Stack buffer overflow vulnerability in setbit() – tcpflow 1.5.0
Loginsoft-2018-18409
October 30, 2018
CVE Number
CVE-2018-18409
CWE
CWE-121: Stack-based Buffer Overflow
Product Details
tcpflow is an open source program used to capture the data transmitted as part of TCP connections; it also stores that data for protocol analysis and for debugging.
URL: https://github.com/simsong/tcpflow/wiki
Vulnerable Versions
1.5.0 branch
Vulnerability Details
A stack buffer overflow was discovered in the tcpflow binary of tcpflow 1.5.0. The issue is triggered in the function setbit() in iptree.h, causing a denial of service.
SYNOPSIS
When a pcap file is passed as input, the binary reads the packets, analyzes them and plots the result to an output PDF file. Once the packet stream has been processed, the binary shuts down all the scanners using the function be13::plugin::phase_shutdown(); it also gets the current version of the package using . It initializes the report generator using the one_page_report::render_pass::render_header() function and also uses address_histogram::address_histogram(), which converts the data into a vector suitable for the count histogram and then starts a histogram tree from a particular node. The histogram is reported for every node. The function setbit() tries to set the i'th bit to one. The signed integer value of "i" is 127, which is the limit for that buffer; when a crafted packet is injected that makes the value of "i" 128, the write lands past the end of the buffer, overwriting memory and triggering a stack-based buffer overflow.
Analysis
/* set the ith bit to 1 */
static void setbit(uint8_t *addr, size_t i){
    addr[i / 8] |= (1<<((7-i)&7)); //Buffer overflow
}

gef➤ p/d i
$6 = 127
gef➤ p/d (1<<((7-i)&7))
$8 = 1
gef➤ p/d addr[127 / 8]
$14 = 0
gef➤ p/d addr[126 / 8]
$15 = 0
gef➤ p/d addr[128 / 8]
$16 = 96
gef➤ p/d (1<<((7-127)&7))
$18 = 1
gef➤ p/d (1<<((7-128)&7))
$19 = 128
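Added example, not tcpflow's code: the setbit() index and mask computation from the listing above, placed beside a bounds-checked variant that takes the buffer length. It assumes a 16-byte (128-bit) address buffer, so bit 127 maps to addr[15] and bit 128 to addr[16], one byte past the end, which is the step from i=127 to i=128 the gdb session shows.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ADDR_BYTES 16   /* assumed buffer size: a 128-bit address, bits 0..127 */

/* Byte index and bit mask setbit() computes for bit i (same expressions as
 * the advisory listing); i = 128 gives index 16, one past a 16-byte buffer. */
static size_t setbit_index(size_t i) { return i / 8; }
static uint8_t setbit_mask(size_t i) { return (uint8_t)(1u << ((7 - i) & 7)); }

/* Logic as in the advisory: nothing stops i/8 from exceeding the buffer. */
static void setbit_unchecked(uint8_t *addr, size_t i) {
    addr[setbit_index(i)] |= setbit_mask(i);
}

/* Hardened variant (added here): the caller supplies the buffer length and
 * any bit index at or beyond addrlen*8 is refused instead of written. */
static bool setbit_checked(uint8_t *addr, size_t addrlen, size_t i) {
    if (addr == NULL || setbit_index(i) >= addrlen) {
        return false;                /* would write outside addr */
    }
    addr[setbit_index(i)] |= setbit_mask(i);
    return true;
}

/* Applies a checked set to a zeroed 16-byte buffer and returns the byte
 * that changed, or -1 when the index was rejected. */
static int checked_set_result(size_t i) {
    uint8_t addr[ADDR_BYTES] = {0};
    if (!setbit_checked(addr, sizeof addr, i)) {
        return -1;
    }
    return addr[setbit_index(i)];
}

int main(void) {
    uint8_t addr[ADDR_BYTES] = {0};
    setbit_unchecked(addr, 127);          /* last valid bit: addr[15] |= 1 */
    printf("i=127 -> addr[%zu] |= 0x%02x -> 0x%02x\n",
           setbit_index(127), (unsigned)setbit_mask(127), (unsigned)addr[15]);
    /* i=128 would index addr[16] with mask 0x80, the out-of-bounds write the
     * sanitizer report flags; the checked variant refuses it instead. */
    printf("i=128 -> index %zu, mask 0x%02x, checked=%s\n",
           setbit_index(128), (unsigned)setbit_mask(128),
           checked_set_result(128) == -1 ? "rejected" : "written");
    return 0;
}
```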
ASAN Output
SUMMARY: AddressSanitizer: stack-buffer-overflow iptree.h:245 iptreet::setbit(unsigned char*, unsigned long)
Shadow bytes around the buggy address:
  0x10000c60b0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c60b0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c60b100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000c60b110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10000c60b120: f1 f1 00 00 00 00 00 f4 f4 f4 f2 f2 f2 f2 00 00
=>0x10000c60b130: f4 f4 f2 f2 f2 f2 00 00[f4]f4 f3 f3 f3 f3 00 00
  0x10000c60b140: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00
  0x10000c60b150: 00 00 00 f4 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2
  0x10000c60b160: f2 f2 00 00 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00
  0x10000c60b170: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 f4
  0x10000c60b180: f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==3757==ABORTING
Proof of Concept
tcpflow -a -D -b -m -Fk -r $POC
Timeline
Vendor Disclosure: 2018-10-02
Public Disclosure: 2018-10-03
Credit
Discovered by ACE Team – Loginsoft