CVE-2011-3360 in Wireshark
Summary
by MITRE
Untrusted search path vulnerability in Wireshark 1.4.x before 1.4.9 and 1.6.x before 1.6.2 allows local users to gain privileges via a Trojan horse Lua script in an unspecified directory.
Analysis
by VulDB Data Team • 06/14/2025
CVE-2011-3360 is an untrusted search path vulnerability affecting Wireshark 1.4.x prior to 1.4.9 and 1.6.x prior to 1.6.2. It is a local privilege escalation, not a remote code execution flaw: the attacker must already have an account on the machine and be able to write to a directory that Wireshark consults when it loads Lua scripts. The flaw sits in Wireshark's Lua scripting environment, which the application uses for user-written dissectors, post-dissectors and taps. The root cause is that the directory a script is loaded from is determined by the search order in effect when Wireshark starts rather than by a fixed, trusted location, so a Trojan horse script with the expected file name can be picked up instead of the genuine one. The MITRE summary does not name the directory involved, so this analysis describes the mechanism in general terms.
Technically, the problem is that Wireshark resolves the names of the Lua scripts it loads at startup against a set of directories that are not all under the control of the installation. The application does not verify the origin or integrity of a script before executing it, so a local user who can place a file with the right name in a directory that is searched ahead of the intended script location gets that file executed the next time another user starts Wireshark. The attacker need not modify any file in the Wireshark installation itself; control of an earlier entry in the search order is sufficient. This is the pattern catalogued as CWE-427, Uncontrolled Search Path Element, which covers applications that load code from directories an attacker can influence.
The operational impact is arbitrary code execution with the privileges of whoever runs Wireshark, not of the attacker who planted the script. On its own that is only a privilege escalation if the victim is a more privileged user than the attacker. In practice that was common at the time, because capturing packets requires raw socket access and many users simply ran Wireshark as root, in which case a Trojan horse script gives the attacker a root shell on the machine. Exploitation requires a victim to actually start Wireshark with the attacker-controlled directory in its search order; there is no remote or network-triggered vector, and a malicious packet capture on its own does not trigger the flaw.
Mitigation for CVE-2011-3360 starts with upgrading to Wireshark 1.4.9 or 1.6.2 (or later), which load scripts from a fixed trusted location instead of relying on the search order. Beyond patching, the operational controls are the usual ones for CWE-427: keep the directories Wireshark loads scripts from owned by the installing account and not writable by other users, and do not run Wireshark itself as root; Wireshark's own documentation recommends granting capture privileges to the separate dumpcap helper (on Linux via CAP_NET_RAW and CAP_NET_ADMIN file capabilities) and running the GUI as an unprivileged user, which removes most of the value of a planted script. Releases of that era also expose a disable_lua switch in init.lua for installations that do not need Lua at all. For detection, monitor the script directories for files created or modified by accounts other than the one that installed Wireshark, and keep a hash manifest of the expected scripts so that changes are caught before the next launch. The flaw is a standard example of why applications that load external code must resolve it against an explicit, non-user-writable path rather than a search list that includes user-controlled directories. In ATT&CK terms the post-exploitation behaviour maps to T1059.011, Command and Scripting Interpreter: Lua (T1059.007, sometimes cited here, is JavaScript).
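The two preceding paragraphs describe the mechanism (a script name resolved against a search order the attacker can influence) and the mitigations (a fixed trusted directory, permission checks, and a hash manifest for detection). The following is an added example, not Wireshark code, that models the CWE-427 pattern in Python: naive_resolve() reproduces the vulnerable behaviour of searching the working directory first, safe_resolve() shows the hardened loader, and build_manifest()/verify_manifest() implement the integrity check. The directory layout, the console.lua file names, the trusted_dirs list and the UntrustedScriptError class are all assumptions made for the demonstration; demo() builds a constructed scenario in a temporary directory rather than touching a real installation.

```python
"""Untrusted-search-path (CWE-427) demonstration modelled on CVE-2011-3360.
Added example; the directory names and checks are assumptions, not Wireshark's code."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


class UntrustedScriptError(Exception):
    """Raised when a script would be loaded from an untrusted location."""


def naive_resolve(name, search_path):
    """Vulnerable pattern: walk the search list in order and take the first hit.
    An empty entry means the current working directory, which is what a
    relative dofile("console.lua") in Lua effectively does."""
    for d in search_path:
        candidate = Path(d) / name
        if candidate.is_file():
            return candidate.resolve()
    return None


def script_name_is_safe(name):
    """Only plain relative names without traversal are acceptable."""
    parts = Path(name).parts
    return bool(parts) and not Path(name).is_absolute() and ".." not in parts


def _writable_by_others(st):
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def safe_resolve(name, trusted_dirs, expected_uid=None):
    """Hardened loader: search only explicit absolute directories, require the
    resolved path (after symlinks) to stay inside one of them, and refuse any
    script or containing directory owned by someone else or writable by others."""
    if not script_name_is_safe(name):
        raise UntrustedScriptError(f"refusing script name {name!r}")
    if expected_uid is None:
        expected_uid = os.geteuid() if hasattr(os, "geteuid") else 0
    for d in trusted_dirs:
        base = Path(d)
        if not base.is_absolute():
            raise UntrustedScriptError(f"trusted dir must be absolute: {d!r}")
        base = base.resolve()
        candidate = base / name
        if not candidate.exists():
            continue
        resolved = candidate.resolve()
        if base not in resolved.parents:
            raise UntrustedScriptError(f"{candidate} escapes {base}")
        for p in (resolved, resolved.parent):  # file and its directory
            st = p.stat()
            if st.st_uid != expected_uid or _writable_by_others(st):
                raise UntrustedScriptError(f"untrusted ownership/permissions on {p}")
        return resolved
    return None


def build_manifest(trusted_dir):
    """Map relative script path -> SHA-256 for every .lua file under trusted_dir."""
    base = Path(trusted_dir).resolve()
    return {str(p.relative_to(base)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in base.rglob("*.lua") if p.is_file()}


def verify_manifest(trusted_dir, manifest):
    """Compare the current tree against a stored manifest; return the changes."""
    current = build_manifest(trusted_dir)
    changes = {}
    for rel in manifest.keys() | current.keys():
        if rel not in current:
            changes[rel] = "missing"
        elif rel not in manifest:
            changes[rel] = "added"
        elif current[rel] != manifest[rel]:
            changes[rel] = "modified"
    return changes


def demo():
    """Constructed scenario: a trojan console.lua in the working directory and the
    genuine one in the trusted data directory. Returns which file each loader
    picks, whether a mis-permissioned script is rejected, and the manifest verdict
    after tampering. Designed for POSIX ownership semantics."""
    root = Path(tempfile.mkdtemp())
    data, work = root / "data", root / "work"
    for d in (data, work):
        d.mkdir()
        d.chmod(0o755)
    (data / "console.lua").write_text('-- genuine console\nprint("console")\n')
    (work / "console.lua").write_text('-- trojan: runs as whoever starts the app\nos.execute("id")\n')
    (data / "console.lua").chmod(0o644)
    (work / "console.lua").chmod(0o644)
    result, old_cwd = {}, os.getcwd()
    os.chdir(work)  # the victim starts the application from the attacker's directory
    try:
        result["naive"] = naive_resolve("console.lua", ["", str(data)]).parent.name
        result["safe"] = safe_resolve("console.lua", [str(data)]).parent.name
        manifest = build_manifest(data)
        (data / "console.lua").chmod(0o666)  # simulate a group/world-writable install
        try:
            safe_resolve("console.lua", [str(data)])
            result["perm_check"] = "accepted"
        except UntrustedScriptError:
            result["perm_check"] = "rejected"
        (data / "console.lua").write_text('os.execute("id")\n')  # tamper with the trusted copy
        result["tamper"] = verify_manifest(data, manifest)
    finally:
        os.chdir(old_cwd)
    return result


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the naive loader picking the trojan from the working directory while the hardened loader returns the copy in the data directory, refuses it once the file becomes writable by others, and the manifest flags the subsequent edit as modified. The ownership and mode checks are what make the fixed-directory approach hold up: an absolute path is no protection if the directory it names is writable by the attacker.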