Stack-based Buffer Overflow in rup0rt/pcapfix
Reported on
Jun 23rd 2021
Description
A stack-based buffer overflow was found in pcapfix in the function fix_pcap_packets() in pcap.c at line 550 (the memcpy in the trace below).
The root cause appears to be at line 458, where the remaining length is computed as filesize-pos-sizeof(packet_hdr). Because sizeof() yields an unsigned size_t, the subtraction is evaluated in unsigned arithmetic, so when the result would be negative (pos + sizeof(packet_hdr) > filesize) it wraps around to a huge value instead of being rejected.
The READ of size 4294967295 (0xFFFFFFFF, i.e. -1 reinterpreted as an unsigned 32-bit value) in the sanitizer output is that wrapped length.
Test version: 1.1.6 [2fe168e]. Test environment: gcc 9.3.0, Ubuntu 20.04, x86-64.
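As an added example that is not pcapfix's own code: the C program below models the arithmetic described above and shows the check that prevents it. The variable types (a signed file size, an unsigned read position, a 32-bit length variable) and the 16-byte pcap per-packet header size are assumptions chosen to reproduce the 4294967295-byte read seen in the sanitizer output; the 256 KiB buffer size is taken from the ASan frame description (object 'buffer' at [224, 262368)). The hardened version validates before subtracting and refuses to copy when the header does not fit in the remaining file.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not pcapfix code. Types are assumptions: a signed file size,
 * an unsigned read position and a 32-bit length variable, chosen to reproduce
 * the 4294967295-byte read in the sanitizer output. */

#define PKT_HDR_SIZE 16u   /* assumed size of the per-packet pcap header */
#define BUFFER_SIZE 262144 /* size of 'buffer' in the ASan frame: [224, 262368) */

/* Naive length computation of the shape the report describes. sizeof()
 * yields size_t, so the whole subtraction is done unsigned: when
 * pos + PKT_HDR_SIZE exceeds filesize the result wraps instead of going
 * negative, and truncating it to 32 bits gives 0xFFFFFFFF = 4294967295. */
static unsigned int remaining_naive(long filesize, unsigned long pos) {
    return (unsigned int)(filesize - pos - (size_t)PKT_HDR_SIZE);
}

/* Hardened version: validate before subtracting and never return more than
 * the destination buffer can hold. Returns -1 when the packet header does
 * not fit in the remaining file, i.e. the file is truncated or corrupt. */
static long remaining_checked(uint64_t filesize, uint64_t pos) {
    if (pos > filesize || filesize - pos < PKT_HDR_SIZE)
        return -1;
    uint64_t rem = filesize - pos - PKT_HDR_SIZE;
    if (rem > BUFFER_SIZE)
        rem = BUFFER_SIZE;   /* cap to the destination size; caller loops for more */
    return (long)rem;
}

/* Copies the bytes after the packet header at 'pos' into a buffer of
 * BUFFER_SIZE bytes using the checked length. Returns bytes copied or -1.
 * The input file is constructed in memory so the example runs offline. */
static long demo_copy(uint64_t filesize, uint64_t pos) {
    static unsigned char file[4096];
    static unsigned char buffer[BUFFER_SIZE];
    if (filesize > sizeof file)
        return -1;
    memset(file, 0xAB, sizeof file);   /* constructed payload bytes */
    long rem = remaining_checked(filesize, pos);
    if (rem < 0)
        return -1;                       /* stop here: no memcpy with a bogus length */
    memcpy(buffer, file + pos + PKT_HDR_SIZE, (size_t)rem);
    return rem;
}

int main(void) {
    /* A 100-byte file with a packet header claimed at offset 85: only 15
     * bytes remain, one short of a header. */
    printf("naive length  : %u\n", remaining_naive(100, 85));     /* 4294967295 */
    printf("checked length: %ld\n", remaining_checked(100, 85));   /* -1 */
    printf("checked copy  : %ld bytes\n", demo_copy(100, 20));      /* 64 */
    return 0;
}
```

The point of the checked variant is that the comparison happens on the unsubtracted operands, so it can never observe a wrapped value; capping the result to the destination size is a second, independent guard so that even a correct remaining length cannot overrun the stack buffer.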
Proof of Concept
CFLAGS="-fsanitize=address" make
./pcapfix -s poc
The poc file is attached in the reference link.
==2243596==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee62c5d60 at pc 0x0000002cf447 bp 0x7ffee6285b10 sp 0x7ffee62852d8
READ of size 4294967295 at 0x7ffee62c5d60 thread T0
#0 0x2cf446 in __asan_memcpy (/home/chiba/pcapfix/pcapfix+0x2cf446)
#1 0x3094dd in fix_pcap_packets /home/chiba/pcapfix/pcap.c:550:7
#2 0x3063b1 in fix_pcap /home/chiba/pcapfix/pcap.c:348:10
#3 0x303bbe in main /home/chiba/pcapfix/pcapfix.c
#4 0x7f53653800b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#5 0x255f7d in _start (/home/chiba/pcapfix/pcapfix+0x255f7d)
Address 0x7ffee62c5d60 is located in stack of thread T0 at offset 262368 in frame
#0 0x306def in fix_pcap_packets /home/chiba/pcapfix/pcap.c:371
This frame has 5 object(s):
[32, 56) 'global_hdr.byval'
[96, 112) 'packet_hdr' (line 372)
[128, 144) 'next_packet_hdr' (line 373)
[160, 192) 'hdrbuffer' (line 374)
[224, 262368) 'buffer' (line 376) <== Memory access at offset 262368 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/chiba/pcapfix/pcapfix+0x2cf446) in __asan_memcpy
Shadow bytes around the buggy address:
0x10005cc50b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005cc50b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005cc50b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005cc50b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10005cc50b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10005cc50ba0: 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3
0x10005cc50bb0: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
0x10005cc50bc0: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
0x10005cc50bd0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x10005cc50be0: 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x10005cc50bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2243596==ABORTING
Impact
This vulnerability is capable of crashing the software: the wrapped length drives a memcpy that reads far past the end of the stack buffer, with memory corruption and any other unintended consequences of an out-of-bounds access on attacker-supplied input.
References
Thanks for the report. I'll start handling this crash after the proper CVSS score has been set.
Hello,
is it this: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
or this: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
or another one that you think is suitable?