CVE-2015-3138 over-read issues in tcpdump Whiteboard decoder #446

Closed
brandonprry opened this Issue Mar 25, 2015 · 9 comments


@brandonprry

Hello,

In learning how to use american fuzzy lop, I decided to make libpcap/tcpdump my first fuzzing foray. I was able to find two possible heap overflows in print-wb.c (lines 274 and 280).

Loading tcpdump (4.7.3) in gdb and running the two testcases that consistently segfault:

gdb ../../tcpdump-4.7.3/tcpdump

run -ntr id:000003,sig:11,src:005130,op:int32,pos:16,val:+64 

Program received signal SIGSEGV, Segmentation fault.
wb_prep (len=<optimized out>, prep=<optimized out>, ndo=0xcf82a0 <Gndo>)
    at ./print-wb.c:274
274         ND_PRINT((ndo, " %u/%s:%u",

And...

run -r id:000000,sig:11,src:004852,op:flip1,pos:92 

Program received signal SIGSEGV, Segmentation fault.
wb_prep (len=<optimized out>, prep=<optimized out>, ndo=0xcf82a0 <Gndo>)
    at ./print-wb.c:280
280             ND_PRINT((ndo, "%c%s:%u", c, ipaddr_string(ndo, &io->id),

What would be the best way to get the testcases to you that cause the crashes?

Thanks!

@infrastation
Member

Could you take the input pcap file(s) and use one of the binary-to-hex converters (xxd, uuencode or base64, also available online) and then paste the encoded version as a comment? Thank you.

@brandonprry

Absolutely, they are small (4kb).

Doing this now.

On Wed, Mar 25, 2015 at 3:05 PM, Denis Ovsienko notifications@github.com
wrote:

Could you take the input pcap file(s) and use one of the binary-to-hex
converters (xxd, uuencode or base64, also available online) and then paste
the encoded version as a comment? Thank you.


http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

@brandonprry

Following base64-encoded pcap should be run with 'tcpdump -r':

1MOyoQIABAAALBAAAAAAAGAABQABAAAAuDFgVKUIAABAAAAASgAAAAAAAAAASgAAAAAAAAgARRAAPJw3QABAEQAAAX8AAAEAAIAXZxHXAwAAAACgAoAY/jAAAO4HQAwEAkgKI5dVSgA=

This pcap should be run with 'tcpdump -ntr':

1MOyoQIAAAAYLAAAAAAAAEAAAAABAAAAuDFgSKUIAAAtAAAASgAAAAAAAAAASgAAAAAAAAgARRAAPJw3QABAEQAA/4AAAAHgGgAXZxHXAwAAn5+fn5+fn5+fAAQHgCwAAgEAAAC4MWCfn5+fEgCgAoAY/jAAAAIEQAwEAkgKI5dVSgA=

Let me know if you need anything else.

@infrastation
Member

Thank you. I confirm a segfault for each case (both with -ntr), the 1st one takes longer to crash and the 2nd is almost instant. I am working on this.

@infrastation infrastation self-assigned this Mar 25, 2015
@infrastation infrastation added a commit that referenced this issue Mar 25, 2015
@infrastation infrastation whiteboard: fixup a few reversed tests (GH #446)
This is a follow-up to commit 3a3ec26.
3ed82f4
@infrastation
Member

Could you check the latest master branch build?

@brandonprry

I can later tonight, give me a couple hours. Am in CST timezone.

On Mar 25, 2015, at 5:51 PM, Denis Ovsienko notifications@github.com wrote:

Could you check the latest master branch build?


@brandonprry

Got a short amount of time to test; I can confirm master now parses the test cases correctly.

@infrastation infrastation added a commit that referenced this issue Mar 26, 2015
@infrastation infrastation whiteboard: fixup a few reversed tests (GH #446)
This is a follow-up to commit 3a3ec26.
8aa5ede
@infrastation
Member

Thank you for the report and detailed feedback!

@uqs uqs pushed a commit to freebsd/freebsd-ports that referenced this issue Apr 16, 2015
garga - Add a patch to fix heap overflow
- Bump PORTREVISION

Obtained from:	the-tcpdump-group/tcpdump#446
MFH:		2015Q2
Security:	CVE-2015-3138


git-svn-id: svn+ssh://svn.freebsd.org/ports/head@384101 35697150-7ecd-e111-bb59-0022644237b5
d29924e
@uqs uqs pushed a commit to freebsd/freebsd-ports that referenced this issue Apr 16, 2015
@rbgarga rbgarga - Add a patch to fix heap overflow
- Bump PORTREVISION

Obtained from:	the-tcpdump-group/tcpdump#446
MFH:		2015Q2
Security:	CVE-2015-3138
fe7275a
@uqs uqs pushed a commit to freebsd/freebsd-ports that referenced this issue Apr 16, 2015
@rbgarga rbgarga MFH: r384101
- Add a patch to fix heap overflow
- Bump PORTREVISION

Obtained from:	the-tcpdump-group/tcpdump#446
Security:	CVE-2015-3138
Approved by:	portmgr (erwin)
1f97e64
@infrastation infrastation changed the title from Possible heap overflows reading pcap to CVE-2015-3138 over-read issues in tcpdump Whiteboard decoder Apr 22, 2015
@infrastation
Member

CVE-2015-3138 over-read issues in tcpdump Whiteboard decoder

Overview

tcpdump is a network protocol analyzer available on most UNIX-like operating
systems. Its releases between 4.7.0 and 4.7.3 inclusive can crash trying to
decode a specific packet, whether from a live network interface or from a .pcap
file. This vulnerability was discovered by Brandon Perry.

Description

One of the protocols supported in tcpdump is Whiteboard, a UDP-based protocol.
The decoder module for it, like other decoders, has a set of checks in place to
take into account the number of bytes captured for each packet being decoded.
The checks guard the decoders from access beyond the initialized data.

During a recent unification of the source code a few such checks in the
Whiteboard decoder had been mistakenly reversed before the 4.7.0 release.
Because of this the decoder could access beyond the initialized data in an
endless loop and would eventually cause a segmentation fault (assigned bug
number 446). A later commit in the tcpdump repository (3ed82f4), which will be
included in a release following 4.7.3, fixes the issue.

Impact

CVSSv2 score: 1.0
(AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:N/TD:L/CR:ND/IR:ND/AR:L)
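As an added illustration (not tcpdump's code; the PREP byte layout, the constant names and the ttest() helper are assumptions standing in for the real structs and the ND_TTEST macro), the correctly guarded entry loop the advisory describes, beside a dereference-free model of what the reversed test admits: with the check negated, the loop runs precisely for entries that lie beyond the captured bytes and keeps going until the packet-supplied count runs out.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical PREP layout reconstructed for this example (not tcpdump's
 * headers): big-endian 32-bit entry count, then 8-byte {id, off} entries. */
#define PREP_HDR_LEN 4
#define ID_OFF_LEN   8

/* Same idea as tcpdump's ND_TTEST: true only if the sz bytes at offset off
 * lie entirely inside the caplen bytes actually captured. */
static int ttest(size_t caplen, size_t off, size_t sz)
{ return off <= caplen && sz <= caplen - off; }

static uint32_t extract32(const uint8_t *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Correctly guarded decoder: returns the number of entries decoded, or -1 if even
 * the header is truncated. The advisory's defect is this loop with ttest() negated. */
static int wb_prep_count(const uint8_t *pkt, size_t caplen)
{
    size_t off = PREP_HDR_LEN;
    int decoded = 0;
    if (caplen < PREP_HDR_LEN)
        return -1;
    uint32_t n = extract32(pkt);             /* count is attacker-controlled */
    for (; n > 0 && ttest(caplen, off, ID_OFF_LEN); --n, off += ID_OFF_LEN) {
        printf(" %u:%u", extract32(pkt + off), extract32(pkt + off + 4));
        decoded++;
    }
    return decoded;
}

/* Models the reversed loop "n > 0 && !ttest()" without dereferencing: bytes
 * past caplen it would read before n counts down (capped at max_iters so the
 * simulation terminates). Requires caplen >= PREP_HDR_LEN. */
static size_t reversed_loop_overread(const uint8_t *pkt, size_t caplen, uint32_t max_iters)
{
    uint32_t n = extract32(pkt), iters = 0;
    size_t off = PREP_HDR_LEN, end = caplen;
    for (; n > 0 && iters < max_iters && !ttest(caplen, off, ID_OFF_LEN); --n, iters++)
        end = (off += ID_OFF_LEN);           /* one past the last byte touched */
    return end - caplen;
}

/* Constructed sample: count claims 0x9f9f9f9f entries; two captured, a third cut off. */
static const uint8_t sample_truncated[] = {
    0x9f, 0x9f, 0x9f, 0x9f,
    0x7f, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10,
    0x7f, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x20,
    0x7f, 0x00
};
```

The correct guard stops at the two complete entries regardless of the claimed count, while the reversed form touches nothing for that capture but, for a capture that ends right after the header, walks off the end for as many entries as the count allows.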

@mat813 mat813 pushed a commit to mat813/freebsd-ports that referenced this issue Oct 10, 2016
garga MFH: r384101
- Add a patch to fix heap overflow
- Bump PORTREVISION

Obtained from:	the-tcpdump-group/tcpdump#446
Security:	CVE-2015-3138
Approved by:	portmgr (erwin)


git-svn-id: https://svn.freebsd.org/ports/branches/2015Q2@384102 35697150-7ecd-e111-bb59-0022644237b5
0a5ce69
@mat813 mat813 pushed a commit to mat813/freebsd-ports that referenced this issue Nov 22, 2016
garga MFH: r384101
- Add a patch to fix heap overflow
- Bump PORTREVISION

Obtained from:	the-tcpdump-group/tcpdump#446
Security:	CVE-2015-3138
Approved by:	portmgr (erwin)


git-svn-id: https://svn.freebsd.org/ports/branches/2015Q2@384102 35697150-7ecd-e111-bb59-0022644237b5
3cd5936