Bug 1468504 - There is a heap buffer overflow tcpdump. A crafted input will lead to remote denial of service attack.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: tcpdump
Version: 7.5
Hardware: All
OS: All
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Michal Ruprich
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-07-07 09:20 UTC by owl337
Modified: 2018-02-26 14:37 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-26 14:37:43 UTC
Target Upstream Version:
Embargoed:


Attachments
Triggered by "./tcpdump -ntr POC2" (767 bytes, application/x-rar), 2017-07-07 09:20 UTC, owl337

Description owl337 2017-07-07 09:20:13 UTC
Created attachment 1295234 [details]
Triggered by  "./tcpdump -ntr POC2"

Description of problem:

The vulnerability was triggered in function EXTRACT_16BITS() at line extract.h:144. The value of pointer p, 0x60600000efff, overflows the heap region [0x60600000efc0,0x60600000effc).


Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./tcpdump -ntr POC2

Steps to Reproduce:

$./tcpdump -ntr POC2
IP 192.168.1.94.61358 > 239.255.255.250.1900: UDP, length 133
ARP, Reply 192.168.1.1 is-at 00:e0:20:1c:27:77, length 46
=================================================================
==64502==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000efff at pc 0x00000069737e bp 0x7ffcf4108f60 sp 0x7ffcf4108f58
READ of size 2 at 0x60600000efff thread T0
    #0 0x69737d  (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x69737d)
    #1 0x5dda46  (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x5dda46)
    #2 0x5702e5  (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x5702e5)
    #3 0x5079d5  (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x5079d5)
    #4 0x4f447b  (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x4f447b)
    #5 0x7f2a32cafa4b  (/usr/local/lib/libpcap.so.1+0xaaa4b)
    #6 0x7f2a32c23763  (/usr/local/lib/libpcap.so.1+0x1e763)
    #7 0x4f04ce  (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x4f04ce)
    #8 0x7f2a31d1382f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x41a118  (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x41a118)

0x60600000efff is located 3 bytes to the right of 60-byte region [0x60600000efc0,0x60600000effc)
allocated by thread T0 here:
    #0 0x4ba248  (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x4ba248)
    #1 0x7f2a32cb07d9  (/usr/local/lib/libpcap.so.1+0xab7d9)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x69737d) 
Shadow bytes around the buggy address:
  0x0c0c7fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
=>0x0c0c7fff9df0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00[04]
  0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==64502==ABORTING

The GDB backtrack information is as follows:
(gdb) bt
#0  EXTRACT_16BITS (p=0x60600000efff) at ./extract.h:144
#1  stp_print (ndo=<optimized out>, p=<optimized out>, length=<optimized out>) at ./print-stp.c:478
#2  0x00000000005dda47 in llc_print (ndo=0x7fffffffe0c0, p=0x60600000efd1 "", length=175, caplen=4294967294, 
    src=<optimized out>, dst=<optimized out>) at ./print-llc.c:278
#3  0x00000000005702e6 in ether_print (ndo=<optimized out>, p=<optimized out>, length=<optimized out>, 
    caplen=<optimized out>, print_encap_header=<optimized out>, encap_header_arg=<optimized out>)
    at ./print-ether.c:179
#4  0x00000000005079d6 in pretty_print_packet (ndo=0x7fffffffe0c0, h=<optimized out>, sp=<optimized out>, 
    packets_captured=<optimized out>) at ./print.c:339
#5  0x00000000004f447c in print_packet (user=0x60600000efff "", h=0x60600000efd1, 
    sp=0x19062f0 <__afl_area_initial> "") at ./tcpdump.c:2598
#6  0x00007ffff7ba8a4c in pcap_offline_read (p=<optimized out>, cnt=<optimized out>, callback=<optimized out>, 
    user=<optimized out>) at ./savefile.c:527
#7  0x00007ffff7b1c764 in pcap_loop (p=<optimized out>, cnt=<optimized out>, callback=<optimized out>, 
    user=<optimized out>) at ./pcap.c:1708
#8  0x00000000004f04cf in main (argc=1, argv=<optimized out>) at ./tcpdump.c:2101


The vulnerability was triggered in function EXTRACT_16BITS() at line extract.h:144. The value of pointer p, 0x60600000efff, overflows the heap region [0x60600000efc0,0x60600000effc).

141 static inline uint16_t
142 EXTRACT_16BITS(const void *p)
143 {
144         return ((uint16_t)ntohs(*(const uint16_t *)(p)));
145 }


Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
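As an added example (not code from this report or from tcpdump), the block below contrasts an unchecked 2-byte read shaped like the EXTRACT_16BITS() quoted above with a bounds-checked variant that refuses to read unless both bytes lie inside the captured packet, and shows how a 32-bit unsigned length ends up at 4294967294 ((u_int)-2, the caplen value visible in the gdb frame for llc_print) when a header size is subtracted without checking it first. The helper names (extract_16bits_checked, consume_header, read_field_at, make_capture, demo_checks) and the 60-byte sample capture are assumptions constructed for the example; the 60-byte size matches the region in the ASan report, and offset 63 is its "3 bytes to the right". tcpdump itself guards such reads with its ND_TCHECK family of macros rather than with these helpers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Unchecked 2-byte read, shaped like EXTRACT_16BITS() at extract.h:144 in
 * the report: it dereferences wherever p points, with no knowledge of
 * where the captured packet ends.
 */
static inline uint16_t extract_16bits_unchecked(const void *p)
{
    const uint8_t *b = (const uint8_t *)p;
    return (uint16_t)(((uint16_t)b[0] << 8) | b[1]);   /* network byte order */
}

/*
 * Hypothetical checked variant (not tcpdump's own API). Succeeds only if
 * both bytes lie inside [p, end); otherwise reports truncation so the
 * dissector can stop instead of reading into the heap redzone.
 */
static int extract_16bits_checked(const uint8_t *p, const uint8_t *end,
                                  uint16_t *out)
{
    if (p == NULL || end == NULL || p >= end || (size_t)(end - p) < 2)
        return -1;
    *out = (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
    return 0;
}

/*
 * Length accounting: a u_int that is decremented by more than it holds
 * wraps to a huge value (4294967294 is what 0 - 2 gives in 32 bits), after
 * which every later "is there room?" test passes. Check before subtracting.
 */
static int consume_header(uint32_t *caplen, uint32_t hdrlen)
{
    if (*caplen < hdrlen)
        return -1;          /* truncated capture: stop dissecting */
    *caplen -= hdrlen;
    return 0;
}

/* Read the 16-bit field at `offset` of a capture that holds `caplen` bytes. */
static int read_field_at(const uint8_t *pkt, size_t caplen, size_t offset,
                         uint16_t *out)
{
    if (pkt == NULL || offset > caplen)
        return -1;
    return extract_16bits_checked(pkt + offset, pkt + caplen, out);
}

/* Constructed 60-byte heap capture, the same region size as in the ASan report. */
#define CAPLEN 60

static uint8_t *make_capture(void)
{
    uint8_t *pkt = malloc(CAPLEN);
    if (pkt == NULL)
        return NULL;
    for (size_t i = 0; i < CAPLEN; i++)
        pkt[i] = (uint8_t)i;    /* byte value == offset, so fields are predictable */
    return pkt;
}

/* Runs the scenarios and returns 1 if every check behaved as expected. */
static int demo_checks(void)
{
    uint8_t *pkt = make_capture();
    uint16_t v = 0;
    uint32_t caplen = CAPLEN;
    int ok = 1;

    if (pkt == NULL)
        return 0;
    /* Offset 58 leaves exactly 2 bytes: both variants agree (0x3a3b). */
    ok &= read_field_at(pkt, CAPLEN, 58, &v) == 0 && v == 0x3a3b;
    ok &= extract_16bits_unchecked(pkt + 58) == 0x3a3b;
    /* Offset 59 leaves 1 byte, 60 leaves none, 63 is 3 bytes past the end:
     * the checked read refuses all three; the unchecked read at 63 would be
     * exactly the heap-buffer-overflow ASan reported. */
    ok &= read_field_at(pkt, CAPLEN, 59, &v) == -1;
    ok &= read_field_at(pkt, CAPLEN, 60, &v) == -1;
    ok &= read_field_at(pkt, CAPLEN, 63, &v) == -1;
    /* A 14-byte Ethernet-sized header fits; a 48-byte one no longer does. */
    ok &= consume_header(&caplen, 14) == 0 && caplen == 46;
    ok &= consume_header(&caplen, 48) == -1 && caplen == 46;
    free(pkt);
    return ok;
}

int main(void)
{
    printf("all bounds checks behaved as expected: %s\n",
           demo_checks() ? "yes" : "no");
    return 0;
}
```

Building the block with -fsanitize=address and calling extract_16bits_unchecked(pkt + 63) instead of the checked read reproduces the same "3 bytes to the right of 60-byte region" diagnostic the report shows; the checked path returns -1 there and never touches the redzone.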

Comment 2 Henri Salo 2017-07-08 22:27:20 UTC
Did you already report this to the upstream? From the manpage "To report a security issue please send an e-mail to security". This also affects latest SCM version (27634837cc57f864682b8a1d690f65faab005f0c Tue Feb 7 10:48:24 2017 -0800).

Comment 3 Henri Salo 2017-07-08 23:16:04 UTC
CVE-2017-11108 has been assigned for this issue.

Comment 4 owl337 2017-07-09 00:17:16 UTC
I have just sent security the related information about this vulnerability.

Comment 5 Henri Salo 2017-07-09 11:53:46 UTC
Then this case might be a duplicate. Tcpdump has been fuzzed by many people. The non-critical issues are not fixed very fast in the upstream, so different people are reporting the same cases. I'm not even sure if it is wise to request CVEs for tcpdump -ntr crashes if those issues can't be reproduced by analyzing network traffic. I asked MITRE for an opinion on this in January but didn't receive any comments.

Comment 6 owl337 2017-07-09 12:06:19 UTC
I have carefully analyzed this heap overflow, which is entirely different from the one I reported before, as follows.
https://bugzilla.redhat.com/show_bug.cgi?id=1464820

Comment 7 owl337 2017-07-09 12:23:30 UTC
I kindly advise that you fix this buffer overflow problem as soon as possible. In fact, it's hard to evaluate the whole attack surface only through a simple trigger mode like "-ntr".

Comment 8 owl337 2017-07-09 12:23:59 UTC
I kindly advise that you fix this buffer overflow problem as soon as possible. In fact, it's hard to evaluate the whole attack surface only through a simple trigger mode like "-ntr".

Comment 10 anarcat 2017-07-20 14:35:56 UTC
This was reported as CVE-2017-11108 with MITRE and upstream as https://github.com/the-tcpdump-group/tcpdump/issues/616

I worked on a patch in https://github.com/the-tcpdump-group/tcpdump/pull/617 as well.

Comment 11 Martin Sehnoutka 2017-07-21 07:31:46 UTC
Hello anarcat,

thanks for your patch.

Comment 12 Denis Ovsienko 2017-07-23 20:20:20 UTC
tcpdump 4.9.1 addresses this specific problem. Deliverables are in the usual places except the GPG signature, which will be added later.

Comment 13 Denis Ovsienko 2017-07-25 20:45:29 UTC
The GPG signature is now in place.

