Heap-based Buffer Overflow in rup0rt/pcapfix
Valid
Reported on Jun 23rd 2021
Description
A heap-based buffer overflow was found in pcapfix in the function fix_pcapng() in pcapng.c at line 216. The AddressSanitizer trace below shows an 8-byte write landing one byte past the end of a 6-byte heap region allocated at pcapng.c line 213.
Tested version: 1.1.6 [2fe168e]. Test environment: gcc 9.3.0, Ubuntu 20.04, x86-64.
Proof of Concept
CFLAGS="-fsanitize=address" make
./pcapfix poc
The poc file is attached in the reference link.
==603793==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000017 at pc 0x000000322134 bp 0x7fff77333d70 sp 0x7fff77333d68
WRITE of size 8 at 0x602000000017 thread T0
#0 0x322133 in fix_pcapng /home/chiba/pcapfix/pcapng.c:216:5
#1 0x303b1c in main /home/chiba/pcapfix/pcapfix.c
#2 0x7f5fe13380b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#3 0x255f7d in _start (/home/chiba/pcapfix/pcapfix-afl+0x255f7d)
0x602000000017 is located 1 bytes to the right of 6-byte region [0x602000000010,0x602000000016)
allocated by thread T0 here:
#0 0x2cffed in malloc (/home/chiba/pcapfix/pcapfix-afl+0x2cffed)
#1 0x311fa0 in fix_pcapng /home/chiba/pcapfix/pcapng.c:213:17
#2 0x303b1c in main /home/chiba/pcapfix/pcapfix.c
#3 0x7f5fe13380b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/chiba/pcapfix/pcapng.c:216:5 in fix_pcapng
Shadow bytes around the buggy address:
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa[06]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==603793==ABORTING
Impact
This vulnerability is capable of crashing the software and corrupting heap memory. The AddressSanitizer trace reports a WRITE of size 8 one byte past the end of a 6-byte heap allocation, so the consequence is an out-of-bounds heap write (with whatever follows from corrupting adjacent heap data), not only a read past the end of the buffer.
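The shape of the bug the trace records, as an added illustration that is not pcapfix's code: a heap region sized from an untrusted length (6 bytes in the trace) receives a fixed 8-byte write that is not checked against that length, beside the bounds-checked form a fix needs. The struct record, its declared_len and field_off fields, and all function names are assumptions made for this example only; they do not correspond to identifiers in pcapng.c.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed record: what a (possibly damaged) file claims about its own
 * body. Both fields are untrusted. Assumed layout for this example only,
 * not a struct from pcapfix. */
struct record {
    uint32_t declared_len;  /* size the body buffer is allocated with */
    size_t   field_off;     /* where an 8-byte field is written into it */
};

/* Pure check: does an 8-byte field at 'off' fit inside 'len' bytes?
 * Written as a subtraction so that 'off + 8' can never wrap around. */
int field_fits(uint32_t len, size_t off)
{
    if (len < 8)
        return 0;
    return off <= (size_t)len - 8;
}

/* Vulnerable shape: allocate what the record declares, then perform the
 * fixed 8-byte write without consulting field_fits(). declared_len = 6 and
 * field_off = 7 give the same shape as the access ASan flags above: an
 * 8-byte WRITE one byte to the right of a 6-byte region. Only run that
 * input under AddressSanitizer. */
unsigned char *patch_field_unchecked(const struct record *r, uint64_t value)
{
    unsigned char *buf = malloc(r->declared_len);
    if (buf == NULL)
        return NULL;
    memset(buf, 0, r->declared_len);
    memcpy(buf + r->field_off, &value, sizeof value);   /* heap-buffer-overflow */
    return buf;
}

/* Hardened shape: refuse the record rather than repair into it. */
unsigned char *patch_field_checked(const struct record *r, uint64_t value)
{
    if (!field_fits(r->declared_len, r->field_off))
        return NULL;                                    /* malformed input */
    unsigned char *buf = malloc(r->declared_len);
    if (buf == NULL)
        return NULL;
    memset(buf, 0, r->declared_len);
    memcpy(buf + r->field_off, &value, sizeof value);   /* now in bounds */
    return buf;
}

/* Round trip through the hardened path: 1 if the record is accepted and the
 * field reads back intact, 0 if the record is rejected. */
int checked_roundtrip(uint32_t declared_len, size_t field_off)
{
    struct record r = { declared_len, field_off };
    const uint64_t magic = 0x0A0D0D0A0A0D0D0AULL;      /* constructed test value */
    unsigned char *buf = patch_field_checked(&r, magic);
    if (buf == NULL)
        return 0;
    uint64_t back;
    memcpy(&back, buf + field_off, sizeof back);
    free(buf);
    return back == magic;
}

int main(void)
{
    /* The record shape from the trace: 6 declared bytes, field at offset 7. */
    printf("6-byte region, 8-byte field at offset 7: %s\n",
           checked_roundtrip(6, 7) ? "accepted" : "rejected");
    printf("16-byte region, 8-byte field at offset 8: %s\n",
           checked_roundtrip(16, 8) ? "accepted" : "rejected");
    return 0;
}
```

The check lives in its own function so it can be tested without allocating, and it subtracts rather than adds so an attacker-chosen offset near SIZE_MAX cannot wrap the comparison. A repair tool should treat a record that fails this check as unrecoverable rather than write the field anyway; the write in the unchecked path is the one ASan reports as a heap-buffer-overflow.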
References
We have contacted a member of the rup0rt/pcapfix team and are waiting to hear back
2 years ago
The CVSS was wrong, accurate score: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
chiba modified the report
2 years ago
Thanks for the report. I will start handling this crash after the proper CVSS score has been set.