Headline
CVE-2023-31981: [bug] sngrep stack buffer overflow · Issue #430 · irontec/sngrep
Sngrep v1.6.0 was discovered to contain a stack buffer overflow via the function packet_set_payload at /src/packet.c.
How to trigger
Compile the program with AddressSanitizer
Run command $ ./sngrep -N -R -I $PoC
Details
ASAN report
$./sngrep -N -R -I $PoC
Dialog count: 0=================================================================
==974123==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fda5fffe9a0 at pc 0x00000049b787 bp 0x7fda5fff98d0 sp 0x7fda5fff9098
READ of size 57344 at 0x7fda5fffe9a0 thread T1
#0 0x49b786 in __asan_memcpy (/home/root/randomFuzz/sngrep/sngrep/sngrep_N_R_I/sngrep+0x49b786)
#1 0x4dc7f1 in packet_set_payload /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/packet.c:147:9
#2 0x4d1697 in parse_packet /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:430:9
#3 0x7fda61bad466 (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x23466)
#4 0x7fda61b9bf67 in pcap_loop (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x11f67)
#5 0x4cf5c9 in capture_thread /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:1042:5
#6 0x7fda61b6d608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
#7 0x7fda61918132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Address 0x7fda5fffe9a0 is located in stack of thread T1 at offset 20512 in frame
#0 0x4d067f in parse_packet /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:321
This frame has 3 object(s):
[32, 20512) 'data' (line 333)
[20768, 20772) 'size_capture' (line 337) <== Memory access at offset 20512 partially underflows this variable
[20784, 20788) 'size_payload' (line 339) <== Memory access at offset 20512 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
Thread T1 created by T0 here:
#0 0x486a8c in pthread_create (/home/root/randomFuzz/sngrep/sngrep/sngrep_N_R_I/sngrep+0x486a8c)
#1 0x4d712c in capture_launch_thread /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/capture.c:1027:13
#2 0x4efb9e in main /home/root/FuzzDateset/sngrep/sngrep-1.6.0/src/main.c:433:9
#3 0x7fda6181d082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/root/randomFuzz/sngrep/sngrep/sngrep_N_R_I/sngrep+0x49b786) in __asan_memcpy
Shadow bytes around the buggy address:
0x0ffbcbff7ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffbcbff7cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffbcbff7d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffbcbff7d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffbcbff7d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffbcbff7d30: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
0x0ffbcbff7d40: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
0x0ffbcbff7d50: f2 f2 f2 f2 04 f2 04 f3 00 00 00 00 00 00 00 00
0x0ffbcbff7d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffbcbff7d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffbcbff7d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==974123==ABORTING