Heap-based Buffer Overflow in rup0rt/pcapfix

Valid

Reported on

Jun 23rd 2021


Description

A heap overflow was found in pcapfix in function fix_pcapng() in pcapng.c at line 216.

Test version: 1.1.6 [2fe168e]

Test env: gcc 9.3.0 ubuntu 20.04 x86-64

Proof of Concept

CFLAGS="-fsanitize=address" make

./pcapfix poc

poc is attached in reference link

==603793==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000017 at pc 0x000000322134 bp 0x7fff77333d70 sp 0x7fff77333d68
WRITE of size 8 at 0x602000000017 thread T0
#0 0x322133 in fix_pcapng /home/chiba/pcapfix/pcapng.c:216:5
#1 0x303b1c in main /home/chiba/pcapfix/pcapfix.c
#2 0x7f5fe13380b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#3 0x255f7d in _start (/home/chiba/pcapfix/pcapfix-afl+0x255f7d)

0x602000000017 is located 1 bytes to the right of 6-byte region [0x602000000010,0x602000000016)
allocated by thread T0 here:
#0 0x2cffed in malloc (/home/chiba/pcapfix/pcapfix-afl+0x2cffed)
#1 0x311fa0 in fix_pcapng /home/chiba/pcapfix/pcapng.c:213:17
#2 0x303b1c in main /home/chiba/pcapfix/pcapfix.c
#3 0x7f5fe13380b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/chiba/pcapfix/pcapng.c:216:5 in fix_pcapng
Shadow bytes around the buggy address:
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa[06]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==603793==ABORTING


Impact

This vulnerability is capable of crashing the software, causing memory corruption, and any other unintended consequences of reading past the end of the buffer.

Occurrences

References

We have contacted a member of the rup0rt/pcapfix team and are waiting to hear back 5 months ago
5 months ago

Researcher


The CVSS was wrong, accurate score: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

chiba of topsec alphalab modified their report
5 months ago
Robert Krause
5 months ago

Maintainer


Thanks for the report. I will start handling this crash after the proper CVSS score has been set.

Robert Krause validated this vulnerability 5 months ago
chiba of topsec alphalab has been awarded the disclosure bounty
The fix bounty is now up for grabs
Robert Krause confirmed that a fix has been merged on c3f12c 5 months ago
Robert Krause has been awarded the fix bounty
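
The AddressSanitizer report above records an 8-byte write that begins at offset 7 of a 6-byte heap block. The C code below is an added example, not pcapfix code and not the merged fix: `checked_write` and `store_field` are hypothetical names, and it assumes the block size is taken from untrusted file data. It shows a bounds check that rejects such a write, written so the offset arithmetic cannot wrap.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from pcapfix): copy n bytes into buf at offset off,
 * refusing the copy unless [off, off + n) lies inside the cap-byte allocation.
 * The test never computes off + n, so a huge offset cannot wrap around. */
static int checked_write(uint8_t *buf, size_t cap, size_t off,
                         const void *src, size_t n)
{
    if (buf == NULL || off > cap || n > cap - off)
        return -1;
    memcpy(buf + off, src, n);
    return 0;
}

/* Allocate a block whose size comes from untrusted input (declared_len, an
 * assumption of this example) and store a 64-bit field at field_off.
 * Returns 0 on success, -1 if the write would leave the allocation. */
int store_field(size_t declared_len, size_t field_off, uint64_t value,
                uint64_t *readback)
{
    uint8_t *block = malloc(declared_len ? declared_len : 1);
    int rc;

    if (block == NULL)
        return -1;
    rc = checked_write(block, declared_len, field_off, &value, sizeof value);
    if (rc == 0 && readback != NULL)
        memcpy(readback, block + field_off, sizeof *readback);
    free(block);
    return rc;
}

int main(void)
{
    uint64_t out = 0;
    /* Sizes from the ASan report: 6-byte region, 8-byte write at offset 7. */
    int bad = store_field(6, 7, 0x1122334455667788ULL, &out);
    /* Constructed in-bounds case: 16-byte block, 8-byte write at offset 8. */
    int good = store_field(16, 8, 0x1122334455667788ULL, &out);
    return (bad == -1 && good == 0 && out == 0x1122334455667788ULL) ? 0 : 1;
}
```

Building this with `-fsanitize=address`, as in the proof of concept, produces no report because the out-of-bounds store is never attempted.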