9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.009 Low
EPSS
Percentile
79.9%
Hello,
The vulnerable code portion is linked below. The linked function is responsible for printing VTP packet payload information to the terminal (e.g., stdout)
The issue may be reproduced as follows
Check out vulnerable tcpdump commit (< 4.9.2) as follows
$ git clone -b e0d8ee571438c755ff988f70886f8c4f5e9a8434 https://github.com/the-tcpdump-group/tcpdump
Build it with afl and AddressSanitizer as follows (please install libpcap before this step)
$ CC=afl-gcc
$ AFL_USE_ASAN=1 make -j
Run tcpdump against linked payload (link: https://github.com/the-tcpdump-group/tcpdump/blob/ae83295915d08a854de27a88efac5dd7353e6d3f/tests/vtp_asan-3.pcap?raw=true)
$ tcpdump -nvr <payload>
reading from file /tmp/vtp_asan-3.pcap, link-type MFR (FRF.16 Frame Relay)
=================================================================
==3747==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000015c at pc 0x562e64fcc5d2 bp 0x7ffdd3033300 sp 0x7ffdd30332f0
READ of size 1 at 0x61200000015c thread T0
#0 0x562e64fcc5d1 in fn_printzp util-print.c:217
#1 0x562e64fb757e in vtp_print print-vtp.c:262
#2 0x562e64ea3aae in snap_print print-llc.c:493
#3 0x562e64e0cba5 in fr_print print-fr.c:336
#4 0x562e64e0dc9e in mfr_print print-fr.c:563
#5 0x562e64d57e1e in pretty_print_packet print.c:332
#6 0x562e64d30d8d in print_packet tcpdump.c:2590
#7 0x562e65003a78 in pcap_offline_read savefile.c:561
#8 0x562e64ff29ee in pcap_loop pcap.c:2737
#9 0x562e64d2474d in main tcpdump.c:2093
#10 0x7f9726cb6b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#11 0x562e64d2c769 in _start (/home/bhargava/work/github/tcpdump/tcpdump+0x17b769)
0x61200000015c is located 0 bytes to the right of 284-byte region [0x612000000040,0x61200000015c)
allocated by thread T0 here:
#0 0x7f972737ab50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x562e6500480a in pcap_check_header sf-pcap.c:404
SUMMARY: AddressSanitizer: heap-buffer-overflow util-print.c:217 in fn_printzp
Shadow bytes around the buggy address:
0x0c247fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c247fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff8020: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
0x0c247fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3747==ABORTING
It is acknowledged here(link: https://github.com/the-tcpdump-group/tcpdump/commit/ae83295915d08a854de27a88efac5dd7353e6d3f) that I (Bhargava Shastry) am the original reporter of the issue.
To prove that this hackerone account belongs to me, I have hosted a file with the following message on my github page(link: https://bshastry.github.io/.well-known/hackerone.txt)
hello @turtle_shell @hackerone
If you have any further queries, please let me know.
I believe that information disclosure is possible.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.009 Low
EPSS
Percentile
79.9%