HackerOne report H1:802896

Internet Bug Bounty: CVE-2017-13019: The PGM parser in tcpdump before 4.9.2 has a buffer over-read in print-pgm.c:pgm_print()

2020-02-23 16:49:27, reported by bags, hackerone.com

CVSS3: 9.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS: 0.009 Low (percentile 79.9%)

Hello,

The vulnerable code portion is linked below. The linked function is responsible for printing PGM packet payload information to the terminal (e.g., stdout).

https://github.com/the-tcpdump-group/tcpdump/commit/4601c685e7fd19c3724d5e499c69b8d3ec49933e

The issue may be reproduced as follows:

Check out the vulnerable tcpdump commit (< 4.9.2) as follows:

$ git clone https://github.com/the-tcpdump-group/tcpdump
$ cd tcpdump
$ git checkout 26a6799b9ca80508c05cac7a9a3bef922991520b

Build it with AFL and AddressSanitizer as follows (please install libpcap before this step):

$ CC=afl-gcc ./configure
$ AFL_USE_ASAN=1 make -j

Run tcpdump against the linked payload (link: https://github.com/the-tcpdump-group/tcpdump/blob/4601c685e7fd19c3724d5e499c69b8d3ec49933e/tests/pgm_opts_asan_2.pcap?raw=true):

$ tcpdump -nvr <payload>
reading from file /tmp/pgm_opts_asan_2.pcap, link-type EN10MB (Ethernet)
=================================================================
==3947==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000007d at pc 0x5560b85896f6 bp 0x7ffe420b1ca0 sp 0x7ffe420b1c90
READ of size 4 at 0x60800000007d thread T0
    #0 0x5560b85896f5 in EXTRACT_32BITS extract.h:190
    #1 0x5560b85896f5 in pgm_print print-pgm.c:697
    #2 0x5560b849f20c in ip_print_demux print-ip.c:483
    #3 0x5560b849f20c in ip_print print-ip.c:658
    #4 0x5560b84506df in ethertype_print print-ether.c:334
    #5 0x5560b84531d1 in ether_print print-ether.c:237
    #6 0x5560b84531d1 in ether_if_print print-ether.c:262
    #7 0x5560b83b76be in pretty_print_packet print.c:332
    #8 0x5560b839062d in print_packet tcpdump.c:2590
    #9 0x5560b8663ee8 in pcap_offline_read savefile.c:561
    #10 0x5560b8652e5e in pcap_loop pcap.c:2737
    #11 0x5560b8383fed in main tcpdump.c:2093
    #12 0x7f7aaf546b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #13 0x5560b838c009 in _start (/home/bhargava/work/github/tcpdump/tcpdump+0x17c009)

0x60800000007f is located 0 bytes to the right of 95-byte region [0x608000000020,0x60800000007f)
allocated by thread T0 here:
    #0 0x7f7aafc0ab50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x5560b8664c7a in pcap_check_header sf-pcap.c:404

SUMMARY: AddressSanitizer: heap-buffer-overflow extract.h:190 in EXTRACT_32BITS
Shadow bytes around the buggy address:
  0x0c107fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00[07]
  0x0c107fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3947==ABORTING

It is acknowledged here (link: https://github.com/the-tcpdump-group/tcpdump/commit/4601c685e7fd19c3724d5e499c69b8d3ec49933e) that I (Bhargava Shastry) am the original reporter of the issue.

To prove that this HackerOne account belongs to me, I have hosted a file with the following message on my GitHub page (link: https://bshastry.github.io/.well-known/hackerone.txt):

hello @turtle_shell @hackerone

If you have any further queries, please let me know.

Tracked as CVE-2017-13019: https://nvd.nist.gov/vuln/detail/CVE-2017-13019

Impact

I believe that information disclosure is possible.
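The trace above shows the classic dissector failure mode: a fixed-width read (EXTRACT_32BITS, 4 bytes) issued at the very end of a 95-byte capture buffer, with no check that those 4 bytes are still inside the buffer. The following is an added example, not code from the report or from tcpdump, showing the bounds-check pattern a capture parser needs before every such read, applied to a simple constructed type-length-value option list. The function names, the option layout and the sample byte strings are all hypothetical stand-ins; the checked helper plays the role that a snapend check plays in front of a raw extraction macro.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed illustration of the bounds-check pattern; not tcpdump's code.
 * extract_32bits_unchecked stands in for a raw EXTRACT_32BITS-style read,
 * extract_32bits_checked for the same read guarded against the buffer end. */

/* Raw big-endian 32-bit read: touches p[0..3] regardless of where the
 * buffer ends. This is the pattern that produced the ASan report above. */
static uint32_t extract_32bits_unchecked(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Guarded variant: reads only if all 4 bytes lie inside [p, end).
 * Returns 0 on success, -1 if the field would run past the buffer. */
static int extract_32bits_checked(const uint8_t *p, const uint8_t *end,
                                  uint32_t *out)
{
    if (p > end || (size_t)(end - p) < 4)
        return -1;                      /* truncated: refuse to read */
    *out = extract_32bits_unchecked(p);
    return 0;
}

/* Walk a hypothetical option list: 1-byte type, 1-byte total length
 * (header included), then payload. Option type 0x01 carries a 32-bit value.
 * Returns the number of options parsed, or -1 when the buffer ends before a
 * header, a declared option length, or the 32-bit value is complete. */
static int walk_options(const uint8_t *buf, size_t len, uint32_t *last_value)
{
    const uint8_t *p = buf;
    const uint8_t *end = buf + len;
    int count = 0;

    while (p < end) {
        uint8_t type, optlen;

        if ((size_t)(end - p) < 2)
            return -1;                  /* option header itself is cut off */
        type = p[0];
        optlen = p[1];
        if (optlen < 2 || optlen > end - p)
            return -1;                  /* declared length exceeds capture */
        if (type == 0x01) {
            /* value must fit inside this option, not just inside the buffer */
            if (extract_32bits_checked(p + 2, p + optlen, last_value) < 0)
                return -1;
        }
        p += optlen;
        count++;
    }
    return count;
}

/* Constructed sample inputs (not captures from the report). */
static const uint8_t good_opts[] = {
    0x01, 0x06, 0xde, 0xad, 0xbe, 0xef, /* type 1, len 6, value 0xdeadbeef */
    0x02, 0x02                          /* type 2, len 2, no payload        */
};
/* Option length is self-consistent but too short to hold a 4-byte value. */
static const uint8_t short_value_opt[] = { 0x01, 0x04, 0xde, 0xad };
/* Option claims 6 bytes but the capture stops after 4 of them. */
static const uint8_t cut_capture[] = { 0x01, 0x06, 0xde, 0xad };

int main(void)
{
    uint32_t v = 0;
    int n;

    n = walk_options(good_opts, sizeof good_opts, &v);
    printf("good_opts: %d options, last value 0x%08x\n", n, v);
    n = walk_options(short_value_opt, sizeof short_value_opt, &v);
    printf("short_value_opt: %d (negative = over-read refused)\n", n);
    n = walk_options(cut_capture, sizeof cut_capture, &v);
    printf("cut_capture: %d (negative = over-read refused)\n", n);
    return 0;
}
```

The two checks are deliberately separate: the length byte is validated against the remaining capture, and the fixed-width field is validated against the option it belongs to. A parser that only performs the first check still over-reads on the `short_value_opt` case, which is the shape of bug that a fuzzer with ASan finds quickly.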
