You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
A heap-based buffer overflow was discovered in tcpreplay-edit binary, during the do_checksum operation. The issue is being triggered in the function do_checksum at Checksum.c:132.
To Reproduce
Steps to reproduce the behavior:
Compile tcpreplay according to the default configuration
Expected behavior
An attacker can exploit this vulnerability by submitting a malicious pcap that exploits this issue. This will result in a Denial of Service (DoS) and potentially Information Exposure when the application attempts to process the file.
Screenshots
ASAN Reports
==64466==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000ec3c at pc 0x000000428924 bp 0x7fffffffd570 sp 0x7fffffffd560
WRITE of size 2 at 0x60600000ec3c thread T0
#0 0x428923 in do_checksum /home/test/Desktop/evaulation/tcpreplay/src/tcpedit/checksum.c:132#1 0x42033a in fix_ipv4_checksums /home/test/Desktop/evaulation/tcpreplay/src/tcpedit/edit_packet.c:82#2 0x41c8f9 in tcpedit_packet /home/test/Desktop/evaulation/tcpreplay/src/tcpedit/tcpedit.c:354#3 0x40963b in send_packets /home/test/Desktop/evaulation/tcpreplay/src/send_packets.c:552#4 0x418e9a in replay_file /home/test/Desktop/evaulation/tcpreplay/src/replay.c:182#5 0x417e73 in tcpr_replay_index /home/test/Desktop/evaulation/tcpreplay/src/replay.c:59#6 0x416de4 in tcpreplay_replay /home/test/Desktop/evaulation/tcpreplay/src/tcpreplay_api.c:1136#7 0x40fb4f in main /home/test/Desktop/evaulation/tcpreplay/src/tcpreplay.c:139#8 0x7ffff687f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)#9 0x403508 in _start (/usr/local/bin/tcpreplay-edit+0x403508)
0x60600000ec3c is located 10 bytes to the right of 50-byte region [0x60600000ec00,0x60600000ec32)
allocated by thread T0 here:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)#1 0x7ffff6c484fe (/usr/lib/x86_64-linux-gnu/libpcap.so.0.8+0x1f4fe)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/test/Desktop/evaulation/tcpreplay/src/tcpedit/checksum.c:132 do_checksum
Shadow bytes around the buggy address:
0x0c0c7fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c7fff9d80: 00 00 00 00 00 00 02[fa]fa fa fa fa 00 00 00 00
0x0c0c7fff9d90: 00 00 00 05 fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c7fff9da0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
0x0c0c7fff9db0: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd
0x0c0c7fff9dc0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c7fff9dd0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==64466==ABORTING
[Inferior 1 (process 64466) exited with code 01]
Possible cause of vulnerability
The lacking a check between IP and ICMP6 packet length, resulting in a header buffer overflow in (icmpv6_hdr_t *)(data + ip_hl)
case IPPROTO_ICMP6:
icmp6 = (icmpv6_hdr_t *)(data + ip_hl);
icmp6->icmp_sum = 0;
if (ipv6 != NULL) {
sum = do_checksum_math((u_int16_t *)&ipv6->ip_src, 32);
}
sum += ntohs(IPPROTO_ICMP6 + len);
sum += do_checksum_math((u_int16_t *)icmp6, len);
icmp6->icmp_sum = CHECKSUM_CARRY(sum);
break;
System (please complete the following information):
OS version : Ubuntu 16.04
Tcpreplay Version : 4.3.2/master branch
Additional context
The crash point of this vulnerability is different from issue 556. Although the specific causes of the vulnerabilities are different, they are similar. It is necessary to fully check the 80-142 lines of code in do_checksum.
The text was updated successfully, but these errors were encountered:
Describe the bug
A heap-based buffer overflow was discovered in tcpreplay-edit binary, during the do_checksum operation. The issue is being triggered in the function do_checksum at Checksum.c:132.
To Reproduce
Steps to reproduce the behavior:
./configure CFLAGS="-g -O0 -fsanitize=address"
tcpreplay-edit -r 80:84 -s 20 -b -C -m 1500 -P --oneatatime -i lo $poc
poc can be found here.
Expected behavior
An attacker can exploit this vulnerability by submitting a malicious pcap that exploits this issue. This will result in a Denial of Service (DoS) and potentially Information Exposure when the application attempts to process the file.
Screenshots
ASAN Reports
Debug
Possible cause of vulnerability
The lacking a check between IP and ICMP6 packet length, resulting in a header buffer overflow in (icmpv6_hdr_t *)(data + ip_hl)
System (please complete the following information):
Additional context
The crash point of this vulnerability is different from issue 556. Although the specific causes of the vulnerabilities are different, they are similar. It is necessary to fully check the 80-142 lines of code in do_checksum.
The text was updated successfully, but these errors were encountered: