0day.today - Biggest Exploit Database in the World.
Tcpreplay 4.1.2 tcpcapinfo Buffer Overflow Vulnerability
Risk: Security Risk High
Document Title:
===============
CVE-2017-6429: Buffer overflow vulnerability in Tcpreplay tcpcapinfo utility

Vendor:
=======
Appneta (https://www.appneta.com/)

Product and Versions Affected:
==============================
Tcpreplay 4.1.2 and possibly prior.

Fixed Version:
==============
4.2.0 Beta 1

Product Description:
====================
Tcpreplay is a suite of GPLv3 licensed utilities for UNIX (and Win32 under Cygwin) operating systems for editing and replaying network traffic which was previously captured by tools like tcpdump and Ethereal/Wireshark.

Vulnerability Type:
===================
Buffer Overflow

CVE Reference:
==============
CVE-2017-6429

Vulnerability Details:
======================
The tcpcapinfo utility of Tcpreplay has a buffer overflow vulnerability associated with parsing a crafted pcap file. This occurs in the src/tcpcapinfo.c file when the capture has a packet that is too large to handle.

GDB Dump:
=========
---------Backtrace:-----------
/lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x7ffff7a8838f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7ffff7b1fc9c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109b60)[0x7ffff7b1eb60]
/lib/x86_64-linux-gnu/libc.so.6(+0x109fed)[0x7ffff7b1efed]
/home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo[0x40228c]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7ffff7a36ec5]
/home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo[0x4028dc]

1 1260 134217964 575b56ff.0
Program received signal SIGABRT, Aborted.
Stopped reason: SIGABRT
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56

Patch:
======
src/tcpcapinfo.c
@@ -281,6 +281,15 @@ main(int argc, char *argv[]) caplen = pcap_ph.caplen; } + if (caplentoobig) { + printf("\n\nCapture file appears to be damaged or corrupt.\n" + "Contains packet of size %u, bigger than snap length %u\n", + caplen, pcap_fh.snaplen); + + close(fd); + break; + } + /* check to make sure timestamps don't go backwards */ if (last_sec > 0 && last_usec > 0) { if ((pcap_ph.ts.tv_sec == last_sec) ? @@ -306,7 +315,7 @@ main(int argc, char *argv[]) } close(fd); - continue; + break; } /* print the frame checksum */

References:
===========
https://github.com/appneta/tcpreplay/issues/278
https://github.com/appneta/tcpreplay/releases/tag/v4.2.0-beta1

Vulnerability Disclosure Timeline:
==================================
2017-02-08: Bug Report Submission & Coordination
2017-03-05: Public Disclosure

Credit:
=======
AromalUllas

# 0day.today [2024-12-25] #
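
Review bot: The new `if (caplentoobig)` block in the first hunk tests a flag whose assignment is not shown, and its message compares caplen with pcap_fh.snaplen, a value read from the same untrusted file. If the flag is derived only from snaplen, a header that declares a large snap length still lets an oversized caplen reach the read, so the bound should also be the size of the destination buffer. The diagnostic would be better on stderr with a non-zero exit status, so scripted callers can tell a rejected capture from a clean one.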
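
Review bot: In the second hunk, `close(fd);` is now followed by `break` instead of `continue`, so control leaves the loop holding a closed descriptor. Confirm that nothing after the loop reads from or closes fd again (assigning fd = -1 after the close would make that easy to check), and state in the commit message why `continue` was wrong here, since the hunk itself gives no reason.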
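
The condition described under Vulnerability Details, a record whose captured length is larger than the reader can hold, can be checked before any payload is read. The following is an added example, not Tcpreplay's code: the function names, the result codes and the 65535-byte buffer size are assumptions, and it handles only little-endian classic pcap images held in memory.

```c
#include <stdint.h>
#include <stdio.h>

enum { PCAP_OK = -1, PCAP_BAD_HEADER = -2, PCAP_TRUNCATED = -3 };

static uint32_t rd32(const uint8_t *p) {      /* little-endian 32-bit field */
    return p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Walk a little-endian classic pcap image. Returns the index of the first
 * record whose caplen exceeds min(snaplen, bufsize), PCAP_OK if every record
 * fits, or a negative error. bufsize is the reader's packet buffer size. */
int pcap_first_oversized(const uint8_t *d, size_t len, size_t bufsize) {
    if (len < 24 || rd32(d) != 0xa1b2c3d4u) return PCAP_BAD_HEADER;
    size_t limit = rd32(d + 16);              /* snaplen from the file header */
    if (limit > bufsize) limit = bufsize;     /* the file's value is untrusted */
    size_t off = 24;
    for (int idx = 0; off < len; idx++) {
        if (len - off < 16) return PCAP_TRUNCATED;
        uint32_t caplen = rd32(d + off + 8);  /* bytes the record claims */
        if (caplen > limit) return idx;       /* reject before reading payload */
        off += 16;
        if (len - off < caplen) return PCAP_TRUNCATED;
        off += caplen;
    }
    return PCAP_OK;
}

/* Constructed 64-byte sample: global header, one valid 4-byte record, then a
 * record header claiming second_caplen bytes (only 4 payload bytes follow).
 * Returns the checker's verdict for that image. */
int check_sample(uint32_t snaplen, uint32_t second_caplen, size_t bufsize) {
    uint8_t img[64] = {0};
    wr32(img, 0xa1b2c3d4u);                   /* magic */
    wr32(img + 16, snaplen);
    wr32(img + 32, 4);                        /* record 0 caplen */
    wr32(img + 52, second_caplen);            /* record 1 caplen */
    return pcap_first_oversized(img, sizeof img, bufsize);
}

int main(void) {
    printf("first oversized record: %d\n", check_sample(64, 0x100000, 65535));
    return 0;
}
```

Clamping the limit to the buffer size matters when the file header itself declares an inflated snap length: the record is still rejected even though it is within the declared snaplen.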