Document Title:
===============
CVE-2017-6429: Buffer overflow vulnerability in Tcpreplay tcpcapinfo utility
Vendor:
=======
Appneta (https://www.appneta.com/)
Product and Versions Affected:
==============================
Tcpreplay 4.1.2 and possibly prior.
Fixed Version:
==============
4.2.0 Beta 1
Product Description:
====================
Tcpreplay is a suite of GPLv3 licensed utilities for UNIX (and Win32 under Cygwin) operating systems for editing and replaying network traffic which was previously captured by tools like tcpdump and Ethereal/Wireshark.
Vulnerability Type:
===================
Buffer Overflow
CVE Reference:
==============
CVE-2017-6429
Vulnerability Details:
======================
Tcpcapinfo utility of Tcpreplay have a buffer overflow vulnerability associated with parsing a crafted pcap file. This occurs in the src/tcpcapinfo.c file when capture has a packet that is too large to handle.
GDB Dump:
=========
---------Backtrace:-----------
/lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x7ffff7a8838f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7ffff7b1fc9c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109b60)[0x7ffff7b1eb60]
/lib/x86_64-linux-gnu/libc.so.6(+0x109fed)[0x7ffff7b1efed]
/home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo[0x40228c]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7ffff7a36ec5]
/home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo[0x4028dc]
======= Memory map: ========
00400000-0041b000 r-xp 00000000 08:01 453864 /home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo
0061a000-0061b000 r--p 0001a000 08:01 453864 /home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo
0061b000-0061c000 rw-p 0001b000 08:01 453864 /home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo
0061c000-0063e000 rw-p 00000000 00:00 0 [heap]
7ffff77fe000-7ffff7814000 r-xp 00000000 08:01 660352 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7814000-7ffff7a13000 ---p 00016000 08:01 660352 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7a13000-7ffff7a14000 r--p 00015000 08:01 660352 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7a14000-7ffff7a15000 rw-p 00016000 08:01 660352 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7a15000-7ffff7bd0000 r-xp 00000000 08:01 660238 /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7bd0000-7ffff7dcf000 ---p 001bb000 08:01 660238 /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7dcf000-7ffff7dd3000 r--p 001ba000 08:01 660238 /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7dd3000-7ffff7dd5000 rw-p 001be000 08:01 660238 /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7dd5000-7ffff7dda000 rw-p 00000000 00:00 0
7ffff7dda000-7ffff7dfd000 r-xp 00000000 08:01 660214 /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7fd5000-7ffff7fd8000 rw-p 00000000 00:00 0
7ffff7ff4000-7ffff7ff8000 rw-p 00000000 00:00 0
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0 [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00022000 08:01 660214 /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7ffd000-7ffff7ffe000 rw-p 00023000 08:01 660214 /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
1 1260 134217964 575b56ff.0
Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x70 ('p')
RCX: 0xffffffffffffffff
RDX: 0x6
RSI: 0xcc0b
RDI: 0xcc0b
RBP: 0x7fffffffb500 --> 0x7ffff7b944c2 ("buffer overflow detected")
RSP: 0x7fffffffb1e8 --> 0x7ffff7a4f0d8 (<__GI_abort+328>: mov rdx,QWORD PTR fs:0x10)
RIP: 0x7ffff7a4bcc9 (<__GI_raise+57>: cmp rax,0xfffffffffffff000)
R8 : 0x7ffff7b8bdc0 ("0123456789abcdefghijklmnopqrstuvwxyz")
R9 : 0x61bd80 --> 0x7ffff7dd41c0 --> 0xfbad2086
R10: 0x8
R11: 0x246
R12: 0x7fffffffb370 --> 0x1
R13: 0x5
R14: 0x70 ('p')
R15: 0x5
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff7a4bcbf <__GI_raise+47>: movsxd rdi,ecx
0x7ffff7a4bcc2 <__GI_raise+50>: mov eax,0xea
0x7ffff7a4bcc7 <__GI_raise+55>: syscall
=> 0x7ffff7a4bcc9 <__GI_raise+57>: cmp rax,0xfffffffffffff000
0x7ffff7a4bccf <__GI_raise+63>: ja 0x7ffff7a4bcea <__GI_raise+90>
0x7ffff7a4bcd1 <__GI_raise+65>: repz ret
0x7ffff7a4bcd3 <__GI_raise+67>: nop DWORD PTR [rax+rax*1+0x0]
0x7ffff7a4bcd8 <__GI_raise+72>: test eax,eax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffb1e8 --> 0x7ffff7a4f0d8 (<__GI_abort+328>: mov rdx,QWORD PTR fs:0x10)
0008| 0x7fffffffb1f0 --> 0x20 (' ')
0016| 0x7fffffffb1f8 --> 0x0
0024| 0x7fffffffb200 --> 0x0
0032| 0x7fffffffb208 --> 0x0
0040| 0x7fffffffb210 --> 0x0
0048| 0x7fffffffb218 --> 0x0
0056| 0x7fffffffb220 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
Patch:
======
src/tcpcapinfo.c
@@ -281,6 +281,15 @@ main(int argc, char *argv[])
caplen = pcap_ph.caplen;
}
+ if (caplentoobig) {
+ printf("\n\nCapture file appears to be damaged or corrupt.\n"
+ "Contains packet of size %u, bigger than snap length %u\n",
+ caplen, pcap_fh.snaplen);
+
+ close(fd);
+ break;
+ }
+
/* check to make sure timestamps don't go backwards */
if (last_sec > 0 && last_usec > 0) {
if ((pcap_ph.ts.tv_sec == last_sec) ?
@@ -306,7 +315,7 @@ main(int argc, char *argv[])
}
close(fd);
- continue;
+ break;
}
/* print the frame checksum */
References:
===========
https://github.com/appneta/tcpreplay/issues/278
https://github.com/appneta/tcpreplay/releases/tag/v4.2.0-beta1
Vulnerability Disclosure Timeline:
==================================
2017-02-08: Bug Report Submission & Coordination
2017-03-05: Public Disclosure
Credit:
=======
AromalUllas