
heap-buffer-overflow in pcap_thread_callback_ipv6() #43

Closed
geeknik opened this issue Mar 25, 2017 · 3 comments
geeknik commented Mar 25, 2017

I like to fuzz everything. Built from b0e787e with afl-clang-fast on Debian 8.x x64.

./drool -c 'text:timing ignore;' -c 'text:client_pool target "127.0.0.1" "53";' -c 'text:client_pool skip_reply;' -r test001.pcap

==12187==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000c53a at pc 0x0000004f8b7d bp 0x7f880b7fda30 sp 0x7f880b7fda28
READ of size 1 at 0x60800000c53a thread T3
    #0 0x4f8b7c in pcap_thread_callback_ipv6 /root/drool/src/pcap-thread/pcap_thread.c:1818:13
    #1 0x4f8b7c in pcap_thread_callback_ip /root/drool/src/pcap-thread/pcap_thread.c:1649
    #2 0x4f184c in pcap_thread_callback_loop /root/drool/src/pcap-thread/pcap_thread.c:1418:21
    #3 0x4f184c in pcap_thread_callback /root/drool/src/pcap-thread/pcap_thread.c:1137
    #4 0x4f4afd in _callback /root/drool/src/pcap-thread/pcap_thread.c:2408:13
    #5 0x7f8812536f03 (/usr/lib/x86_64-linux-gnu/libpcap.so.0.8+0x1df03)
    #6 0x7f8812527d2e in pcap_loop (/usr/lib/x86_64-linux-gnu/libpcap.so.0.8+0xed2e)
    #7 0x4f2bba in _thread /root/drool/src/pcap-thread/pcap_thread.c:2486:15
    #8 0x7f8812304063 in start_thread /build/glibc-qK83Be/glibc-2.19/nptl/pthread_create.c:309
    #9 0x7f881171662c in clone /build/glibc-qK83Be/glibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/drool/src/pcap-thread/pcap_thread.c:1818 pcap_thread_callback_ipv6
Thread T3 created by T0 here:
    #0 0x48e09f in __interceptor_pthread_create (/root/drool/src/drool+0x48e09f)
    #1 0x4ef28c in pcap_thread_run /root/drool/src/pcap-thread/pcap_thread.c:2658:24
    #2 0x4d4fec in run /root/drool/src/drool.c:243:16
    #3 0x4d4fec in main /root/drool/src/drool.c:684
    #4 0x7f881164fb44 in __libc_start_main /build/glibc-qK83Be/glibc-2.19/csu/libc-start.c:287

==12187==ABORTING
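The report above is a 1-byte read past the end of a heap buffer while the IPv6 callback walks a captured packet. As an added example (not drool's code and not the fix that closed this issue), here is a bounds-checked IPv6 header walk that treats caplen, the bytes actually present in the capture record, as the only trustworthy limit and rejects truncated packets instead of reading past them. The function names and the two sample captures are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example: walk an IPv6 fixed header plus its option-style
 * extension headers without reading beyond caplen (a pcap record may be
 * shorter than the packet's own length fields claim). Returns the offset
 * of the upper-layer payload and, if proto is non-NULL, its protocol
 * number; returns -1 when the packet is truncated or is not IPv6. */
#define IPV6_HDR_LEN     40
#define IPV6_NH_HOPOPTS  0
#define IPV6_NH_ROUTING  43
#define IPV6_NH_DSTOPTS  60

static int is_ext_header(uint8_t nh)
{
    return nh == IPV6_NH_HOPOPTS || nh == IPV6_NH_ROUTING || nh == IPV6_NH_DSTOPTS;
}

long ipv6_payload_offset(const uint8_t *pkt, size_t caplen, uint8_t *proto)
{
    size_t  off = IPV6_HDR_LEN;
    uint8_t nh;

    if (caplen < IPV6_HDR_LEN || (pkt[0] >> 4) != 6)
        return -1;                 /* fixed header not fully captured */
    nh = pkt[6];                   /* Next Header field */

    while (is_ext_header(nh)) {
        /* Each of these headers starts with Next Header (1 byte) and Hdr
         * Ext Len (1 byte, 8-octet units, excluding the first 8). Both
         * bytes must lie inside the capture before they are read; off <=
         * caplen holds on every iteration, so the subtraction cannot wrap. */
        if (caplen - off < 2)
            return -1;
        size_t ext_len = ((size_t)pkt[off + 1] + 1) * 8;
        if (caplen - off < ext_len)
            return -1;             /* extension header body truncated */
        nh   = pkt[off];
        off += ext_len;
    }
    if (proto)
        *proto = nh;
    return (long)off;
}

/* Constructed sample captures (not the reporter's test001.pcap): a bare
 * IPv6+UDP header, and IPv6 + one 8-byte hop-by-hop header + UDP. */
const uint8_t sample_udp[40]     = { 0x60, [6] = 17 };
const uint8_t sample_hopopts[48] = { 0x60, [6] = IPV6_NH_HOPOPTS, [40] = 17 };
```

Passing a caplen shorter than the array (as a truncated pcap record would) exercises the failure path: the walk returns -1 rather than reading the missing bytes.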

jelu commented Mar 25, 2017 via email

jelu added a commit to jelu/pcap-thread that referenced this issue Mar 27, 2017
jelu added a commit to DNS-OARC/pcap-thread that referenced this issue Mar 27, 2017
@jelu jelu closed this as completed in 3b9f2dc Mar 27, 2017

jelu commented Mar 28, 2017

@geeknik Could you give me a description on how you set this up so I can start looking at running this continuously in our testing platform?


geeknik commented Mar 28, 2017

@jelu I'm just using a cheap $2.50/month VPS for fuzzing things. Well, multiple, but that's another story for another day.

  1. ensure clang, llvm, libasan are installed.
  2. download AFL, compile afl, libdislocator.so and afl-clang-fast
  3. CC=afl-clang-fast ./configure --disable-shared && AFL_USE_ASAN=1 make (ensure it uses afl-clang-fast)
  4. run AFL: afl-fuzz -m none -i input_dir -o output_dir ./drool -c 'text:timing ignore;' -c 'text:client_pool target "127.0.0.1" "53";' -c 'text:client_pool skip_reply;' -r @@

For my starting corpus, I used a few CVE-worthy pcaps that I generated with AFL by discovering some tcpdump bugs, but AFL comes with a perfectly usable pcap in the testcases dir. Plus you have my 3 for regression testing.
