Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Heap overflow in dlt_en10mb_encode() #486

Closed
SegfaultMasters opened this issue Oct 3, 2018 · 2 comments
Closed

Heap overflow in dlt_en10mb_encode() #486

SegfaultMasters opened this issue Oct 3, 2018 · 2 comments
Assignees
@fklassen
Labels
bug

Comments

@SegfaultMasters
Copy link

SegfaultMasters commented Oct 3, 2018
edited
Loading

An heap overflow was triggered in function dlt_en10mb_encode() at file en10mb.c, due to inappropriate values in the function memmove(). The length (pktlen + ctx -> l2len) is larger than source value (packet + ctx->l2len) as the function failed to ensure the length of a packet is valid, causing segmentation fault.

Affected version:

4.3 branch

Command:

sudo tcpreplay-edit --cachefile=example.cache --intf1=ens33 --intf2=lo --enet-vlan=add --enet-vlan-tag=40 $POC

Debugging:

-----------------------------------------------------------------------------------------------------------------------------------------------[ code:i386 ]----
    0x8079355 <dlt_en10mb_encode+1548> mov    eax, DWORD PTR [eax+0x28]
    0x8079358 <dlt_en10mb_encode+1551> cmp    eax, DWORD PTR [ebp-0x44]
    0x807935b <dlt_en10mb_encode+1554> je     0x807938f <dlt_en10mb_encode+1606>
-> 0x807935d <dlt_en10mb_encode+1556> mov    eax, DWORD PTR [ebp+0x8]
    0x8079360 <dlt_en10mb_encode+1559> mov    eax, DWORD PTR [eax+0x28]
    0x8079363 <dlt_en10mb_encode+1562> mov    edx, DWORD PTR [ebp+0x10]
    0x8079366 <dlt_en10mb_encode+1565> sub    edx, eax
    0x8079368 <dlt_en10mb_encode+1567> mov    eax, edx
    0x807936a <dlt_en10mb_encode+1569> mov    ebx, eax
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


-------[ source:./plugins/dlt_en10mb/en10mb.c+488 ]----
    483          return TCPEDIT_ERROR;
    484      }
    485
    486      /* Make space for our new L2 header */
    487      if (newl2len != ctx->l2len)
                // ctx=0xbfffe6c0 -> [...] -> 0x00000001, packet=0xbfffe6c4 -> [...] -> 0xbfb32500, pktlen=0xbeL, newl2len=0x12L
-> 488           memmove(packet + newl2len, packet + ctx->l2len, pktlen - ctx->l2len);    // Buffer overflow
    489
    490      /* update the total packet length */
    491      pktlen += newl2len - ctx->l2len;
    492
    493      /* always set the src & dst address as the first 12 bytes */

-------[ source:./plugins/dlt_en10mb/en10mb.c+488 ]----

	
[#0] 0x807935d->Name: dlt_en10mb_encode(ctx=0xb4c01910, packet=0xb6001640 "", pktlen=0xbe, dir=TCPR_DIR_C2S)
[#1] 0x8075218->Name: tcpedit_dlt_encode(ctx=0xb4c01910, packet=0xb6001640 "", pktlen=0xbe, direction=TCPR_DIR_C2S)
[#2] 0x8074857->Name: tcpedit_dlt_process(ctx=0xb4c01910, packet=0xbfffe940, pktlen=0xbe, direction=TCPR_DIR_C2S)
[#3] 0x80655dd->Name: tcpedit_packet(tcpedit=0xb6402880, pkthdr=0xbfffe9c0, pktdata=0xbfffe940, direction=TCPR_DIR_C2S)
[#4] 0x805158b->Name: send_packets(ctx=0xb6403280, pcap=0xb4203000, idx=0x0)
[#5] 0x8063194->Name: replay_file(ctx=0xb6403280, idx=0x0)
[#6] 0x8061fb1->Name: tcpr_replay_index(ctx=0xb6403280)
[#7] 0x8060e81->Name: tcpreplay_replay(ctx=0xb6403280)
[#8] 0x80586eb->Name: main(argc=0x1, argv=0xbffff4d8)


//tcpedit.c:133
gef> p/d pktlen - ctx->l2len
$61 = 176
gef> p/d ctx->l2len
$62 = 14
gef> p/d newl2len
$63 = 18
gef> x packet
0xb6001640:     0

//tcpedit.c+133
gef> ptype pkthdr->caplen
type = unsigned int
gef> p/d pkthdr->caplen
$21 = 190

ASAN output

	=================================================================
==5237==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb600167e at pc 0xb7adbfc8 bp 0xbfffe628 sp 0xbfffe1fc
READ of size 76 at 0xb600167e thread T0
    #0 0xb7adbfc7 in __asan_memmove (/usr/lib/i386-linux-gnu/libasan.so.2+0x8afc7)
    #1 0xb7adc3df in __interceptor_memmove (/usr/lib/i386-linux-gnu/libasan.so.2+0x8b3df)
    #2 0x807938b in dlt_en10mb_encode plugins/dlt_en10mb/en10mb.c:488
    #3 0x8075217 in tcpedit_dlt_encode plugins/dlt_plugins.c:402
    #4 0x8074856 in tcpedit_dlt_process plugins/dlt_plugins.c:245
    #5 0x80655dc in tcpedit_packet /home/ace/ACE/tcpreplay/src/tcpedit/tcpedit.c:133
    #6 0x805158a in send_packets /home/ace/ACE/tcpreplay/src/send_packets.c:554
    #7 0x8063193 in replay_file /home/ace/ACE/tcpreplay/src/replay.c:188
    #8 0x8061fb0 in tcpr_replay_index /home/ace/ACE/tcpreplay/src/replay.c:61
    #9 0x8060e80 in tcpreplay_replay /home/ace/ACE/tcpreplay/src/tcpreplay_api.c:1135
    #10 0x80586ea in main /home/ace/ACE/tcpreplay/src/tcpreplay.c:139
    #11 0xb784c636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #12 0x804a985  (/usr/local/bin/tcpreplay-edit+0x804a985)

0xb600167e is located 0 bytes to the right of 62-byte region [0xb6001640,0xb600167e)
allocated by thread T0 here:
    #0 0xb7ae7dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0x808c354 in _our_safe_malloc /home/ace/ACE/tcpreplay/src/common/utils.c:50
    #2 0x805515d in get_next_packet /home/ace/ACE/tcpreplay/src/send_packets.c:1044
    #3 0x80506d1 in preload_pcap_file /home/ace/ACE/tcpreplay/src/send_packets.c:445
    #4 0x8058626 in main /home/ace/ACE/tcpreplay/src/tcpreplay.c:126
    #5 0xb784c636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memmove
Shadow bytes around the buggy address:
  0x36c00270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36c00280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36c00290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36c002a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36c002b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36c002c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00[06]
  0x36c002d0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x36c002e0: 00 00 00 00 00 00 04 fa fa fa fa fa 00 00 00 00
  0x36c002f0: 00 00 06 fa fa fa fa fa 00 00 00 00 00 00 04 fa
  0x36c00300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36c00310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==5237==ABORTING
[Inferior 1 (process 5237) exited with code 01]

Please check if you are able to reproduce the issue via the Reproducer file
@abergmann
Copy link

CVE-2018-17974 was assigned to this issue.

@fklassen fklassen self-assigned this Oct 8, 2018
@fklassen fklassen added the bug label Oct 8, 2018
fklassen added a commit that referenced this issue Oct 18, 2018
@fklassen
Bug #486 CVE-2018-17974 realloc memory if packet size increases
9062a91 
Also added check for packet size > cap len, although this may
be never be hit since #484
fklassen added a commit that referenced this issue Oct 19, 2018
@fklassen
Bug #486 Enforce max snaplen rather than doing realloc
af03987 
* increase MAX_SNAPLEN from 65535 to 262144
* increase MAXPACKET from 65549 to 262158
* exit on buffer overflow for adding VLAN tag (as opposed to realloc)
fklassen added a commit that referenced this issue Oct 19, 2018
@fklassen
Merge branch 'Enhancement_#493_codacy_fixes' into coverity_scan
a2cd56a 
* Enhancement_#493_codacy_fixes: (26 commits)
  Enhancement #493 - fixes for Codacy identified issues
  Bug #486 Enforce max snaplen rather than doing realloc
  Bug #486 CVE-2018-17974 realloc memory if packet size increases
  Bug #484 CVE-2018-17582 Check for corrupt PCAP files
  4.3 - revert travis updates from merge
  Remove dead code
  resolve possible null pointer dereference
  travis-ci: add autogen package
  Bug #461 build warnings (#462)
  #412 fix gcc 6.3 compiler warning
  #421 fix ms to ns conversion
  Bug #423 remove commented code
  Bug #423 Remove limit for tcpprep -S
  Bug #398 Rewrite of tcpdump.c (#457)
  Bug #402 memset dlt radiotap get 80211 (#454)
  #404 fix check_list return values (#453)
  #406 fix zero-length IP headers
  #416 apply STDIN restore to all programs
  #416 fix compile issue introduced by downstream PR
  #416 update CHANGELOG [ci skip]
  ...
fklassen added a commit that referenced this issue Oct 19, 2018
@fklassen
Bug #486 CVE-2018-17974 realloc memory if packet size increases (#492)
6d2fd96 
* Bug #486 CVE-2018-17974 realloc memory if packet size increases

Also added check for packet size > cap len, although this may
be never be hit since #484

* Bug #486 Enforce max snaplen rather than doing realloc

* increase MAX_SNAPLEN from 65535 to 262144
* increase MAXPACKET from 65549 to 262158
* exit on buffer overflow for adding VLAN tag (as opposed to realloc)
@fklassen
Copy link
Member

fixed in #492

fklassen added a commit that referenced this issue Oct 19, 2018
@fklassen
Merge branch '4.3' into Enhancement_#493_codacy_fixes
dcb6c0b 
* 4.3:
  Bug #486 CVE-2018-17974 realloc memory if packet size increases (#492)
fklassen added a commit that referenced this issue Oct 23, 2018
@fklassen
Merge branch '4.3' into Bug_#418_2nd_packet_no_delay
5a15050 
* 4.3: (22 commits)
  Bug #418 don't ignore 2nd packet timing
  Bug #411 allow TAP on all platforms
  Bug #174 ensure --with-testnic does not affect replay
  Bug #406 change packet length to network order
  Bug #413 fix manpage typos
  Bug #485 Heap overflow fixed in #484
  Enhancement_#482 update CHANGELOG/CREDITS
  Enhancement_#482 test Makefile merge error fixup
  Enhancement_#482 test Makefile cleanup
  Bug #489 free after memcpy
  Bug #488 heap overflow csum replace4 (#496)
  Bug #486 CVE-2018-17974 realloc memory if packet size increases (#492)
  Enhancement #493 - fixes for Codacy identified issues
  Bug #486 Enforce max snaplen rather than doing realloc
  Bug #486 CVE-2018-17974 realloc memory if packet size increases
  Bug #484 CVE-2018-17582 Check for corrupt PCAP files
  4.3 - revert travis updates from merge
  Simplify plugin Makefiles
  allow out-of-tree build
  Remove dead code
  ...
fklassen added a commit that referenced this issue Oct 23, 2018
@fklassen
Merge branch '4.3' into Enhancement_#425_edit_tcp_seq-ack_numbers_sta…
e143d00 
…ging

* 4.3: (36 commits)
  Enhancement #506 disable C99 and fix warnings (#507)
  Bug #418 don't ignore 2nd packet timing
  Bug #411 allow TAP on all platforms
  Bug #174 ensure --with-testnic does not affect replay
  Bug #406 change packet length to network order
  Bug #413 fix manpage typos
  Bug #485 Heap overflow fixed in #484
  Enhancement_#482 update CHANGELOG/CREDITS
  Enhancement_#482 test Makefile merge error fixup
  Enhancement_#482 test Makefile cleanup
  Bug #489 free after memcpy
  Bug #488 heap overflow csum replace4 (#496)
  Bug #486 CVE-2018-17974 realloc memory if packet size increases (#492)
  Enhancement #493 - fixes for Codacy identified issues
  Bug #486 Enforce max snaplen rather than doing realloc
  Bug #486 CVE-2018-17974 realloc memory if packet size increases
  Bug #484 CVE-2018-17582 Check for corrupt PCAP files
  4.3 - revert travis updates from merge
  Simplify plugin Makefiles
  allow out-of-tree build
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fklassen fklassen

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@fklassen @abergmann @SegfaultMasters