Heap Overread triggered by sending specific packets over an interface being monitored by TCPDump, as well as while trying to parse the pcap file of these packets #645
Comments
Thank you for such a detailed report. As far as it is possible to tell from

Can you please attach the pcap here? Could not recreate a valid pcap file from the hexdump. Thanks

The requested pcap file: tcpdump-heapoverread.zip. Thanks

@infrastation has this issue been resolved?

@infrastation, "already been reported" <- (NDA?), had to raise questions like that. As for the future release notes, you may want to include this CVE: CVE-2017-16080, because it was assigned 11/13/2017. Here's their title: "tcpdump 4.9.2 has a heap-based buffer over-read related to aoe_print in print-aoe.c and lookup_emem in addrtoname.c." idk if they told you already about the CVE, really; excuse me if this is also duplication. Yes, also as VictorR asks... any resolutions here?

Thank you for providing the reference, this issue is a duplicate of an earlier issue, which is not yet fixed with a stable release.

JFYI, the actual CVE number is CVE-2017-16808, not CVE-2017-16080, see NVD.

@infrastation, could you point to which commit fixes this issue?

Fixed by 46aead6.

@fxlb Thanks so much
There seems to be a heap-based buffer overread while running tcpdump on a crafted pcap file. A similar behavior is seen when tcpdump is listening on an interface and the contents of this file are relayed over the network.
In order to trigger the vulnerability, run
./tcpdump -vr %file%
The relevant MemCheck output: the memcheck output has been attached because it was too long.
memcheck-local.txt
Debug info:
Tcpdump version: tcpdump.4.9.2
Libpcap version: libpcap 1.8.1
OS: Ubuntu 17.10
Compiler: gcc 7.2.0
Target: x86_64-linux-gnu
Hexdump of Input:
I performed some analysis with gdb to identify what was causing the issue. On adding a breakpoint in main and the function ether_print using:
GDB gave the following output:
Values after code execution
When the breakpoint reaches the second time.
ep has no values, and the fetching fails on VulnCodes
Looks like a heap-overread is happening resulting in NULL or garbage values.
Note that running Tcpdump without Memcheck doesn’t result in a crash:
Tcpdump Output:
Valgrind Network Output: The network-memcheck output has been attached because it was too long.
memcheck-network.txt
Credits for discovering the potential memory error go to @kirit1193; I performed the analysis and designed the POC for tcpdump on both the pcap file as well as on the network.
PS - Sorry for the long-ish bug report.
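The defensive pattern that closes this class of bug, as an added example (not code from tcpdump and not the reporter's PoC): every field read is gated on the number of bytes actually captured rather than on what the headers claim, the way tcpdump's ND_TCHECK macros do. The AoE header layout and the sample frame are constructed for illustration, and the names have_bytes, parse_aoe and sample_frame are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETHER_HDR_LEN 14
#define ETHERTYPE_AOE 0x88a2
#define AOE_HDR_LEN   10  /* ver/flags, error, major(2), minor, command, tag(4) */

struct aoe_hdr { uint8_t ver_flags, error, minor, command; uint16_t major; uint32_t tag; };

/* ND_TCHECK-style guard: are `need` bytes at offset `off` inside the `caplen`
 * bytes actually captured? Subtraction form avoids overflow of off + need. */
static int have_bytes(size_t caplen, size_t off, size_t need) { return need <= caplen && off <= caplen - need; }

/* Parse Ethernet + AoE header. Returns 1 on success, 0 if not AoE, -1 if the
 * capture is too short: each read is gated on caplen (what is in the buffer),
 * never on what the headers claim, so a short frame cannot cause an over-read. */
int parse_aoe(const uint8_t *pkt, size_t caplen, struct aoe_hdr *out)
{
    if (!have_bytes(caplen, 12, 2))
        return -1;                                   /* EtherType missing */
    if (((pkt[12] << 8) | pkt[13]) != ETHERTYPE_AOE)
        return 0;
    if (!have_bytes(caplen, ETHER_HDR_LEN, AOE_HDR_LEN))
        return -1;                                   /* AoE header cut off */
    const uint8_t *p = pkt + ETHER_HDR_LEN;
    out->ver_flags = p[0];
    out->error     = p[1];
    out->major     = (uint16_t)((p[2] << 8) | p[3]);
    out->minor     = p[4];
    out->command   = p[5];
    out->tag       = ((uint32_t)p[6] << 24) | ((uint32_t)p[7] << 16) |
                     ((uint32_t)p[8] << 8) | p[9];
    return 1;
}

/* Constructed 24-byte sample (not from the reporter's pcap): Ethernet header
 * with EtherType 0x88a2, then AoE v1, major 1, minor 2, command 0, tag 0x2a. */
const uint8_t sample_frame[24] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x88,0xa2,
    0x10,0x00, 0x00,0x01, 0x02, 0x00, 0x00,0x00,0x00,0x2a
};

int main(void)
{
    struct aoe_hdr h;
    int rc = parse_aoe(sample_frame, sizeof sample_frame, &h);
    printf("full frame: rc=%d major=%d minor=%d\n", rc, h.major, h.minor);
    printf("same bytes, caplen 20: rc=%d\n", parse_aoe(sample_frame, 20, &h));
    return 0;
}
```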