CVE-2015-3138 over-read issues in tcpdump Whiteboard decoder

[brandonprry]

Hello,

In learning how to use american fuzzy lop, I decided to make libpcap/tcpdump my first fuzzing foray. I was able to find two possible heap overflows in print-wb.c (lines 274 and 280).

Loading tcpdump (4.7.3) in gdb and running the two testcases that consistently segfault:

gdb ../../tcpdump-4.7.3/tcpdump

run -ntr id:000003,sig:11,src:005130,op:int32,pos:16,val:+64 

Program received signal SIGSEGV, Segmentation fault.
wb_prep (len=<optimized out>, prep=<optimized out>, ndo=0xcf82a0 <Gndo>)
    at ./print-wb.c:274
274         ND_PRINT((ndo, " %u/%s:%u",

And...

run -r id:000000,sig:11,src:004852,op:flip1,pos:92 

Program received signal SIGSEGV, Segmentation fault.
wb_prep (len=<optimized out>, prep=<optimized out>, ndo=0xcf82a0 <Gndo>)
    at ./print-wb.c:280
280             ND_PRINT((ndo, "%c%s:%u", c, ipaddr_string(ndo, &io->id),

What would be the best way to get the testcases to you that cause the crashes?

Thanks!

[infrastation]

Could you take the input pcap file(s) and use one of the binary-to-hex convertors (xxd, uuencode or base64, also available online) and then paste the encoded version as a comment? Thank you.

[brandonprry]

Absolutely, they are small (4kb).

Doing this now.

On Wed, Mar 25, 2015 at 3:05 PM, Denis Ovsienko notifications@github.com
wrote:

Could you take the input pcap file(s) and use one of the binary-to-hex
convertors (xxd, uuencode or base64, also available online) and then paste
the encoded version as a comment? Thank you.

—
Reply to this email directly or view it on GitHub
#446 (comment)
.

http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

[brandonprry]

Following base64-encoded pcap should be run with 'tcpdump -r':

1MOyoQIABAAALBAAAAAAAGAABQABAAAAuDFgVKUIAABAAAAASgAAAAAAAAAASgAAAAAAAAgARRAAPJw3QABAEQAAAX8AAAEAAIAXZxHXAwAAAACgAoAY/jAAAO4HQAwEAkgKI5dVSgA=

This pcap should be run with 'tcpdump -ntr':

1MOyoQIAAAAYLAAAAAAAAEAAAAABAAAAuDFgSKUIAAAtAAAASgAAAAAAAAAASgAAAAAAAAgARRAAPJw3QABAEQAA/4AAAAHgGgAXZxHXAwAAn5+fn5+fn5+fAAQHgCwAAgEAAAC4MWCfn5+fEgCgAoAY/jAAAAIEQAwEAkgKI5dVSgA=

Let me know if you need anything else.

[infrastation]

Thank you. I confirm a segfault for each case (both with -ntr), the 1st one takes longer to crash and the 2nd is almost instant. I am working on this.

[infrastation]

Could you check the latest master branch build?

[brandonprry]

I can later tonight, give me a couple hours. Am in CST timezone.

On Mar 25, 2015, at 5:51 PM, Denis Ovsienko notifications@github.com wrote:

Could you check the latest master branch build?

—
Reply to this email directly or view it on GitHub #446 (comment).

[brandonprry]

Got a short amount of time to test, I can confirm master has fixed the parsing the test cases correctly.

[infrastation]

Thank you for the report and detailed feedback!

[infrastation]

CVE-2015-3138 over-read issues in tcpdump Whiteboard decoder

Overview

tcpdump is a network protocol analyzer available on most UNIX-like operating
systems. Its releases between 4.7.0 and 4.7.3 inclusive can crash trying to
decode a specific packet, whether from a live network interface or from a .pcap
file. This vulnerability was discovered by Brandon Perry.

Description

One of the protocols supported in tcpdump is Whiteboard, a UDP-based protocol.
The decoder module for it, like other decoders, has a set of checks in place to
take into account the amount of bytes captured for each packet being decoded.
The checks guard the decoders from access beyond the initialized data.

During a recent unification of the source code a few such checks in the
Whiteboard decoder had been mistakenly reversed before the 4.7.0 release.
Because of this the decoder could access beyond the initialized data in an
endless loop and would eventually cause a segmentation fault (assigned bug
number 446). A later commit in the tcpdump repository (3ed82f4), which will be
included in a release following 4.7.3, fixes the issue.

Impact

CVSSv2 score: 1.0
(AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:N/TD:L/CR:ND/IR:ND/AR:L)