Skip to content

NULL pointer dereference in get_layer4_v6()  #537

Closed
@SegfaultMasters

Description

@SegfaultMasters

Description - we observed a NULL pointer dereference occured in function get_layer4_v6 () located at get.c .The same be triggered by sending a crafted pcap file to the tcpreplay-edit binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.

Command - tcpreplay-edit -r 80:84 -s 20 -b -C -m 1500 -P --oneatatime -i $INTERFACE $POC

POC - REPRODUCER

Debug -

GDB -

Program received signal SIGSEGV, Segmentation fault.
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x0 
$rbx : 0x00005555557b7bb8 → 0x0000337330706e65 ("enp0s3"?)
$rcx : 0xfb 
$rdx : 0x334 
$rsp : 0x00007fffffffd8f0 → 0x000000fbffffd940
$rbp : 0x00007fffffffd920 → 0x00007fffffffd990 → 0x00007fffffffd9d0 → 0x00007fffffffda70 → 0x00007fffffffdbc0 → 0x00007fffffffdd10 → 0x00007fffffffdd40 → 0x00007fffffffddd0
$rsi : 0x123 
$rdi : 0x00005555557be236 → 0x6e0000000000cb00
$rip : 0x000055555557674a → <get_layer4_v6+222> movzx eax, BYTE PTR [rax]
$r8 : 0x2f 
$r9 : 0x00005555557be200 → 0x0000000000000000
$r10 : 0x00005555557b9700 → 0x0000000000000000
$r11 : 0x00007ffff78d6000 → <__fread_chk+0> push r13
$r12 : 0x00007ffff7bbb954 → 0x6800424d30314e45 ("EN10MB"?)
$r13 : 0x00007fffffffe2f0 → 0x000000000000000e
$r14 : 0x0 
$r15 : 0x0 
$eflags: [zero CARRY PARITY adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffd8f0│+0x0000: 0x000000fbffffd940 ← $rsp
0x00007fffffffd8f8│+0x0008: 0x00005555557be20e → 0x0000322ffb000062 ("b"?)
0x00007fffffffd900│+0x0010: 0x0000000000000000
0x00007fffffffd908│+0x0018: 0x000001230000002a ("*"?)
0x00007fffffffd910│+0x0020: 0x00005555557be236 → 0x6e0000000000cb00
0x00007fffffffd918│+0x0028: 0x0000000000000000
0x00007fffffffd920│+0x0030: 0x00007fffffffd990 → 0x00007fffffffd9d0 → 0x00007fffffffda70 → 0x00007fffffffdbc0 → 0x00007fffffffdd10 → 0x00007fffffffdd40 → 0x00007fffffffddd0 ← $rbp
0x00007fffffffd928│+0x0038: 0x00005555555695b0 → <do_checksum+224> mov rdx, rax
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0x55555557673d <get_layer4_v6+209> call 0x555555576798 <get_ipv6_next>
0x555555576742 <get_layer4_v6+214> mov QWORD PTR [rbp-0x8], rax
0x555555576746 <get_layer4_v6+218> mov rax, QWORD PTR [rbp-0x8]
→ 0x55555557674a <get_layer4_v6+222> movzx eax, BYTE PTR [rax]
0x55555557674d <get_layer4_v6+225> mov BYTE PTR [rbp-0x19], al
0x555555576750 <get_layer4_v6+228> mov rax, QWORD PTR [rbp-0x8]
0x555555576754 <get_layer4_v6+232> mov QWORD PTR [rbp-0x10], rax
0x555555576758 <get_layer4_v6+236> jmp 0x555555576791 <get_layer4_v6+293>
0x55555557675a <get_layer4_v6+238> mov eax, 0x0
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:get.c+410 ────
405 case TCPR_IPV6_NH_DESTOPTS:
406 case TCPR_IPV6_NH_HBH:
407 dbgx(3, "Going deeper due to extension header 0x%02X", proto);
408 maxlen = len - (int)((u_char *)ip6_hdr - (u_char *)next);
409 exthdr = get_ipv6_next(next, maxlen);
// exthdr=0x00007fffffffd918 → 0x0000000000000000
→ 410 proto = exthdr->ip_nh;
411 next = exthdr;
412 break;
413 
414 /*
415 * Can't handle. Unparsable IPv6 fragment/encrypted data
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "tcpreplay-edit", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x55555557674a → get_layer4_v6(ip6_hdr=0x5555557be20e, len=0xfb)
[#1] 0x5555555695b0 → do_checksum(tcpedit=0x5555557b86c0, data=0x5555557be20e "b", proto=0x8, len=0xfb)
[#2] 0x555555565fbc → fix_ipv4_checksums(tcpedit=0x5555557b86c0, pkthdr=0x7fffffffdb50, ip_hdr=0x5555557be20e)
[#3] 0x555555564991 → tcpedit_packet(tcpedit=0x5555557b86c0, pkthdr=0x7fffffffdac0, pktdata=0x7fffffffdab0, direction=TCPR_DIR_C2S)
[#4] 0x55555555c589 → send_packets(ctx=0x5555557aa260, pcap=0x5555557ba860, idx=0x0)
[#5] 0x555555563169 → replay_file(ctx=0x5555557aa260, idx=0x0)
[#6] 0x555555562a1b → tcpr_replay_index(ctx=0x5555557aa260)
[#7] 0x555555562341 → tcpreplay_replay(ctx=0x5555557aa260)
[#8] 0x55555555f112 → main(argc=0x1, argv=0x7fffffffe360)


gef➤  p exthdr->ip_nh
Cannot access memory at address 0x0

Metadata

Metadata

Assignees

Labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions