Heap overflow in csum_replace4() – tcpreplay 4.3

Loginsoft-2018-18407
November 2, 2018

CVE Number

CVE-2018-18407

CWE

CWE-122: Heap-based Buffer Overflow

Product Details

Tcpreplay is a suite of free Open Source utilities for editing and replaying previously captured network traffic
URL: https://tcpreplay.appneta.com/

Vulnerable Versions

4.3 branch

Vulnerability Details

During our research on the gnuplot, we found A heap-based buffer over-read vulnerability. This bug can be triggered by sending a crafted pcap file to tcpreplay-edit. This allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified another impact when a victim opens a specially crafted file.

SYNOPSIS

The function csum_replace4() in tcp-edit.c checks for the checksum for level 4 headers, basically it is a header which consists of 16pcap header, 14 ethernet header ,20 IPV4 header and 12 truncated TCP header total makes up to a 62-byte buffer. when a crafted tcp packet is sent the code, access the checksum of 16th offset in tcp header and a 66 relative to the buffer start, it doesn’t check for the complete TCP header as tcp header consists of a minimum of 20-byte header. These checksum are done in function ipv4_l34_csum_replace().when the crafted packet consists of an invalid IP header, which increases the size of ip header dynamically by which a heap overflow has been triggered.This issue was triggered by improper validation of the headers in function ipv4_l34_csum_replace(). As it doesn’t check for available buffer space before any packet edits.

Analysis

 

static inline void csum_replace4(__sum16 *sum, __be32 from, __be32 to) 
{ 
                // sum=0xbfffe8f0 -> [...] -> 0xa8c0b0af 
       *sum = csum_fold(csum_add(csum_sub(~csum_unfold(*sum), from), to)); 
}

gef> p (unsigned short *)sum 
$20 = (unsigned short *) 0xb6001742 
gef> x 0xb6001742 
0xb6001742:     391171182
ASAN Output
==10880==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb6001742 at pc 0x0806a35c bp 0xbfcc3ce8 sp 0xbfcc3cd8 
READ of size 2 at 0xb6001742 thread T0 
tcpdump: invalid snaplen ome 
    #0 0x806a35b in csum_replace4 /home/loginsoft/ACE/tcpreplay/src/tcpedit/incremental_checksum.h:97 
    #1 0x806acf1 in ipv4_l34_csum_replace /home/loginsoft/ACE/tcpreplay/src/tcpedit/edit_packet.c:181 
    #2 0x806afdb in ipv4_addr_csum_replace /home/loginsoft/ACE/tcpreplay/src/tcpedit/edit_packet.c:251 
    #3 0x806b633 in randomize_ipv4 /home/loginsoft/ACE/tcpreplay/src/tcpedit/edit_packet.c:343 
    #4 0x806661b in tcpedit_packet /home/loginsoft/ACE/tcpreplay/src/tcpedit/tcpedit.c:272 
    #5 0x805158a in send_packets /home/loginsoft/ACE/tcpreplay/src/send_packets.c:554 
    #6 0x8063193 in replay_file /home/loginsoft/ACE/tcpreplay/src/replay.c:188 
    #7 0x8061fb0 in tcpr_replay_index /home/loginsoft/ACE/tcpreplay/src/replay.c:61 
    #8 0x8060e80 in tcpreplay_replay /home/loginsoft/ACE/tcpreplay/src/tcpreplay_api.c:1135 
    #9 0x80586ea in main /home/loginsoft/ACE/tcpreplay/src/tcpreplay.c:139 
    #10 0xb77c2636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636) 
    #11 0x804a985  (/usr/local/bin/tcpreplay-edit+0x804a985) 
  
0xb6001742 is located 4 bytes to the right of 62-byte region [0xb6001700,0xb600173e) 
allocated by thread T0 here: 
    #0 0xb7a5ddee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee) 
    #1 0x808c354 in _our_safe_malloc /home/loginsoft/ACE/tcpreplay/src/common/utils.c:50 
    #2 0x805515d in get_next_packet /home/loginsoft/ACE/tcpreplay/src/send_packets.c:1044 
    #3 0x80506d1 in preload_pcap_file /home/loginsoft/ACE/tcpreplay/src/send_packets.c:445 
    #4 0x8058626 in main /home/loginsoft/ACE/tcpreplay/src/tcpreplay.c:126 
    #5 0xb77c2636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636) 
  
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/loginsoft/ACE/tcpreplay/src/tcpedit/incremental_checksum.h:97 csum_replace4 
Shadow bytes around the buggy address: 
  0x36c00290: 00 00 00 04 fa fa fa fa 00 00 00 00 00 00 00 04 
  0x36c002a0: fa fa fa fa 00 00 00 00 00 00 00 04 fa fa fa fa 
  0x36c002b0: 00 00 00 00 00 00 00 04 fa fa fa fa 00 00 00 00 
  0x36c002c0: 00 00 00 04 fa fa fa fa 00 00 00 00 00 00 00 04 
  0x36c002d0: fa fa fa fa 00 00 00 00 00 00 00 06 fa fa fa fa 
=>0x36c002e0: 00 00 00 00 00 00 00 06[fa]fa fa fa 00 00 00 00 
  0x36c002f0: 00 00 04 fa fa fa fa fa 00 00 00 00 00 00 04 fa 
  0x36c00300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
  0x36c00310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
  0x36c00320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
  0x36c00330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
Shadow byte legend (one shadow byte represents 8 application bytes): 
  Addressable:           00 
  Partially addressable: 01 02 03 04 05 06 07  
  Heap left redzone:       fa 
  Heap right redzone:      fb 
  Freed heap region:       fd 
  Stack left redzone:      f1 
  Stack mid redzone:       f2 
  Stack right redzone:     f3 
  Stack partial redzone:   f4 
  Stack after return:      f5 
  Stack use after scope:   f8 
  Global redzone:          f9 
  Global init order:       f6 
  Poisoned by user:        f7 
  Container overflow:      fc 
  Array cookie:            ac 
  Intra object redzone:    bb 
  ASan internal:           fe 
==10880==ABORTING
Proof of Concept

tcpreplay-edit --portmap=80:8000 --seed=10 --cachefile=example.cache --intf1=eno1 --intf2=eno3 --decode=some --preload-pcap --verbose $POC

Timeline

Vendor Disclosure: 2018-11-02
Public Disclosure: 2018-11-03

Credit

Discovered by ACE Team – Loginsoft