NULL POINTER DEREFERENCE Vulnerability in function get_ipv6_l4proto() – tcpreplay-4.3.1

Loginsoft-2018-1094

February 13, 2019

CVE Number

CVE-2019-8377

CWE

CWE-476: NULL Pointer Dereference

Product Details

tcpreplay is a tool for replaying network traffic from files saved with tcpdump or other tools which write pcap files. Tcpreplay is to resend all packets from the input files at the speed at which they were recorded, or a specified data rate, up to as fast as the hardware is capable.
URL: https://github.com/appneta/tcpreplay.git

Vulnerable Versions

4.3.1

Vulnerability Details

We observed a NULL pointer dereference occurred in function get_ipv6_l4proto() located at get.c .The same be triggered by sending a crafted pcap file to the tcpreplay-edit binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.

SYNOPSIS

When we are parsing crafted file, we observed in the fix_ipv4_checksums () where this code re-calcs the IP and Layer 4 checksums the Layer 4 header is contiguous in memory after *ip_hdr we’re actually writing to the layer 4 header via the ip_hdr ptr, it consists of parameters, ret2 = do_checksum(tcpedit, (u_char *) ip_hdr, IPPROTO_IP, ip_len) here it calls to another function do_checksum (), now at line proto = get_ipv6_l4proto(ipv6, len); here it invokes to another function get_ipv6_l4proto() where it returns the protocol of the actual layer4 header by processing through the extension headers, the line proto = exthdr->ip_nh; where it is unsigned character pointer, pointing to a NULL and it triggers a NULL pointer dereference.

Vulnerable code
case TCPR_IPV6_NH_ROUTING:
case TCPR_IPV6_NH_DESTOPTS:
case TCPR_IPV6_NH_HBH:
dbgx(3, "Jumping to next extension header (0x%hhx)", proto);
exthdr = get_ipv6_next ((struct tcpr_ipv6_ext_hdr_base *)ptr, len);
proto = exthdr->ip_nh;
ptr = (u_char *)exthdr;
break;
Analysis

 

GDB -
Program received signal SIGSEGV, Segmentation fault.
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]────
$rax : 0x0 
$rbx : 0x5555557aac20 → 0x00005555557b56a0 → 0x0000337330706e65 ("enp0s3"?)
$rcx : 0xed 
$rdx : 0x8 
$rsp : 0x7fffffffdad0 → 0x000000c5ffffdb20
$rbp : 0x7fffffffdb00 → 0x00007fffffffdb70 → 0x00007fffffffdbb0 → 0x00007fffffffdc50 → 0x00007fffffffdda0 → 0x00007fffffffdef0 → 0x00007fffffffdf20 → 0x00007fffffffdfb0
$rsi : 0xc5 
$rdi : 0x7ffff7fcd6ae → 0x7ffff7b8f5600000
$rip : 0x55555557694c →  movzx eax, BYTE PTR [rax]
$r8 : 0x2f 
$r9 : 0x7ffff7e4d010 → 0x0000000000000000
$r10 : 0x5555557b9700 → 0x0000000000000000
$r11 : 0x7ffff78d6000 →  push r13
$r12 : 0x5555555599e0 →  xor ebp, ebp
$r13 : 0x7fffffffe4d0 → 0x000000000000000e
$r14 : 0x0 
$r15 : 0x0 
$eflags: [zero CARRY PARITY adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$fs: 0x0000 $ds: 0x0000 $ss: 0x002b $es: 0x0000 $gs: 0x0000 $cs: 0x0033 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]────
0x00007fffffffdad0│+0x00: 0x000000c5ffffdb20 ← $rsp
0x00007fffffffdad8│+0x08: 0x00007ffff7e4d01e → 0x80000000ed000062 ("b"?)
0x00007fffffffdae0│+0x10: 0x00000a555c5ace1f
0x00007fffffffdae8│+0x18: 0x00fdebbbffffdb70
0x00007fffffffdaf0│+0x20: 0x00007ffff7fcd6ae → 0x7ffff7b8f5600000
0x00007fffffffdaf8│+0x28: 0x0000000000000000
0x00007fffffffdb00│+0x30: 0x00007fffffffdb70 → 0x00007fffffffdbb0 → 0x00007fffffffdc50 → 0x00007fffffffdda0 → 0x00007fffffffdef0 → 0x00007fffffffdf20 → 0x00007fffffffdfb0 ← $rbp
0x00007fffffffdb08│+0x38: 0x0000555555569599 →  movzx eax, al
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]────
0x55555557693f  call 0x555555576798 
0x555555576944  mov QWORD PTR [rbp-0x8], rax
0x555555576948  mov rax, QWORD PTR [rbp-0x8]
→ 0x55555557694c  movzx eax, BYTE PTR [rax]
0x55555557694f  mov BYTE PTR [rbp-0x11], al
0x555555576952  mov rax, QWORD PTR [rbp-0x8]
0x555555576956  mov QWORD PTR [rbp-0x10], rax
0x55555557695a  jmp 0x555555576962 
0x55555557695c  movzx eax, BYTE PTR [rbp-0x11]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ source:get.c+539 ]────
534 case TCPR_IPV6_NH_ROUTING:
535 case TCPR_IPV6_NH_DESTOPTS:
536 case TCPR_IPV6_NH_HBH:
537 dbgx(3, "Jumping to next extension header (0x%hhx)", proto);
538 exthdr = get_ipv6_next((struct tcpr_ipv6_ext_hdr_base *)ptr, len);
// exthdr=0x00007fffffffdaf8 → 0x0000000000000000
→ 539 proto = exthdr->ip_nh;
540 ptr = (u_char *)exthdr;
541 break;
542 
543 /* should be TCP, UDP or the like */
544 default:
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "tcpreplay-edit", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x55555557694c → Name: get_ipv6_l4proto(ip6_hdr=0x7ffff7e4d01e, len=0xc5)
[#1] 0x555555569599 → Name: do_checksum(tcpedit=0x5555557b86c0, data=0x7ffff7e4d01e "b", proto=0x0, len=0xed)
[#2] 0x555555565fbc → Name: fix_ipv4_checksums(tcpedit=0x5555557b86c0, pkthdr=0x7fffffffdd30, ip_hdr=0x7ffff7e4d01e)
[#3] 0x555555564991 → Name: tcpedit_packet(tcpedit=0x5555557b86c0, pkthdr=0x7fffffffdca0, pktdata=0x7fffffffdc90, direction=TCPR_DIR_C2S)
[#4] 0x55555555c589 → Name: send_packets(ctx=0x5555557aa260, pcap=0x5555557ba860, idx=0x0)
[#5] 0x555555563169 → Name: replay_file(ctx=0x5555557aa260, idx=0x0)
[#6] 0x555555562a1b → Name: tcpr_replay_index(ctx=0x5555557aa260)
[#7] 0x555555562341 → Name: tcpreplay_replay(ctx=0x5555557aa260)
[#8] 0x55555555f112 → Name: main(argc=0x1, argv=0x7fffffffe540)


gef➤ p exthdr
Cannot access memory at address 0x0
Tested environment

64-bit ubuntu 16.04 LTS

Proof of Concept

tcpreplay-edit -r 80:84 -s 20 -b -C -m 1500 -P --oneatatime -i $INTERFACE $POC

Timeline

Vendor Disclosure: 07-02-2019
Public Disclosure: 13-02-2019

Credit

Discovered by ACE Team – Loginsoft