Bug 1468504

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | There is a heap buffer overflow in tcpdump. A crafted input will lead to a remote denial of service attack. | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | owl337 <v.owl337> |
| Component | tcpdump | Assignee | Michal Ruprich <mruprich> |
| Status | CLOSED CURRENTRELEASE | QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 7.5 | CC | anarcat, denis, henri, msekleta, thozza |
| Target Milestone | rc | Keywords | Reopened |
| Target Release | --- | | |
| Hardware | All | | |
| OS | All | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2018-02-26 14:37:43 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Did you already report this to the upstream? From the manpage: "To report a security issue please send an e-mail to security". This also affects the latest SCM version (27634837cc57f864682b8a1d690f65faab005f0c, Tue Feb 7 10:48:24 2017 -0800).

CVE-2017-11108 has been assigned for this issue.

I have just sent security the related information about this vulnerability.

Then this case might be a duplicate. Tcpdump has been fuzzed by many people. The non-critical issues are not fixed very fast in the upstream, so different people are reporting the same cases. I'm not even sure if it is wise to request CVEs for tcpdump -ntr crashes if those issues can't be reproduced with analyzing network traffic. I asked opinion from MITRE on this in January but didn't receive any comments.

I have carefully analyzed this heap overflow, which was exactly different from that I reported before, as follows: https://bugzilla.redhat.com/show_bug.cgi?id=1464820 I kindly advise that you'd better fix these buffer overflow problems as soon as possible. In fact, it's hard to evaluate the whole attack surface only through the simple trigger mode like "-ntr".

This was reported as CVE-2017-11108 with MITRE and upstream as https://github.com/the-tcpdump-group/tcpdump/issues/616. I worked on a patch in https://github.com/the-tcpdump-group/tcpdump/pull/617 as well.

Hello anarcat, thanks for your patch.

tcpdump 4.9.1 addresses this specific problem. Deliverables are in the usual places except the GPG signature, which will be added later.

The GPG signature is now in place.
Created attachment 1295234
Triggered by "./tcpdump -ntr POC2"

Description of problem:
The vulnerability was triggered in function EXTRACT_16BITS() at line extract.h:144. The value of pointer p, 0x60600000efff, overflows the heap region [0x60600000efc0,0x60600000effc).

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
./tcpdump -ntr POC2

Steps to Reproduce:

```
$./tcpdump -ntr POC2
IP 192.168.1.94.61358 > 239.255.255.250.1900: UDP, length 133
ARP, Reply 192.168.1.1 is-at 00:e0:20:1c:27:77, length 46
=================================================================
==64502==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000efff at pc 0x00000069737e bp 0x7ffcf4108f60 sp 0x7ffcf4108f58
READ of size 2 at 0x60600000efff thread T0
    #0 0x69737d (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x69737d)
    #1 0x5dda46 (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x5dda46)
    #2 0x5702e5 (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x5702e5)
    #3 0x5079d5 (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x5079d5)
    #4 0x4f447b (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x4f447b)
    #5 0x7f2a32cafa4b (/usr/local/lib/libpcap.so.1+0xaaa4b)
    #6 0x7f2a32c23763 (/usr/local/lib/libpcap.so.1+0x1e763)
    #7 0x4f04ce (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x4f04ce)
    #8 0x7f2a31d1382f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x41a118 (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x41a118)

0x60600000efff is located 3 bytes to the right of 60-byte region [0x60600000efc0,0x60600000effc)
allocated by thread T0 here:
    #0 0x4ba248 (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x4ba248)
    #1 0x7f2a32cb07d9 (/usr/local/lib/libpcap.so.1+0xab7d9)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x69737d)
Shadow bytes around the buggy address:
  0x0c0c7fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
=>0x0c0c7fff9df0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00[04]
  0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==64502==ABORTING
```

The GDB backtrace information is as follows:

```
(gdb) bt
#0  EXTRACT_16BITS (p=0x60600000efff) at ./extract.h:144
#1  stp_print (ndo=<optimized out>, p=<optimized out>, length=<optimized out>) at ./print-stp.c:478
#2  0x00000000005dda47 in llc_print (ndo=0x7fffffffe0c0, p=0x60600000efd1 "", length=175, caplen=4294967294, src=<optimized out>, dst=<optimized out>) at ./print-llc.c:278
#3  0x00000000005702e6 in ether_print (ndo=<optimized out>, p=<optimized out>, length=<optimized out>, caplen=<optimized out>, print_encap_header=<optimized out>, encap_header_arg=<optimized out>) at ./print-ether.c:179
#4  0x00000000005079d6 in pretty_print_packet (ndo=0x7fffffffe0c0, h=<optimized out>, sp=<optimized out>, packets_captured=<optimized out>) at ./print.c:339
#5  0x00000000004f447c in print_packet (user=0x60600000efff "", h=0x60600000efd1, sp=0x19062f0 <__afl_area_initial> "") at ./tcpdump.c:2598
#6  0x00007ffff7ba8a4c in pcap_offline_read (p=<optimized out>, cnt=<optimized out>, callback=<optimized out>, user=<optimized out>) at ./savefile.c:527
#7  0x00007ffff7b1c764 in pcap_loop (p=<optimized out>, cnt=<optimized out>, callback=<optimized out>, user=<optimized out>) at ./pcap.c:1708
#8  0x00000000004f04cf in main (argc=1, argv=<optimized out>) at ./tcpdump.c:2101
```

The vulnerability was triggered in function EXTRACT_16BITS() at line extract.h:144. The value of pointer p, 0x60600000efff, overflows the heap region [0x60600000efc0,0x60600000effc).

```c
141 static inline uint16_t
142 EXTRACT_16BITS(const void *p)
143 {
144         return ((uint16_t)ntohs(*(const uint16_t *)(p)));
145 }
```

Actual results:
crash

Expected results:
crash

Additional info:
This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
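The crash in the report comes from EXTRACT_16BITS() dereferencing a pointer with no knowledge of where the captured packet ends: stp_print() asked for two bytes at an address three bytes past a 60-byte capture buffer. The defensive fix for this class of bug is a length check against the capture end before every such read. The program below is an added example written for this page, not tcpdump's code and not the patch from pull request 617. It places an unchecked extractor equivalent to the page's EXTRACT_16BITS() next to a bounds-checked one that works on offsets into a capture_view (a constructed stand-in for tcpdump's snapshot-end bookkeeping; the type, the function names and the 60-byte sample buffer are this example's own assumptions), and shows a dissector-style loop stopping at truncation instead of reading past the buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed for this example: a "capture view" stands in for the captured
 * bytes of one packet. tcpdump keeps comparable end-of-capture state that
 * every dissector is expected to check before it reads a field.
 */
typedef struct {
    const uint8_t *start;   /* first captured byte */
    size_t caplen;          /* number of bytes actually captured */
} capture_view;

/*
 * Unchecked read, equivalent to the page's EXTRACT_16BITS(): it interprets
 * two big-endian bytes at p and has no idea where the buffer ends. The bytes
 * are assembled by hand instead of *(const uint16_t *)p + ntohs() so the
 * example is also free of unaligned-access problems.
 */
static uint16_t extract_16bits_unchecked(const void *p)
{
    const uint8_t *b = (const uint8_t *)p;
    return (uint16_t)(((uint16_t)b[0] << 8) | b[1]);
}

/*
 * Checked read: the caller passes an offset into the capture rather than a
 * raw pointer, and the function refuses (returns false) when the two bytes
 * would not both lie inside the captured region. Only sizes are compared,
 * so no out-of-bounds pointer is ever formed, let alone dereferenced.
 */
static bool extract_16bits_checked(const capture_view *cv, size_t off,
                                   uint16_t *out)
{
    if (off > cv->caplen || cv->caplen - off < sizeof(uint16_t))
        return false;           /* truncated: field not fully captured */
    *out = extract_16bits_unchecked(cv->start + off);
    return true;
}

/*
 * A dissector loop in the style of the failing stp_print(): walk up to
 * `want` consecutive 16-bit fields starting at `off`, stop at the first one
 * that is not fully captured, and return how many were read. A short count
 * is the caller's cue to print a truncation marker and return, which is what
 * a correctly checked dissector does on a short capture instead of crashing.
 */
static size_t read_u16_fields(const capture_view *cv, size_t off,
                              size_t want, uint16_t *vals)
{
    size_t n = 0;
    while (n < want && extract_16bits_checked(cv, off + 2 * n, &vals[n]))
        n++;
    return n;
}

/*
 * Constructed sample: a 60-byte capture, the same size as the 60-byte heap
 * region in the ASan report above. The byte values are made up.
 */
static const uint8_t sample_bytes[60] = { 0x01, 0x02, 0x03, 0x04 };

static capture_view sample_capture(void)
{
    capture_view cv = { sample_bytes, sizeof sample_bytes };
    return cv;
}

int main(void)
{
    capture_view cv = sample_capture();
    uint16_t v;
    uint16_t vals[8];

    /* Offset 0 is fully inside the capture. */
    if (extract_16bits_checked(&cv, 0, &v))
        printf("offset  0: 0x%04x\n", v);

    /* Offset 59 has only one captured byte left; offset 63 is past the end,
     * the position the ASan report describes as "3 bytes to the right". */
    printf("offset 59: %s\n", extract_16bits_checked(&cv, 59, &v) ? "ok" : "truncated");
    printf("offset 63: %s\n", extract_16bits_checked(&cv, 63, &v) ? "ok" : "truncated");

    /* Eight fields requested from offset 50: only five fit (offsets 50..58). */
    printf("fields read from offset 50: %zu of 8\n", read_u16_fields(&cv, 50, 8, vals));
    return 0;
}
```

The point of passing offsets rather than pointers is that the comparison `cv->caplen - off < sizeof(uint16_t)` can never wrap: `off > cv->caplen` is rejected first, so the subtraction is always defined, and a read at offset 63 of a 60-byte capture is refused before any address is computed.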