HackerOne report H1:724217 (geeknik), Oct 28, 2019 - 9:38 p.m.

Internet Bug Bounty: tcpdump: CVE-2018-14879 - buffer overflow in tcpdump.c:get_next_file()

2019-10-28 21:38:23
geeknik
hackerone.com
36

7 High (CVSS3)
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

5.1 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P

EPSS: 0.001 Low (Percentile 45.4%)

The release of tcpdump 4.9.3 brought many bug fixes, including one I submitted, CVE-2018-14879.

The command-line argument parser in tcpdump before 4.9.3 has a buffer overflow in tcpdump.c:get_next_file().

==2288==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe363769bf at pc 0x56336d544e69 bp 0x7ffe36376260 sp 0x7ffe36376258
READ of size 1 at 0x7ffe363769bf thread T0
    #0 0x56336d544e68 in get_next_file tcpdump.c:853
    #1 0x56336d53ab63 in main tcpdump.c:1956
    #2 0x7f83cae7c2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #3 0x56336d543169 in _start (/root/tcpdump/tcpdump+0x16d169)

Address 0x7ffe363769bf is located in stack of thread T0 at offset 1727 in frame
    #0 0x56336d53828f in main tcpdump.c:1411

  This frame has 15 object(s):
    [32, 36) 'localnet'
    [96, 100) 'netmask'
    [160, 168) 'endp'
    [224, 232) 'end'
    [288, 296) 'devlist'
    [352, 360) 'end'
    [416, 424) 'dlts'
    [480, 496) 'fcode'
    [544, 576) 'timer'
    [608, 648) 'dumpinfo'
    [704, 848) 'buf'
    [896, 1096) 'Ndo'
    [1152, 1408) 'ebuf'
    [1440, 1696) 'ebuf'
    [1728, 5825) 'VFileLine' <== Memory access at offset 1727 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow tcpdump.c:853 in get_next_file
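The sanitizer report shows a one-byte READ at offset 1727, immediately before VFileLine, which starts at offset 1728: the code indexed one byte before the start of a stack buffer. The following is an added example, not tcpdump's code; it assumes (my assumption, since the page does not show the source) that the underflow comes from the common "ptr[strlen(ptr) - 1]" newline-stripping idiom, which reads ptr[-1] whenever the string is empty. An input line that begins with a NUL byte is stored by fgets() but has strlen() == 0, so a list-of-files argument can reach that case. The hardened reader below checks the zero-length case first and feeds a constructed list through itself; NAME_MAX_LEN, strip_newline, read_next_name and count_usable_names are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 4096   /* stand-in for PATH_MAX; an assumption for this example */

/*
 * Strip one trailing newline from a NUL-terminated line, in place.
 * Returns the length after stripping.
 *
 * The unsafe idiom
 *     if (ptr[strlen(ptr) - 1] == '\n') ptr[strlen(ptr) - 1] = '\0';
 * reads ptr[-1], one byte before the buffer, whenever strlen(ptr) == 0.
 * That is a one-byte underflow of the kind the sanitizer trace above
 * reports (access at offset 1727 against a buffer starting at 1728).
 * Handling the zero-length case first removes that read.
 */
static size_t strip_newline(char *line)
{
    size_t len = strlen(line);
    if (len == 0)
        return 0;                       /* nothing to strip, and no ptr[-1] read */
    if (line[len - 1] == '\n')
        line[--len] = '\0';
    return len;
}

/*
 * Read the next entry from a list-of-files stream into buf (bufsz bytes).
 * Returns 1 when a non-empty name was read, 0 at EOF or read error, and -1
 * when the line is empty after stripping. A line whose first byte is NUL is
 * stored by fgets() but has strlen() == 0, so it lands in the -1 case
 * instead of being indexed at [-1].
 */
static int read_next_name(FILE *list, char *buf, size_t bufsz)
{
    if (fgets(buf, (int)bufsz, list) == NULL)
        return 0;
    return strip_newline(buf) == 0 ? -1 : 1;
}

/*
 * Run a constructed list file through read_next_name() and return how many
 * usable names it yields. tmpfile() is used so no on-disk path is needed.
 */
static int count_usable_names(const unsigned char *data, size_t datalen)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    if (fwrite(data, 1, datalen, f) != datalen) {
        fclose(f);
        return -1;
    }
    rewind(f);

    char name[NAME_MAX_LEN];
    int usable = 0, rc;
    while ((rc = read_next_name(f, name, sizeof name)) != 0) {
        if (rc == 1)
            usable++;
    }
    fclose(f);
    return usable;
}

/* Constructed sample: two good names, a line beginning with a NUL byte, and a blank line. */
static const unsigned char sample_list[] =
    "first.pcap\n"
    "second.pcap\n"
    "\0not-a-name\n"
    "\n";

/* Expected result: only the two real names are accepted. */
static int demo(void)
{
    /* sizeof counts the literal's terminating NUL; drop it. */
    return count_usable_names(sample_list, sizeof sample_list - 1);
}

int main(void)
{
    printf("usable names: %d\n", demo());
    return 0;
}
```

With the original idiom, the third line (strlen 0) would have been indexed at [-1]; here it is simply rejected, and the blank fourth line takes the same path. Rejecting empty entries rather than continuing is a design choice for this example, not necessarily what tcpdump does.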

Reported: 2018 May 14 (via email to [email protected])
Fix Released: 2018 September 30
CVE: https://nvd.nist.gov/vuln/detail/CVE-2018-14879
Credit: https://www.tcpdump.org/public-cve-list.txt

CVSS v3.1 Severity and Metrics:
Base Score: 9.8 CRITICAL
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 3.9

Impact

A stack buffer overflow can be caused deliberately as part of an attack known as stack smashing. If the affected program runs with special privileges, or accepts data from untrusted network hosts (e.g. a web server), then the bug is a potential security vulnerability. If the stack buffer is filled with data supplied by an untrusted user, that user can corrupt the stack in such a way as to inject executable code into the running program and take control of the process. This is one of the oldest and most reliable methods for attackers to gain unauthorized access to a computer. For this particular bug, the AddressSanitizer trace above records a one-byte read immediately before the VFileLine buffer, reached through the command-line argument parser.
