CVE-2018-13112: heap-buffer-overflow in /src/common/get.c:174 function get_l2len · Issue #477 · appneta/tcpreplay

get_l2len in common/get.c in Tcpreplay 4.3.0 beta1 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via crafted packets, as demonstrated by tcpprep.


@Edward-L

heap-buffer-overflow in /src/common/get.c:174 function get_l2len

command:

/tcpprep --auto=bridge --pcap=poc --cachefile=/dev/null

asan report:

 AddressSanitizer: heap-buffer-overflow in /src/common/get.c:174 get_l2len
=================================================================
==68006==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000effc at pc 0x4174d8 bp 0x7ffffffede30 sp 0x7ffffffede28
READ of size 2 at 0x60200000effc thread T0
    #0 0x4174d7 in get_l2len /opt/lxf/tcpreplay/tcpreplay-master/src/common/get.c:174
    #1 0x4176b4 in get_ipv4 /opt/lxf/tcpreplay/tcpreplay-master/src/common/get.c:229
    #2 0x405fe5 in process_raw_packets /opt/lxf/tcpreplay/tcpreplay-master/src/tcpprep.c:368
    #3 0x405152 in main /opt/lxf/tcpreplay/tcpreplay-master/src/tcpprep.c:146
    #4 0x7ffff66faf44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #5 0x4026c8 (/opt/lxf/tcpreplay/tcpreplay-master/src/tcpprep_asan+0x4026c8)

0x60200000effc is located 8 bytes to the right of 4-byte region [0x60200000eff0,0x60200000eff4)
allocated by thread T0 here:
    #0 0x7ffff6f59862 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54862)
    #1 0x7ffff6ce270c in pcap_check_header sf-pcap.c:401

SUMMARY: AddressSanitizer: heap-buffer-overflow /opt/lxf/tcpreplay/tcpreplay-master/src/common/get.c:174 get_l2len
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 04[fa]
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==68006==ABORTING

poc

@fklassen

What version is this? What OS? Please send the output of tcpprep -V.

@fklassen

Received the following which suggests the issue is in 4.3 beta1:

Source: tcpreplay
Version: 4.2.6-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/appneta/tcpreplay/issues/477

Hi,

The following vulnerability was published for tcpreplay.

CVE-2018-13112[0]:
| get_l2len in common/get.c in Tcpreplay 4.3.0 beta 1 allows remote
| attackers to cause a denial of service (heap-based buffer over-read and
| application crash) via crafted packets, as demonstrated by tcpprep.

It's verifiable as well with the upstream attached poc and an ASAN
build of tcpreplay.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-13112
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13112
[1] https://github.com/appneta/tcpreplay/issues/477

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

@Edward-L

tcpprep -V

tcpprep version: 4.2.6 (build git:)
Copyright 2013-2017 by Fred Klassen <tcpreplay at appneta dot com> - AppNeta
Copyright 2000-2012 by Aaron Turner <aturner at synfin dot net>
The entire Tcpreplay Suite is licensed under the GPLv3
Cache file supported: 04
Not compiled with libdnet.
Compiled against libpcap: 1.8.1
64 bit packet counters: enabled
Verbose printing via tcpdump: enabled

OS: Ubuntu 14.04
source code: commit 230d7aa

@mkubecek

This is similar to #484. In this case, the declared captured length is huge (837240390) but snaplen is only 4, so libpcap truncates the packets to 4 bytes and sets pkthdr->caplen accordingly. The problem is get_l2len() not checking that there is enough data for an Ethernet header.

AFAICS this has been fixed in branch 4.3 by commit 0253c47 (but the fix is missing in master branch). This commit is already in v4.3.0-beta1 so the CVE text is probably wrong unless they mean a different bug.
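As an added illustration (not tcpreplay's code), the check described above for the DLT_EN10MB case: a hypothetical l2len_en10mb() that refuses to read the ethertype at offset 12 unless caplen covers the 14-byte Ethernet header, and also guards the 18-byte 802.1Q case. The 4-byte constructed buffer stands in for the PoC packet after libpcap truncates it to snaplen 4.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical re-implementation of the DLT_EN10MB branch of get_l2len(),
 * with the caplen check the report says was missing. Not tcpreplay's code. */
#define ETH_HDR_LEN     14      /* dst(6) + src(6) + ethertype(2) */
#define VLAN_HDR_LEN    18      /* Ethernet header plus one 802.1Q tag */
#define ETHERTYPE_VLAN  0x8100

/* Returns the layer-2 header length, or -1 when the captured bytes
 * (pkthdr->caplen in libpcap terms) cannot hold that header. */
int l2len_en10mb(const uint8_t *pkt, uint32_t caplen)
{
    uint16_t ethertype;

    if (pkt == NULL || caplen < ETH_HDR_LEN)
        return -1;              /* short capture: offset 12 is outside the buffer */

    /* The ethertype sits at byte offset 12; the ASan report is exactly this
     * 2-byte read landing 8 bytes past a 4-byte allocation. */
    ethertype = (uint16_t)((pkt[12] << 8) | pkt[13]);

    if (ethertype == ETHERTYPE_VLAN) {
        if (caplen < VLAN_HDR_LEN)
            return -1;          /* tag present but cut off by snaplen */
        return VLAN_HDR_LEN;
    }
    return ETH_HDR_LEN;
}

int main(void)
{
    /* Constructed stand-in for the PoC frame truncated to snaplen 4. */
    uint8_t truncated[4] = { 0x00, 0x11, 0x22, 0x33 };
    /* Constructed full Ethernet header carrying IPv4 (ethertype 0x0800). */
    uint8_t ipv4[ETH_HDR_LEN] = { [12] = 0x08, [13] = 0x00 };

    printf("caplen=4  -> %d\n", l2len_en10mb(truncated, sizeof truncated));
    printf("caplen=14 -> %d\n", l2len_en10mb(ipv4, sizeof ipv4));
    return 0;
}
```
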

@fklassen

Duplicate of #408. Fixed in version 4.3.


Oct 18, 2018
