
CVE-2015-3138 over-read issues in tcpdump Whiteboard decoder #446

Closed
brandonprry opened this issue Mar 25, 2015 · 9 comments

Comments

@brandonprry brandonprry commented Mar 25, 2015

Hello,

In learning how to use american fuzzy lop, I decided to make libpcap/tcpdump my first fuzzing foray. I was able to find two possible heap overflows in print-wb.c (lines 274 and 280).

Loading tcpdump (4.7.3) in gdb and running the two testcases that consistently segfault:

gdb ../../tcpdump-4.7.3/tcpdump

run -ntr id:000003,sig:11,src:005130,op:int32,pos:16,val:+64 

Program received signal SIGSEGV, Segmentation fault.
wb_prep (len=<optimized out>, prep=<optimized out>, ndo=0xcf82a0 <Gndo>)
    at ./print-wb.c:274
274         ND_PRINT((ndo, " %u/%s:%u",

And...

run -r id:000000,sig:11,src:004852,op:flip1,pos:92 

Program received signal SIGSEGV, Segmentation fault.
wb_prep (len=<optimized out>, prep=<optimized out>, ndo=0xcf82a0 <Gndo>)
    at ./print-wb.c:280
280             ND_PRINT((ndo, "%c%s:%u", c, ipaddr_string(ndo, &io->id),

What would be the best way to get the testcases to you that cause the crashes?

Thanks!

@infrastation infrastation commented Mar 25, 2015

Could you take the input pcap file(s) and use one of the binary-to-hex convertors (xxd, uuencode or base64, also available online) and then paste the encoded version as a comment? Thank you.

@brandonprry brandonprry commented Mar 25, 2015

Absolutely, they are small (4kb).

Doing this now.


http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

@brandonprry brandonprry commented Mar 25, 2015

Following base64-encoded pcap should be run with 'tcpdump -r':

1MOyoQIABAAALBAAAAAAAGAABQABAAAAuDFgVKUIAABAAAAASgAAAAAAAAAASgAAAAAAAAgARRAAPJw3QABAEQAAAX8AAAEAAIAXZxHXAwAAAACgAoAY/jAAAO4HQAwEAkgKI5dVSgA=

This pcap should be run with 'tcpdump -ntr':

1MOyoQIAAAAYLAAAAAAAAEAAAAABAAAAuDFgSKUIAAAtAAAASgAAAAAAAAAASgAAAAAAAAgARRAAPJw3QABAEQAA/4AAAAHgGgAXZxHXAwAAn5+fn5+fn5+fAAQHgCwAAgEAAAC4MWCfn5+fEgCgAoAY/jAAAAIEQAwEAkgKI5dVSgA=

Let me know if you need anything else.

@infrastation infrastation commented Mar 25, 2015

Thank you. I confirm a segfault for each case (both with -ntr); the 1st one takes longer to crash and the 2nd is almost instant. I am working on this.

@infrastation infrastation self-assigned this Mar 25, 2015
infrastation added a commit that referenced this issue Mar 25, 2015
This is a follow-up to commit 3a3ec26.
@infrastation infrastation commented Mar 25, 2015

Could you check the latest master branch build?

@brandonprry brandonprry commented Mar 25, 2015

I can later tonight, give me a couple hours. Am in CST timezone.


@brandonprry brandonprry commented Mar 25, 2015

Got a short amount of time to test; I can confirm master has fixed the parsing of the test cases correctly.

infrastation added a commit that referenced this issue Mar 26, 2015
This is a follow-up to commit 3a3ec26.
@infrastation infrastation commented Mar 26, 2015

Thank you for the report and detailed feedback!

uqs pushed a commit to freebsd/freebsd-ports that referenced this issue Apr 16, 2015
- Bump PORTREVISION

Obtained from:	the-tcpdump-group/tcpdump#446
MFH:		2015Q2
Security:	CVE-2015-3138


git-svn-id: svn+ssh://svn.freebsd.org/ports/head@384101 35697150-7ecd-e111-bb59-0022644237b5
uqs pushed a commit to freebsd/freebsd-ports that referenced this issue Apr 16, 2015
- Add a patch to fix heap overflow
- Bump PORTREVISION

Obtained from:	the-tcpdump-group/tcpdump#446
Security:	CVE-2015-3138
Approved by:	portmgr (erwin)
infrastation changed the title from "Possible heap overflows reading pcap" to "CVE-2015-3138 over-read issues in tcpdump Whiteboard decoder" Apr 22, 2015
@infrastation infrastation commented Apr 22, 2015

CVE-2015-3138 over-read issues in tcpdump Whiteboard decoder

Overview

tcpdump is a network protocol analyzer available on most UNIX-like operating
systems. Its releases between 4.7.0 and 4.7.3 inclusive can crash trying to
decode a specific packet, whether from a live network interface or from a .pcap
file. This vulnerability was discovered by Brandon Perry.

Description

One of the protocols supported in tcpdump is Whiteboard, a UDP-based protocol.
The decoder module for it, like other decoders, has a set of checks in place to
take into account the number of bytes captured for each packet being decoded.
The checks guard the decoders from access beyond the initialized data.

During a recent unification of the source code a few such checks in the
Whiteboard decoder had been mistakenly reversed before the 4.7.0 release.
Because of this the decoder could access beyond the initialized data in an
endless loop and would eventually cause a segmentation fault (assigned bug
number 446). A later commit in the tcpdump repository (3ed82f4), which will be
included in a release following 4.7.3, fixes the issue.

Impact

CVSSv2 score: 1.0
(AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:N/TD:L/CR:ND/IR:ND/AR:L)
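
The advisory above describes bounds checks in the Whiteboard decoder that were reversed, so the record loop ran exactly when the record was *not* inside the captured data. The following is an added illustration, not tcpdump's code: a constructed model of a counted record loop with an ND_TTEST-style check, run once with the correct condition and once with the inverted one. The 4-byte count, the 8-byte record size and the `walk()` driver are assumptions for the model; nothing is dereferenced, so the over-read is counted rather than performed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a Whiteboard page-state record (size assumed). */
struct pgstate_like { uint32_t id; uint32_t n; };

/* ND_TTEST-style check: does the whole object [p, p+len) lie within the
 * captured bytes, i.e. before snapend? Also rejects p already past snapend. */
static int ttest(const unsigned char *p, size_t len, const unsigned char *snapend)
{
    return p <= snapend && (size_t)(snapend - p) >= len;
}

struct walk_result { unsigned decoded; unsigned over_read_records; };

/* Model of the decoder's counted loop: 'n' records follow a 4-byte count.
 * reversed == 0 uses the correct condition (loop while record is captured);
 * reversed == 1 uses the inverted condition the advisory describes
 * (loop while the record is NOT captured). */
static struct walk_result walk(const unsigned char *pkt, size_t caplen,
                               uint32_t n, int reversed)
{
    const unsigned char *snapend = pkt + caplen;
    const unsigned char *ps = pkt + 4;          /* first record */
    struct walk_result r = {0, 0};
    int32_t left = (int32_t)n;                  /* decoder uses a signed count */
    while (--left >= 0) {
        int in_bounds = ttest(ps, sizeof(struct pgstate_like), snapend);
        int proceed = reversed ? !in_bounds : in_bounds;
        if (!proceed)
            break;
        if (in_bounds) r.decoded++; else r.over_read_records++;
        ps += sizeof(struct pgstate_like);
    }
    return r;
}

/* Constructed 12-byte sample: a count field followed by one full record.
 * Passing caplen = 8 simulates a capture truncated in the middle of record 0. */
static const unsigned char sample_pkt[12] = {
    0, 0, 0, 3,                     /* count = 3 (big-endian, informational) */
    0x7f, 0, 0, 1, 0, 0, 0, 5       /* record 0: id 127.0.0.1, n = 5 */
};

int main(void)
{
    struct walk_result ok  = walk(sample_pkt, 8, 3, 0);
    struct walk_result bad = walk(sample_pkt, 8, 3, 1);
    printf("correct check: decoded=%u over-read=%u\n", ok.decoded, ok.over_read_records);
    printf("reversed check: decoded=%u over-read=%u\n", bad.decoded, bad.over_read_records);
    return 0;
}
```

With the full 12-byte capture the correct loop decodes one record and stops at the second; with the 8-byte truncated capture it decodes nothing, while the inverted check walks all three records past snapend.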

mat813 pushed a commit to mat813/freebsd-ports that referenced this issue Oct 10, 2016
- Add a patch to fix heap overflow
- Bump PORTREVISION

Obtained from:	the-tcpdump-group/tcpdump#446
Security:	CVE-2015-3138
Approved by:	portmgr (erwin)


git-svn-id: https://svn.freebsd.org/ports/branches/2015Q2@384102 35697150-7ecd-e111-bb59-0022644237b5