Created attachment 1295234
Triggered by "./tcpdump -ntr POC2"
Description of problem:
The vulnerability was triggered in function EXTRACT_16BITS() at line extract.h:144. The value of pointer p, 0x60600000efff, overflows the heap region [0x60600000efc0,0x60600000effc).
Version-Release number of selected component (if applicable):
<= latest version
How reproducible:
./tcpdump -ntr POC2
Steps to Reproduce:
$./tcpdump -ntr POC2
IP 192.168.1.94.61358 > 239.255.255.250.1900: UDP, length 133
ARP, Reply 192.168.1.1 is-at 00:e0:20:1c:27:77, length 46
=================================================================
==64502==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000efff at pc 0x00000069737e bp 0x7ffcf4108f60 sp 0x7ffcf4108f58
READ of size 2 at 0x60600000efff thread T0
#0 0x69737d (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x69737d)
#1 0x5dda46 (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x5dda46)
#2 0x5702e5 (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x5702e5)
#3 0x5079d5 (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x5079d5)
#4 0x4f447b (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x4f447b)
#5 0x7f2a32cafa4b (/usr/local/lib/libpcap.so.1+0xaaa4b)
#6 0x7f2a32c23763 (/usr/local/lib/libpcap.so.1+0x1e763)
#7 0x4f04ce (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x4f04ce)
#8 0x7f2a31d1382f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x41a118 (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x41a118)
0x60600000efff is located 3 bytes to the right of 60-byte region [0x60600000efc0,0x60600000effc)
allocated by thread T0 here:
#0 0x4ba248 (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x4ba248)
#1 0x7f2a32cb07d9 (/usr/local/lib/libpcap.so.1+0xab7d9)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x69737d)
==64502==ABORTING
The GDB backtrace information is as follows:
(gdb) bt
#0 EXTRACT_16BITS (p=0x60600000efff) at ./extract.h:144
#1 stp_print (ndo=<optimized out>, p=<optimized out>, length=<optimized out>) at ./print-stp.c:478
#2 0x00000000005dda47 in llc_print (ndo=0x7fffffffe0c0, p=0x60600000efd1 "", length=175, caplen=4294967294, src=<optimized out>, dst=<optimized out>) at ./print-llc.c:278
#3 0x00000000005702e6 in ether_print (ndo=<optimized out>, p=<optimized out>, length=<optimized out>, caplen=<optimized out>, print_encap_header=<optimized out>, encap_header_arg=<optimized out>) at ./print-ether.c:179
#4 0x00000000005079d6 in pretty_print_packet (ndo=0x7fffffffe0c0, h=<optimized out>, sp=<optimized out>, packets_captured=<optimized out>) at ./print.c:339
#5 0x00000000004f447c in print_packet (user=0x60600000efff "", h=0x60600000efd1, sp=0x19062f0 <__afl_area_initial> "") at ./tcpdump.c:2598
#6 0x00007ffff7ba8a4c in pcap_offline_read (p=<optimized out>, cnt=<optimized out>, callback=<optimized out>, user=<optimized out>) at ./savefile.c:527
#7 0x00007ffff7b1c764 in pcap_loop (p=<optimized out>, cnt=<optimized out>, callback=<optimized out>, user=<optimized out>) at ./pcap.c:1708
#8 0x00000000004f04cf in main (argc=1, argv=<optimized out>) at ./tcpdump.c:2101
The vulnerability was triggered in function EXTRACT_16BITS() at line extract.h:144. The value of pointer p, 0x60600000efff, overflows the heap region [0x60600000efc0,0x60600000effc).
141 static inline uint16_t
142 EXTRACT_16BITS(const void *p)
143 {
144 return ((uint16_t)ntohs(*(const uint16_t *)(p)));
145 }
Actual results:
crash
Expected results:
crash
Additional info:
This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
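The report above shows EXTRACT_16BITS() reading 2 bytes past a 60-byte capture buffer from stp_print, with a caplen of 4294967294 in the llc_print frame, i.e. a length that has already wrapped. The following added example (not tcpdump's code; the cursor type and the STP field names are assumptions of this illustration) shows the defensive pattern a dissector needs: every fixed-width read is preceded by a check of the bytes that actually remain in the capture, computed as end minus position so that a wrapped length cannot pass the check.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>   /* ntohs */

/* Unchecked 16-bit read in the spirit of extract.h:144: it trusts the caller
 * to have verified that two bytes exist at p. memcpy also avoids the
 * unaligned dereference of the original cast. */
static inline uint16_t extract_16bits(const void *p)
{
    uint16_t v;
    memcpy(&v, p, sizeof v);
    return ntohs(v);
}

/* Hypothetical bounded cursor over the captured bytes; plays the role that
 * the snapshot end pointer plays in a real dissector. */
struct pkt_cursor {
    const uint8_t *p;     /* current read position */
    const uint8_t *end;   /* one past the last captured byte */
};

/* 1 if n bytes remain, else 0. Compares (end - p) >= n rather than
 * p + n <= end, so a huge or wrapped n can never pass. */
static int cursor_need(const struct pkt_cursor *c, size_t n)
{
    return c->p <= c->end && (size_t)(c->end - c->p) >= n;
}

static int read_u16(struct pkt_cursor *c, uint16_t *out)
{
    if (!cursor_need(c, 2)) return 0;
    *out = extract_16bits(c->p);
    c->p += 2;
    return 1;
}

static int read_u8(struct pkt_cursor *c, uint8_t *out)
{
    if (!cursor_need(c, 1)) return 0;
    *out = *c->p++;
    return 1;
}

/* Parse the first fields of an STP BPDU (protocol id, version, BPDU type)
 * from caplen captured bytes. Returns 1 on success, 0 if the capture is
 * truncated, instead of reading past the buffer. */
int parse_stp_head(const uint8_t *buf, size_t caplen,
                   uint16_t *proto, uint8_t *ver, uint8_t *type)
{
    struct pkt_cursor c = { buf, buf + caplen };
    return read_u16(&c, proto) && read_u8(&c, ver) && read_u8(&c, type);
}
```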
Did you already report this to upstream? From the manpage: "To report a security issue please send an e-mail to security". This also affects the latest SCM version (27634837cc57f864682b8a1d690f65faab005f0c Tue Feb 7 10:48:24 2017 -0800).
Then this case might be a duplicate. Tcpdump has been fuzzed by many people. The non-critical issues are not fixed very fast upstream, so different people are reporting the same cases. I'm not even sure if it is wise to request CVEs for tcpdump -ntr crashes if those issues can't be reproduced by analyzing network traffic. I asked MITRE for an opinion on this in January but didn't receive any comments.
I kindly advise that you fix these buffer overflow problems as soon as possible. In fact, it's hard to evaluate the whole attack surface only through a simple trigger mode like "-ntr".