hackerone / bugbasher / H1:724243
History: Oct 28, 2019 - 11:03 p.m.

Internet Bug Bounty: Tcpdump before 4.9.3 has a buffer over-read in print-802_11.c (CVE-2018-16227)

2019-10-28 23:03:20
bugbasher
hackerone.com

7.5 High (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P

0.003 Low (EPSS)
Percentile: 66.7%

Versions of tcpdump before 4.9.3 are vulnerable to a buffer over-read in print-802_11.c. This vulnerability was reported to the tcpdump maintainers, was recently patched in version 4.9.3, and was assigned CVE-2018-16227.

I was credited with finding and disclosing this vulnerability: https://www.tcpdump.org/public-cve-list.txt

CVE-2018-16227,tcpdump,ieee802.11_meshhdr-oobr.pcap,"Ryan Ackroyd",2018/05/26,Y,4846b3c5d0a850e860baf4f07340495d29837d09,4.9.3,,

This vulnerability was found and tested on tcpdump 4.9.2 after compiling tcpdump with AddressSanitizer (ASAN) support and fuzzing it with mutated packets. I have attached a working test case as a proof of concept to this report, named “fuzzer06:id:000021,sig:11,src:008627,op:havoc,rep:2”.

This vulnerability can be triggered using the following command:

tcpdump -e -vvvv -H -u -nn -r fuzzer06:id:000021,sig:11,src:008627,op:havoc,rep:2

The above command produces the following output; ASAN marks this as a "heap-buffer-overflow":

reading from file fuzzer06:id:000021,sig:11,src:008627,op:havoc,rep:2, link-type IEEE802_11_RADIO (802.11 plus radiotap header)
12:05:07.276297 15738588889088us tsft 4096 MHz 11n 19dBm signal antenna 20 52.0 Mb/s MCS 25 20 MHz long GI LDPC FEC More Data 44us BSSID:20:7c:8f:50:3f:3a DA:68:a3:c4:03:46:da SA:20:7c:8f:50:3f:3a ReAssoc Request[|802.11]
=================================================================
==5793==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4a01801 at pc 0x08090ae9 bp 0xffc10aa8 sp 0xffc10a98
READ of size 1 at 0xf4a01801 thread T0
    #0 0x8090ae8 in ctrl_body_print print-802_11.c:1676
    #1 0x8090ae8 in ieee802_11_print print-802_11.c:2092
    #2 0x809297b in ieee802_11_radio_print print-802_11.c:3257
    #3 0x809297b in ieee802_11_radio_if_print print-802_11.c:3352
    #4 0x80844b4 in pretty_print_packet print.c:332
    #5 0x8065ce8 in print_packet tcpdump.c:2497
    #6 0x83fcb6a in pcap_offline_read savefile.c:527
    #7 0x8346bfe in pcap_loop pcap.c:890
    #8 0x805afb8 in main tcpdump.c:2000
    #9 0xf700a636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #10 0x806226a  (/home/user/targets/builds33/tcpdump-4.9.2/tcpdump+0x806226a)

0xf4a01801 is located 1 bytes to the right of 64-byte region [0xf4a017c0,0xf4a01800)
allocated by thread T0 here:
    #0 0xf723edee in malloc (/usr/lib32/libasan.so.2+0x96dee)
    #1 0x8400752 in pcap_check_header sf-pcap.c:401

SUMMARY: AddressSanitizer: heap-buffer-overflow print-802_11.c:1676 ctrl_body_print
Shadow bytes around the buggy address:
  0x3e9402b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9402c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9402d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9402e0: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x3e9402f0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
=>0x3e940300:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e940310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e940320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e940330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e940340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e940350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==5793==ABORTING
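The ASAN report above shows a one-byte read landing exactly one byte past the captured packet, the classic symptom of a header parser that reads a length-deciding byte before confirming it was captured. The following is an added example, not tcpdump's code: a simplified C model of an 802.11 header-length computation with an optional 802.11s mesh extension, where the caplen check is placed before the single flags byte is read. Frame layout, base header lengths and the sample frames are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Build with ASAN, as the report did, to catch any over-read:
 *   cc -fsanitize=address -g hdrlen_example.c      (assumed file name) */

#define FC_TYPE(fc)    (((fc) >> 2) & 0x3)
#define FC_SUBTYPE(fc) (((fc) >> 4) & 0xF)
#define T_DATA         2
#define SUBTYPE_QOS    0x8   /* QoS bit of the data-frame subtype */

/* Length of an 802.11s mesh control field from its first (flags) byte:
 * low two bits are the address-extension mode, 0..2 -> 6, 12, 18 bytes.
 * Any other bit set is treated as malformed and yields 0. */
static size_t mesh_header_length(uint8_t flags)
{
    if (flags & ~0x03u)
        return 0;
    return 6 * (1 + (flags & 0x03u));
}

/* Returns the full header length, or 0 when the captured bytes (caplen)
 * run out at any step. Base lengths (24 data / 16 other) are simplified.
 * The unsafe pattern is to read the flags byte p[hdrlen] and compare caplen
 * only against the final hdrlen afterwards: with caplen == hdrlen that read
 * is already one byte past the buffer, matching the ASAN output above. */
size_t header_length_checked(const uint8_t *p, size_t caplen, int vflag)
{
    if (caplen < 2)
        return 0;
    uint16_t fc = (uint16_t)(p[0] | (p[1] << 8));
    int qos_data = FC_TYPE(fc) == T_DATA && (FC_SUBTYPE(fc) & SUBTYPE_QOS);
    size_t hdrlen = (FC_TYPE(fc) == T_DATA) ? 24 : 16;
    if (qos_data)
        hdrlen += 2;                       /* QoS control field */
    if (vflag && qos_data) {
        if (caplen < hdrlen + 1)           /* check BEFORE reading p[hdrlen] */
            return 0;
        size_t meshlen = mesh_header_length(p[hdrlen]);
        if (meshlen == 0)
            return 0;
        hdrlen += meshlen;
    }
    return (caplen < hdrlen) ? 0 : hdrlen;
}

/* Constructed sample frames (not the report's pcap): frame control 0x0088
 * little-endian = QoS data; unspecified bytes are zero. */
static const uint8_t qos_exact[26]  = { 0x88, 0x00 };              /* mesh byte not captured */
static const uint8_t qos_mesh[38]   = { 0x88, 0x00, [26] = 0x01 }; /* mode 1: 12-byte mesh hdr */
static const uint8_t mgmt_frame[16] = { 0x00, 0x00 };
```

Running the same parser without the `hdrlen + 1` check under ASAN on `qos_exact` reproduces a "READ of size 1" one byte past the allocation, which is the signal the fuzzing setup in this report relied on.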

More information about this vulnerability can be found in the following locations:

NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-16227
CVE details: https://www.cvedetails.com/cve/CVE-2018-16227/

Impact

This vulnerability can lead to significant information disclosure and allow an attacker to modify system files remotely, across a network with no interaction from the victim.

CVSS v3.1 Severity and Metrics:

Base Score: 9.8 CRITICAL
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 3.9

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
