Stack-based Buffer Overflow in rup0rt/pcapfix

Valid

Reported on

Jun 23rd 2021


Description

A stack over flow was found in pcapfix in function fix_pcap_packets() in pcap.c at line 550

The root cause seem at line 458 , there is an int overflow if filesize-pos-sizeof(packet_hdr) is negative.

Test version : 1.1.6 [2fe168e] Test env: gcc 9.3.0 ubuntu 20.04 x86-64

Proof of Concept

CFLAGS="-fsanitize=address" make ./pcapfix -s poc poc is attatched in reference link

==2243596==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee62c5d60 at pc 0x0000002cf447 bp 0x7ffee6285b10 sp 0x7ffee62852d8
READ of size 4294967295 at 0x7ffee62c5d60 thread T0
#0 0x2cf446 in __asan_memcpy (/home/chiba/pcapfix/pcapfix+0x2cf446)
#1 0x3094dd in fix_pcap_packets /home/chiba/pcapfix/pcap.c:550:7
#2 0x3063b1 in fix_pcap /home/chiba/pcapfix/pcap.c:348:10
#3 0x303bbe in main /home/chiba/pcapfix/pcapfix.c
#4 0x7f53653800b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#5 0x255f7d in _start (/home/chiba/pcapfix/pcapfix+0x255f7d)

Address 0x7ffee62c5d60 is located in stack of thread T0 at offset 262368 in frame
#0 0x306def in fix_pcap_packets /home/chiba/pcapfix/pcap.c:371

This frame has 5 object(s):
[32, 56) 'global_hdr.byval'
[96, 112) 'packet_hdr' (line 372)
[128, 144) 'next_packet_hdr' (line 373)
[160, 192) 'hdrbuffer' (line 374)
[224, 262368) 'buffer' (line 376) <== Memory access at offset 262368 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/chiba/pcapfix/pcapfix+0x2cf446) in __asan_memcpy
Shadow bytes around the buggy address:
0x10005cc50b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005cc50b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005cc50b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005cc50b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005cc50b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10005cc50ba0: 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3
0x10005cc50bb0: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
0x10005cc50bc0: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
0x10005cc50bd0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x10005cc50be0: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x10005cc50bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2243596==ABORTING

Impact

This vulnerability is capable of crashing the software, causing memory corruption, and any other unintended consequences of reading past the end of the buffer.

Occurrences

References

We have contacted a member of the rup0rt/pcapfix team and are waiting to hear back a year ago
chiba modified the report
a year ago
chiba modified the report
a year ago
chiba modified the report
a year ago
Robert Krause
a year ago

Maintainer


Thanks for the report. I start handling this crash after the proper CVS score has been set.

chiba
a year ago

Researcher


Hello, is this : AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
or this: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H or other one that you think is suitable

Robert Krause validated this vulnerability a year ago
chiba has been awarded the disclosure bounty
The fix bounty is now up for grabs
Robert Krause confirmed that a fix has been merged on 3364cb a year ago
Robert Krause has been awarded the fix bounty
to join this conversation