lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAMZSfUhagCVqfA2LP9H9wO+5ckxvZy-GKiy_SRscpQB0KZfWRQ@mail.gmail.com>
Date: Mon, 6 Mar 2017 17:18:34 +0530
From: Aromal Raj <ddos2me@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2017-6429: Buffer overflow vulnerability in Tcpreplay
	tcpcapinfo utility

Document Title:
===============
CVE-2017-6429: Buffer overflow vulnerability in Tcpreplay tcpcapinfo utility

Vendor:
=======
Appneta (https://www.appneta.com/)

Product and Versions Affected:
==============================
Tcpreplay 4.1.2 and possibly prior.

Fixed Version:
==============
4.2.0 Beta 1

Product Description:
====================
Tcpreplay is a suite of GPLv3 licensed utilities for UNIX (and Win32 under
Cygwin) operating systems for editing and replaying network traffic which
was previously captured by tools like tcpdump and Ethereal/Wireshark.

Vulnerability Type:
===================
Buffer Overflow

CVE Reference:
==============
CVE-2017-6429

Vulnerability Details:
======================
Tcpcapinfo utility of Tcpreplay have a buffer overflow vulnerability
associated with parsing a crafted pcap file. This occurs in the
src/tcpcapinfo.c file when capture has a packet that is too large to handle.

GDB Dump:
=========
---------Backtrace:-----------
/lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x7ffff7a8838f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7ffff7b1fc9c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109b60)[0x7ffff7b1eb60]
/lib/x86_64-linux-gnu/libc.so.6(+0x109fed)[0x7ffff7b1efed]
/home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo[0x40228c]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7ffff7a36ec5]
/home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo[0x4028dc]
======= Memory map: ========
00400000-0041b000 r-xp 00000000 08:01 453864
/home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo
0061a000-0061b000 r--p 0001a000 08:01 453864
/home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo
0061b000-0061c000 rw-p 0001b000 08:01 453864
/home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo
0061c000-0063e000 rw-p 00000000 00:00 0
[heap]
7ffff77fe000-7ffff7814000 r-xp 00000000 08:01 660352
/lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7814000-7ffff7a13000 ---p 00016000 08:01 660352
/lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7a13000-7ffff7a14000 r--p 00015000 08:01 660352
/lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7a14000-7ffff7a15000 rw-p 00016000 08:01 660352
/lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7a15000-7ffff7bd0000 r-xp 00000000 08:01 660238
/lib/x86_64-linux-gnu/libc-2.19.so
7ffff7bd0000-7ffff7dcf000 ---p 001bb000 08:01 660238
/lib/x86_64-linux-gnu/libc-2.19.so
7ffff7dcf000-7ffff7dd3000 r--p 001ba000 08:01 660238
/lib/x86_64-linux-gnu/libc-2.19.so
7ffff7dd3000-7ffff7dd5000 rw-p 001be000 08:01 660238
/lib/x86_64-linux-gnu/libc-2.19.so
7ffff7dd5000-7ffff7dda000 rw-p 00000000 00:00 0
7ffff7dda000-7ffff7dfd000 r-xp 00000000 08:01 660214
/lib/x86_64-linux-gnu/ld-2.19.so
7ffff7fd5000-7ffff7fd8000 rw-p 00000000 00:00 0
7ffff7ff4000-7ffff7ff8000 rw-p 00000000 00:00 0
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0
[vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0
[vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00022000 08:01 660214
/lib/x86_64-linux-gnu/ld-2.19.so
7ffff7ffd000-7ffff7ffe000 rw-p 00023000 08:01 660214
/lib/x86_64-linux-gnu/ld-2.19.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0
[stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
[vsyscall]
1    1260        134217964        575b56ff.0
Program received signal SIGABRT, Aborted.

 [----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x70 ('p')
RCX: 0xffffffffffffffff
RDX: 0x6
RSI: 0xcc0b
RDI: 0xcc0b
RBP: 0x7fffffffb500 --> 0x7ffff7b944c2 ("buffer overflow detected")
RSP: 0x7fffffffb1e8 --> 0x7ffff7a4f0d8 (<__GI_abort+328>:    mov
rdx,QWORD PTR fs:0x10)
RIP: 0x7ffff7a4bcc9 (<__GI_raise+57>:    cmp    rax,0xfffffffffffff000)
R8 : 0x7ffff7b8bdc0 ("0123456789abcdefghijklmnopqrstuvwxyz")
R9 : 0x61bd80 --> 0x7ffff7dd41c0 --> 0xfbad2086
R10: 0x8
R11: 0x246
R12: 0x7fffffffb370 --> 0x1
R13: 0x5
R14: 0x70 ('p')
R15: 0x5
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction
overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7a4bcbf <__GI_raise+47>:    movsxd rdi,ecx
   0x7ffff7a4bcc2 <__GI_raise+50>:    mov    eax,0xea
   0x7ffff7a4bcc7 <__GI_raise+55>:    syscall
=> 0x7ffff7a4bcc9 <__GI_raise+57>:    cmp    rax,0xfffffffffffff000
   0x7ffff7a4bccf <__GI_raise+63>:    ja     0x7ffff7a4bcea <__GI_raise+90>
   0x7ffff7a4bcd1 <__GI_raise+65>:    repz ret
   0x7ffff7a4bcd3 <__GI_raise+67>:    nop    DWORD PTR [rax+rax*1+0x0]
   0x7ffff7a4bcd8 <__GI_raise+72>:    test   eax,eax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffb1e8 --> 0x7ffff7a4f0d8 (<__GI_abort+328>:    mov
rdx,QWORD PTR fs:0x10)
0008| 0x7fffffffb1f0 --> 0x20 (' ')
0016| 0x7fffffffb1f8 --> 0x0
0024| 0x7fffffffb200 --> 0x0
0032| 0x7fffffffb208 --> 0x0
0040| 0x7fffffffb210 --> 0x0
0048| 0x7fffffffb218 --> 0x0
0056| 0x7fffffffb220 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@...ry=0x6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
56    ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.


Patch:
======
 src/tcpcapinfo.c
 @@ -281,6 +281,15 @@ main(int argc, char *argv[])
                  caplen = pcap_ph.caplen;
              }

 +            if (caplentoobig) {
 +                printf("\n\nCapture file appears to be damaged or
corrupt.\n"
 +                        "Contains packet of size %u, bigger than snap
length %u\n",
 +                        caplen, pcap_fh.snaplen);
 +
 +                close(fd);
 +                break;
 +            }
 +
              /* check to make sure timestamps don't go backwards */
              if (last_sec > 0 && last_usec > 0) {
                  if ((pcap_ph.ts.tv_sec == last_sec) ?
 @@ -306,7 +315,7 @@ main(int argc, char *argv[])
                  }

                  close(fd);
 -                continue;
 +                break;
              }

              /* print the frame checksum */


References:
===========
https://github.com/appneta/tcpreplay/issues/278
https://github.com/appneta/tcpreplay/releases/tag/v4.2.0-beta1


Vulnerability Disclosure Timeline:
==================================
2017-02-08: Bug Report Submission & Coordination
2017-03-05: Public Disclosure

Credit:
=======
AromalUllas

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ