NULL pointer dereference get_ipv6_l4proto() #536

Closed
SegfaultMasters opened this issue Feb 7, 2019 · 2 comments
Comments

@SegfaultMasters

Description - we observed a NULL pointer dereference occurred in function get_ipv6_l4proto() located in get.c. The same can be triggered by sending a crafted pcap file to the tcpreplay-edit binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.

Command - tcpreplay-edit -r 80:84 -s 20 -b -C -m 1500 -P --oneatatime -i $INTERFACE $POC

POC - REPRODUCER

Debug -

GDB -

Program received signal SIGSEGV, Segmentation fault.
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]────
$rax : 0x0 
$rbx : 0x5555557aac20 → 0x00005555557b56a0 → 0x0000337330706e65 ("enp0s3"?)
$rcx : 0xed 
$rdx : 0x8 
$rsp : 0x7fffffffdad0 → 0x000000c5ffffdb20
$rbp : 0x7fffffffdb00 → 0x00007fffffffdb70 → 0x00007fffffffdbb0 → 0x00007fffffffdc50 → 0x00007fffffffdda0 → 0x00007fffffffdef0 → 0x00007fffffffdf20 → 0x00007fffffffdfb0
$rsi : 0xc5 
$rdi : 0x7ffff7fcd6ae → 0x7ffff7b8f5600000
$rip : 0x55555557694c → <get_ipv6_l4proto+194> movzx eax, BYTE PTR [rax]
$r8 : 0x2f 
$r9 : 0x7ffff7e4d010 → 0x0000000000000000
$r10 : 0x5555557b9700 → 0x0000000000000000
$r11 : 0x7ffff78d6000 → <__fread_chk+0> push r13
$r12 : 0x5555555599e0 → <_start+0> xor ebp, ebp
$r13 : 0x7fffffffe4d0 → 0x000000000000000e
$r14 : 0x0 
$r15 : 0x0 
$eflags: [zero CARRY PARITY adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$fs: 0x0000 $ds: 0x0000 $ss: 0x002b $es: 0x0000 $gs: 0x0000 $cs: 0x0033 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]────
0x00007fffffffdad0│+0x00: 0x000000c5ffffdb20 ← $rsp
0x00007fffffffdad8│+0x08: 0x00007ffff7e4d01e → 0x80000000ed000062 ("b"?)
0x00007fffffffdae0│+0x10: 0x00000a555c5ace1f
0x00007fffffffdae8│+0x18: 0x00fdebbbffffdb70
0x00007fffffffdaf0│+0x20: 0x00007ffff7fcd6ae → 0x7ffff7b8f5600000
0x00007fffffffdaf8│+0x28: 0x0000000000000000
0x00007fffffffdb00│+0x30: 0x00007fffffffdb70 → 0x00007fffffffdbb0 → 0x00007fffffffdc50 → 0x00007fffffffdda0 → 0x00007fffffffdef0 → 0x00007fffffffdf20 → 0x00007fffffffdfb0 ← $rbp
0x00007fffffffdb08│+0x38: 0x0000555555569599 → <do_checksum+201> movzx eax, al
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]────
0x55555557693f <get_ipv6_l4proto+181> call 0x555555576798 <get_ipv6_next>
0x555555576944 <get_ipv6_l4proto+186> mov QWORD PTR [rbp-0x8], rax
0x555555576948 <get_ipv6_l4proto+190> mov rax, QWORD PTR [rbp-0x8]
→ 0x55555557694c <get_ipv6_l4proto+194> movzx eax, BYTE PTR [rax]
0x55555557694f <get_ipv6_l4proto+197> mov BYTE PTR [rbp-0x11], al
0x555555576952 <get_ipv6_l4proto+200> mov rax, QWORD PTR [rbp-0x8]
0x555555576956 <get_ipv6_l4proto+204> mov QWORD PTR [rbp-0x10], rax
0x55555557695a <get_ipv6_l4proto+208> jmp 0x555555576962 <get_ipv6_l4proto+216>
0x55555557695c <get_ipv6_l4proto+210> movzx eax, BYTE PTR [rbp-0x11]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ source:get.c+539 ]────
534 case TCPR_IPV6_NH_ROUTING:
535 case TCPR_IPV6_NH_DESTOPTS:
536 case TCPR_IPV6_NH_HBH:
537 dbgx(3, "Jumping to next extension header (0x%hhx)", proto);
538 exthdr = get_ipv6_next((struct tcpr_ipv6_ext_hdr_base *)ptr, len);
// exthdr=0x00007fffffffdaf8 → 0x0000000000000000
→ 539 proto = exthdr->ip_nh;
540 ptr = (u_char *)exthdr;
541 break;
542 
543 /* should be TCP, UDP or the like */
544 default:
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "tcpreplay-edit", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x55555557694c → Name: get_ipv6_l4proto(ip6_hdr=0x7ffff7e4d01e, len=0xc5)
[#1] 0x555555569599 → Name: do_checksum(tcpedit=0x5555557b86c0, data=0x7ffff7e4d01e "b", proto=0x0, len=0xed)
[#2] 0x555555565fbc → Name: fix_ipv4_checksums(tcpedit=0x5555557b86c0, pkthdr=0x7fffffffdd30, ip_hdr=0x7ffff7e4d01e)
[#3] 0x555555564991 → Name: tcpedit_packet(tcpedit=0x5555557b86c0, pkthdr=0x7fffffffdca0, pktdata=0x7fffffffdc90, direction=TCPR_DIR_C2S)
[#4] 0x55555555c589 → Name: send_packets(ctx=0x5555557aa260, pcap=0x5555557ba860, idx=0x0)
[#5] 0x555555563169 → Name: replay_file(ctx=0x5555557aa260, idx=0x0)
[#6] 0x555555562a1b → Name: tcpr_replay_index(ctx=0x5555557aa260)
[#7] 0x555555562341 → Name: tcpreplay_replay(ctx=0x5555557aa260)
[#8] 0x55555555f112 → Name: main(argc=0x1, argv=0x7fffffffe540)


gef➤ p exthdr
Cannot access memory at address 0x0
gef➤ p exthdr->ip_nh 
Cannot access memory at address 0x0
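As an added example (not tcpreplay's own code), the following C shows a bounds-checked IPv6 extension-header walk with the NULL check that get.c line 539 lacked, so a truncated chain is reported to the caller instead of dereferenced. The ext_hdr struct, next_ext_hdr() and ipv6_l4proto() are hypothetical stand-ins for tcpr_ipv6_ext_hdr_base, get_ipv6_next() and get_ipv6_l4proto(); the sample packets are constructed, not the issue's POC.

```c
#include <stddef.h>
#include <stdint.h>
/* Added example, not tcpreplay code: bounds-checked IPv6 extension-header walk
 * with the NULL check get.c:539 lacked. RFC 8200 layout; names hypothetical. */
#define IPV6_HDR_LEN 40
#define NH_HBH       0
#define NH_TCP       6
#define NH_ROUTING   43
#define NH_DESTOPTS  60

struct ext_hdr {
    uint8_t nh;   /* type of the header that follows this one */
    uint8_t len;  /* length in 8-octet units, excluding the first 8 */
};

/* Header after *cur, or NULL when cur's declared length runs past end: this is
 * the NULL that the crashing code dereferenced without checking. */
static const struct ext_hdr *next_ext_hdr(const struct ext_hdr *cur, const uint8_t *end)
{
    size_t hdrlen = ((size_t)cur->len + 1) * 8;
    if ((size_t)(end - (const uint8_t *)cur) < hdrlen) return NULL;
    return (const struct ext_hdr *)((const uint8_t *)cur + hdrlen);
}

/* Upper-layer protocol of an IPv6 packet, or -1 if the chain is truncated
 * (the project's fix returns the last header it could read instead). */
int ipv6_l4proto(const uint8_t *pkt, size_t len)
{
    const uint8_t *end = pkt + len;
    const struct ext_hdr *cur; uint8_t proto;
    if (len < IPV6_HDR_LEN) return -1;
    proto = pkt[6];                                  /* fixed header's next-header field */
    cur = (const struct ext_hdr *)(pkt + IPV6_HDR_LEN);
    for (;;) {
        switch (proto) {
        case NH_HBH: case NH_ROUTING: case NH_DESTOPTS:
            if (cur == NULL || (size_t)(end - (const uint8_t *)cur) < sizeof *cur)
                return -1;                           /* this header's 2-byte base must be readable */
            proto = cur->nh;
            cur = next_ext_hdr(cur, end);            /* may be NULL; checked next round */
            break;
        default:
            return proto;                            /* TCP, UDP, ICMPv6, ... */
        }
    }
}
/* Constructed samples (not the issue's POC): HBH->DESTOPTS->TCP, and an HBH claiming 48 bytes in 48. */
static const uint8_t pkt_ok[56]    = { [6] = NH_HBH, [40] = NH_DESTOPTS, [48] = NH_TCP };
static const uint8_t pkt_trunc[48] = { [6] = NH_HBH, [40] = NH_ROUTING, [41] = 5 };
```

Running ipv6_l4proto() over pkt_trunc returns -1 where the original would have read through a NULL exthdr.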

@fklassen fklassen added the bug label Feb 7, 2019
@fklassen fklassen self-assigned this Feb 7, 2019
@carnil

carnil commented Feb 17, 2019

CVE-2019-8377 was assigned for this issue.

GabrielGanne added a commit to GabrielGanne/tcpreplay that referenced this issue Mar 6, 2019
Both get_ipv6_next() and get_layer4_v6() return NULL on malformed
packets. Make get_layer4_v6() forward the NULL return value of
get_ipv6_next() on malformed packets.

This should fix issue appneta#536
GabrielGanne added a commit to GabrielGanne/tcpreplay that referenced this issue Mar 6, 2019
get_ipv6_next() returns NULL on malformed packets. If that happens
return the last header that could be read.

This should fix issue appneta#536
@fklassen
Member

Fixed in PR #544 & #546

fklassen added a commit that referenced this issue Mar 12, 2019
GabrielGanne added a commit to GabrielGanne/tcpreplay that referenced this issue May 2, 2019
GabrielGanne pushed a commit to GabrielGanne/tcpreplay that referenced this issue May 2, 2019