
    description The installed version of Wireshark is 1.4.x before 1.4.9. This version is affected by the following vulnerabilities : - An error exists in IKE dissector that can allow denial of service attacks when processing certain malformed packets. (CVE-2011-3266) - A buffer exception handling vulnerability exists that can allow denial of service attacks when processing certain malformed packets. (Issue #6135) - It may be possible to make Wireshark execute Lua scripts using a method similar to DLL hijacking. (Issue #6136)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 56163
    published 2011-09-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56163
    title Wireshark 1.4.x < 1.4.9 Multiple Vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2324.NASL
    description The Microsoft Vulnerability Research group discovered that insecure load path handling could lead to execution of arbitrary Lua script code.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 56571
    published 2011-10-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56571
    title Debian DSA-2324-1 : wireshark - programming error
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201110-02.NASL
    description The remote host is affected by the vulnerability described in GLSA-201110-02 (Wireshark: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Wireshark. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could send specially crafted packets on a network being monitored by Wireshark, entice a user to open a malformed packet trace file using Wireshark, or deploy a specially crafted Lua script for use by Wireshark, possibly resulting in the execution of arbitrary code, or a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 56426
    published 2011-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56426
    title GLSA-201110-02 : Wireshark: Multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_WIRESHARK-7795.NASL
    description This update of wireshark fixes the following vulnerabilities : - Wireshark IKE dissector vulnerability. (CVE-2011-3266) - Wireshark Lua script execution vulnerability. (CVE-2011-3360) - Wireshark buffer exception handling vulnerability. (CVE-2011-3483) - Lucent/Ascend file parser susceptible to infinite loop. (CVE-2011-2597) - ANSI MAP dissector susceptible to infinite loop. (CVE-2011-2698) - Large/infinite loop in the DICOM dissector. (CVE-2011-1957) - A corrupted snoop file could crash Wireshark. (CVE-2011-1959) - Malformed compressed capture data could crash Wireshark. (CVE-2011-2174) - A corrupted Visual Networks file could crash Wireshark. (CVE-2011-2175) - dereference a NULL pointer if we had a corrupted Diameter dictionary. (CVE-2011-1958)
    last seen 2019-02-21
    modified 2013-08-16
    plugin id 56617
    published 2011-10-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56617
    title SuSE 10 Security Update : wireshark (ZYPP Patch Number 7795)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_4_WIRESHARK-111013.NASL
    description This update of wireshark fixes the following vulnerabilities : - CVE-2011-3266: Wireshark IKE dissector vulnerability - CVE-2011-3360: Wireshark Lua script execution vulnerability - CVE-2011-3483: Wireshark buffer exception handling vulnerability - CVE-2011-2597: Lucent/Ascend file parser susceptible to infinite loop - CVE-2011-2698: ANSI MAP dissector susceptible to infinite loop - CVE-2011-1957: Large/infinite loop in the DICOM dissector - CVE-2011-1959: A corrupted snoop file could crash Wireshark - CVE-2011-2174: Malformed compressed capture data could crash Wireshark - CVE-2011-2175: A corrupted Visual Networks file could crash Wireshark - CVE-2011-1958: dereference a NULL pointer if we had a corrupted Diameter dictionary
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 76045
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76045
    title openSUSE Security Update : wireshark (openSUSE-SU-2011:1142-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_3_WIRESHARK-111013.NASL
    description This update of wireshark fixes the following vulnerabilities : - CVE-2011-3266: Wireshark IKE dissector vulnerability - CVE-2011-3360: Wireshark Lua script execution vulnerability - CVE-2011-3483: Wireshark buffer exception handling vulnerability - CVE-2011-2597: Lucent/Ascend file parser susceptible to infinite loop - CVE-2011-2698: ANSI MAP dissector susceptible to infinite loop - CVE-2011-1957: Large/infinite loop in the DICOM dissector - CVE-2011-1959: A corrupted snoop file could crash Wireshark - CVE-2011-2174: Malformed compressed capture data could crash Wireshark - CVE-2011-2175: A corrupted Visual Networks file could crash Wireshark - CVE-2011-1958: dereference a NULL pointer if we had a corrupted Diameter dictionary
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75774
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75774
    title openSUSE Security Update : wireshark (openSUSE-SU-2011:1142-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_WIRESHARK-7796.NASL
    description This update of wireshark fixes the following vulnerabilities : - Wireshark IKE dissector vulnerability. (CVE-2011-3266) - Wireshark Lua script execution vulnerability. (CVE-2011-3360) - Wireshark buffer exception handling vulnerability. (CVE-2011-3483) - Lucent/Ascend file parser susceptible to infinite loop. (CVE-2011-2597) - ANSI MAP dissector susceptible to infinite loop. (CVE-2011-2698) - Large/infinite loop in the DICOM dissector. (CVE-2011-1957) - A corrupted snoop file could crash Wireshark. (CVE-2011-1959) - Malformed compressed capture data could crash Wireshark. (CVE-2011-2174) - A corrupted Visual Networks file could crash Wireshark. (CVE-2011-2175) - dereference a NULL pointer if we had a corrupted Diameter dictionary. (CVE-2011-1958)
    last seen 2019-02-21
    modified 2013-08-16
    plugin id 57263
    published 2011-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57263
    title SuSE 10 Security Update : wireshark (ZYPP Patch Number 7796)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_WIRESHARK-111013.NASL
    description This update of wireshark fixes the following vulnerabilities : - Wireshark IKE dissector vulnerability. (CVE-2011-3266) - Wireshark Lua script execution vulnerability. (CVE-2011-3360) - Wireshark buffer exception handling vulnerability. (CVE-2011-3483) - Lucent/Ascend file parser susceptible to infinite loop. (CVE-2011-2597) - ANSI MAP dissector susceptible to infinite loop. (CVE-2011-2698) - Large/infinite loop in the DICOM dissector. (CVE-2011-1957) - A corrupted snoop file could crash Wireshark. (CVE-2011-1959) - Malformed compressed capture data could crash Wireshark. (CVE-2011-2174) - A corrupted Visual Networks file could crash Wireshark. (CVE-2011-2175) - dereference a NULL pointer if we had a corrupted Diameter dictionary. (CVE-2011-1958)
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 57136
    published 2011-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57136
    title SuSE 11.1 Security Update : wireshark (SAT Patch Number 5281)
oval via4
accepted 2013-08-19T04:00:56.291-04:00
class vulnerability
contributors
  • name Shane Shaffer
    organization G2, Inc.
definition_extensions
comment Wireshark is installed on the system.
oval oval:org.mitre.oval:def:6589
description Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x before 1.6.2 allows local users to gain privileges via a Trojan horse Lua script in an unspecified directory.
family windows
id oval:org.mitre.oval:def:15059
status accepted
submitted 2012-02-27T15:34:33.178-04:00
title Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x before 1.6.2
version 8
packetstorm via4
data source https://packetstormsecurity.com/files/download/107159/wireshark_lua.rb.txt
id PACKETSTORM:107159
last seen 2016-12-05
published 2011-11-20
reporter sinn3r
source https://packetstormsecurity.com/files/107159/Wireshark-1.6-console.lua-Pre-Load-Execution.html
title Wireshark 1.6 console.lua Pre-Load / Execution
refmap via4
confirm
debian DSA-2324
mandriva MDVSA-2011:138
mlist
  • [oss-security] 20110913 CVE Request: Multiple issues fixed in wireshark 1.6.2
  • [oss-security] 20110914 Re: CVE Request: Multiple issues fixed in wireshark 1.6.2
osvdb 75347
saint via4
bid 49528
description Wireshark Lua Untrusted Search Path vulnerability
osvdb 75347
title wireshark_lua_search_path
type client
Last major update 13-08-2012 - 23:30
Published 20-09-2011 - 06:55
Last modified 18-09-2017 - 21:33