Heap over-read triggered by sending specific packets over an interface being monitored by tcpdump, as well as while trying to parse the pcap file of these packets #645
There seems to be a heap-based buffer over-read while running tcpdump on a crafted pcap file. Similar behavior is seen when tcpdump is listening on an interface and the contents of this file are relayed over the network.
In order to trigger the vulnerability, run
Tcpdump version: tcpdump.4.9.2
Hexdump of Input:
I performed some analysis with gdb to identify what was causing the issue. On adding a breakpoint in main and the function ether_print using:
GDB gave the following output:
Values after code execution
When the breakpoint reaches the second time.
ep has no values, and the fetching fails on VulnCodes
Looks like a heap over-read is happening, resulting in NULL or garbage values.
Note that running Tcpdump without Memcheck doesn’t result in a crash:
Valgrind Network Output : The network-memcheck output has been attached because it was too long.
Credit for discovering the potential memory error goes to @kirit1193; I performed the analysis and designed the PoC for tcpdump, on both the pcap file and the network.
PS - Sorry for the long-ish bug report.
Thank you for such a detailed report. As far as it is possible to tell from
@infrastation, "already been reported" <- (NDA?), had to raise questions like that. As for the future release notes, you may want to include this CVE: CVE-2017-16080, because it was assigned: 11/13/2017
Here's their title: "tcpdump 4.9.2 has a heap-based buffer over-read related to aoe_print in print-aoe.c and lookup_emem in addrtoname.c."
idk if they told you already about the CVE, really; excuse me if this is also duplication. Yes, also, as VictorR asks, any resolutions here?
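To make concrete what a heap over-read in a link-layer dissector such as aoe_print looks like, and how the ND_TCHECK-style bounds checks tcpdump uses stop it, here is an added example. It is my own illustration, not tcpdump's code and not the reporter's PoC, and it uses a constructed, simplified record layout (one count byte followed by that many 6-byte MAC addresses) rather than the real AoE wire format. `unchecked_overread_bytes` computes arithmetically how far past the captured buffer a loop that trusts the count field would read, so the example itself never touches memory out of bounds; `dissect_addr_list` is the hardened form that checks every entry against `caplen` and reports truncation instead of printing garbage.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_ADDR_LEN 6
#define PARSE_TRUNCATED (-1)   /* capture ended before the record did */
#define PARSE_NOSPACE   (-2)   /* output buffer too small */

/* Constructed record layout for this example (NOT the real AoE format):
 *   byte 0    : number of address entries that follow
 *   bytes 1.. : that many 6-byte MAC addresses
 * A capture whose caplen is shorter than 1 + count*6 is truncated. */

/* Offset-based bounds check, same idea as tcpdump's ND_TCHECK* macros:
 * is the span [off, off+len) inside the captured bytes [0, caplen)?
 * Offsets are compared instead of pointers so no out-of-range pointer
 * is ever formed. */
static int in_capture(size_t caplen, size_t off, size_t len)
{
    return off <= caplen && len <= caplen - off;
}

/* Bytes an unchecked loop would read past the captured buffer.
 * Such a loop trusts the count field and reads count*6 bytes no matter
 * how much was actually captured; on a heap-allocated packet buffer
 * that is exactly a heap over-read, which Valgrind/ASan flag even when
 * the process does not crash. Returns 0 when the read would be safe. */
size_t unchecked_overread_bytes(const uint8_t *pkt, size_t caplen)
{
    if (caplen < 1)
        return 1;                      /* even the count byte is missing */
    size_t span = 1 + (size_t)pkt[0] * ETHER_ADDR_LEN;
    return span > caplen ? span - caplen : 0;
}

/* Hardened dissector: bounds-checks every 6-byte entry before touching
 * it and writes "aa:bb:cc:dd:ee:ff " per entry into out. Returns the
 * number of entries formatted, or PARSE_TRUNCATED / PARSE_NOSPACE. */
int dissect_addr_list(const uint8_t *pkt, size_t caplen, char *out, size_t outlen)
{
    size_t off = 0, used = 0;

    if (outlen == 0)
        return PARSE_NOSPACE;
    out[0] = '\0';
    if (!in_capture(caplen, off, 1))
        return PARSE_TRUNCATED;
    unsigned count = pkt[off++];

    for (unsigned i = 0; i < count; i++) {
        /* The check that an over-reading dissector is missing. */
        if (!in_capture(caplen, off, ETHER_ADDR_LEN))
            return PARSE_TRUNCATED;
        const uint8_t *m = pkt + off;
        int n = snprintf(out + used, outlen - used,
                         "%02x:%02x:%02x:%02x:%02x:%02x ",
                         m[0], m[1], m[2], m[3], m[4], m[5]);
        if (n < 0 || (size_t)n >= outlen - used)
            return PARSE_NOSPACE;
        used += (size_t)n;
        off += ETHER_ADDR_LEN;
    }
    return (int)count;
}

/* Constructed sample inputs (not taken from the report's hexdump). */
static const uint8_t good_pkt[] = {
    0x02,                                   /* two entries, fully captured */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,
};
/* Same 13 bytes, but the count byte promises 5 entries (31 bytes). */
static const uint8_t short_pkt[] = {
    0x05,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,
};

int main(void)
{
    char buf[128];
    printf("good: unchecked over-read %zu bytes, checked -> %d entries: %s\n",
           unchecked_overread_bytes(good_pkt, sizeof good_pkt),
           dissect_addr_list(good_pkt, sizeof good_pkt, buf, sizeof buf), buf);
    printf("short: unchecked over-read %zu bytes, checked -> %d\n",
           unchecked_overread_bytes(short_pkt, sizeof short_pkt),
           dissect_addr_list(short_pkt, sizeof short_pkt, buf, sizeof buf));
    return 0;
}
```

The point of the pair is the one the Valgrind output in the report makes: the unchecked walk only "works" because the bytes past `caplen` happen to be readable heap, which is why plain tcpdump does not crash while Memcheck complains. Checking the offset against the captured length before each fixed-size read is the fix pattern tcpdump applies, and the caller then emits a truncation marker rather than addresses built from whatever followed the buffer.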