CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 0.003 Low
Percentile: 66.7%
Versions of tcpdump before 4.9.3 are vulnerable to a buffer over-read in print-802_11.c. This vulnerability was reported to the tcpdump maintainers, was recently patched in version 4.9.3, and was published as CVE-2018-16227.
I was credited with finding and disclosing this vulnerability: https://www.tcpdump.org/public-cve-list.txt
CVE-2018-16227,tcpdump,ieee802.11_meshhdr-oobr.pcap,"Ryan Ackroyd",2018/05/26,Y,4846b3c5d0a850e860baf4f07340495d29837d09,4.9.3,,
This vulnerability was found and tested on tcpdump 4.9.2 after compiling tcpdump with AddressSanitizer (ASAN) support and fuzzing it with mutated packets. I have attached a working test case as a Proof of Concept to this report, named "fuzzer06:id:000021,sig:11,src:008627,op:havoc,rep:2".
This vulnerability can be triggered using the following command:
tcpdump -e -vvvv -H -u -nn -r fuzzer06:id:000021,sig:11,src:008627,op:havoc,rep:2
The above command produces the following output; ASAN reports this as a "heap-buffer-overflow":
reading from file fuzzer06:id:000021,sig:11,src:008627,op:havoc,rep:2, link-type IEEE802_11_RADIO (802.11 plus radiotap header)
12:05:07.276297 15738588889088us tsft 4096 MHz 11n 19dBm signal antenna 20 52.0 Mb/s MCS 25 20 MHz long GI LDPC FEC More Data 44us BSSID:20:7c:8f:50:3f:3a DA:68:a3:c4:03:46:da SA:20:7c:8f:50:3f:3a ReAssoc Request[|802.11]
=================================================================
==5793==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4a01801 at pc 0x08090ae9 bp 0xffc10aa8 sp 0xffc10a98
READ of size 1 at 0xf4a01801 thread T0
#0 0x8090ae8 in ctrl_body_print print-802_11.c:1676
#1 0x8090ae8 in ieee802_11_print print-802_11.c:2092
#2 0x809297b in ieee802_11_radio_print print-802_11.c:3257
#3 0x809297b in ieee802_11_radio_if_print print-802_11.c:3352
#4 0x80844b4 in pretty_print_packet print.c:332
#5 0x8065ce8 in print_packet tcpdump.c:2497
#6 0x83fcb6a in pcap_offline_read savefile.c:527
#7 0x8346bfe in pcap_loop pcap.c:890
#8 0x805afb8 in main tcpdump.c:2000
#9 0xf700a636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#10 0x806226a (/home/user/targets/builds33/tcpdump-4.9.2/tcpdump+0x806226a)
0xf4a01801 is located 1 bytes to the right of 64-byte region [0xf4a017c0,0xf4a01800)
allocated by thread T0 here:
#0 0xf723edee in malloc (/usr/lib32/libasan.so.2+0x96dee)
#1 0x8400752 in pcap_check_header sf-pcap.c:401
SUMMARY: AddressSanitizer: heap-buffer-overflow print-802_11.c:1676 ctrl_body_print
Shadow bytes around the buggy address:
0x3e9402b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e9402c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e9402d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e9402e0: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
0x3e9402f0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
=>0x3e940300:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e940310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e940320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e940330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e940340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e940350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==5793==ABORTING
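The report above is the artifact a fuzzing campaign produces in bulk, so the practical question is how to turn it into a record that can be deduplicated and tracked. The following is an added example, not part of the original report or of tcpdump: a small parser that reads this exact ASAN report (copied verbatim into the script, shadow-byte map omitted) and extracts the bug class, the faulting access, the heap region it overran, and the call stack, then derives a triage key from the bug class plus the top functions in the target's own source. The choice of three source frames for the key is an assumption of common fuzzing practice, not something the report prescribes.

```python
import re
from dataclasses import dataclass, field

# Sample input: the AddressSanitizer report from this page, copied verbatim
# (the shadow-byte map is omitted because the parser does not need it).
ASAN_REPORT = """\
==5793==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4a01801 at pc 0x08090ae9 bp 0xffc10aa8 sp 0xffc10a98
READ of size 1 at 0xf4a01801 thread T0
#0 0x8090ae8 in ctrl_body_print print-802_11.c:1676
#1 0x8090ae8 in ieee802_11_print print-802_11.c:2092
#2 0x809297b in ieee802_11_radio_print print-802_11.c:3257
#3 0x809297b in ieee802_11_radio_if_print print-802_11.c:3352
#4 0x80844b4 in pretty_print_packet print.c:332
#5 0x8065ce8 in print_packet tcpdump.c:2497
#6 0x83fcb6a in pcap_offline_read savefile.c:527
#7 0x8346bfe in pcap_loop pcap.c:890
#8 0x805afb8 in main tcpdump.c:2000
#9 0xf700a636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#10 0x806226a (/home/user/targets/builds33/tcpdump-4.9.2/tcpdump+0x806226a)
0xf4a01801 is located 1 bytes to the right of 64-byte region [0xf4a017c0,0xf4a01800)
allocated by thread T0 here:
#0 0xf723edee in malloc (/usr/lib32/libasan.so.2+0x96dee)
#1 0x8400752 in pcap_check_header sf-pcap.c:401
SUMMARY: AddressSanitizer: heap-buffer-overflow print-802_11.c:1676 ctrl_body_print
==5793==ABORTING
"""

ERROR_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^\s*(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+)")
# Frames look like "#0 0xADDR in func file.c:123" or, when unsymbolized, "#10 0xADDR (module+0xOFF)".
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+(?:\s+in\s+(\S+))?\s+(\S+)")
REGION_RE = re.compile(r"is located (\d+) bytes? to the (left|right) of (\d+)-byte region")
SOURCE_LOC_RE = re.compile(r"[^():]+:\d+")  # "file.c:123", i.e. code built with debug info


@dataclass
class AsanFinding:
    pid: int
    kind: str                 # e.g. heap-buffer-overflow
    address: str
    access: str = ""          # READ or WRITE
    size: int = 0             # bytes accessed
    frames: list = field(default_factory=list)  # (function or None, location) of the faulting stack
    region_size: int = 0      # size of the heap object that was overrun
    distance: int = 0         # how far outside the object the access landed
    side: str = ""            # left or right of the object


def parse_asan_report(text):
    """Extract the faulting access and its call stack from one ASAN report."""
    finding = None
    in_access_stack = False
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            finding = AsanFinding(pid=int(m.group(1)), kind=m.group(2), address=m.group(3))
            continue
        if finding is None:
            continue
        m = ACCESS_RE.match(line)
        if m:
            finding.access, finding.size = m.group(1), int(m.group(2))
            in_access_stack = True
            continue
        if in_access_stack:
            m = FRAME_RE.match(line)
            if m:
                finding.frames.append((m.group(2), m.group(3)))
                continue
            in_access_stack = False  # first non-frame line ends the access stack
        m = REGION_RE.search(line)
        if m:
            finding.distance, finding.side = int(m.group(1)), m.group(2)
            finding.region_size = int(m.group(3))
    if finding is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return finding


def source_frames(finding):
    """Frames that resolve to file:line, i.e. the target's own code rather than libc/libasan."""
    return [(fn, loc) for fn, loc in finding.frames if fn and SOURCE_LOC_RE.fullmatch(loc)]


def crash_key(finding, depth=3):
    """Bucket key for triage: bug class plus the top functions in the target (assumed depth of 3)."""
    funcs = [fn for fn, _ in source_frames(finding)[:depth]]
    return "|".join([finding.kind] + funcs)


def summarize(finding):
    """One-line human summary of what was read or written, and where."""
    fn, loc = source_frames(finding)[0]
    return (f"{finding.kind}: {finding.access} of {finding.size} byte(s), "
            f"{finding.distance} byte(s) past the {finding.side} edge of a "
            f"{finding.region_size}-byte heap region, in {fn} ({loc})")


if __name__ == "__main__":
    found = parse_asan_report(ASAN_REPORT)
    print(summarize(found))
    print("triage key:", crash_key(found))
```

Run against the report above, the summary reads as a one-byte read one byte past the end of the 64-byte packet buffer allocated in pcap_check_header, which is exactly the over-read the description calls out, and the key groups any further test cases that crash through the same three tcpdump functions into one bucket.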
More information about this vulnerability can be found in the following locations:
NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-16227
CVE details: https://www.cvedetails.com/cve/CVE-2018-16227/
This vulnerability can lead to significant information disclosure and allow an attacker to modify system files remotely, across a network with no interaction from the victim.
CVSS v3.1 Severity and Metrics:
Base Score: 9.8 CRITICAL
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 3.9
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High