
Tcpreplay 4.1.2 tcpcapinfo Buffer Overflow

Posted Mar 6, 2017
Authored by AromalUllas

Tcpreplay version 4.1.2 suffers from a buffer overflow vulnerability in tcpcapinfo.

tags | advisory, overflow
advisories | CVE-2017-6429
SHA-256 | 26aca01b147be6d1bc7a1c3df46044ca809646f346d4de44fbbe2712901ef36a

Document Title:
===============
CVE-2017-6429: Buffer overflow vulnerability in Tcpreplay tcpcapinfo utility

Vendor:
=======
Appneta (https://www.appneta.com/)

Product and Versions Affected:
==============================
Tcpreplay 4.1.2 and possibly prior.

Fixed Version:
==============
4.2.0 Beta 1

Product Description:
====================
Tcpreplay is a suite of GPLv3 licensed utilities for UNIX (and Win32 under Cygwin) operating systems for editing and replaying network traffic which was previously captured by tools like tcpdump and Ethereal/Wireshark.

Vulnerability Type:
===================
Buffer Overflow

CVE Reference:
==============
CVE-2017-6429

Vulnerability Details:
======================
The tcpcapinfo utility of Tcpreplay has a buffer overflow vulnerability associated with parsing a crafted pcap file. This occurs in the src/tcpcapinfo.c file when the capture has a packet that is too large to handle.
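
Added example (not code from this advisory or from Tcpreplay): a minimal C walk of a little-endian pcap image that rejects a record whose captured length exceeds the snap length or the parser's own buffer before any packet data is copied. PKT_BUF, pcap_check and run_sample are hypothetical names, and the sample images are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKT_BUF 65535u  /* assumed size of the parser's packet buffer */
/* Little-endian 32-bit field decode/encode, independent of host byte order. */
static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walk a little-endian pcap image. Returns packets accepted, or -1 on a
 * malformed file; *bad holds the rejected caplen (0 if none was oversized). */
static int pcap_check(const uint8_t *img, size_t len, uint32_t *bad)
{
    static uint8_t pkt[PKT_BUF];
    size_t off = 24;                             /* global header: 24 bytes */
    int count = 0;
    *bad = 0;
    if (len < 24 || le32(img) != 0xa1b2c3d4u) return -1;
    uint32_t snaplen = le32(img + 16);
    while (len - off >= 16) {                    /* record header: 16 bytes */
        uint32_t caplen = le32(img + off + 8);
        off += 16;
        /* Bound by the real buffer too: snaplen itself comes from the file. */
        if (caplen > snaplen || caplen > sizeof pkt) { *bad = caplen; return -1; }
        if (caplen > len - off) return -1;       /* truncated record */
        memcpy(pkt, img + off, caplen);
        off += caplen;
        count++;
    }
    return count;
}

/* Constructed sample: global header plus one record claiming `caplen` bytes. */
static int run_sample(uint32_t snaplen, uint32_t caplen, uint32_t *bad)
{
    uint8_t img[24 + 16 + 64] = {0};             /* 64 payload bytes follow */
    put32(img, 0xa1b2c3d4u);                     /* magic */
    put32(img + 16, snaplen);                    /* file header snaplen */
    put32(img + 32, caplen);                     /* record header caplen */
    return pcap_check(img, sizeof img, bad);
}

int main(void)
{
    uint32_t bad;
    int ok = run_sample(65535, 64, &bad), ko = run_sample(65535, 0x08000000u, &bad);
    printf("valid=%d crafted=%d rejected caplen=%u\n", ok, ko, bad);
    return 0;
}
```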

GDB Dump:
=========
---------Backtrace:-----------
/lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x7ffff7a8838f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7ffff7b1fc9c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109b60)[0x7ffff7b1eb60]
/lib/x86_64-linux-gnu/libc.so.6(+0x109fed)[0x7ffff7b1efed]
/home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo[0x40228c]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7ffff7a36ec5]
/home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo[0x4028dc]
1 1260 134217964 575b56ff.0
Program received signal SIGABRT, Aborted.

[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x70 ('p')
RCX: 0xffffffffffffffff
RDX: 0x6
RSI: 0xcc0b
RDI: 0xcc0b
RBP: 0x7fffffffb500 --> 0x7ffff7b944c2 ("buffer overflow detected")
RSP: 0x7fffffffb1e8 --> 0x7ffff7a4f0d8 (<__GI_abort+328>: mov rdx,QWORD PTR fs:0x10)
RIP: 0x7ffff7a4bcc9 (<__GI_raise+57>: cmp rax,0xfffffffffffff000)
R8 : 0x7ffff7b8bdc0 ("0123456789abcdefghijklmnopqrstuvwxyz")
R9 : 0x61bd80 --> 0x7ffff7dd41c0 --> 0xfbad2086
R10: 0x8
R11: 0x246
R12: 0x7fffffffb370 --> 0x1
R13: 0x5
R14: 0x70 ('p')
R15: 0x5
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff7a4bcbf <__GI_raise+47>: movsxd rdi,ecx
0x7ffff7a4bcc2 <__GI_raise+50>: mov eax,0xea
0x7ffff7a4bcc7 <__GI_raise+55>: syscall
=> 0x7ffff7a4bcc9 <__GI_raise+57>: cmp rax,0xfffffffffffff000
0x7ffff7a4bccf <__GI_raise+63>: ja 0x7ffff7a4bcea <__GI_raise+90>
0x7ffff7a4bcd1 <__GI_raise+65>: repz ret
0x7ffff7a4bcd3 <__GI_raise+67>: nop DWORD PTR [rax+rax*1+0x0]
0x7ffff7a4bcd8 <__GI_raise+72>: test eax,eax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffb1e8 --> 0x7ffff7a4f0d8 (<__GI_abort+328>: mov rdx,QWORD PTR fs:0x10)
0008| 0x7fffffffb1f0 --> 0x20 (' ')
0016| 0x7fffffffb1f8 --> 0x0
0024| 0x7fffffffb200 --> 0x0
0032| 0x7fffffffb208 --> 0x0
0040| 0x7fffffffb210 --> 0x0
0048| 0x7fffffffb218 --> 0x0
0056| 0x7fffffffb220 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.


Patch:
======
src/tcpcapinfo.c
@@ -281,6 +281,15 @@ main(int argc, char *argv[])
caplen = pcap_ph.caplen;
}

+ if (caplentoobig) {
+ printf("\n\nCapture file appears to be damaged or corrupt.\n"
+ "Contains packet of size %u, bigger than snap length %u\n",
+ caplen, pcap_fh.snaplen);
+
+ close(fd);
+ break;
+ }
+
/* check to make sure timestamps don't go backwards */
if (last_sec > 0 && last_usec > 0) {
if ((pcap_ph.ts.tv_sec == last_sec) ?
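
Review bot: The new "if (caplentoobig)" block reports the oversized record against pcap_fh.snaplen, which by its name is a field of the capture's own file header, so a crafted file can raise snaplen along with caplen. The visible lines do not show where caplentoobig is set or how large the packet buffer is; please confirm the flag also compares caplen against the actual buffer size and that this check runs before the packet body is read. The message is also printed with printf and the loop is left with break without any visible change to the exit status, so a script calling tcpcapinfo cannot tell a corrupt capture from a clean one; consider writing to stderr and returning non-zero.
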
@@ -306,7 +315,7 @@ main(int argc, char *argv[])
}

close(fd);
- continue;
+ break;
}

/* print the frame checksum */
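
Review bot: Replacing "continue" with "break" after close(fd) stops the loop from iterating on a closed descriptor, but the hunk carries no comment saying why and does not show which loop the break leaves. If this sits in a per-packet loop nested inside a per-file loop, check that the code following the inner loop does not close fd a second time, and add a short comment that the file is abandoned at this point.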


References:
===========
https://github.com/appneta/tcpreplay/issues/278
https://github.com/appneta/tcpreplay/releases/tag/v4.2.0-beta1


Vulnerability Disclosure Timeline:
==================================
2017-02-08: Bug Report Submission & Coordination
2017-03-05: Public Disclosure

Credit:
=======
AromalUllas