Describe the bug
A heap-based buffer overflow was discovered in the tcpreplay-edit binary, during the pointer 'ip' dereference operation. The issue is being triggered in the function randomize_iparp at edit_packet.c:1032.
To Reproduce
Steps to reproduce the behavior:
Compile tcpreplay according to the default configuration
./configure CFLAGS="-g -O0 -fsanitize=address"
tcpreplay-edit -r 80:84 -s 20 -b -C -m 1500 -P --oneatatime -i lo $poc
poc can be found here.
Expected behavior
An attacker can exploit this vulnerability by submitting a malicious pcap that exploits this issue. This will result in a Denial of Service (DoS), potentially Information Exposure when the application attempts to process the file.
Screenshots
ASAN Reports
==64974==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000edf6 at pc 0x000000425341 bp 0x7fffffffd5d0 sp 0x7fffffffd5c0
READ of size 4 at 0x60300000edf6 thread T0
#0 0x425340 in randomize_iparp /home/test/Desktop/evaulation/tcpreplay/src/tcpedit/edit_packet.c:1032
#1 0x41c71b in tcpedit_packet /home/test/Desktop/evaulation/tcpreplay/src/tcpedit/tcpedit.c:329
#2 0x40963b in send_packets /home/test/Desktop/evaulation/tcpreplay/src/send_packets.c:552
#3 0x418e9a in replay_file /home/test/Desktop/evaulation/tcpreplay/src/replay.c:182
#4 0x417e73 in tcpr_replay_index /home/test/Desktop/evaulation/tcpreplay/src/replay.c:59
#5 0x416de4 in tcpreplay_replay /home/test/Desktop/evaulation/tcpreplay/src/tcpreplay_api.c:1136
#6 0x40fb4f in main /home/test/Desktop/evaulation/tcpreplay/src/tcpreplay.c:139
#7 0x7ffff687f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#8 0x403508 in _start (/usr/local/bin/tcpreplay-edit+0x403508)
0x60300000edf6 is located 6 bytes to the right of 32-byte region [0x60300000edd0,0x60300000edf0)
allocated by thread T0 here:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x7ffff6c484fe (/usr/lib/x86_64-linux-gnu/libpcap.so.0.8+0x1f4fe)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/test/Desktop/evaulation/tcpreplay/src/tcpedit/edit_packet.c:1032 randomize_iparp
Shadow bytes around the buggy address:
0x0c067fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00[fa]fa
0x0c067fff9dc0: 00 00 00 fa fa fa fd fd fd fa fa fa fd fd fd fa
0x0c067fff9dd0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x0c067fff9de0: fd fd fa fa fd fd fd fd fa fa fd fd fd fa fa fa
0x0c067fff9df0: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fa
0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==64974==ABORTING
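The report above is a 4-byte read 6 bytes past the end of a 32-byte packet buffer while dereferencing the IP header pointer. The following is an added example, not tcpreplay's code, of the length check that prevents that class of read: it verifies that the captured length covers the L2 header plus the full IPv4 header before any field is touched, and it rejects a constructed 32-byte capture that stops short of the destination address. All names (get_ipv4_addrs, the sample functions, ETH_HDR_LEN) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ETH_HDR_LEN      14   /* untagged Ethernet header, used by the samples */
#define IPV4_MIN_HDR_LEN 20

/* Copy the IPv4 source/destination addresses out of a captured frame.
 * Returns 0 on success, -1 when caplen does not cover the whole IPv4 header
 * (truncated or malformed capture), so nothing is read past the buffer. */
int get_ipv4_addrs(const uint8_t *pkt, size_t caplen, size_t l2len,
                   uint32_t *src, uint32_t *dst)
{
    /* Check 1: the capture holds the L2 header plus a minimal IPv4 header. */
    if (pkt == NULL || l2len > caplen || caplen - l2len < IPV4_MIN_HDR_LEN)
        return -1;
    const uint8_t *ip = pkt + l2len;
    /* Check 2: version is 4 and the IHL-encoded length also fits in caplen. */
    if ((ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < IPV4_MIN_HDR_LEN || ihl > caplen - l2len) return -1;
    /* Byte copies: no unaligned or out-of-bounds pointer dereference. */
    memcpy(src, ip + 12, sizeof *src);
    memcpy(dst, ip + 16, sizeof *dst);
    return 0;
}

/* Constructed sample 1: a 32-byte capture that ends after 18 bytes of the
 * IPv4 header, before the destination address. Expected result: -1. */
int sample_truncated_is_rejected(void)
{
    uint8_t frame[32] = {0};
    uint32_t s = 0, d = 0;
    frame[12] = 0x08; frame[13] = 0x00; frame[14] = 0x45; /* IPv4, IHL 5 */
    return get_ipv4_addrs(frame, sizeof frame, ETH_HDR_LEN, &s, &d);
}

/* Constructed sample 2: a 34-byte capture with a complete 20-byte IPv4
 * header, src 10.0.0.1 and dst 10.0.0.2. Returns 1 when both read back. */
int sample_full_header_is_accepted(void)
{
    uint8_t frame[34] = {0};
    static const uint8_t want_src[4] = {10, 0, 0, 1}, want_dst[4] = {10, 0, 0, 2};
    uint32_t s = 0, d = 0;
    frame[12] = 0x08; frame[13] = 0x00; frame[14] = 0x45;
    memcpy(frame + ETH_HDR_LEN + 12, want_src, 4);
    memcpy(frame + ETH_HDR_LEN + 16, want_dst, 4);
    if (get_ipv4_addrs(frame, sizeof frame, ETH_HDR_LEN, &s, &d) != 0)
        return 0;
    return memcmp(&s, want_src, 4) == 0 && memcmp(&d, want_dst, 4) == 0;
}
```

With the check in place a short capture is refused before the pointer is dereferenced, which is what ASAN would otherwise report as the heap-buffer-overflow read.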
I am unable to play back the poc file. It also gets the same failure if I attempt to open it with wireshark or tcpdump.
PID: 128257
Warning in sendpacket.c:sendpacket_open_pf() line 943:
Unsupported physical layer type 0x0304 on lo. Maybe it works, maybe it won't. See tickets #123/318
Failed: From replay.c:replay_file() line 129:
Error opening pcap file: unsupported pcap savefile version 2.250