Document Title:
===============
CVE-2017-6429: Buffer overflow vulnerability in Tcpreplay tcpcapinfo utility

Vendor:
=======
Appneta (https://www.appneta.com/)

Product and Versions Affected:
==============================
Tcpreplay 4.1.2 and possibly prior.

Fixed Version:
==============
4.2.0 Beta 1

Product Description:
====================
Tcpreplay is a suite of GPLv3 licensed utilities for UNIX (and Win32 under Cygwin) operating systems for editing and replaying network traffic which was previously captured by tools like tcpdump and Ethereal/Wireshark. 

Vulnerability Type:
===================
Buffer Overflow

CVE Reference:
==============
CVE-2017-6429

Vulnerability Details:
======================
Tcpcapinfo utility of Tcpreplay have a buffer overflow vulnerability associated with parsing a crafted pcap file. This occurs in the src/tcpcapinfo.c file when capture has a packet that is too large to handle.

GDB Dump:
=========
---------Backtrace:-----------
/lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x7ffff7a8838f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7ffff7b1fc9c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109b60)[0x7ffff7b1eb60]
/lib/x86_64-linux-gnu/libc.so.6(+0x109fed)[0x7ffff7b1efed]
/home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo[0x40228c]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7ffff7a36ec5]
/home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo[0x4028dc]
======= Memory map: ========
00400000-0041b000 r-xp 00000000 08:01 453864                             /home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo
0061a000-0061b000 r--p 0001a000 08:01 453864                             /home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo
0061b000-0061c000 rw-p 0001b000 08:01 453864                             /home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo
0061c000-0063e000 rw-p 00000000 00:00 0                                  [heap]
7ffff77fe000-7ffff7814000 r-xp 00000000 08:01 660352                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7814000-7ffff7a13000 ---p 00016000 08:01 660352                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7a13000-7ffff7a14000 r--p 00015000 08:01 660352                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7a14000-7ffff7a15000 rw-p 00016000 08:01 660352                     /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff7a15000-7ffff7bd0000 r-xp 00000000 08:01 660238                     /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7bd0000-7ffff7dcf000 ---p 001bb000 08:01 660238                     /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7dcf000-7ffff7dd3000 r--p 001ba000 08:01 660238                     /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7dd3000-7ffff7dd5000 rw-p 001be000 08:01 660238                     /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7dd5000-7ffff7dda000 rw-p 00000000 00:00 0 
7ffff7dda000-7ffff7dfd000 r-xp 00000000 08:01 660214                     /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7fd5000-7ffff7fd8000 rw-p 00000000 00:00 0 
7ffff7ff4000-7ffff7ff8000 rw-p 00000000 00:00 0 
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0                          [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00022000 08:01 660214                     /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7ffd000-7ffff7ffe000 rw-p 00023000 08:01 660214                     /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
1  1260    134217964    575b56ff.0
Program received signal SIGABRT, Aborted.

 [----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x70 ('p')
RCX: 0xffffffffffffffff 
RDX: 0x6 
RSI: 0xcc0b 
RDI: 0xcc0b 
RBP: 0x7fffffffb500 --> 0x7ffff7b944c2 ("buffer overflow detected")
RSP: 0x7fffffffb1e8 --> 0x7ffff7a4f0d8 (<__GI_abort+328>:  mov    rdx,QWORD PTR fs:0x10)
RIP: 0x7ffff7a4bcc9 (<__GI_raise+57>:  cmp    rax,0xfffffffffffff000)
R8 : 0x7ffff7b8bdc0 ("0123456789abcdefghijklmnopqrstuvwxyz")
R9 : 0x61bd80 --> 0x7ffff7dd41c0 --> 0xfbad2086 
R10: 0x8 
R11: 0x246 
R12: 0x7fffffffb370 --> 0x1 
R13: 0x5 
R14: 0x70 ('p')
R15: 0x5
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7a4bcbf <__GI_raise+47>:  movsxd rdi,ecx
   0x7ffff7a4bcc2 <__GI_raise+50>:  mov    eax,0xea
   0x7ffff7a4bcc7 <__GI_raise+55>:  syscall 
=> 0x7ffff7a4bcc9 <__GI_raise+57>:  cmp    rax,0xfffffffffffff000
   0x7ffff7a4bccf <__GI_raise+63>:  ja     0x7ffff7a4bcea <__GI_raise+90>
   0x7ffff7a4bcd1 <__GI_raise+65>:  repz ret 
   0x7ffff7a4bcd3 <__GI_raise+67>:  nop    DWORD PTR [rax+rax*1+0x0]
   0x7ffff7a4bcd8 <__GI_raise+72>:  test   eax,eax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffb1e8 --> 0x7ffff7a4f0d8 (<__GI_abort+328>:  mov    rdx,QWORD PTR fs:0x10)
0008| 0x7fffffffb1f0 --> 0x20 (' ')
0016| 0x7fffffffb1f8 --> 0x0 
0024| 0x7fffffffb200 --> 0x0 
0032| 0x7fffffffb208 --> 0x0 
0040| 0x7fffffffb210 --> 0x0 
0048| 0x7fffffffb218 --> 0x0 
0056| 0x7fffffffb220 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56  ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.


Patch:
======
 src/tcpcapinfo.c
 @@ -281,6 +281,15 @@ main(int argc, char *argv[])
                  caplen = pcap_ph.caplen;
              }
  
 +            if (caplentoobig) {
 +                printf("\n\nCapture file appears to be damaged or corrupt.\n"
 +                        "Contains packet of size %u, bigger than snap length %u\n",
 +                        caplen, pcap_fh.snaplen);
 +
 +                close(fd);
 +                break;
 +            }
 +
              /* check to make sure timestamps don't go backwards */
              if (last_sec > 0 && last_usec > 0) {
                  if ((pcap_ph.ts.tv_sec == last_sec) ? 
 @@ -306,7 +315,7 @@ main(int argc, char *argv[])
                  }
  
                  close(fd);
 -                continue;
 +                break;
              }
  
              /* print the frame checksum */

 
References:
===========
https://github.com/appneta/tcpreplay/issues/278
https://github.com/appneta/tcpreplay/releases/tag/v4.2.0-beta1


Vulnerability Disclosure Timeline:
==================================
2017-02-08: Bug Report Submission & Coordination 
2017-03-05: Public Disclosure

Credit:
=======
AromalUllas