Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NULL pointer dereference in get_layer4_v6() #537

Closed
SegfaultMasters opened this issue Feb 12, 2019 · 2 comments
Closed

NULL pointer dereference in get_layer4_v6() #537

SegfaultMasters opened this issue Feb 12, 2019 · 2 comments
Assignees
@fklassen
Labels
bug

Comments

@SegfaultMasters
Copy link

Description - we observed a NULL pointer dereference occured in function get_layer4_v6 () located at get.c .The same be triggered by sending a crafted pcap file to the tcpreplay-edit binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.

Command - tcpreplay-edit -r 80:84 -s 20 -b -C -m 1500 -P --oneatatime -i $INTERFACE $POC

POC - REPRODUCER

Debug -

GDB -

Program received signal SIGSEGV, Segmentation fault.
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x0 
$rbx : 0x00005555557b7bb8 → 0x0000337330706e65 ("enp0s3"?)
$rcx : 0xfb 
$rdx : 0x334 
$rsp : 0x00007fffffffd8f0 → 0x000000fbffffd940
$rbp : 0x00007fffffffd920 → 0x00007fffffffd990 → 0x00007fffffffd9d0 → 0x00007fffffffda70 → 0x00007fffffffdbc0 → 0x00007fffffffdd10 → 0x00007fffffffdd40 → 0x00007fffffffddd0
$rsi : 0x123 
$rdi : 0x00005555557be236 → 0x6e0000000000cb00
$rip : 0x000055555557674a → <get_layer4_v6+222> movzx eax, BYTE PTR [rax]
$r8 : 0x2f 
$r9 : 0x00005555557be200 → 0x0000000000000000
$r10 : 0x00005555557b9700 → 0x0000000000000000
$r11 : 0x00007ffff78d6000 → <__fread_chk+0> push r13
$r12 : 0x00007ffff7bbb954 → 0x6800424d30314e45 ("EN10MB"?)
$r13 : 0x00007fffffffe2f0 → 0x000000000000000e
$r14 : 0x0 
$r15 : 0x0 
$eflags: [zero CARRY PARITY adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffd8f0│+0x0000: 0x000000fbffffd940 ← $rsp
0x00007fffffffd8f8│+0x0008: 0x00005555557be20e → 0x0000322ffb000062 ("b"?)
0x00007fffffffd900│+0x0010: 0x0000000000000000
0x00007fffffffd908│+0x0018: 0x000001230000002a ("*"?)
0x00007fffffffd910│+0x0020: 0x00005555557be236 → 0x6e0000000000cb00
0x00007fffffffd918│+0x0028: 0x0000000000000000
0x00007fffffffd920│+0x0030: 0x00007fffffffd990 → 0x00007fffffffd9d0 → 0x00007fffffffda70 → 0x00007fffffffdbc0 → 0x00007fffffffdd10 → 0x00007fffffffdd40 → 0x00007fffffffddd0 ← $rbp
0x00007fffffffd928│+0x0038: 0x00005555555695b0 → <do_checksum+224> mov rdx, rax
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0x55555557673d <get_layer4_v6+209> call 0x555555576798 <get_ipv6_next>
0x555555576742 <get_layer4_v6+214> mov QWORD PTR [rbp-0x8], rax
0x555555576746 <get_layer4_v6+218> mov rax, QWORD PTR [rbp-0x8]
→ 0x55555557674a <get_layer4_v6+222> movzx eax, BYTE PTR [rax]
0x55555557674d <get_layer4_v6+225> mov BYTE PTR [rbp-0x19], al
0x555555576750 <get_layer4_v6+228> mov rax, QWORD PTR [rbp-0x8]
0x555555576754 <get_layer4_v6+232> mov QWORD PTR [rbp-0x10], rax
0x555555576758 <get_layer4_v6+236> jmp 0x555555576791 <get_layer4_v6+293>
0x55555557675a <get_layer4_v6+238> mov eax, 0x0
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:get.c+410 ────
405 case TCPR_IPV6_NH_DESTOPTS:
406 case TCPR_IPV6_NH_HBH:
407 dbgx(3, "Going deeper due to extension header 0x%02X", proto);
408 maxlen = len - (int)((u_char *)ip6_hdr - (u_char *)next);
409 exthdr = get_ipv6_next(next, maxlen);
// exthdr=0x00007fffffffd918 → 0x0000000000000000
→ 410 proto = exthdr->ip_nh;
411 next = exthdr;
412 break;
413 
414 /*
415 * Can't handle. Unparsable IPv6 fragment/encrypted data
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "tcpreplay-edit", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x55555557674a → get_layer4_v6(ip6_hdr=0x5555557be20e, len=0xfb)
[#1] 0x5555555695b0 → do_checksum(tcpedit=0x5555557b86c0, data=0x5555557be20e "b", proto=0x8, len=0xfb)
[#2] 0x555555565fbc → fix_ipv4_checksums(tcpedit=0x5555557b86c0, pkthdr=0x7fffffffdb50, ip_hdr=0x5555557be20e)
[#3] 0x555555564991 → tcpedit_packet(tcpedit=0x5555557b86c0, pkthdr=0x7fffffffdac0, pktdata=0x7fffffffdab0, direction=TCPR_DIR_C2S)
[#4] 0x55555555c589 → send_packets(ctx=0x5555557aa260, pcap=0x5555557ba860, idx=0x0)
[#5] 0x555555563169 → replay_file(ctx=0x5555557aa260, idx=0x0)
[#6] 0x555555562a1b → tcpr_replay_index(ctx=0x5555557aa260)
[#7] 0x555555562341 → tcpreplay_replay(ctx=0x5555557aa260)
[#8] 0x55555555f112 → main(argc=0x1, argv=0x7fffffffe360)


gef➤  p exthdr->ip_nh
Cannot access memory at address 0x0
@fklassen fklassen self-assigned this Feb 12, 2019
@fklassen fklassen added the bug label Feb 12, 2019
@carnil
Copy link

carnil commented Feb 17, 2019

CVE-2019-8376 was assigned for this issue.

GabrielGanne added a commit to GabrielGanne/tcpreplay that referenced this issue Mar 6, 2019
@GabrielGanne
fix NULL pointer dereference get_ipv6_l4proto()
d4ba7d3 
get_ipv6_next() returns NULL on malformed packets. If that happens
return the last proto that could be read.

This should fix issues appneta#537
GabrielGanne added a commit to GabrielGanne/tcpreplay that referenced this issue Mar 6, 2019
@GabrielGanne
fix NULL pointer dereference get_ipv6_l4proto()
ecee2ac 
get_ipv6_next() returns NULL on malformed packets. If that happens
return the last proto that could be read.

This should fix issue appneta#537
@GabrielGanne GabrielGanne mentioned this issue Mar 6, 2019
Merged
fklassen added a commit that referenced this issue Mar 12, 2019
@fklassen
Merge pull request #546 from appneta/Bugs_#536_#537
098ad88 
Bugs #536 #537
@fklassen
Copy link
Member

Fixed in PR #544 & #546

fklassen added a commit that referenced this issue Mar 12, 2019
@fklassen
Bugs #536 #537 update CHANGELOG/CREDITS
02b309f
GabrielGanne added a commit to GabrielGanne/tcpreplay that referenced this issue May 2, 2019
@GabrielGanne
fix NULL pointer dereference get_ipv6_l4proto()
39b2786 
get_ipv6_next() returns NULL on malformed packets. If that happens
return the last proto that could be read.

This should fix issue appneta#537
GabrielGanne pushed a commit to GabrielGanne/tcpreplay that referenced this issue May 2, 2019
@fklassen @GabrielGanne
Bugs appneta#536 appneta#537 update CHANGELOG/CREDITS
41e857e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fklassen fklassen

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@carnil @fklassen @SegfaultMasters