CVE assigned due to potential for harm even though some social engineering trickery is required

Maliciously constructed Wireshark packet capture files might be used to distribute malware, providing recipients can be tricked into double clicking file URL fields.

Variants of the same attack could potentially be thrown against users of the popular network security tool, widely used by security analysts and penetration testers, whether they use Windows or Xubuntu Linux-based systems.

The attack, discovered by security researcher Lukas Euler of Positive Security, is explained in a recent post on GitLab that features proof-of-concept videos.

Even though developers of Wireshark normally avoid asking for a CVE to be created for potential security issues that require user interaction, an exception was made in this case because of the “low barrier to entry and level of control” an attacker might gain.

The issue, tracked as CVE-2021-22191, was resolved through a recent update.

17-year-old bug

A discussion on source code management platform GitLab suggests the issue may have been introduced with changes to Wireshark made as long as 17 years ago.

The root cause of the problem is that for some schemes, referenced files will be opened by the system’s standard application associated with a particular file type, as Euler explains in his blog post:

Some fields in the Wireshark proto_tree are double-clickable and pass URLs with arbitrary schemes to the QDesktopServices::openUrl function. http and https URLs passed to this function are opened by the browser which is generally safe.

For some other schemes like dav and file however, referenced files will be opened by the system’s standard application associated with their file type.

By preparing internet-hosted file shares and executable files, arbitrary code execution can be achieved via malicious pcap(ng) files or captured live-traffic and some user interaction.

On Windows machines, if a user opens the malicious pcap file and double-clicks the file URL, the WebDAV share is mounted in the background and the .jar file is executed.

A similar attack with the same effect might be run against Wireshark users on Xubuntu but featuring NFS share and a malicious .desktop file.


Read more of the latest security vulnerability news


Euler warned: “An attacker could distribute malicious capture files and entice people to inspect them. On Windows with JRE installed, a simple double click on a crafted field is enough to cause code execution on the victim's system.”

In a security advisory, Wireshark advises users to update to versions 3.4.4 or 3.2.12, both of which have been patched to address the issue.

"The issue on GitLab also links the relevant merge requests," Euler told The Daily Swig. "The code difference shows that the team opted to fix the issue by copying potentially malicious URLs to the clipboard rather than [by] opening them directly."

High barrier to exploitation

Euler added that, contrary to Wireshark's advisory, older versions of the utility before the officially supported versions 3.4.x and 3.2.x, are also vulnerable.

In all cases the risk is low.

"Exploiting the Wireshark vulnerability requires an attacker to make their victim capture malicious traffic/open a malicious capture file, and then double click the malicious entry in the packet dissector view," Euler explained. "While it is not impossible to achieve this, it seems like an unlikely choice for larger malware campaigns."

Even though the flaw has existed for years there's nothing to suggest exploitation of this vulnerability in the wild. This isn't altogether surprising since the same methodology of distributing malicious URLs can be more readily be thrown as users of similarly vulnerable, more widely used applications.

Euler and his colleague Fabian Bräunlein, also from Positive Security, discovered the vulnerability in Wireshark while researching the URL opening behaviour of popular desktop applications.

This work uncovered code execution vulnerabilities and other flaws due to be detailed by the pair in an upcoming blog post, due to be published over the coming weeks.

Wireshark is developed by San Francisco-based Riverbed Technology, a developer of network performance products.

The Daily Swig has approached Riverbed for comment. We’ll update this story as and when more information comes to hand.


This story has been update to add comment from Euler and revised to cover the content of Wireshark's recently issued patch


READ MORE LocalStack zero-day vulnerabilities chained to achieve remote takeover of local instances