Headline
CVE-2019-8377: CVE-2019-8377: NULL POINTER DEREFERENCE Vulnerability in function get_ipv6_l4proto() - tcpreplay-4.3.1 - Loginsoft Research
An issue was discovered in Tcpreplay 4.3.1. A NULL pointer dereference occurred in the function get_ipv6_l4proto() located at get.c. This can be triggered by sending a crafted pcap file to the tcpreplay-edit binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.
NULL POINTER DEREFERENCE Vulnerability in function get_ipv6_l4proto() – tcpreplay-4.3.1
Loginsoft-2018-1094
February 13, 2019
CVE Number
CVE-2019-8377
CWE
CWE-476: NULL Pointer Dereference
Product Details
tcpreplay is a tool for replaying network traffic from files saved with tcpdump or other tools which write pcap files. Tcpreplay is to resend all packets from the input files at the speed at which they were recorded, or a specified data rate, up to as fast as the hardware is capable.
URL: https://github.com/appneta/tcpreplay.git
Vulnerable Versions
4.3.1
Vulnerability Details
We observed a NULL pointer dereference occurred in function get_ipv6_l4proto() located at get.c .The same be triggered by sending a crafted pcap file to the tcpreplay-edit binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.
SYNOPSIS
When we are parsing crafted file, we observed in the fix_ipv4_checksums () where this code re-calcs the IP and Layer 4 checksums the Layer 4 header is contiguous in memory after *ip_hdr we’re actually writing to the layer 4 header via the ip_hdr ptr, it consists of parameters, ret2 = do_checksum(tcpedit, (u_char *) ip_hdr, IPPROTO_IP, ip_len) here it calls to another function do_checksum (), now at line proto = get_ipv6_l4proto(ipv6, len); here it invokes to another function get_ipv6_l4proto() where it returns the protocol of the actual layer4 header by processing through the extension headers, the line proto = exthdr->ip_nh; where it is unsigned character pointer, pointing to a NULL and it triggers a NULL pointer dereference.
Vulnerable code
case TCPR_IPV6_NH_ROUTING: case TCPR_IPV6_NH_DESTOPTS: case TCPR_IPV6_NH_HBH: dbgx(3, "Jumping to next extension header (0x%hhx)", proto); exthdr = get_ipv6_next ((struct tcpr_ipv6_ext_hdr_base *)ptr, len); proto = exthdr->ip_nh; ptr = (u_char *)exthdr; break;
Analysis
GDB - Program received signal SIGSEGV, Segmentation fault. [ Legend: Modified register | Code | Heap | Stack | String ] ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]──── $rax : 0x0 $rbx : 0x5555557aac20 → 0x00005555557b56a0 → 0x0000337330706e65 ("enp0s3"?) $rcx : 0xed $rdx : 0x8 $rsp : 0x7fffffffdad0 → 0x000000c5ffffdb20 $rbp : 0x7fffffffdb00 → 0x00007fffffffdb70 → 0x00007fffffffdbb0 → 0x00007fffffffdc50 → 0x00007fffffffdda0 → 0x00007fffffffdef0 → 0x00007fffffffdf20 → 0x00007fffffffdfb0 $rsi : 0xc5 $rdi : 0x7ffff7fcd6ae → 0x7ffff7b8f5600000 $rip : 0x55555557694c → movzx eax, BYTE PTR [rax] $r8 : 0x2f $r9 : 0x7ffff7e4d010 → 0x0000000000000000 $r10 : 0x5555557b9700 → 0x0000000000000000 $r11 : 0x7ffff78d6000 → push r13 $r12 : 0x5555555599e0 → xor ebp, ebp $r13 : 0x7fffffffe4d0 → 0x000000000000000e $r14 : 0x0 $r15 : 0x0 $eflags: [zero CARRY PARITY adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification] $fs: 0x0000 $ds: 0x0000 $ss: 0x002b $es: 0x0000 $gs: 0x0000 $cs: 0x0033 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]──── 0x00007fffffffdad0│+0x00: 0x000000c5ffffdb20 ← $rsp 0x00007fffffffdad8│+0x08: 0x00007ffff7e4d01e → 0x80000000ed000062 ("b"?) 0x00007fffffffdae0│+0x10: 0x00000a555c5ace1f 0x00007fffffffdae8│+0x18: 0x00fdebbbffffdb70 0x00007fffffffdaf0│+0x20: 0x00007ffff7fcd6ae → 0x7ffff7b8f5600000 0x00007fffffffdaf8│+0x28: 0x0000000000000000 0x00007fffffffdb00│+0x30: 0x00007fffffffdb70 → 0x00007fffffffdbb0 → 0x00007fffffffdc50 → 0x00007fffffffdda0 → 0x00007fffffffdef0 → 0x00007fffffffdf20 → 0x00007fffffffdfb0 ← $rbp 0x00007fffffffdb08│+0x38: 0x0000555555569599 → movzx eax, al ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]──── 0x55555557693f call 0x555555576798 0x555555576944 mov QWORD PTR [rbp-0x8], rax 0x555555576948 mov rax, QWORD PTR [rbp-0x8] → 0x55555557694c movzx eax, BYTE PTR [rax] 0x55555557694f mov BYTE PTR [rbp-0x11], al 0x555555576952 mov rax, QWORD PTR [rbp-0x8] 0x555555576956 mov QWORD PTR [rbp-0x10], rax 0x55555557695a jmp 0x555555576962 0x55555557695c movzx eax, BYTE PTR [rbp-0x11] ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ source:get.c+539 ]──── 534 case TCPR_IPV6_NH_ROUTING: 535 case TCPR_IPV6_NH_DESTOPTS: 536 case TCPR_IPV6_NH_HBH: 537 dbgx(3, "Jumping to next extension header (0x%hhx)", proto); 538 exthdr = get_ipv6_next((struct tcpr_ipv6_ext_hdr_base *)ptr, len); // exthdr=0x00007fffffffdaf8 → 0x0000000000000000 → 539 proto = exthdr->ip_nh; 540 ptr = (u_char *)exthdr; 541 break; 542 543 /* should be TCP, UDP or the like */ 544 default: ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]──── [#0] Id 1, Name: "tcpreplay-edit", stopped, reason: SIGSEGV ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]──── [#0] 0x55555557694c → Name: get_ipv6_l4proto(ip6_hdr=0x7ffff7e4d01e, len=0xc5) [#1] 0x555555569599 → Name: do_checksum(tcpedit=0x5555557b86c0, data=0x7ffff7e4d01e "b", proto=0x0, len=0xed) [#2] 0x555555565fbc → Name: fix_ipv4_checksums(tcpedit=0x5555557b86c0, pkthdr=0x7fffffffdd30, ip_hdr=0x7ffff7e4d01e) [#3] 0x555555564991 → Name: tcpedit_packet(tcpedit=0x5555557b86c0, pkthdr=0x7fffffffdca0, pktdata=0x7fffffffdc90, direction=TCPR_DIR_C2S) [#4] 0x55555555c589 → Name: send_packets(ctx=0x5555557aa260, pcap=0x5555557ba860, idx=0x0) [#5] 0x555555563169 → Name: replay_file(ctx=0x5555557aa260, idx=0x0) [#6] 0x555555562a1b → Name: tcpr_replay_index(ctx=0x5555557aa260) [#7] 0x555555562341 → Name: tcpreplay_replay(ctx=0x5555557aa260) [#8] 0x55555555f112 → Name: main(argc=0x1, argv=0x7fffffffe540)
gef➤ p exthdr Cannot access memory at address 0x0
Tested environment
64-bit ubuntu 16.04 LTS
Proof of Concept
tcpreplay-edit -r 80:84 -s 20 -b -C -m 1500 -P --oneatatime -i $INTERFACE $POC
Timeline
Vendor Disclosure: 07-02-2019
Public Disclosure: 13-02-2019
Credit
Discovered by ACE Team – Loginsoft