NULL pointer dereference get_ipv6_l4proto() #536

Closed
SegfaultMasters opened this issue Feb 7, 2019 · 2 comments

@SegfaultMasters
commented Feb 7, 2019

Description - We observed that a NULL pointer dereference occurred in function get_ipv6_l4proto() located in get.c. The same can be triggered by sending a crafted pcap file to the tcpreplay-edit binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.

Command - tcpreplay-edit -r 80:84 -s 20 -b -C -m 1500 -P --oneatatime -i $INTERFACE $POC

POC - REPRODUCER

Debug -

GDB -

Program received signal SIGSEGV, Segmentation fault.
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]────
$rax : 0x0 
$rbx : 0x5555557aac20 → 0x00005555557b56a0 → 0x0000337330706e65 ("enp0s3"?)
$rcx : 0xed 
$rdx : 0x8 
$rsp : 0x7fffffffdad0 → 0x000000c5ffffdb20
$rbp : 0x7fffffffdb00 → 0x00007fffffffdb70 → 0x00007fffffffdbb0 → 0x00007fffffffdc50 → 0x00007fffffffdda0 → 0x00007fffffffdef0 → 0x00007fffffffdf20 → 0x00007fffffffdfb0
$rsi : 0xc5 
$rdi : 0x7ffff7fcd6ae → 0x7ffff7b8f5600000
$rip : 0x55555557694c → <get_ipv6_l4proto+194> movzx eax, BYTE PTR [rax]
$r8 : 0x2f 
$r9 : 0x7ffff7e4d010 → 0x0000000000000000
$r10 : 0x5555557b9700 → 0x0000000000000000
$r11 : 0x7ffff78d6000 → <__fread_chk+0> push r13
$r12 : 0x5555555599e0 → <_start+0> xor ebp, ebp
$r13 : 0x7fffffffe4d0 → 0x000000000000000e
$r14 : 0x0 
$r15 : 0x0 
$eflags: [zero CARRY PARITY adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$fs: 0x0000 $ds: 0x0000 $ss: 0x002b $es: 0x0000 $gs: 0x0000 $cs: 0x0033 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]────
0x00007fffffffdad0│+0x00: 0x000000c5ffffdb20 ← $rsp
0x00007fffffffdad8│+0x08: 0x00007ffff7e4d01e → 0x80000000ed000062 ("b"?)
0x00007fffffffdae0│+0x10: 0x00000a555c5ace1f
0x00007fffffffdae8│+0x18: 0x00fdebbbffffdb70
0x00007fffffffdaf0│+0x20: 0x00007ffff7fcd6ae → 0x7ffff7b8f5600000
0x00007fffffffdaf8│+0x28: 0x0000000000000000
0x00007fffffffdb00│+0x30: 0x00007fffffffdb70 → 0x00007fffffffdbb0 → 0x00007fffffffdc50 → 0x00007fffffffdda0 → 0x00007fffffffdef0 → 0x00007fffffffdf20 → 0x00007fffffffdfb0 ← $rbp
0x00007fffffffdb08│+0x38: 0x0000555555569599 → <do_checksum+201> movzx eax, al
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]────
0x55555557693f <get_ipv6_l4proto+181> call 0x555555576798 <get_ipv6_next>
0x555555576944 <get_ipv6_l4proto+186> mov QWORD PTR [rbp-0x8], rax
0x555555576948 <get_ipv6_l4proto+190> mov rax, QWORD PTR [rbp-0x8]
→ 0x55555557694c <get_ipv6_l4proto+194> movzx eax, BYTE PTR [rax]
0x55555557694f <get_ipv6_l4proto+197> mov BYTE PTR [rbp-0x11], al
0x555555576952 <get_ipv6_l4proto+200> mov rax, QWORD PTR [rbp-0x8]
0x555555576956 <get_ipv6_l4proto+204> mov QWORD PTR [rbp-0x10], rax
0x55555557695a <get_ipv6_l4proto+208> jmp 0x555555576962 <get_ipv6_l4proto+216>
0x55555557695c <get_ipv6_l4proto+210> movzx eax, BYTE PTR [rbp-0x11]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ source:get.c+539 ]────
534 case TCPR_IPV6_NH_ROUTING:
535 case TCPR_IPV6_NH_DESTOPTS:
536 case TCPR_IPV6_NH_HBH:
537 dbgx(3, "Jumping to next extension header (0x%hhx)", proto);
538 exthdr = get_ipv6_next((struct tcpr_ipv6_ext_hdr_base *)ptr, len);
// exthdr=0x00007fffffffdaf8 → 0x0000000000000000
→ 539 proto = exthdr->ip_nh;
540 ptr = (u_char *)exthdr;
541 break;
542 
543 /* should be TCP, UDP or the like */
544 default:
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "tcpreplay-edit", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x55555557694c → Name: get_ipv6_l4proto(ip6_hdr=0x7ffff7e4d01e, len=0xc5)
[#1] 0x555555569599 → Name: do_checksum(tcpedit=0x5555557b86c0, data=0x7ffff7e4d01e "b", proto=0x0, len=0xed)
[#2] 0x555555565fbc → Name: fix_ipv4_checksums(tcpedit=0x5555557b86c0, pkthdr=0x7fffffffdd30, ip_hdr=0x7ffff7e4d01e)
[#3] 0x555555564991 → Name: tcpedit_packet(tcpedit=0x5555557b86c0, pkthdr=0x7fffffffdca0, pktdata=0x7fffffffdc90, direction=TCPR_DIR_C2S)
[#4] 0x55555555c589 → Name: send_packets(ctx=0x5555557aa260, pcap=0x5555557ba860, idx=0x0)
[#5] 0x555555563169 → Name: replay_file(ctx=0x5555557aa260, idx=0x0)
[#6] 0x555555562a1b → Name: tcpr_replay_index(ctx=0x5555557aa260)
[#7] 0x555555562341 → Name: tcpreplay_replay(ctx=0x5555557aa260)
[#8] 0x55555555f112 → Name: main(argc=0x1, argv=0x7fffffffe540)


gef➤ p exthdr
Cannot access memory at address 0x0
gef➤ p exthdr->ip_nh 
Cannot access memory at address 0x0

@fklassen fklassen added the bug label Feb 7, 2019

@fklassen fklassen self-assigned this Feb 7, 2019

@carnil

commented Feb 17, 2019

CVE-2019-8377 was assigned for this issue.

GabrielGanne added a commit to GabrielGanne/tcpreplay that referenced this issue Mar 6, 2019

fix NULL pointer dereference in get_layer4_v6()
Both get_ipv6_next() and get_layer4_v6() return NULL on malformed
packets. Make get_layer4_v6() forward the NULL return value of
get_ipv6_next() on malformed packets.

This should fix issues appneta#536

GabrielGanne added a commit to GabrielGanne/tcpreplay that referenced this issue Mar 6, 2019

fix NULL pointer dereference in get_layer4_v6()
get_ipv6_next() returns NULL on malformed packets. If that happens
return the last header that could be read.

This should fix issue appneta#536

@fklassen fklassen added this to To do in 4.3.2 via automation Mar 12, 2019

fklassen added a commit that referenced this issue Mar 12, 2019

@fklassen fklassen moved this from To do to In progress in 4.3.2 Mar 12, 2019

@fklassen

Member

commented Mar 12, 2019

Fixed in PR #544 & #546

@fklassen fklassen closed this Mar 12, 2019

4.3.2 automation moved this from In progress to Done Mar 12, 2019

fklassen added a commit that referenced this issue Mar 12, 2019

GabrielGanne added a commit to GabrielGanne/tcpreplay that referenced this issue May 2, 2019

fix NULL pointer dereference in get_layer4_v6()
get_ipv6_next() returns NULL on malformed packets. If that happens
return the last header that could be read.

This should fix issue appneta#536

GabrielGanne added a commit to GabrielGanne/tcpreplay that referenced this issue May 2, 2019
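
The failure class discussed in this issue, as an added example that is not tcpreplay's code or part of the original thread: a helper that returns NULL on a truncated IPv6 extension header, and a caller that checks that result before using it. All function and constant names are hypothetical, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* All names here are hypothetical, chosen for this example (not tcpreplay's). */
enum { NH_HBH = 0, NH_TCP = 6, NH_ROUTING = 43, NH_DESTOPTS = 60 };
#define IP6_FIXED_LEN 40    /* fixed IPv6 header; Next Header is byte 6 */
#define L4_MALFORMED  (-1)

/* Pointer to whatever follows the extension header at `ext`, or NULL when
 * fewer than the header's declared bytes remain in the captured data. */
static const uint8_t *ext_next(const uint8_t *ext, size_t remaining)
{
    if (remaining < 2)
        return NULL;                         /* cannot read next/len bytes */
    size_t hlen = ((size_t)ext[1] + 1) * 8;  /* Hdr Ext Len: 8-octet units */
    return hlen > remaining ? NULL : ext + hlen;
}

/* Walk the extension-header chain; return the layer-4 protocol number, or
 * L4_MALFORMED when the chain is truncated. */
int ipv6_l4proto(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < IP6_FIXED_LEN)
        return L4_MALFORMED;
    uint8_t proto = pkt[6];
    const uint8_t *ptr = pkt + IP6_FIXED_LEN;
    size_t remaining = len - IP6_FIXED_LEN;
    while (proto == NH_HBH || proto == NH_ROUTING || proto == NH_DESTOPTS) {
        const uint8_t *next = ext_next(ptr, remaining);
        if (next == NULL)        /* unchecked NULL here is the reported bug class */
            return L4_MALFORMED;
        proto = ptr[0];          /* Next Header field of this ext header */
        remaining -= (size_t)(next - ptr);
        ptr = next;
    }
    return proto;
}

/* Constructed sample: fixed header, then one hop-by-hop header announcing TCP.
 * captured_len (at most 64) models how much of the packet the pcap holds. */
int demo(uint8_t ext_len_field, size_t captured_len)
{
    uint8_t pkt[64] = {0};
    pkt[6] = NH_HBH;
    pkt[IP6_FIXED_LEN] = NH_TCP;
    pkt[IP6_FIXED_LEN + 1] = ext_len_field;
    return ipv6_l4proto(pkt, captured_len);
}

int main(void) { return (demo(0, 48) == NH_TCP && demo(0, 47) == L4_MALFORMED) ? 0 : 1; }
```

A capture that ends mid-header, or a length field that claims more bytes than were captured, yields `L4_MALFORMED` instead of a fault.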
