[bug] sngrep heap buffer overflow #431

Closed
randomssr opened this issue Mar 1, 2023 · 1 comment
@randomssr

I found a heap buffer overflow in sngrep.
Please confirm.
Thanks!

Test Environment:
Ubuntu 20.04, 64 bit; sngrep (version: v1.6.0; 5089514)

How to trigger:
1. Compile the program with AddressSanitizer.
2. Run command: $ ./sngrep -N -R -I $PoC

Details (ASAN report):
$ ./sngrep -N -R -I $PoC

Dialog count: 0
=================================================================
==974271==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000080a0 at pc 0x0000004d385c bp 0x7f69535f92f0 sp 0x7f69535f92e8
READ of size 2 at 0x6020000080a0 thread T1
    #0 0x4d385b in capture_packet_reasm_ip /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:678:49
    #1 0x4d0d09 in parse_packet /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:367:17
    #2 0x7f695522a466  (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x23466)
    #3 0x7f6955218f67 in pcap_loop (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x11f67)
    #4 0x4cf5c9 in capture_thread /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:1042:5
    #5 0x7f69551ea608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
    #6 0x7f6954f95132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x6020000080a0 is located 15 bytes to the right of 1-byte region [0x602000008090,0x602000008091)
allocated by thread T1 here:
    #0 0x49c3cd in __interceptor_malloc (/home/root/randomFuzz/sngrep/sngrep/sngrep_N_R_I/sngrep+0x49c3cd)
    #1 0x4dbb59 in packet_add_frame /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/packet.c:123:19
    #2 0x4d31ee in capture_packet_reasm_ip /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:639:9
    #3 0x4d0d09 in parse_packet /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:367:17
    #4 0x7f695522a466  (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x23466)

Thread T1 created by T0 here:
    #0 0x486a8c in pthread_create (/home/root/randomFuzz/sngrep/sngrep/sngrep_N_R_I/sngrep+0x486a8c)
    #1 0x4d712c in capture_launch_thread /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:1027:13
    #2 0x4efb9e in main /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/main.c:433:9
    #3 0x7f6954e9a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:678:49 in capture_packet_reasm_ip
Shadow bytes around the buggy address:
  0x0c047fff8fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9000: fa fa 00 00 fa fa fd fa fa fa fd fa fa fa 00 00
=>0x0c047fff9010: fa fa 01 fa[fa]fa fd fd fa fa 00 00 fa fa 01 fa
  0x0c047fff9020: fa fa 00 00 fa fa 01 fa fa fa 00 00 fa fa 01 fa
  0x0c047fff9030: fa fa 00 00 fa fa 01 fa fa fa 00 00 fa fa 01 fa
  0x0c047fff9040: fa fa 00 00 fa fa 01 fa fa fa 00 00 fa fa 01 fa
  0x0c047fff9050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==974271==ABORTING

The URL of PoC is PoC

Kaian self-assigned this Mar 3, 2023
Kaian added this to the 1.7.0 milestone Mar 3, 2023

Kaian (Member) commented Mar 3, 2023

Thanks for reporting!!

The above commit should fix this problem by checking that frames have at least Link layer + IP header size before accessing IP header fields.

Regards!!
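The ASan report above shows a 2-byte read landing 15 bytes past a 1-byte frame buffer inside the IP reassembly path, and the fix described in the comment is a length check before any IP header field is touched. The following is an added, self-contained illustration of that kind of check; it is not sngrep's code and not the referenced commit. The function name `ip_header_checked`, the `ip_hdr_view` struct and the sample frames (Ethernet II followed by IPv4 or IPv6 headers) are all constructed for this example. It goes slightly beyond the comment by also validating the IPv4 IHL and rejecting frames whose link-layer header alone exceeds the captured length, which is the same class of bug with a different offset.

```c
/* Added example (not sngrep's code): verify that a captured frame really
 * contains a full link-layer header plus a full IP header before reading
 * any IP header field. All names and sample frames below are assumptions
 * made for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN   14   /* Ethernet II, no VLAN tag */
#define IPV4_MIN_HDR  20
#define IPV6_HDR_LEN  40

struct ip_hdr_view {
    uint8_t  version;     /* 4 or 6 */
    uint8_t  hdr_len;     /* IP header bytes verified to be present */
    uint32_t total_len;   /* IPv4 Total Length, or IPv6 40 + Payload Length */
    uint8_t  proto;       /* IPv4 Protocol / IPv6 Next Header */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns the IP version on success, -1 when the frame is too short (or the
 * header is internally inconsistent) to read safely. `out` may be NULL. */
int ip_header_checked(const uint8_t *frame, size_t frame_len,
                      size_t link_hdr_len, struct ip_hdr_view *out)
{
    if (frame == NULL) return -1;
    /* Compare by subtraction: link_hdr_len + IPV4_MIN_HDR could wrap. */
    if (frame_len < link_hdr_len) return -1;
    size_t avail = frame_len - link_hdr_len;
    if (avail < 1) return -1;             /* not even the version nibble */

    const uint8_t *ip = frame + link_hdr_len;
    struct ip_hdr_view v = {0};
    v.version = ip[0] >> 4;

    if (v.version == 4) {
        if (avail < IPV4_MIN_HDR) return -1;   /* the check from the fix */
        v.hdr_len = (uint8_t)((ip[0] & 0x0f) * 4);
        /* IHL < 5 is malformed; IHL beyond the captured bytes would send
         * option parsing past the end of the buffer. */
        if (v.hdr_len < IPV4_MIN_HDR || v.hdr_len > avail) return -1;
        v.total_len = be16(ip + 2);
        if (v.total_len < v.hdr_len) return -1;
        v.proto = ip[9];
    } else if (v.version == 6) {
        if (avail < IPV6_HDR_LEN) return -1;
        v.hdr_len = IPV6_HDR_LEN;
        v.total_len = IPV6_HDR_LEN + (uint32_t)be16(ip + 4);
        v.proto = ip[6];
    } else {
        return -1;
    }
    if (out) *out = v;
    return v.version;
}

/* Convenience wrapper: total length, or -1 when the header cannot be read. */
long checked_total_len(const uint8_t *frame, size_t frame_len)
{
    struct ip_hdr_view v;
    if (ip_header_checked(frame, frame_len, ETH_HDR_LEN, &v) < 0) return -1;
    return (long)v.total_len;
}

/* Constructed sample frames (not captures from the report above). */
static const uint8_t kEthIpv4Frame[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0x02 };           /* len 40, UDP */
static const uint8_t kTruncatedFrame[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00,
    0x45 };                                 /* only one byte of IP header */
static const uint8_t kBadIhlFrame[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00,
    0x4f,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0x02 };     /* IHL=15 > captured */
static const uint8_t kEthIpv6Frame[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x86,0xdd,
    0x60,0x00,0x00,0x00, 0x00,0x08,0x3a,0x40,
    0xfe,0x80,0,0,0,0,0,0, 0,0,0,0,0,0,0,0x01,
    0xfe,0x80,0,0,0,0,0,0, 0,0,0,0,0,0,0,0x02 };    /* payload 8, ICMPv6 */

int main(void)
{
    struct { const char *name; const uint8_t *f; size_t n; } cases[] = {
        { "ipv4",      kEthIpv4Frame,  sizeof kEthIpv4Frame  },
        { "truncated", kTruncatedFrame, sizeof kTruncatedFrame },
        { "bad-ihl",   kBadIhlFrame,   sizeof kBadIhlFrame   },
        { "ipv6",      kEthIpv6Frame,  sizeof kEthIpv6Frame  },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct ip_hdr_view v;
        int r = ip_header_checked(cases[i].f, cases[i].n, ETH_HDR_LEN, &v);
        if (r < 0) printf("%-9s rejected (frame too short or malformed)\n", cases[i].name);
        else printf("%-9s IPv%d hdr=%u total=%u proto=%u\n", cases[i].name,
                    r, v.hdr_len, v.total_len, v.proto);
    }
    return 0;
}
```

The order of the checks is the point: the caller never dereferences `ip[2]` or `ip[9]` until `avail` is known to cover the whole fixed header, and the subtraction form of the length test avoids the wrap that `link_hdr_len + IPV4_MIN_HDR > frame_len` would allow on a hostile or corrupt capture.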

No branches or pull requests

2 participants