Bugtraq: CVE-2017-6429: Buffer overflow vulnerability in Tcpreplay tcpcapinfo utility

Document Title:

===============

CVE-2017-6429: Buffer overflow vulnerability in Tcpreplay tcpcapinfo utility

Vendor:

=======

Appneta (https://www.appneta.com/)

Product and Versions Affected:

==============================

Tcpreplay 4.1.2 and possibly prior.

Fixed Version:

==============

4.2.0 Beta 1

Product Description:

====================

Tcpreplay is a suite of GPLv3 licensed utilities for UNIX (and Win32 under Cygwin) operating systems for editing and replaying network traffic which was previously captured by tools like tcpdump and Ethereal/Wireshark.

Vulnerability Type:

===================

Buffer Overflow

CVE Reference:

==============

CVE-2017-6429

Vulnerability Details:

======================

The tcpcapinfo utility in Tcpreplay has a buffer overflow when parsing a crafted pcap file. It occurs in src/tcpcapinfo.c when the capture contains a packet record whose capture length (caplen) is too large to handle: the per-packet caplen read from the file was not validated against the file header's snap length before the packet was read into a fixed-size buffer. In the run below glibc's fortify check caught the overwrite on the first record and aborted the process (SIGABRT).
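The check the advisory describes, written out as an added example that is not tcpreplay's own code: a minimal walker for the classic pcap format that bounds the file header's snaplen against a fixed packet buffer, then checks each record's caplen against both snaplen and the bytes remaining before copying the packet. The struct and status names, MAX_SNAPLEN and the build_pcap() image builder are assumptions for this example; the on-disk layout is the standard pcap one, and the crafted caplen value is arbitrary, not the one from the reporter's file.

```c
/* Added example, not tcpreplay's code: a bounds-checked walker for the classic
 * pcap format. MAX_SNAPLEN, the type and status names and build_pcap() are
 * assumptions for illustration; the on-disk layout is the standard one. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PCAP_MAGIC  0xa1b2c3d4u  /* native-endian, microsecond timestamps */
#define MAX_SNAPLEN 262144u      /* assumed buffer bound (libpcap uses the same value) */

/* 24-byte global header and 16-byte record header, as laid out on disk. */
struct pcap_file_hdr {
    uint32_t magic;
    uint16_t version_major, version_minor;
    int32_t  thiszone;
    uint32_t sigfigs, snaplen, linktype;
};
struct pcap_rec_hdr {
    uint32_t ts_sec, ts_usec;
    uint32_t caplen;  /* bytes stored in the file for this record */
    uint32_t len;     /* bytes on the wire */
};

enum pcap_status {
    PCAP_OK = 0,
    PCAP_BAD_MAGIC,        /* not a native-endian pcap image */
    PCAP_TRUNCATED,        /* header or record runs past the end of the data */
    PCAP_SNAPLEN_TOO_BIG,  /* file header snaplen exceeds the packet buffer */
    PCAP_CAPLEN_TOO_BIG    /* record caplen exceeds the file's snaplen */
};

static uint8_t pktbuf[MAX_SNAPLEN];  /* fixed-size target an unchecked caplen overruns */

/* Walk every record of an in-memory pcap image; *count receives the number of
 * records accepted. snaplen is validated before any caplen is compared against
 * it, because snaplen itself comes from the untrusted file header. */
enum pcap_status pcap_walk(const uint8_t *data, size_t len, size_t *count)
{
    struct pcap_file_hdr fh;
    struct pcap_rec_hdr rh;
    size_t off;

    *count = 0;
    if (len < sizeof fh)
        return PCAP_TRUNCATED;
    memcpy(&fh, data, sizeof fh);   /* memcpy: no unaligned or aliasing access */
    if (fh.magic != PCAP_MAGIC)
        return PCAP_BAD_MAGIC;
    if (fh.snaplen > MAX_SNAPLEN)
        return PCAP_SNAPLEN_TOO_BIG;

    off = sizeof fh;
    while (off < len) {
        if (len - off < sizeof rh)
            return PCAP_TRUNCATED;
        memcpy(&rh, data + off, sizeof rh);
        off += sizeof rh;
        if (rh.caplen > fh.snaplen)     /* the check missing in tcpcapinfo 4.1.2 */
            return PCAP_CAPLEN_TOO_BIG;
        if (rh.caplen > len - off)      /* record claims more bytes than remain */
            return PCAP_TRUNCATED;
        memcpy(pktbuf, data + off, rh.caplen);  /* safe: caplen <= snaplen <= MAX_SNAPLEN */
        off += rh.caplen;
        (*count)++;
    }
    return PCAP_OK;
}

/* Build a one-record image with the given header snaplen and record caplen,
 * followed by `present` payload bytes (constructed test input). Returns the
 * image size, or 0 if `out` is too small. */
size_t build_pcap(uint8_t *out, size_t cap, uint32_t snaplen, uint32_t caplen, size_t present)
{
    struct pcap_file_hdr fh = { PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1 /* DLT_EN10MB */ };
    struct pcap_rec_hdr rh = { 0, 0, caplen, caplen };
    size_t need = sizeof fh + sizeof rh + present;

    if (cap < need)
        return 0;
    memcpy(out, &fh, sizeof fh);
    memcpy(out + sizeof fh, &rh, sizeof rh);
    memset(out + sizeof fh + sizeof rh, 0x41, present);
    return need;
}

/* Build and walk one image; returns its pcap_status, or -1 if it would not fit. */
int check_case(uint32_t snaplen, uint32_t caplen, size_t present)
{
    uint8_t img[256];
    size_t pkts, n = build_pcap(img, sizeof img, snaplen, caplen, present);
    return n ? (int)pcap_walk(img, n, &pkts) : -1;
}

int main(void)
{
    printf("sane file:       status %d\n", check_case(65535, 60, 60));
    printf("crafted caplen:  status %d\n", check_case(65535, 0x10000000u, 60));
    printf("crafted snaplen: status %d\n", check_case(0x10000000u, 0x10000000u, 60));
    return 0;
}
```

The order of the checks is the point: rejecting a record whose caplen exceeds snaplen only helps if snaplen was itself bounded against the real buffer when the file header was read, because both values are attacker-supplied.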

GDB Dump:

=========

======= Backtrace: =========

/lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x7ffff7a8838f]

/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7ffff7b1fc9c]

/lib/x86_64-linux-gnu/libc.so.6(+0x109b60)[0x7ffff7b1eb60]

/lib/x86_64-linux-gnu/libc.so.6(+0x109fed)[0x7ffff7b1efed]

/home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo[0x40228c]

/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7ffff7a36ec5]

/home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo[0x4028dc]

======= Memory map: ========

00400000-0041b000 r-xp 00000000 08:01 453864 /home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo

0061a000-0061b000 r--p 0001a000 08:01 453864 /home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo

0061b000-0061c000 rw-p 0001b000 08:01 453864 /home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo

0061c000-0063e000 rw-p 00000000 00:00 0 [heap]

7ffff77fe000-7ffff7814000 r-xp 00000000 08:01 660352 /lib/x86_64-linux-gnu/libgcc_s.so.1

7ffff7814000-7ffff7a13000 ---p 00016000 08:01 660352 /lib/x86_64-linux-gnu/libgcc_s.so.1

7ffff7a13000-7ffff7a14000 r--p 00015000 08:01 660352 /lib/x86_64-linux-gnu/libgcc_s.so.1

7ffff7a14000-7ffff7a15000 rw-p 00016000 08:01 660352 /lib/x86_64-linux-gnu/libgcc_s.so.1

7ffff7a15000-7ffff7bd0000 r-xp 00000000 08:01 660238 /lib/x86_64-linux-gnu/libc-2.19.so

7ffff7bd0000-7ffff7dcf000 ---p 001bb000 08:01 660238 /lib/x86_64-linux-gnu/libc-2.19.so

7ffff7dcf000-7ffff7dd3000 r--p 001ba000 08:01 660238 /lib/x86_64-linux-gnu/libc-2.19.so

7ffff7dd3000-7ffff7dd5000 rw-p 001be000 08:01 660238 /lib/x86_64-linux-gnu/libc-2.19.so

7ffff7dd5000-7ffff7dda000 rw-p 00000000 00:00 0

7ffff7dda000-7ffff7dfd000 r-xp 00000000 08:01 660214 /lib/x86_64-linux-gnu/ld-2.19.so

7ffff7fd5000-7ffff7fd8000 rw-p 00000000 00:00 0

7ffff7ff4000-7ffff7ff8000 rw-p 00000000 00:00 0

7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0 [vvar]

7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso]

7ffff7ffc000-7ffff7ffd000 r--p 00022000 08:01 660214 /lib/x86_64-linux-gnu/ld-2.19.so

7ffff7ffd000-7ffff7ffe000 rw-p 00023000 08:01 660214 /lib/x86_64-linux-gnu/ld-2.19.so

7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0

7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]

ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

1 1260 134217964 575b56ff.0

Program received signal SIGABRT, Aborted.

[----------------------------------registers-----------------------------------]

RAX: 0x0

RBX: 0x70 ('p')

RCX: 0xffffffffffffffff

RDX: 0x6

RSI: 0xcc0b

RDI: 0xcc0b

RBP: 0x7fffffffb500 --> 0x7ffff7b944c2 ("buffer overflow detected")

RSP: 0x7fffffffb1e8 --> 0x7ffff7a4f0d8 (<__GI_abort+328>: mov rdx,QWORD PTR fs:0x10)

RIP: 0x7ffff7a4bcc9 (<__GI_raise+57>: cmp rax,0xfffffffffffff000)

R8 : 0x7ffff7b8bdc0 ("0123456789abcdefghijklmnopqrstuvwxyz")

R9 : 0x61bd80 --> 0x7ffff7dd41c0 --> 0xfbad2086

R10: 0x8

R11: 0x246

R12: 0x7fffffffb370 --> 0x1

R13: 0x5

R14: 0x70 ('p')

R15: 0x5

EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)

[-------------------------------------code-------------------------------------]

0x7ffff7a4bcbf <__GI_raise+47>: movsxd rdi,ecx

0x7ffff7a4bcc2 <__GI_raise+50>: mov eax,0xea

0x7ffff7a4bcc7 <__GI_raise+55>: syscall

=> 0x7ffff7a4bcc9 <__GI_raise+57>: cmp rax,0xfffffffffffff000

0x7ffff7a4bccf <__GI_raise+63>: ja 0x7ffff7a4bcea <__GI_raise+90>

0x7ffff7a4bcd1 <__GI_raise+65>: repz ret

0x7ffff7a4bcd3 <__GI_raise+67>: nop DWORD PTR [rax+rax*1+0x0]

0x7ffff7a4bcd8 <__GI_raise+72>: test eax,eax

[------------------------------------stack-------------------------------------]

0000| 0x7fffffffb1e8 --> 0x7ffff7a4f0d8 (<__GI_abort+328>: mov rdx,QWORD PTR fs:0x10)

0008| 0x7fffffffb1f0 --> 0x20 (' ')

0016| 0x7fffffffb1f8 --> 0x0

0024| 0x7fffffffb200 --> 0x0

0032| 0x7fffffffb208 --> 0x0

0040| 0x7fffffffb210 --> 0x0

0048| 0x7fffffffb218 --> 0x0

0056| 0x7fffffffb220 --> 0x0

[------------------------------------------------------------------------------]

Legend: code, data, rodata, value

Stopped reason: SIGABRT

0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56

56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.

Patch:

======

src/tcpcapinfo.c

@@ -281,6 +281,15 @@ main(int argc, char *argv[])

caplen = pcap_ph.caplen;

}

+ if (caplentoobig) {

+ printf(“\n\nCapture file appears to be damaged or corrupt.\n”

+ “Contains packet of size %u, bigger than snap length %u\n”,

+ caplen, pcap_fh.snaplen);

+

+ close(fd);

+ break;

+ }

+

/* check to make sure timestamps don’t go backwards */

if (last_sec > 0 && last_usec > 0) {

if ((pcap_ph.ts.tv_sec == last_sec) ?
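Review bot: the caplentoobig flag tested at the top of this block is set outside the hunk, so the hunk does not show the comparison of caplen against pcap_fh.snaplen; make sure that comparison runs before the first use of caplen, and also bound pcap_fh.snaplen itself against the size of the packet buffer, because snaplen comes from the attacker-controlled file header and a file declaring an oversized snaplen would still pass the "bigger than snap length" check. Minor: the diagnostic goes to stdout via printf, where the per-packet table is printed; fprintf(stderr, ...) keeps it out of output that scripts parse.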

@@ -306,7 +315,7 @@ main(int argc, char *argv[])

}

close(fd);

– continue;

+ break;

}

/* print the frame checksum */
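Review bot: continue after close(fd) went back to the top of the packet loop with a closed descriptor, so the next read would fail or hit a reused fd number; break is the right change. Two follow-ups: check that the summary code after the loop copes with being reached after a partial read, and consider a non-zero exit status when a capture is rejected so wrappers around tcpcapinfo notice the corrupt file instead of seeing a clean exit.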

References:

===========

https://github.com/appneta/tcpreplay/issues/278

https://github.com/appneta/tcpreplay/releases/tag/v4.2.0-beta1

Vulnerability Disclosure Timeline:

==================================

2017-02-08: Bug Report Submission & Coordination

2017-03-05: Public Disclosure

Credit:

=======

AromalUllas


Source: SecurityFocus Vulnerabilities @ March 6, 2017 at 06:18AM
