Heap-based Buffer Overflow in rup0rt/pcapfix

Valid

Reported on

Jun 23rd 2021


Description

A heap overflow was found in pcapfix in the function fix_pcapng() in pcapng.c at line 1571.

Test version: 1.1.6 [2fe168e]. Test environment: gcc 9.3.0, Ubuntu 20.04, x86-64.

Proof of Concept

CFLAGS="-fsanitize=address" make
./pcapfix poc

The poc file is attached in the reference link.


==618350==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f4e5f9ff800 at pc 0x0000002cf4fa bp 0x7ffe4c8ac310 sp 0x7ffe4c8abad8
WRITE of size 1045852 at 0x7f4e5f9ff800 thread T0
#0 0x2cf4f9 in __asan_memcpy (/home/chiba/pcapfix/pcapfix+0x2cf4f9)
#1 0x31be47 in fix_pcapng /home/chiba/pcapfix/pcapng.c:1571:7
#2 0x303b1c in main /home/chiba/pcapfix/pcapfix.c
#3 0x7f4e627580b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#4 0x255f7d in _start (/home/chiba/pcapfix/pcapfix+0x255f7d)

0x7f4e5f9ff800 is located 0 bytes to the right of 1024000-byte region [0x7f4e5f905800,0x7f4e5f9ff800)
allocated by thread T0 here:
#0 0x2cffed in malloc (/home/chiba/pcapfix/pcapfix+0x2cffed)
#1 0x31182c in fix_pcapng /home/chiba/pcapfix/pcapng.c:138:17
#2 0x303b1c in main /home/chiba/pcapfix/pcapfix.c
#3 0x7f4e627580b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/chiba/pcapfix/pcapfix+0x2cf4f9) in __asan_memcpy
Shadow bytes around the buggy address:
0x0fea4bf37eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fea4bf37ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fea4bf37ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fea4bf37ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fea4bf37ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fea4bf37f00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fea4bf37f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fea4bf37f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fea4bf37f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fea4bf37f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fea4bf37f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==618350==ABORTING

Impact

This vulnerability is capable of crashing the software, causing memory corruption, and any other unintended consequences of reading past the end of the buffer.
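The ASan report above shows the shape of this bug class: a memcpy of 1045852 bytes into a 1024000-byte heap region allocated earlier in fix_pcapng(), i.e. a length derived from the input file is trusted as the copy size. The following is an added example, not pcapfix code: it models that pattern with a constructed length-prefixed block format (not the real pcapng layout) and a bounded copy that rejects the write before it happens. The buffer capacity (1024000) and the oversized length (1045852) are the values from the report; the header layout, function names and the PACKET_BUFFER_CAPACITY constant are assumptions for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed: matches the 1024000-byte heap region in the ASan report. */
#define PACKET_BUFFER_CAPACITY 1024000u

/* Decode a little-endian 32-bit length field (constructed toy header). */
static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bounded copy of one length-prefixed block into a fixed heap buffer.
 * Returns 0 and sets *out_len on success; returns -1 when the declared
 * length would overflow the destination or run past the input. An
 * unchecked memcpy(dst, src + 4, declared) is the bug class ASan flagged. */
int copy_block_checked(unsigned char *dst, size_t dst_cap,
                       const unsigned char *src, size_t src_len,
                       size_t *out_len) {
    if (src_len < 4) return -1;                 /* truncated header */
    uint32_t declared = read_le32(src);
    if (declared > dst_cap) return -1;          /* would write past dst */
    if (declared > src_len - 4) return -1;      /* would read past src */
    memcpy(dst, src + 4, declared);
    *out_len = declared;
    return 0;
}

/* Build a constructed input: 4-byte length field followed by `body` bytes. */
static unsigned char *make_input(uint32_t declared, size_t body, size_t *total) {
    unsigned char *buf = malloc(4 + body);
    if (buf == NULL) return NULL;
    buf[0] = (unsigned char)(declared & 0xff);
    buf[1] = (unsigned char)((declared >> 8) & 0xff);
    buf[2] = (unsigned char)((declared >> 16) & 0xff);
    buf[3] = (unsigned char)((declared >> 24) & 0xff);
    memset(buf + 4, 'A', body);
    *total = 4 + body;
    return buf;
}

/* Feed a block that declares `declared` bytes (with `body` bytes present)
 * through the checked copy; returns the copy's status (-2 on alloc failure). */
int check_declared_length(uint32_t declared, size_t body) {
    size_t total = 0, copied = 0;
    unsigned char *in = make_input(declared, body, &total);
    unsigned char *heap = malloc(PACKET_BUFFER_CAPACITY);
    int rc = -2;
    if (in != NULL && heap != NULL)
        rc = copy_block_checked(heap, PACKET_BUFFER_CAPACITY, in, total, &copied);
    free(in);
    free(heap);
    return rc;
}

int main(void) {
    printf("1000-byte block:    %s\n",
           check_declared_length(1000, 1000) == 0 ? "copied" : "rejected");
    printf("1024000-byte block: %s\n",
           check_declared_length(1024000, 1024000) == 0 ? "copied" : "rejected");
    printf("1045852-byte block: %s\n",
           check_declared_length(1045852, 1045852) == 0 ? "copied" : "rejected");
    return 0;
}
```

The two checks are deliberately separate: the first guards the destination (the heap-buffer-overflow ASan reported here), the second guards the source, since a declared length larger than the remaining file would otherwise turn into an over-read of the input buffer. Building with -fsanitize=address, as the proof of concept does, is what makes the missing check visible at the memcpy rather than as a later, unrelated crash.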

References

We have contacted a member of the rup0rt/pcapfix team and are waiting to hear back 5 months ago
5 months ago

Researcher


The CVSS was wrong, accurate score: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

chiba of topsec alphalab modified their report
5 months ago
Robert Krause
5 months ago

Maintainer


Thanks for the report. I will start handling this crash after the proper CVSS score has been set.

5 months ago

Researcher


Hello, which CVSS vector is the proper one? Now the setting is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.

5 months ago

Researcher


Sorry, commented in the wrong place. Is this CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H suitable, according to the previous one?

5 months ago

Researcher


Seems Privileges Required is None. Is this one suitable: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Robert Krause
5 months ago

Maintainer


I agree on your proposed one: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H. 7.8 is too high, but your second one of 6.7 is reasonable. (Priv required is "low" since you need some basic capabilities, otherwise there is no impact.) Admin needs to change the value on all of your 4 reports of pcapfix.

5 months ago

Researcher


OK, I will ask Jamie to update the CVSS.

5 months ago

Researcher


Hello, all the 4 reports were updated with the help of Jamie.

Robert Krause validated this vulnerability 5 months ago
chiba of topsec alphalab has been awarded the disclosure bounty
The fix bounty is now up for grabs
Robert Krause confirmed that a fix has been merged on 09053e 5 months ago
Robert Krause has been awarded the fix bounty