Use-after-free in post_args() – tcpreplay 4.3.0 beta1

Loginsoft-2018-18408
October 30, 2018

CVE Number

CVE-2018-18408

CWE

CWE-416: Use After Free

Product Details

tcpflow is an open source program which is used to capture the data transmitted as part of TCP connections, it also stores the data for the protocol analysis and for debugging issue
URL: https://github.com/simsong/tcpflow/wiki

Vulnerable Versions

4.3.0-beta1 branch

Vulnerability Details

A use-after-free was discovered in the tcpbridge binary of Tcpreplay 4.3.0 beta1. The issue gets triggered in the function post_args() at tcpbridge.c, causing a denial of service or possibly unspecified other impact.

Synopsis

In condition if (memcmp(options.intf1_mac, "\00\00\00\00\00\00", ETHER_ADDR_LEN) == 0).The options.intf1_mac has the value of {0,0,0,0,0,0} and ETHER_ADDR_LEN is ‘0’, which satisfies the condition and checks for the interface accessibility by comparing the packet value (sp) with NULL , if the packet value is NULL then there is problem with the interface and gives out the error. The same it checks for the MAC in the packet, if eth_buff value is NULL then it gives out an error. If the above two conditions are satisfied then the packet is sent to the function sendpacket_close() where it closes the packet by freeing the memory where the packet is been stored by using the function safe_free() from program “send_packets.c” which itself call the other function _our_safe_free() from “utils.c”. In section memcpy(options.intf1_mac, eth_buff, ETHER_ADDR_LEN) the value of “eth_buff” is copied to “options.intf1_mac”. Eth_buff is used to get mac from the packet using function sendpacket_get_hwaddr(). When a packet is sent to the binary tcpbinary which doesnt contain a valid MAC, the function memcpy(options.intf1_mac, eth_buff, ETHER_ADDR_LEN) memcpy tries to access “eth_buff” which in turn calls the function sendpacket_get_hwaddr() which uses “sp” where the memory was freed, and tries to access it which resulted in a heap use-after-free vulnerability.

Analysis

 

219            memcpy(options.intf1_mac, eth_buff, ETHER_ADDR_LEN); 
[ Legend: Modified register | Code | Heap | Stack | String ] 
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- registers ---- 
$eax   : 0x0        
$ebx   : 0xbffff700 -> 0x00000000 
$ecx   : 0x3d       
$edx   : 0x3c       
$esp   : 0xbffff1f0 -> 0x080aa480 -> 0xb50001f0 -> 0x316f6e65 -> 0x00000000 
$ebp   : 0xbffff6a8 -> 0xbffff6e8 -> 0x00000000 
$esi   : 0x0809fc20 -> 0x004d0028 ("("?) 
$edi   : 0xbffff690 -> 0xbffff6e8 -> 0x00000000 
$eip   : 0x0804e67b ->  mov ebx, DWORD PTR [ebp-0x47c] 
$eflags: [carry PARITY adjust zero SIGN trap INTERRUPT direction overflow resume virtualx86 identification] 
$cs: 0x0073 $ss: 0x007b $ds: 0x007b $es: 0x007b $fs: 0x0000 $gs: 0x0033  
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ stack ---- 
0xbffff1f0|+0x0000: 0x080aa480 -> 0xb50001f0 -> 0x316f6e65 -> 0x00000000     0x41b58ab3 
0xbffff204|+0x0014: 0xbffff230 -> 0x41b58ab3 
0xbffff208|+0x0018: 0xbffff690 -> 0xbffff6e8 -> 0x00000000 
0xbffff20c|+0x001c: 0xbffff79c -> 0x00000000 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ code:x86:32 ---- 
    0x804e66d  push   DWORD PTR [ebp-0x480] 
    0x804e673  call   0x807f0a3  
    0x804e678  add    esp, 0x10 
-> 0x804e67b  mov    ebx, DWORD PTR [ebp-0x47c] 
    0x804e681  mov    eax, ebx 
    0x804e683  shr    eax, 0x3 
    0x804e686  add    eax, 0x20000000 
    0x804e68b  movzx  edx, BYTE PTR [eax] 
    0x804e68e  test   dl, dl 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- source:tcpbridge.c+219 ---- 
    214             if ((eth_buff = sendpacket_get_hwaddr(sp)) == NULL) { 
    215                 warnx("Unable to get MAC address: %s", sendpacket_geterr(sp)); 
    216                 err(-1, "Please consult the man page for using the -M option."); 
    217             } 
    218             sendpacket_close(sp); 
        // eth_buff=0xbffff22c -> [...] -> 0x6d3acab8 
-> 219             memcpy(options.intf1_mac, eth_buff, ETHER_ADDR_LEN); 
    220         } 
    221      
    222         if (memcmp(options.intf2_mac, "\00\00\00\00\00\00", ETHER_ADDR_LEN) == 0) { 
    223             if ((sp = sendpacket_open(options.intf2, ebuf, TCPR_DIR_S2C, SP_TYPE_NONE, NULL)) == NULL) 
    224                 errx(-1, "Unable to open interface %s: %s", options.intf2, ebuf); 
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- threads ---- 
[#0] Id 1, Name: "tcpbridge", stopped, reason: SINGLE STEP 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ trace ---- 
[#0] 0x804e67b->post_args(argc=0x0, argv=0xbffff79c) 
[#1] 0x804d48b->main(argc=0x0, argv=0xbffff79c) 
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 
gef> p sp 
$6 = (sendpacket_t *) 0xb4203680 
gef> x sp 
0xb4203680:    2 
gef> p/d options.intf1_mac 
$7 = {0, 0, 0, 0, 0, 0} 
gef> ptype eth_buff 
type = struct tcpr_ether_addr { 
    uint8_t ether_addr_octet[6]; 
} * 
  
gef> x/9i $pc 
=> 0x804e67b :    mov    ebx,DWORD PTR [ebp-0x47c] 
   0x804e681 :    mov    eax,ebx 
   0x804e683 :    shr    eax,0x3 
   0x804e686 :    add    eax,0x20000000 
   0x804e68b :    movzx  edx,BYTE PTR [eax] 
   0x804e68e :    test   dl,dl 
   0x804e690 :    setne  cl 
   0x804e693 :    mov    eax,ebx 
   0x804e695 :    and    eax,0x7 
  
gef> i r 
eax            0x0                 0x0 
ecx            0x3d                0x3d 
edx            0x3c                0x3c 
ebx            0xbffff700          0xbffff700 
esp            0xbffff1f0          0xbffff1f0 
ebp            0xbffff6a8          0xbffff6a8 
esi            0x809fc20           0x809fc20 
edi            0xbffff690          0xbffff690 
eip            0x804e67b           0x804e67b  
eflags         0x286               [ PF SF IF ] 
cs             0x73                0x73 
ss             0x7b                0x7b 
ds             0x7b                0x7b 
es             0x7b                0x7b 
fs             0x0                 0x0 
gs             0x33                0x33 

}
ASAN Output
==11084==ERROR: AddressSanitizer: heap-use-after-free on address 0xb4203b38 at pc 0x0804e6e3 bp 0xbffff1d8 sp 0xbffff1c8 
READ of size 6 at 0xb4203b38 thread T0 
    #0 0x804e6e2 in post_args /home/ACETEAM/tcpreplay/src/tcpbridge.c:219 
    #1 0x804d48a in main /home/ACETEAM/tcpreplay/src/tcpbridge.c:72 
    #2 0xb7832636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636) 
    #3 0x804a955  (/usr/local/bin/tcpbridge+0x804a955) 
  
0xb4203b38 is located 1208 bytes inside of 1240-byte region [0xb4203680,0xb4203b58) 
freed by thread T0 here: 
    #0 0xb7acda84 in free (/usr/lib/i386-linux-gnu/libasan.so.2+0x96a84) 
->    #1 0x807b714 in _our_safe_free /home/ACETEAM/tcpreplay/src/common/utils.c:118 
    #2 0x807f34e in sendpacket_close /home/ACETEAM/tcpreplay/src/common/sendpacket.c:636 
    #3 0x804e677 in post_args /home/ACETEAM/tcpreplay/src/tcpbridge.c:218 
    #4 0x804d48a in main /home/ACETEAM/tcpreplay/src/tcpbridge.c:72 
    #5 0xb7832636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636) 
  
previously allocated by thread T0 here: 
    #0 0xb7acddee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee) 
    #1 0x807b4b0 in _our_safe_malloc /home/ACETEAM/tcpreplay/src/common/utils.c:50 
    #2 0x807ff10 in sendpacket_open_pf /home/ACETEAM/tcpreplay/src/common/sendpacket.c:956 
    #3 0x807e932 in sendpacket_open /home/ACETEAM/tcpreplay/src/common/sendpacket.c:523 
    #4 0x804e4f3 in post_args /home/ACETEAM/tcpreplay/src/tcpbridge.c:211 
    #5 0x804d48a in main /home/ACETEAM/tcpreplay/src/tcpbridge.c:72 
    #6 0xb7832636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636) 
  
SUMMARY: AddressSanitizer: heap-use-after-free /home/ACETEAM/tcpreplay/src/tcpbridge.c:219 post_args 
Shadow bytes around the buggy address: 
  0x36840710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
  0x36840720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
  0x36840730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
  0x36840740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
  0x36840750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
=>0x36840760: fd fd fd fd fd fd fd[fd]fd fd fd fa fa fa fa fa 
  0x36840770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
  0x36840780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
  0x36840790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
  0x368407a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
  0x368407b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
Shadow byte legend (one shadow byte represents 8 application bytes): 
  Addressable:           00 
  Partially addressable: 01 02 03 04 05 06 07  
  Heap left redzone:       fa 
  Heap right redzone:      fb 
  Freed heap region:       fd 
  Stack left redzone:      f1 
  Stack mid redzone:       f2 
  Stack right redzone:     f3 
  Stack partial redzone:   f4 
  Stack after return:      f5 
  Stack use after scope:   f8 
  Global redzone:          f9 
  Global init order:       f6 
  Poisoned by user:        f7 
  Container overflow:      fc 
  Array cookie:            ac 
  Intra object redzone:    bb 
  ASan internal:           fe 
==11084==ABORTING
Proof of Concept

tcpbridge --intf1=NETWORKINTERFACE
–inft1 = Primary interface (listen in uni-directional mode). This option may appear up to 1 times.

Timeline

Vendor Disclosure: 2018-10-02
Public Disclosure: 2018-10-03

Credit

Discovered by ACE Team – Loginsoft