| Title | Published | Views | Family |
|---|---|---|---|
| [ASA-201706-29] tcpreplay: arbitrary code execution | 23 Jun 2017 00:00 | – | archlinux |
| Tcpreplay 'Tcpcapinfo' Utility Buffer Overflow Vulnerability | 16 Mar 2017 00:00 | – | cnvd |
| CVE-2017-6429 | 15 Mar 2017 15:00 | – | cve |
| CVE-2017-6429 | 15 Mar 2017 15:00 | – | cvelist |
| CVE-2017-6429 | 15 Mar 2017 15:00 | – | debiancve |
| EUVD-2017-15486 | 7 Oct 2025 00:30 | – | euvd |
| [SECURITY] Fedora 25 Update: tcpreplay-4.1.2-3.fc25 | 15 Mar 2017 18:25 | – | fedora |
| [SECURITY] Fedora 24 Update: tcpreplay-4.1.2-3.fc24 | 16 Mar 2017 21:19 | – | fedora |
| [SECURITY] Fedora 26 Update: tcpreplay-4.2.1-1.fc26 | 1 Apr 2017 18:11 | – | fedora |
| [SECURITY] Fedora 25 Update: tcpreplay-4.2.1-1.fc25 | 1 Apr 2017 22:22 | – | fedora |
Document Title:
===============
CVE-2017-6429: Buffer overflow vulnerability in Tcpreplay tcpcapinfo utility
Vendor:
=======
Appneta (https://www.appneta.com/)
Product and Versions Affected:
==============================
Tcpreplay 4.1.2 and possibly prior.
Fixed Version:
==============
4.2.0 Beta 1
Product Description:
====================
Tcpreplay is a suite of GPLv3 licensed utilities for UNIX (and Win32 under Cygwin) operating systems for editing and replaying network traffic which was previously captured by tools like tcpdump and Ethereal/Wireshark.
Vulnerability Type:
===================
Buffer Overflow
CVE Reference:
==============
CVE-2017-6429
Vulnerability Details:
======================
The tcpcapinfo utility of Tcpreplay has a buffer overflow vulnerability when parsing a crafted pcap file. It occurs in src/tcpcapinfo.c when the capture contains a packet that is too large to handle.
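As an added illustration (not tcpreplay's code), the validator below shows the class of check the fix introduces: each pcap record's incl_len is compared against the file's snaplen, a hypothetical fixed reader buffer (READER_BUF_LEN) and the bytes actually present before any caplen-sized copy would happen. The sample files it builds are constructed, the version and LINKTYPE constants are illustrative, and it handles only little-endian-magic files.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PCAP_MAGIC     0xa1b2c3d4u  /* little-endian, microsecond timestamps */
#define PCAP_FH_LEN    24u          /* global header size */
#define PCAP_PH_LEN    16u          /* per-record header size */
#define READER_BUF_LEN 65535u       /* hypothetical fixed-size packet buffer */
enum pcap_status { PCAP_OK = 0, PCAP_TRUNCATED, PCAP_BAD_MAGIC,
                   PCAP_CAPLEN_GT_SNAPLEN, PCAP_CAPLEN_GT_BUFFER };
static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Walks every record in buf[0..len) and stops at the first whose incl_len (caplen)
 * exceeds the file's snaplen, the reader's buffer, or the bytes actually present. */
enum pcap_status check_pcap(const uint8_t *buf, size_t len) {
    if (len < PCAP_FH_LEN) return PCAP_TRUNCATED;
    if (le32(buf) != PCAP_MAGIC) return PCAP_BAD_MAGIC;  /* byte-swapped files not handled here */
    uint32_t snaplen = le32(buf + 16);                   /* global header: snaplen at offset 16 */
    size_t off = PCAP_FH_LEN;
    while (off + PCAP_PH_LEN <= len) {
        uint32_t caplen = le32(buf + off + 8);           /* record header: incl_len at offset 8 */
        if (caplen > snaplen) return PCAP_CAPLEN_GT_SNAPLEN;
        if (caplen > READER_BUF_LEN) return PCAP_CAPLEN_GT_BUFFER;
        if (caplen > len - off - PCAP_PH_LEN) return PCAP_TRUNCATED;
        off += PCAP_PH_LEN + caplen;                     /* a memcpy of caplen bytes is safe here */
    }
    return PCAP_OK;
}

/* Constructed sample (not a real capture): global header plus one record that
 * claims incl_len = caplen but is followed by only payload_len bytes. */
size_t build_sample(uint8_t *out, size_t cap, uint32_t snaplen, uint32_t caplen, uint32_t payload_len) {
    size_t n = PCAP_FH_LEN + PCAP_PH_LEN + payload_len;
    if (n > cap) return 0;
    memset(out, 0, n);
    put32(out, PCAP_MAGIC); out[4] = 2; out[6] = 4;   /* magic, version 2.4 */
    put32(out + 16, snaplen); put32(out + 20, 1);     /* snaplen, LINKTYPE_ETHERNET */
    put32(out + PCAP_FH_LEN + 8, caplen);             /* incl_len: the value the reader trusts */
    put32(out + PCAP_FH_LEN + 12, caplen);            /* orig_len */
    memset(out + PCAP_FH_LEN + PCAP_PH_LEN, 0xAA, payload_len);
    return n;
}

/* Builds one sample with the given lengths and returns the validator's verdict. */
enum pcap_status verdict(uint32_t snaplen, uint32_t caplen, uint32_t payload_len) {
    uint8_t f[64];
    size_t n = build_sample(f, sizeof f, snaplen, caplen, payload_len);
    return check_pcap(f, n);
}
```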
GDB Dump:
=========
---------Backtrace:-----------
/lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x7ffff7a8838f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7ffff7b1fc9c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109b60)[0x7ffff7b1eb60]
/lib/x86_64-linux-gnu/libc.so.6(+0x109fed)[0x7ffff7b1efed]
/home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo[0x40228c]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7ffff7a36ec5]
/home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo[0x4028dc]
Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x70 ('p')
RCX: 0xffffffffffffffff
RDX: 0x6
RSI: 0xcc0b
RDI: 0xcc0b
RBP: 0x7fffffffb500 --> 0x7ffff7b944c2 ("buffer overflow detected")
RSP: 0x7fffffffb1e8 --> 0x7ffff7a4f0d8 (<__GI_abort+328>: mov rdx,QWORD PTR fs:0x10)
RIP: 0x7ffff7a4bcc9 (<__GI_raise+57>: cmp rax,0xfffffffffffff000)
R8 : 0x7ffff7b8bdc0 ("0123456789abcdefghijklmnopqrstuvwxyz")
R9 : 0x61bd80 --> 0x7ffff7dd41c0 --> 0xfbad2086
R10: 0x8
R11: 0x246
R12: 0x7fffffffb370 --> 0x1
R13: 0x5
R14: 0x70 ('p')
R15: 0x5
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
Stopped reason: SIGABRT
0x00007ffff7a4bcc9 in __GI_raise (sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
Patch:
======
src/tcpcapinfo.c
@@ -281,6 +281,15 @@ main(int argc, char *argv[])
caplen = pcap_ph.caplen;
}
+ if (caplentoobig) {
+ printf("\n\nCapture file appears to be damaged or corrupt.\n"
+ "Contains packet of size %u, bigger than snap length %u\n",
+ caplen, pcap_fh.snaplen);
+
+ close(fd);
+ break;
+ }
+
/* check to make sure timestamps don't go backwards */
if (last_sec > 0 && last_usec > 0) {
if ((pcap_ph.ts.tv_sec == last_sec) ?
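Review bot: `caplentoobig` is consumed here but nothing in the visible lines sets it, so the comparison of `caplen` against `pcap_fh.snaplen` that the message reports must already have happened before this `if`, otherwise the check is dead code and the oversized read it guards against is still reachable. Since `pcap_fh.snaplen` is itself read from the untrusted file header, the reader's real buffer size is the bound that matters; consider also rejecting any `caplen` larger than that buffer regardless of snaplen. The `%u` conversions match the unsigned 32-bit fields, so the message itself is fine.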
@@ -306,7 +315,7 @@ main(int argc, char *argv[])
}
close(fd);
- continue;
+ break;
}
/* print the frame checksum */
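Review bot: replacing `continue` with `break` changes an existing error path, not only the new one; with `fd` already closed two lines earlier, `continue` would re-enter the loop and operate on a closed descriptor, so `break` is the safer exit. Confirm that this loop and the one the first hunk breaks out of are the same per-packet loop, so that both paths abandon the current file and the remaining input files are still processed.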
References:
===========
https://github.com/appneta/tcpreplay/issues/278
https://github.com/appneta/tcpreplay/releases/tag/v4.2.0-beta1
Vulnerability Disclosure Timeline:
==================================
2017-02-08: Bug Report Submission & Coordination
2017-03-05: Public Disclosure
Credit:
=======
AromalUllas
# 0day.today [2018-01-03] #