The Wireshark DoS Module

This week, we have an interesting new module from Metasploit community contributor JoseMi, which exercises a (seeming) denial-of-service (DoS) condition in a Wireshark dissector responsible for decoding CAPWAP packets. No, I've never heard of CAPWAP either, but Wikipedia's article, now I'm an expert! At any rate, it's not a protocol that you would expect to find really anywhere, given that no real wireless access point support it yet, and you should certainly not find it on the Internet. If I'm wrong on this, please let me know in the comments. I'd love to know what, if any, devices support this protocol in production.

That said, this points out some interesting similarities, and differences, between Wireshark and Metasploit development models. Like Metasploit modules, most Wireshark dissectors come from community contributors, rather than paid, full-time software developers connected to the project. We get plenty of Metasploit modules that target obscure software that most people never run into, and there are a fair amount of Wireshark dissectors like this one; many people only care about the top 10 Metasploit modules, and I expect most people only care about a tiny handful of Wireshark dissectors for their day-to-day. Also like Metasploit modules, by default, you get access to all of Wireshark's dissectors. However, there are a couple of important distinctions to be made here in terms of safety.

First, no Metasploit module runs without some kind of assertive action from the user. Second, Metasploit modules tend to be the source of "unstrusted user data," while Wireshark tends to be the receiver. While it's not impossible to mess up a Metasploit instance through some honeypot techniques, you have no way of forcing a Metasploit user to attack you. In this respect, Wireshark is much more like a "server" application, while Metasploit tends to be a "client" application.

These factors, along with the usual problems of trusting untrustable data for things like offset calculations -- makes Wireshark a delightful target for attackers, based purely on the technical profile. Add to this the likely profile of Wireshark users: Network administrators and security people. On top of that, you've got the likely privileges of the Wireshark process -- Wireshark begs you not to run as root, but people do it all the time anyway. This adds up to one of the most attractive targets of opportunity attackers can have.

The Wireshark core developers are constantly guarding against unintentionally (or intentionally) backdooring basically everyone's network monitoring infrastructure, and for that we all owe them a massive debt of gratitude. That said, mistakes happen -- even Metasploit ships an occasional bug. While JoseMi's module targets just one DoS condition, this bug came from a fuzzing run that turned out seven other CVE-designated issues. So, not to pick on Wireshark (too much), but if you're interested in contributing to Metasploit, that set of CVEs would be a fine place to start. The bugs and the patches are public, the protocols involved tend to be pretty well documented, and the payoff for an arbitrary code exec is pretty huge.

Incidentally, while this module in particular is "just a DoS," any organization falling victim to this can have some significant degradation of its monitoring capability. And don't forget that the problem is in the dissector, not just Wireshark, so any monitoring that's built on top of TShark (the command line version of Wireshark) is also vulnerable. Figuring out why TShark is crashing can be a frustrating experience, especially if you're also in the middle of another attack.

Finally, thanks to the original CAPWAP dissector authors, Alexis and Tanmay, as well as the core Wireshark developer community. This post is absolutely not intended to denigrate your efforts to make Wireshark the most complete packet dissector around -- it's a continuous miracle that open source software development happens at all, let alone at the level of quality that Wireshark achieves. Pretty much everyone I know uses Wireshark routinely, and it's all because of the open source authors like you guys. Thanks.

New Modules

We have three new modules this week, including the above-discussed Wireshark DoS module.

Auxiliary and post modules

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows, either the totally free Metasploit Community Edition, or the 14-day free trial of Metasploit Pro. If you're the sort to track bleeding-edge development code, then these modules are but an msfupdate command away. For readers who are already using Metasploit Community or Metasploit Pro, you'll be able to install the new hotness today via the Administration : Software Updates button.

For additional details on what's changed and what's current, please see Chris Doughty's most excellent release notes (also last week's).