HackerOne report H1:268805 (geeknik)
History: Sep 15, 2017 - 11:41 p.m.

Internet Bug Bounty: CVE-2017-13008 The IEEE 802.11 parser in tcpdump before 4.9.2 has a buffer over-read in print-802_11.c:parse_elements().

2017-09-15 23:41:21
geeknik
hackerone.com
22

CVSS3: 9.8 High
    Attack Vector:          NETWORK
    Attack Complexity:      LOW
    Privileges Required:    NONE
    User Interaction:       NONE
    Scope:                  UNCHANGED
    Confidentiality Impact: HIGH
    Integrity Impact:       HIGH
    Availability Impact:    HIGH
    Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
    Access Vector:          NETWORK
    Access Complexity:      LOW
    Authentication:         NONE
    Confidentiality Impact: PARTIAL
    Integrity Impact:       PARTIAL
    Availability Impact:    PARTIAL
    Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.006 Low (Percentile 75.7%)

Reported to the devs on 6 March 2017.
Tcpdump 4.9.2 released on 8 September 2017.
Patch: https://github.com/the-tcpdump-group/tcpdump/commit/5edf405d7ed9fc92f4f43e8a3d44baa4c6387562

The IEEE 802.11 parser in tcpdump before 4.9.2 has a buffer over-read in print-802_11.c:parse_elements().

./tcpdump -n -r test000

==4043==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000dff7 at pc 0x00000048f0e0 bp 0x7ffe26d60590 sp 0x7ffe26d5fd50
READ of size 1 at 0x60700000dff7 thread T0
    #0 0x48f0df in __asan_memcpy (/root/tcpdump/tcpdump+0x48f0df)
    #1 0x4eb08b in parse_elements /root/tcpdump/./print-802_11.c:1192:4
    #2 0x4e2fce in handle_beacon /root/tcpdump/./print-802_11.c:1252:8
    #3 0x4e2fce in mgmt_body_print /root/tcpdump/./print-802_11.c:1654
    #4 0x4e2fce in ieee802_11_print /root/tcpdump/./print-802_11.c:2098
    #5 0x4e9142 in ieee802_11_radio_print /root/tcpdump/./print-802_11.c:3269:15
    #6 0x4e9142 in ieee802_11_radio_if_print /root/tcpdump/./print-802_11.c:3364
    #7 0x4de2e9 in pretty_print_packet /root/tcpdump/./print.c:339:18
    #8 0x4cc5fb in print_packet /root/tcpdump/./tcpdump.c:2556:2
    #9 0x773e10 in pcap_offline_read /root/libpcap/./savefile.c:527:4
    #10 0x6a258c in pcap_loop /root/libpcap/./pcap.c:1657:8
    #11 0x4c8a6e in main /root/tcpdump/./tcpdump.c:2059:12
    #12 0x7f1166aa9b44 in __libc_start_main /build/glibc-qK83Be/glibc-2.19/csu/libc-start.c:287
    #13 0x4c3ccc in _start (/root/tcpdump/tcpdump+0x4c3ccc)

0x60700000dff7 is located 0 bytes to the right of 71-byte region [0x60700000dfb0,0x60700000dff7)
allocated by thread T0 here:
    #0 0x4a664b in __interceptor_malloc (/root/tcpdump/tcpdump+0x4a664b)
    #1 0x775763 in pcap_check_header /root/libpcap/./sf-pcap.c:401:14
    #2 0x773472 in pcap_fopen_offline_with_tstamp_precision /root/libpcap/./savefile.c:400:7
    #3 0x773204 in pcap_open_offline_with_tstamp_precision /root/libpcap/./savefile.c:307:6

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
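The sanitizer trace above ends in a memcpy inside parse_elements() that reads one byte past a 71-byte packet buffer, which is the signature of a tag/length/value walker trusting an element's declared length instead of the number of bytes actually captured. As an added illustration, and not tcpdump's code or the linked patch, the following C walks 802.11 information elements the way a capture-bounded parser must: it checks that the two header bytes and then the full declared value fit inside the remaining captured bytes before touching them. The function and type names (parse_ies_checked, struct ies, the demo_* helpers) and the two sample byte strings are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative re-implementation of an 802.11 information-element (IE)
 * walker; not tcpdump's parse_elements(). Management frame bodies carry
 * IEs as <tag:1><len:1><value:len> records after the fixed fields. */

#define MAX_SSID 32

struct ies {
    uint8_t ssid[MAX_SSID];
    size_t  ssid_len;
    int     ssid_present;
};

/* Returns 0 when every element lies inside the captured bytes, -1 when the
 * capture ends inside an element (truncated or malformed frame).
 * Checking only "len <= MAX_SSID" (does the value fit the destination?)
 * is not enough: without "len <= remaining capture" the memcpy source runs
 * off the end of the packet buffer, which is exactly what ASan reported. */
int parse_ies_checked(const uint8_t *p, size_t caplen, struct ies *out)
{
    size_t off = 0;
    memset(out, 0, sizeof(*out));

    while (off < caplen) {
        /* Need both the tag and the length byte before reading them. */
        if (caplen - off < 2)
            return -1;
        uint8_t tag = p[off];
        uint8_t len = p[off + 1];

        /* The value must lie entirely within the remaining captured bytes. */
        if (caplen - off - 2 < len)
            return -1;
        const uint8_t *val = p + off + 2;

        if (tag == 0 && len <= MAX_SSID) {      /* tag 0 = SSID */
            memcpy(out->ssid, val, len);        /* both bounds verified */
            out->ssid_len = len;
            out->ssid_present = 1;
        }
        /* Other tags are skipped, but their lengths are still bounds-checked. */
        off += 2 + (size_t)len;
    }
    return 0;
}

/* Constructed sample: SSID IE "lab" followed by a one-byte Supported Rates IE. */
static const uint8_t sample_ok[] = { 0x00, 0x03, 'l', 'a', 'b', 0x01, 0x01, 0x82 };

/* Constructed sample: SSID IE declaring 32 bytes, but the capture ends after 3. */
static const uint8_t sample_truncated[] = { 0x00, 0x20, 'a', 'b', 'c' };

/* Returns the parsed SSID length for the well-formed sample, or -1 on error. */
int demo_ok_ssid_len(void)
{
    struct ies r;
    if (parse_ies_checked(sample_ok, sizeof sample_ok, &r) != 0)
        return -1;
    return r.ssid_present ? (int)r.ssid_len : -1;
}

/* Returns the parser's verdict on the truncated sample (expected: -1). */
int demo_truncated_result(void)
{
    struct ies r;
    return parse_ies_checked(sample_truncated, sizeof sample_truncated, &r);
}

int main(void)
{
    printf("well-formed body: ssid_len=%d\n", demo_ok_ssid_len());
    printf("truncated body:   result=%d (rejected before any copy)\n",
           demo_truncated_result());
    return 0;
}
```

The truncated sample is rejected at the length check, so no copy is attempted; an unbounded walker would instead memcpy 32 bytes from a 5-byte buffer, which is the same shape of read the AddressSanitizer report shows at the end of a 71-byte region.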
