Internet Bug Bounty: Tcpdump before 4.9.3 has a buffer over-read in print-dccp.c:dccp_print_option() (CVE-2018-16229)

Tcpdump before 4.9.3 has a buffer over-read in print-dccp.c:dccp_print_option(). This vulnerability was disclosed to the tpcdump maintainers and was fixed in version 4.9.3 and disclosed as CVE-2018-16229.

I was credited with finding and disclosing this vulnerability: https://www.tcpdump.org/public-cve-list.txt

CVE-2018-16229,tcpdump,dccp_options-oobr.pcap,"Ryan Ackroyd",2018/05/26,Y,211124b972e74f0da66bc8b16f181f78793e2f66,4.9.3,,

This vulnerability was discovered in version 4.9.2 after compiling tcpdump with Address Sanitizer (ASAN) and fuzzing tcpdump with mutated packets. This vulnerability can be remotely exploited over the network by an attacker with no interaction needed from the victim.

I have attached test-case “fuzzer06:id:000018,sig:11,src:007353,op:havoc,rep:16” as a Proof of Concept to this report.

This vulnerability can be triggered using the following command:

tcpdump -e -vvvv -H -u -nn -r fuzzer06:id:000018,sig:11,src:007353,op:havoc,rep:16

The above command shows the following output from ASAN which notes this vulnerability as being a “heap-buffer-overflow”:

reading from file fuzzer06:id:000018,sig:11,src:007353,op:havoc,rep:16, link-type EN10MB (Ethernet)
17:59:25.816632 00:07:e9:bd:5d:1f > 00:14:22:59:55:51, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 65312, offset 0, flags [DF], proto DCCP (33), length 52)
    139.133.209.176.39420 > 139.133.209.65.5001: DCCP (CCVal 0, CsCov 0, cksum 0xaaf3 (incorrect -> 0x8bf3)) DCCP-Request (service=-189888898) seq 8 <nop, nop, nop, nop, change_l ack_ratio 2, change_r ccid 2, change_l ccid 2>
15:27:00.817006 00:14:22:59:55:51 > 00:07:e9:bd:5d:1f, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto DCCP (33), length 68)
    139.133.209.65.5001 > 139.133.209.176.39420: DCCP (CCVal 0, CsCov 0, ) DCCP-Response (service=0) (ack=38464816766) seq 1960341146 <nop, nop, change_l ack_ratio 2, [|dccp]>
15:27:00.817125 00:07:e9:bd:00:1f > 00:14:22:59:55:51, ethertype IPv4 (0x0800), length 32582: (tos 0x0, ttl 64, id 65313, offset 0, flags [DF], proto DCCP (33), length 56)
=================================================================
==5790==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4a01bf4 at pc 0x080fd4b6 bp 0xfff8c088 sp 0xfff8c078
READ of size 4 at 0xf4a01bf4 thread T0
    #0 0x80fd4b5 in EXTRACT_32BITS extract.h:190
    #1 0x80fd4b5 in dccp_print_option print-dccp.c:633
    #2 0x80fd4b5 in dccp_print print-dccp.c:496
    #3 0x816e21a in ip_print_demux print-ip.c:391
    #4 0x816e21a in ip_print print-ip.c:673
    #5 0x8124f70 in ethertype_print print-ether.c:333
    #6 0x8126065 in ether_print print-ether.c:236
    #7 0x80844b4 in pretty_print_packet print.c:332
    #8 0x8065ce8 in print_packet tcpdump.c:2497
    #9 0x83fcb6a in pcap_offline_read savefile.c:527
    #10 0x8346bfe in pcap_loop pcap.c:890
    #11 0x805afb8 in main tcpdump.c:2000
    #12 0xf6fda636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #13 0x806226a  (/home/user/targets/builds33/tcpdump-4.9.2/tcpdump+0x806226a)

0xf4a01bf6 is located 0 bytes to the right of 70-byte region [0xf4a01bb0,0xf4a01bf6)
allocated by thread T0 here:
    #0 0xf720edee in malloc (/usr/lib32/libasan.so.2+0x96dee)
    #1 0x8400752 in pcap_check_header sf-pcap.c:401

SUMMARY: AddressSanitizer: heap-buffer-overflow extract.h:190 EXTRACT_32BITS
Shadow bytes around the buggy address:
  0x3e940320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e940330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e940340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e940350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e940360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3e940370: fa fa fa fa fa fa 00 00 00 00 00 00 00 00[06]fa
  0x3e940380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e940390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9403a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9403b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9403c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==5790==ABORTING

More information about this vulnerability can be found in the following locations:

NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-16229
CVE: https://www.cvedetails.com/cve/CVE-2018-16229/
MITRE: https://vulners.com/cve/CVE-2018-16229

Impact

This vulnerability leads to significant information disclosure and allows an attacker to remotely modify system files. An attacker is easily able to exploit this vulnerability remotely across a network without interaction from the victim.

CVSS v3.1 Severity and Metrics:

Base Score: 9.8 CRITICAL
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (V3.1 legend)
Impact Score: 5.9
Exploitability Score: 3.9

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality ©: High
Integrity (I): High
Availability (A): High