Heap-based Buffer Overflow in rup0rt/pcapfix

Valid

Reported on

Jun 23rd 2021


Description

A heap buffer overflow was found in pcapfix, in the function fix_pcapng() in pcapng.c at line 1571.

Test version: 1.1.6 [2fe168e]. Test env: gcc 9.3.0, Ubuntu 20.04, x86-64.

Proof of Concept

CFLAGS="-fsanitize=address" make
./pcapfix poc

The poc file is attached in the reference link.


==618350==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f4e5f9ff800 at pc 0x0000002cf4fa bp 0x7ffe4c8ac310 sp 0x7ffe4c8abad8
WRITE of size 1045852 at 0x7f4e5f9ff800 thread T0
#0 0x2cf4f9 in __asan_memcpy (/home/chiba/pcapfix/pcapfix+0x2cf4f9)
#1 0x31be47 in fix_pcapng /home/chiba/pcapfix/pcapng.c:1571:7
#2 0x303b1c in main /home/chiba/pcapfix/pcapfix.c
#3 0x7f4e627580b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#4 0x255f7d in _start (/home/chiba/pcapfix/pcapfix+0x255f7d)

0x7f4e5f9ff800 is located 0 bytes to the right of 1024000-byte region [0x7f4e5f905800,0x7f4e5f9ff800)
allocated by thread T0 here:
#0 0x2cffed in malloc (/home/chiba/pcapfix/pcapfix+0x2cffed)
#1 0x31182c in fix_pcapng /home/chiba/pcapfix/pcapng.c:138:17
#2 0x303b1c in main /home/chiba/pcapfix/pcapfix.c
#3 0x7f4e627580b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/chiba/pcapfix/pcapfix+0x2cf4f9) in __asan_memcpy
Shadow bytes around the buggy address:
0x0fea4bf37eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fea4bf37ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fea4bf37ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fea4bf37ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fea4bf37ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fea4bf37f00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fea4bf37f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fea4bf37f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fea4bf37f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fea4bf37f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fea4bf37f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==618350==ABORTING
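As an added illustration (not pcapfix's code and not the fix in commit 09053e), here is the unchecked copy pattern the trace above shows, beside a length-checked version of the same copy. It assumes a pcapng block header of block type followed by block total length, both little-endian; the buffer capacity 1024000 and the claimed length 1045852 are taken from the ASan report, and every other name is this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capacity of the fixed heap buffer the block is copied into. 1024000 is the
 * region size in the ASan report above; the macro name is this example's own. */
#define BLOCK_BUF_SIZE 1024000u
#define BLOCK_HDR_LEN 8u   /* block type + block total length */
#define BLOCK_MIN_LEN 12u  /* header plus trailing total length field */

enum copy_result { COPY_OK = 0, COPY_TRUNCATED = -1, COPY_TOO_LARGE = -2, COPY_BAD_LENGTH = -3 };

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Constructed test input: a pcapng block header claiming `total` bytes. */
void make_block_header(uint8_t *buf, uint32_t type, uint32_t total) {
    wr32le(buf, type);
    wr32le(buf + 4, total);
}

/* Shape of the bug: the length read from the file is trusted and passed
 * straight to memcpy, so a block claiming 1045852 bytes overruns a
 * 1024000-byte buffer. Not called anywhere; kept for comparison only. */
void copy_block_unchecked(uint8_t *dst, const uint8_t *src) {
    memcpy(dst, src, rd32le(src + 4));
}

/* Hardened form: bound the length by the destination capacity, by the input
 * actually available, and by the format's own minimum and 4-byte alignment. */
int copy_block_checked(uint8_t *dst, size_t dst_cap, const uint8_t *src, size_t src_len) {
    if (src_len < BLOCK_HDR_LEN) return COPY_TRUNCATED;
    uint32_t total = rd32le(src + 4);
    if (total < BLOCK_MIN_LEN || (total & 3u) != 0) return COPY_BAD_LENGTH;
    if (total > dst_cap) return COPY_TOO_LARGE;   /* would write past dst */
    if (total > src_len) return COPY_TRUNCATED;   /* would read past src */
    memcpy(dst, src, total);
    return COPY_OK;
}

int main(void) {
    uint8_t *dst = malloc(BLOCK_BUF_SIZE);
    uint8_t blk[32] = {0};
    make_block_header(blk, 6u, 1045852u);  /* the length from the ASan report */
    int rc = copy_block_checked(dst, BLOCK_BUF_SIZE, blk, sizeof blk);
    printf("oversized block rejected: %s (rc=%d)\n", rc == COPY_TOO_LARGE ? "yes" : "no", rc);
    free(dst);
    return rc == COPY_TOO_LARGE ? 0 : 1;
}
```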

Impact

This vulnerability is capable of crashing the software, causing memory corruption, and any other unintended consequences of reading past the end of the buffer.

Occurrences

References

We have contacted a member of the rup0rt/pcapfix team and are waiting to hear back 2 years ago
chiba
2 years ago

Researcher


The CVSS was wrong. Accurate score: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

chiba modified the report
2 years ago
Robert Krause
2 years ago

Maintainer


Thanks for the report. I will start handling this crash after the proper CVSS score has been set.

chiba
2 years ago

Researcher


Hello, which CVSS vector is the proper one? Now the setting is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.

chiba
2 years ago

Researcher


Sorry, commented in the wrong place. Is this CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H suitable, according to the previous one?

chiba
2 years ago

Researcher


Seems Privileges Required is None. Is this one suitable? AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Robert Krause
2 years ago

Maintainer


I agree on your proposed one: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H. 7.8 is too high, but your second one of 6.7 is reasonable. (Priv required is "low" since you need some basic capabilities, otherwise there is no impact.) Admin needs to change the value on all of your 4 reports of pcapfix.

chiba
2 years ago

Researcher


OK, I will ask Jamie to update the CVSS.

chiba
2 years ago

Researcher


Hello, all the 4 reports were updated with the help of Jamie.

Robert Krause validated this vulnerability 2 years ago
chiba has been awarded the disclosure bounty
The fix bounty is now up for grabs
Robert Krause marked this as fixed with commit 09053e 2 years ago
Robert Krause has been awarded the fix bounty
This vulnerability will not receive a CVE