Bug 1468504 - There is a heap buffer overflow tcpdump. A crafted input will lead to remote denial of service attack.
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: tcpdump (Show other bugs)
7.5
All All
medium Severity medium
: rc
: ---
Assigned To: Michal Ruprich
BaseOS QE Security Team
: Reopened
Depends On:
Blocks:
Reported: 2017-07-07 05:20 EDT by owl337
Modified: 2018-02-26 09:37 EST (History)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-02-26 09:37:43 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Triggered by "./tcpdump -ntr POC2" (767 bytes, application/x-rar)
2017-07-07 05:20 EDT, owl337
Description owl337 2017-07-07 05:20:13 EDT
Created attachment 1295234 [details]
Triggered by  "./tcpdump -ntr POC2"

Description of problem:

The vulnerability was triggered in function EXTRACT_16BITS() at extract.h:144. The value of pointer p, 0x60600000efff, overflows the heap region [0x60600000efc0,0x60600000effc).


Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

./tcpdump -ntr POC2

Steps to Reproduce:

$./tcpdump -ntr POC2
IP 192.168.1.94.61358 > 239.255.255.250.1900: UDP, length 133
ARP, Reply 192.168.1.1 is-at 00:e0:20:1c:27:77, length 46
=================================================================
==64502==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000efff at pc 0x00000069737e bp 0x7ffcf4108f60 sp 0x7ffcf4108f58
READ of size 2 at 0x60600000efff thread T0
    #0 0x69737d  (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x69737d)
    #1 0x5dda46  (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x5dda46)
    #2 0x5702e5  (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x5702e5)
    #3 0x5079d5  (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x5079d5)
    #4 0x4f447b  (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x4f447b)
    #5 0x7f2a32cafa4b  (/usr/local/lib/libpcap.so.1+0xaaa4b)
    #6 0x7f2a32c23763  (/usr/local/lib/libpcap.so.1+0x1e763)
    #7 0x4f04ce  (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x4f04ce)
    #8 0x7f2a31d1382f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x41a118  (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x41a118)

0x60600000efff is located 3 bytes to the right of 60-byte region [0x60600000efc0,0x60600000effc)
allocated by thread T0 here:
    #0 0x4ba248  (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x4ba248)
    #1 0x7f2a32cb07d9  (/usr/local/lib/libpcap.so.1+0xab7d9)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/icy/tcpdump-master-asan/install/sbin/tcpdump.4.10.0-PRE-GIT+0x69737d) 
==64502==ABORTING

The GDB backtrace information is as follows:
(gdb) bt
#0  EXTRACT_16BITS (p=0x60600000efff) at ./extract.h:144
#1  stp_print (ndo=<optimized out>, p=<optimized out>, length=<optimized out>) at ./print-stp.c:478
#2  0x00000000005dda47 in llc_print (ndo=0x7fffffffe0c0, p=0x60600000efd1 "", length=175, caplen=4294967294, 
    src=<optimized out>, dst=<optimized out>) at ./print-llc.c:278
#3  0x00000000005702e6 in ether_print (ndo=<optimized out>, p=<optimized out>, length=<optimized out>, 
    caplen=<optimized out>, print_encap_header=<optimized out>, encap_header_arg=<optimized out>)
    at ./print-ether.c:179
#4  0x00000000005079d6 in pretty_print_packet (ndo=0x7fffffffe0c0, h=<optimized out>, sp=<optimized out>, 
    packets_captured=<optimized out>) at ./print.c:339
#5  0x00000000004f447c in print_packet (user=0x60600000efff "", h=0x60600000efd1, 
    sp=0x19062f0 <__afl_area_initial> "") at ./tcpdump.c:2598
#6  0x00007ffff7ba8a4c in pcap_offline_read (p=<optimized out>, cnt=<optimized out>, callback=<optimized out>, 
    user=<optimized out>) at ./savefile.c:527
#7  0x00007ffff7b1c764 in pcap_loop (p=<optimized out>, cnt=<optimized out>, callback=<optimized out>, 
    user=<optimized out>) at ./pcap.c:1708
#8  0x00000000004f04cf in main (argc=1, argv=<optimized out>) at ./tcpdump.c:2101


The vulnerability was triggered in function EXTRACT_16BITS() at extract.h:144. The value of pointer p, 0x60600000efff, overflows the heap region [0x60600000efc0,0x60600000effc).

141 static inline uint16_t
142 EXTRACT_16BITS(const void *p)
143 {
144         return ((uint16_t)ntohs(*(const uint16_t *)(p)));
145 }


Actual results:

crash

Expected results:

crash

Additional info:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
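Added illustration (my own code, not tcpdump's and not the reporter's): the unchecked 2-byte read of the shape shown above from extract.h, next to a checked variant that refuses to read past the end of the captured record, applied to the first four bytes of an STP BPDU that stp_print() consumes. The `struct ndo` stand-in, `nd_tcheck`, and the sample BPDU bytes are assumptions/constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for tcpdump's netdissect_options: just the end of the
 * captured bytes (one past the last), which is all a bounds check needs. */
struct ndo { const uint8_t *snapend; };
/* Unchecked read, the shape of EXTRACT_16BITS() on the page: it trusts p.
 * With p at or past snapend this is the 2-byte heap overread ASan reported. */
static inline uint16_t extract_16bits_unchecked(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);      /* network byte order */
}

/* Is [p, p+n) inside the capture?  Pointer-difference form: p+n is never
 * formed, and a p already past the end is rejected instead of wrapping. */
static int nd_tcheck(const struct ndo *ndo, const uint8_t *p, size_t n)
{
    return p <= ndo->snapend && (size_t)(ndo->snapend - p) >= n;
}

/* Checked read: returns 1 and sets *out, or 0 when the capture is truncated. */
static int extract_16bits_checked(const struct ndo *ndo, const uint8_t *p, uint16_t *out)
{
    if (!nd_tcheck(ndo, p, 2))
        return 0;
    *out = extract_16bits_unchecked(p);
    return 1;
}
struct stp_hdr { uint16_t proto_id; uint8_t version; uint8_t bpdu_type; };
/* Parse the 4-byte BPDU prefix the STP printer reads first.  Every access is
 * checked, so a short record yields a truncation result ("[|stp]") instead. */
static int parse_stp_prefix(const struct ndo *ndo, const uint8_t *p,
                            struct stp_hdr *h)
{
    if (!extract_16bits_checked(ndo, p, &h->proto_id) || !nd_tcheck(ndo, p, 4))
        return 0;
    h->version = p[2];
    h->bpdu_type = p[3];
    return 1;
}

/* Constructed sample: protocol id 0x0000, version 0, BPDU type 0x80 (TCN).
 * demo_parse() pretends only `captured` of its bytes made it into the pcap. */
static const uint8_t SAMPLE_BPDU[4] = { 0x00, 0x00, 0x00, 0x80 };
static int demo_parse(size_t captured, struct stp_hdr *h)
{
    struct ndo ndo = { SAMPLE_BPDU + (captured > 4 ? 4 : captured) };
    return parse_stp_prefix(&ndo, SAMPLE_BPDU, h);
}
```

Calling demo_parse(4, &h) succeeds, while demo_parse(3, &h) reports truncation instead of reading the byte that is not there.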
Comment 2 Henri Salo 2017-07-08 18:27:20 EDT
Did you already report this to the upstream? From the manpage "To report a security issue please send an e-mail to security@tcpdump.org". This also affects latest SCM version (27634837cc57f864682b8a1d690f65faab005f0c Tue Feb 7 10:48:24 2017 -0800).
Comment 3 Henri Salo 2017-07-08 19:16:04 EDT
CVE-2017-11108 has been assigned for this issue.
Comment 4 owl337 2017-07-08 20:17:16 EDT
I have just sent security@tcpdump.org the related information about this vulnerability.
Comment 5 Henri Salo 2017-07-09 07:53:46 EDT
Then this case might be a duplicate. Tcpdump has been fuzzed by many people. The non-critical issues are not fixed very fast upstream, so different people are reporting the same cases. I'm not even sure if it is wise to request CVEs for tcpdump -ntr crashes if those issues can't be reproduced by analyzing network traffic. I asked MITRE for an opinion on this in January but didn't receive any comments.
Comment 6 owl337 2017-07-09 08:06:19 EDT
I have carefully analyzed this heap overflow, which is entirely different from the one I reported before, as follows.
https://bugzilla.redhat.com/show_bug.cgi?id=1464820
Comment 7 owl337 2017-07-09 08:23:30 EDT
I kindly advise that you fix these buffer overflow problems as soon as possible. In fact, it's hard to evaluate the whole attack surface only through a simple trigger mode like "-ntr".
Comment 10 anarcat 2017-07-20 10:35:56 EDT
This was reported as CVE-2017-11108 with MITRE and upstream as https://github.com/the-tcpdump-group/tcpdump/issues/616

I worked on a patch in https://github.com/the-tcpdump-group/tcpdump/pull/617 as well.
Comment 11 Martin Sehnoutka 2017-07-21 03:31:46 EDT
Hello anarcat,

thanks for your patch.
Comment 12 Denis Ovsienko 2017-07-23 16:20:20 EDT
tcpdump 4.9.1 addresses this specific problem. Deliverables are in the usual places except the GPG signature, which will be added later.
Comment 13 Denis Ovsienko 2017-07-25 16:45:29 EDT
The GPG signature is now in place.
