Stack-based Buffer Overflow in rup0rt/pcapfix

Valid
Reported on Jun 23rd 2021

Description

A stack overflow was found in pcapfix, in the function fix_pcap_packets() in pcap.c at line 550.

The root cause seems to be at line 458: there is an integer overflow if filesize-pos-sizeof(packet_hdr) is negative.
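To illustrate the arithmetic the report points at, the following is an added C example written for this page; it is not pcapfix's code. It shows the subtraction pattern filesize - pos - sizeof(packet_hdr) wrapping when the file is truncated, beside a checked version that validates the remaining length before any copy. The header size, buffer size, function names and the zero-filled sample file are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical constants mirroring the report: a 16-byte pcap packet
 * header and a 256 KiB stack buffer like the one ASan named. */
#define PACKET_HDR_LEN 16u
#define BUFFER_SIZE    262144u

/* Vulnerable pattern (constructed, not pcapfix's source): sizeof() is
 * size_t, so "filesize - pos - sizeof(hdr)" is evaluated unsigned and a
 * negative remainder wraps instead of failing; narrowed to unsigned int
 * it becomes 4294967295, which matches the read size in the ASan report. */
unsigned int remaining_unchecked(long filesize, long pos) {
    size_t hdr = PACKET_HDR_LEN; /* stands in for sizeof(packet_hdr) */
    return (unsigned int)(filesize - pos - hdr);
}

/* Hardened pattern: compare before subtracting so nothing can wrap, and
 * return -1 rather than a huge length when no full header remains. */
long remaining_checked(long filesize, long pos) {
    if (filesize < 0 || pos < 0 || pos > filesize) return -1;
    if ((size_t)(filesize - pos) < PACKET_HDR_LEN) return -1;
    return filesize - pos - (long)PACKET_HDR_LEN;
}

/* Copy a packet body into the fixed buffer only if the header's claimed
 * caplen fits both the remaining file and the buffer; 0 means rejected. */
size_t copy_packet(unsigned char *dst, const unsigned char *file,
                   long filesize, long pos, unsigned int caplen) {
    long remaining = remaining_checked(filesize, pos);
    if (remaining < 0 || caplen > (unsigned long)remaining ||
        caplen > BUFFER_SIZE) return 0;
    memcpy(dst, file + pos + PACKET_HDR_LEN, caplen);
    return caplen;
}

/* Driver: a zero-filled file of filesize bytes (constructed input) and a
 * destination the size of the stack buffer. */
size_t copy_demo(long filesize, long pos, unsigned int caplen) {
    static unsigned char file[4096], buffer[BUFFER_SIZE];
    if (filesize < 0 || (size_t)filesize > sizeof file) return 0;
    return copy_packet(buffer, file, filesize, pos, caplen);
}

int main(void) {
    /* 39-byte file: 24-byte global header plus a truncated packet header. */
    printf("unchecked length: %u\n", remaining_unchecked(39, 24));
    printf("checked copy: %zu bytes\n", copy_demo(39, 24, 64));
    return 0;
}
```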

Test version: 1.1.6 [2fe168e]
Test env: gcc 9.3.0, Ubuntu 20.04, x86-64

Proof of Concept

CFLAGS="-fsanitize=address" make
./pcapfix -s poc
The poc file is attached in the reference link.

==2243596==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee62c5d60 at pc 0x0000002cf447 bp 0x7ffee6285b10 sp 0x7ffee62852d8
READ of size 4294967295 at 0x7ffee62c5d60 thread T0
#0 0x2cf446 in __asan_memcpy (/home/chiba/pcapfix/pcapfix+0x2cf446)
#1 0x3094dd in fix_pcap_packets /home/chiba/pcapfix/pcap.c:550:7
#2 0x3063b1 in fix_pcap /home/chiba/pcapfix/pcap.c:348:10
#3 0x303bbe in main /home/chiba/pcapfix/pcapfix.c
#4 0x7f53653800b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#5 0x255f7d in _start (/home/chiba/pcapfix/pcapfix+0x255f7d)

Address 0x7ffee62c5d60 is located in stack of thread T0 at offset 262368 in frame
#0 0x306def in fix_pcap_packets /home/chiba/pcapfix/pcap.c:371

This frame has 5 object(s):
[32, 56) 'global_hdr.byval'
[96, 112) 'packet_hdr' (line 372)
[128, 144) 'next_packet_hdr' (line 373)
[160, 192) 'hdrbuffer' (line 374)
[224, 262368) 'buffer' (line 376) <== Memory access at offset 262368 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/chiba/pcapfix/pcapfix+0x2cf446) in __asan_memcpy
==2243596==ABORTING

Impact

This vulnerability is capable of crashing the software, causing memory corruption, and any other unintended consequences of reading past the end of the buffer.

We have contacted a member of the rup0rt/pcapfix team and are waiting to hear back (a month ago)
chiba of topsec alphalab modified their report (a month ago)

Robert Krause (Maintainer), a month ago:

Thanks for the report. I will start handling this crash after the proper CVSS score has been set.

chiba of topsec alphalab (Researcher), a month ago:

Hello, is it this: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
or this: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, or another one that you think is suitable?

Robert Krause validated this vulnerability (23 days ago)
chiba of topsec alphalab has been awarded the disclosure bounty: $25
The fix bounty is now up for grabs: $6.25
Robert Krause confirmed that a fix has been merged on 3364cb (23 days ago)
Robert Krause has been awarded the fix bounty: $6.25