
NULL pointer dereference in get_layer4_v6() #537

Closed
SegfaultMasters opened this issue Feb 12, 2019 · 2 comments

@SegfaultMasters

commented Feb 12, 2019

Description - we observed a NULL pointer dereference occurred in function get_layer4_v6() located in get.c. The same can be triggered by sending a crafted pcap file to the tcpreplay-edit binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.

Command - tcpreplay-edit -r 80:84 -s 20 -b -C -m 1500 -P --oneatatime -i $INTERFACE $POC

POC - REPRODUCER

Debug -

GDB -

Program received signal SIGSEGV, Segmentation fault.
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x0 
$rbx : 0x00005555557b7bb8 → 0x0000337330706e65 ("enp0s3"?)
$rcx : 0xfb 
$rdx : 0x334 
$rsp : 0x00007fffffffd8f0 → 0x000000fbffffd940
$rbp : 0x00007fffffffd920 → 0x00007fffffffd990 → 0x00007fffffffd9d0 → 0x00007fffffffda70 → 0x00007fffffffdbc0 → 0x00007fffffffdd10 → 0x00007fffffffdd40 → 0x00007fffffffddd0
$rsi : 0x123 
$rdi : 0x00005555557be236 → 0x6e0000000000cb00
$rip : 0x000055555557674a → <get_layer4_v6+222> movzx eax, BYTE PTR [rax]
$r8 : 0x2f 
$r9 : 0x00005555557be200 → 0x0000000000000000
$r10 : 0x00005555557b9700 → 0x0000000000000000
$r11 : 0x00007ffff78d6000 → <__fread_chk+0> push r13
$r12 : 0x00007ffff7bbb954 → 0x6800424d30314e45 ("EN10MB"?)
$r13 : 0x00007fffffffe2f0 → 0x000000000000000e
$r14 : 0x0 
$r15 : 0x0 
$eflags: [zero CARRY PARITY adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffd8f0│+0x0000: 0x000000fbffffd940 ← $rsp
0x00007fffffffd8f8│+0x0008: 0x00005555557be20e → 0x0000322ffb000062 ("b"?)
0x00007fffffffd900│+0x0010: 0x0000000000000000
0x00007fffffffd908│+0x0018: 0x000001230000002a ("*"?)
0x00007fffffffd910│+0x0020: 0x00005555557be236 → 0x6e0000000000cb00
0x00007fffffffd918│+0x0028: 0x0000000000000000
0x00007fffffffd920│+0x0030: 0x00007fffffffd990 → 0x00007fffffffd9d0 → 0x00007fffffffda70 → 0x00007fffffffdbc0 → 0x00007fffffffdd10 → 0x00007fffffffdd40 → 0x00007fffffffddd0 ← $rbp
0x00007fffffffd928│+0x0038: 0x00005555555695b0 → <do_checksum+224> mov rdx, rax
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0x55555557673d <get_layer4_v6+209> call 0x555555576798 <get_ipv6_next>
0x555555576742 <get_layer4_v6+214> mov QWORD PTR [rbp-0x8], rax
0x555555576746 <get_layer4_v6+218> mov rax, QWORD PTR [rbp-0x8]
→ 0x55555557674a <get_layer4_v6+222> movzx eax, BYTE PTR [rax]
0x55555557674d <get_layer4_v6+225> mov BYTE PTR [rbp-0x19], al
0x555555576750 <get_layer4_v6+228> mov rax, QWORD PTR [rbp-0x8]
0x555555576754 <get_layer4_v6+232> mov QWORD PTR [rbp-0x10], rax
0x555555576758 <get_layer4_v6+236> jmp 0x555555576791 <get_layer4_v6+293>
0x55555557675a <get_layer4_v6+238> mov eax, 0x0
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:get.c+410 ────
405 case TCPR_IPV6_NH_DESTOPTS:
406 case TCPR_IPV6_NH_HBH:
407 dbgx(3, "Going deeper due to extension header 0x%02X", proto);
408 maxlen = len - (int)((u_char *)ip6_hdr - (u_char *)next);
409 exthdr = get_ipv6_next(next, maxlen);
// exthdr=0x00007fffffffd918 → 0x0000000000000000
→ 410 proto = exthdr->ip_nh;
411 next = exthdr;
412 break;
413 
414 /*
415 * Can't handle. Unparsable IPv6 fragment/encrypted data
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "tcpreplay-edit", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x55555557674a → get_layer4_v6(ip6_hdr=0x5555557be20e, len=0xfb)
[#1] 0x5555555695b0 → do_checksum(tcpedit=0x5555557b86c0, data=0x5555557be20e "b", proto=0x8, len=0xfb)
[#2] 0x555555565fbc → fix_ipv4_checksums(tcpedit=0x5555557b86c0, pkthdr=0x7fffffffdb50, ip_hdr=0x5555557be20e)
[#3] 0x555555564991 → tcpedit_packet(tcpedit=0x5555557b86c0, pkthdr=0x7fffffffdac0, pktdata=0x7fffffffdab0, direction=TCPR_DIR_C2S)
[#4] 0x55555555c589 → send_packets(ctx=0x5555557aa260, pcap=0x5555557ba860, idx=0x0)
[#5] 0x555555563169 → replay_file(ctx=0x5555557aa260, idx=0x0)
[#6] 0x555555562a1b → tcpr_replay_index(ctx=0x5555557aa260)
[#7] 0x555555562341 → tcpreplay_replay(ctx=0x5555557aa260)
[#8] 0x55555555f112 → main(argc=0x1, argv=0x7fffffffe360)


gef➤  p exthdr->ip_nh
Cannot access memory at address 0x0

@fklassen fklassen self-assigned this Feb 12, 2019

@fklassen fklassen added the bug label Feb 12, 2019

@carnil


commented Feb 17, 2019

CVE-2019-8376 was assigned for this issue.

GabrielGanne added a commit to GabrielGanne/tcpreplay that referenced this issue Mar 6, 2019

fix NULL pointer dereference get_ipv6_l4proto()
get_ipv6_next() returns NULL on malformed packets. If that happens
return the last proto that could be read.

This should fix issues appneta#537
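The shape of the fix described in the commit message, as an added illustration that is not tcpreplay's code: a minimal IPv6 extension-header walker whose next-header lookup returns NULL on a truncated header, and a caller that returns the last proto it could read instead of dereferencing that NULL (the check absent at get.c:410 in the trace above). The function names get_ipv6_next_safe(), get_layer4_proto() and build_sample() are hypothetical, and the sample packet is constructed inline.

```c
#include <stdint.h>
#include <string.h>
/* Constructed illustration, not tcpreplay's code: get_ipv6_next_safe(), get_layer4_proto()
 * and build_sample() are hypothetical names; the NH_* values mirror the TCPR_IPV6_NH_* cases. */
#define NH_HBH       0    /* hop-by-hop options */
#define NH_DESTOPTS  60   /* destination options */
#define NH_TCP       6
#define IPV6_HDR_LEN 40
struct ext_hdr { uint8_t ip_nh; uint8_t ip_len; }; /* ip_len: extra 8-octet units */
static uint8_t sample_buf[128];                    /* scratch space for build_sample() */
/* Pointer to the header after 'hdr', or NULL when the declared extension length
 * runs past the 'remaining' bytes actually present in the buffer. */
static const uint8_t *get_ipv6_next_safe(const uint8_t *hdr, int remaining)
{
    if (remaining < (int)sizeof(struct ext_hdr)) return NULL;
    int ext_len = (hdr[1] + 1) * 8;
    return ext_len > remaining ? NULL : hdr + ext_len;
}

/* Walk the extension-header chain and return the layer-4 protocol. On a truncated
 * chain, return the last proto that could be read instead of dereferencing NULL. */
int get_layer4_proto(const uint8_t *pkt, int len)
{
    if (len < IPV6_HDR_LEN) return -1;
    int proto = pkt[6];                          /* fixed header's next-header field */
    const uint8_t *next = pkt + IPV6_HDR_LEN;
    for (;;) {
        if (proto != NH_HBH && proto != NH_DESTOPTS) return proto;
        int maxlen = len - (int)(next - pkt);
        const uint8_t *after = get_ipv6_next_safe(next, maxlen);
        if (after == NULL) return proto;         /* the check missing at get.c:410 */
        proto = ((const struct ext_hdr *)next)->ip_nh;
        next = after;
    }
}

/* Constructed sample: IPv6 -> HBH -> DESTOPTS -> TCP. The DESTOPTS header claims
 * 'claimed_units' extra 8-octet units, but only 'present' (2..80) bytes of it are
 * placed in 'buf'. Returns the total packet length. */
int build_sample(uint8_t *buf, uint8_t claimed_units, int present)
{
    int len = IPV6_HDR_LEN + 8 + present;
    memset(buf, 0, len);
    buf[6] = NH_HBH;                             /* IPv6 next header */
    buf[IPV6_HDR_LEN] = NH_DESTOPTS;             /* HBH next header, ip_len 0 */
    buf[IPV6_HDR_LEN + 8] = NH_TCP;              /* DESTOPTS next header */
    buf[IPV6_HDR_LEN + 9] = claimed_units;       /* DESTOPTS ip_len */
    return len;
}
```

With the well-formed sample the walker reaches TCP; with a DESTOPTS header that declares 2048 bytes but has only 2 present, it stops at NH_DESTOPTS rather than crashing.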

GabrielGanne added a commit to GabrielGanne/tcpreplay that referenced this issue Mar 6, 2019

fix NULL pointer dereference get_ipv6_l4proto()
get_ipv6_next() returns NULL on malformed packets. If that happens
return the last proto that could be read.

This should fix issue appneta#537

@fklassen fklassen added this to To do in 4.3.2 via automation Mar 12, 2019

@fklassen fklassen moved this from To do to In progress in 4.3.2 Mar 12, 2019

fklassen added a commit that referenced this issue Mar 12, 2019

@fklassen

Member

commented Mar 12, 2019

Fixed in PR #544 & #546

@fklassen fklassen closed this Mar 12, 2019

4.3.2 automation moved this from In progress to Done Mar 12, 2019

fklassen added a commit that referenced this issue Mar 12, 2019

GabrielGanne added a commit to GabrielGanne/tcpreplay that referenced this issue May 2, 2019

fix NULL pointer dereference get_ipv6_l4proto()
get_ipv6_next() returns NULL on malformed packets. If that happens
return the last proto that could be read.

This should fix issue appneta#537

GabrielGanne added a commit to GabrielGanne/tcpreplay that referenced this issue May 2, 2019
