heap-buffer-overflow in /src/common/get.c:174 function get_l2len #477

Closed
Edward-L opened this issue Jul 3, 2018 · 5 comments
Edward-L commented Jul 3, 2018

heap-buffer-overflow in /src/common/get.c:174 function get_l2len

command:

/tcpprep --auto=bridge --pcap=poc --cachefile=/dev/null

asan report:

AddressSanitizer: heap-buffer-overflow in /src/common/get.c:174 get_l2len
=================================================================
==68006==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000effc at pc 0x4174d8 bp 0x7ffffffede30 sp 0x7ffffffede28
READ of size 2 at 0x60200000effc thread T0
    #0 0x4174d7 in get_l2len /opt/lxf/tcpreplay/tcpreplay-master/src/common/get.c:174
    #1 0x4176b4 in get_ipv4 /opt/lxf/tcpreplay/tcpreplay-master/src/common/get.c:229
    #2 0x405fe5 in process_raw_packets /opt/lxf/tcpreplay/tcpreplay-master/src/tcpprep.c:368
    #3 0x405152 in main /opt/lxf/tcpreplay/tcpreplay-master/src/tcpprep.c:146
    #4 0x7ffff66faf44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #5 0x4026c8 (/opt/lxf/tcpreplay/tcpreplay-master/src/tcpprep_asan+0x4026c8)

0x60200000effc is located 8 bytes to the right of 4-byte region [0x60200000eff0,0x60200000eff4)
allocated by thread T0 here:
    #0 0x7ffff6f59862 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54862)
    #1 0x7ffff6ce270c in pcap_check_header sf-pcap.c:401

SUMMARY: AddressSanitizer: heap-buffer-overflow /opt/lxf/tcpreplay/tcpreplay-master/src/common/get.c:174 get_l2len
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 04[fa]
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==68006==ABORTING

poc

fklassen commented Jul 3, 2018

What version is this? What OS? Please send the output of tcpprep -V.

fklassen commented Jul 3, 2018

Received the following, which suggests the issue is in 4.3 beta1:

Source: tcpreplay
Version: 4.2.6-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/appneta/tcpreplay/issues/477

Hi,

The following vulnerability was published for tcpreplay.

CVE-2018-13112[0]:
| get_l2len in common/get.c in Tcpreplay 4.3.0 beta 1 allows remote
| attackers to cause a denial of service (heap-based buffer over-read and
| application crash) via crafted packets, as demonstrated by tcpprep.

It's verifiable as well with the upstream attached poc and an ASAN
build of tcpreplay.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-13112
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13112
[1] https://github.com/appneta/tcpreplay/issues/477

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

@fklassen fklassen self-assigned this Jul 3, 2018
@fklassen fklassen added the bug label Jul 3, 2018
@fklassen fklassen added this to To Do in 4.3 via automation Jul 3, 2018
Edward-L commented Jul 4, 2018

tcpprep -V

tcpprep version: 4.2.6 (build git:)
Copyright 2013-2017 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
The entire Tcpreplay Suite is licensed under the GPLv3
Cache file supported: 04
Not compiled with libdnet.
Compiled against libpcap: 1.8.1
64 bit packet counters: enabled
Verbose printing via tcpdump: enabled

OS: Ubuntu 14.04
Source code: commit 230d7aa

mkubecek commented Oct 3, 2018

This is similar to #484. In this case, the declared captured length is huge (837240390) but snaplen is only 4, so libpcap truncates the packets to 4 bytes and sets pkthdr->caplen accordingly. The problem is get_l2len() not checking that there is enough data for an Ethernet header.

AFAICS this has been fixed in branch 4.3 by commit 0253c47 (but the fix is missing in master branch). This commit is already in v4.3.0-beta1 so the CVE text is probably wrong unless they mean a different bug.
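The missing check described above, as an added example in C that is not tcpreplay's own code: a Layer-2 header length lookup that validates the captured length (pkthdr->caplen) before every read of the Ethernet header, including nested 802.1Q tags. The function name, the -1 return convention and the sample frames are assumptions constructed for this example.

```c
/* Added example (not tcpreplay's get_l2len): bounds-checked Layer-2 length
 * for Ethernet frames. Names and return convention are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETH_HDR_LEN    14u     /* dst(6) + src(6) + ethertype(2) */
#define VLAN_TAG_LEN    4u     /* 802.1Q tag: TCI(2) + inner ethertype(2) */
#define ETHERTYPE_VLAN  0x8100u

/* Read a big-endian 16-bit field at offset off; caller guarantees bounds. */
static uint16_t be16(const uint8_t *p, size_t off) {
    return (uint16_t)((p[off] << 8) | p[off + 1]);
}

/* Return the Layer-2 header length, or -1 when the captured bytes (caplen,
 * as set by libpcap after snaplen truncation) cannot hold the header.
 * Each read is preceded by a caplen check, which is what the ASan trace
 * above shows was missing. */
int l2len_checked(const uint8_t *pkt, uint32_t caplen) {
    if (pkt == NULL || caplen < ETH_HDR_LEN)
        return -1;                      /* e.g. snaplen 4 -> 4-byte packet */
    size_t len = ETH_HDR_LEN;
    /* Walk nested 802.1Q tags; each needs 4 more captured bytes. */
    while (be16(pkt, len - 2) == ETHERTYPE_VLAN) {
        if (caplen < len + VLAN_TAG_LEN)
            return -1;                  /* tag present but truncated */
        len += VLAN_TAG_LEN;
    }
    return (int)len;
}

/* Constructed sample frames (not taken from the attached poc). */
static const uint8_t plain_ipv4_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x14 };
static const uint8_t vlan_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x81,0x00,
    0x00,0x64, 0x08,0x00, 0x45,0x00 };

int main(void) {
    /* caplen 4: libpcap truncated to snaplen, as in this report */
    printf("truncated caplen=4 -> %d\n", l2len_checked(plain_ipv4_frame, 4));
    printf("plain ethernet     -> %d\n",
           l2len_checked(plain_ipv4_frame, sizeof plain_ipv4_frame));
    printf("802.1Q, full       -> %d\n", l2len_checked(vlan_frame, sizeof vlan_frame));
    printf("802.1Q, caplen=16  -> %d\n", l2len_checked(vlan_frame, 16));
    return 0;
}
```

A caller that gets -1 should skip the packet rather than go on to parse an IPv4 header, as get_ipv4() did in the trace above.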

@fklassen fklassen moved this from To Do to In progress in 4.3 Oct 18, 2018
fklassen commented Oct 18, 2018

Duplicate of #408. Fixed in version 4.3.

4.3 automation moved this from In progress to Done Oct 18, 2018