HackerOne report by geeknik, H1:268803
Sep 15, 2017 - 11:34 p.m.

Internet Bug Bounty: CVE-2017-12985: The IPv6 parser in tcpdump before 4.9.2 has a buffer over-read in ip6_print()

2017-09-15 23:34:37
geeknik
hackerone.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.006 Low
Percentile: 75.7%

Reported to the devs on 4 February 2017.
Tcpdump 4.9.2 released on 8 September 2017.
Patch: https://github.com/the-tcpdump-group/tcpdump/commit/66df248b49095c261138b5a5e34d341a6bf9ac7f

The IPv6 parser in tcpdump before 4.9.2 has a buffer over-read in print-ip6.c.

./tcpdump -nr test003
reading from file test003, link-type IPV6 (Raw IPv6)
=================================================================
==31276==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000e000 at pc 0x000000578cd5 bp 0x7ffe8e397cd0 sp 0x7ffe8e397cc8
READ of size 1 at 0x60400000e000 thread T0
    #0 0x578cd4 in ip6_print /root/tcpdump/./print-ip6.c:348:4
    #1 0x576fdc in ipN_print /root/tcpdump/./print-ip.c:700:3
    #2 0x626677 in raw_if_print /root/tcpdump/./print-raw.c:42:2
    #3 0x4de3c9 in pretty_print_packet /root/tcpdump/./print.c:339:18
    #4 0x4ccb0b in print_packet /root/tcpdump/./tcpdump.c:2555:2
    #5 0x775960 in pcap_offline_read /root/libpcap/./savefile.c:527:4
    #6 0x6a3f3c in pcap_loop /root/libpcap/./pcap.c:1623:8
    #7 0x4c8f1e in main /root/tcpdump/./tcpdump.c:2058:12
    #8 0x7efcfe253b44 in __libc_start_main /build/glibc-qK83Be/glibc-2.19/csu/libc-start.c:287
    #9 0x4c419c in _start (/root/tcpdump/tcpdump+0x4c419c)

0x60400000e000 is located 0 bytes to the right of 48-byte region [0x60400000dfd0,0x60400000e000)
allocated by thread T0 here:
    #0 0x4a6b1b in malloc (/root/tcpdump/tcpdump+0x4a6b1b)
    #1 0x7772b3 in pcap_check_header /root/libpcap/./sf-pcap.c:401:14
    #2 0x774fc2 in pcap_fopen_offline_with_tstamp_precision /root/libpcap/./savefile.c:400:7
    #3 0x774d54 in pcap_open_offline_with_tstamp_precision /root/libpcap/./savefile.c:307:6

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/tcpdump/./print-ip6.c:348 ip6_print
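The AddressSanitizer output above pins the fault down: libpcap handed ip6_print() a 48-byte heap region and the parser read the byte immediately after it. The same parser runs on live traffic, which is why the vector is scored AV:N even though the report reproduces it from a capture file. The following program is an added example of mine, not tcpdump's code and not the reporter's test003 file: a minimal IPv6 extension-header walker in two variants. walk_unchecked() trusts the on-the-wire Hdr Ext Len and keeps reading past the captured length; walk_checked() tests every access against caplen first, the way tcpdump's ND_TCHECK-style bounds checks do. The two sample packets, the function names and the 0xAA bytes standing in for whatever sits after the packet buffer are all constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP6_HDR_LEN   40
#define NH_HOPOPTS     0   /* Hop-by-Hop Options */
#define NH_ROUTING    43   /* Routing */
#define NH_NONE       59   /* No Next Header */
#define NH_DSTOPTS    60   /* Destination Options */

/* Constructed sample (not the reporter's test003): 48 captured bytes, the same
 * size as the heap region in the ASan report, followed by 16 bytes of 0xAA that
 * stand in for whatever memory happens to follow the packet buffer. The fixed
 * header says Next Header = Hop-by-Hop; that header says Hdr Ext Len = 1, i.e.
 * 16 bytes, but only 8 of them were captured. */
#define SAMPLE_CAPLEN 48
static const uint8_t sample_truncated[SAMPLE_CAPLEN + 16] = {
    0x60, 0x00, 0x00, 0x00,                            /* version 6, tc 0, flow 0 */
    0x00, 0x10,                                        /* payload length 16 */
    NH_HOPOPTS, 0x40,                                  /* next header, hop limit */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,                   /* src ::1 */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,                   /* dst ::2 */
    NH_DSTOPTS, 0x01, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, /* HBH: NH=60, len=1, PadN */
    0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,           /* --- beyond caplen --- */
    0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,
};

/* Well-formed counterpart: one 8-byte Hop-by-Hop header, then No Next Header. */
static const uint8_t sample_ok[SAMPLE_CAPLEN] = {
    0x60, 0x00, 0x00, 0x00, 0x00, 0x08, NH_HOPOPTS, 0x40,
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,
    NH_NONE, 0x00, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00,
};

/* Outcome of walking an extension-header chain. */
struct ip6_walk {
    int    truncated;  /* 1 if a header extends past caplen (only the checked walker sets it) */
    int    headers;    /* extension headers consumed */
    int    final_nh;   /* next-header value the walk stopped on */
    size_t offset;     /* offset of the first byte after the last header consumed */
};

static int is_ext_header(uint8_t nh)
{
    return nh == NH_HOPOPTS || nh == NH_ROUTING || nh == NH_DSTOPTS;
}

/* Naive walker, the bug class of the report: trusts Hdr Ext Len and never compares
 * against caplen. On a heap buffer that ends exactly at caplen the read of
 * p[r.offset] below is the 1-byte heap-buffer-overflow READ in the ASan output.
 * Here it is only ever called on a buffer with slack after caplen, so the demo
 * stays memory-safe; the point is that it consumes bytes beyond the capture. */
static struct ip6_walk walk_unchecked(const uint8_t *p, size_t caplen)
{
    struct ip6_walk r = { 0, 0, 0, IP6_HDR_LEN };
    uint8_t nh = p[6];                                   /* Next Header of fixed header */
    (void)caplen;                                        /* deliberately ignored */
    while (is_ext_header(nh)) {
        nh = p[r.offset];                                /* may be past caplen */
        r.offset += ((size_t)p[r.offset + 1] + 1) * 8;   /* RFC 8200: (Hdr Ext Len + 1) * 8 */
        r.headers++;
    }
    r.final_nh = nh;
    return r;
}

/* Checked walker: every access is tested against caplen before it happens, the
 * way tcpdump's ND_TCHECK-style macros bail out to a truncation marker. */
static struct ip6_walk walk_checked(const uint8_t *p, size_t caplen)
{
    struct ip6_walk r = { 0, 0, 0, IP6_HDR_LEN };
    uint8_t nh;
    if (caplen < IP6_HDR_LEN) { r.truncated = 1; r.final_nh = -1; return r; }
    nh = p[6];
    while (is_ext_header(nh)) {
        size_t len;
        if (r.offset + 2 > caplen) { r.truncated = 1; break; }   /* need NH + Hdr Ext Len */
        len = ((size_t)p[r.offset + 1] + 1) * 8;
        if (r.offset + len > caplen) { r.truncated = 1; break; } /* whole header must be captured */
        nh = p[r.offset];
        r.offset += len;
        r.headers++;
    }
    r.final_nh = nh;
    return r;
}

int main(void)
{
    struct ip6_walk u = walk_unchecked(sample_truncated, SAMPLE_CAPLEN);
    struct ip6_walk c = walk_checked(sample_truncated, SAMPLE_CAPLEN);
    struct ip6_walk g = walk_checked(sample_ok, SAMPLE_CAPLEN);
    printf("unchecked: %d ext headers, final nh %d, offset %zu (caplen %d)\n",
           u.headers, u.final_nh, u.offset, SAMPLE_CAPLEN);
    printf("checked:   truncated=%d after %d header(s) at offset %zu\n",
           c.truncated, c.headers, c.offset);
    printf("checked on well-formed sample: truncated=%d, %d header(s), final nh %d\n",
           g.truncated, g.headers, g.final_nh);
    return 0;
}
```

On the truncated sample the naive walker "finds" a second extension header at offset 56, eight bytes past the capture, and takes its next-header value (0xAA) and length from the slack; the checked walker stops at offset 40 and flags the Hop-by-Hop header as truncated. The two checks in walk_checked() are the shape of the fix for this bug class: verify that the length field itself is captured, then that the full length it announces is captured, before advancing.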
