You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
A heap-based buffer overflow was discovered in tcpreplay-edit binary, during the pointer 'ip' dereference operation. The issue is being triggered in the function randomize_iparp at edit_packet.c:1032.
To Reproduce
Steps to reproduce the behavior:
Compile tcpreplay according to the default configuration
Expected behavior
An attacker can exploit this vulnerability by submitting a malicious pcap that exploits this issue. This will result in a Denial of Service (DoS), potentially Information Exposure when the application attempts to process the file.
Screenshots
ASAN Reports
==64974==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000edf6 at pc 0x000000425341 bp 0x7fffffffd5d0 sp 0x7fffffffd5c0
READ of size 4 at 0x60300000edf6 thread T0
#0 0x425340 in randomize_iparp /home/test/Desktop/evaulation/tcpreplay/src/tcpedit/edit_packet.c:1032#1 0x41c71b in tcpedit_packet /home/test/Desktop/evaulation/tcpreplay/src/tcpedit/tcpedit.c:329#2 0x40963b in send_packets /home/test/Desktop/evaulation/tcpreplay/src/send_packets.c:552#3 0x418e9a in replay_file /home/test/Desktop/evaulation/tcpreplay/src/replay.c:182#4 0x417e73 in tcpr_replay_index /home/test/Desktop/evaulation/tcpreplay/src/replay.c:59#5 0x416de4 in tcpreplay_replay /home/test/Desktop/evaulation/tcpreplay/src/tcpreplay_api.c:1136#6 0x40fb4f in main /home/test/Desktop/evaulation/tcpreplay/src/tcpreplay.c:139#7 0x7ffff687f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)#8 0x403508 in _start (/usr/local/bin/tcpreplay-edit+0x403508)
0x60300000edf6 is located 6 bytes to the right of 32-byte region [0x60300000edd0,0x60300000edf0)
allocated by thread T0 here:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)#1 0x7ffff6c484fe (/usr/lib/x86_64-linux-gnu/libpcap.so.0.8+0x1f4fe)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/test/Desktop/evaulation/tcpreplay/src/tcpedit/edit_packet.c:1032 randomize_iparp
Shadow bytes around the buggy address:
0x0c067fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00[fa]fa
0x0c067fff9dc0: 00 00 00 fa fa fa fd fd fd fa fa fa fd fd fd fa
0x0c067fff9dd0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x0c067fff9de0: fd fd fa fa fd fd fd fd fa fa fd fd fd fa fa fa
0x0c067fff9df0: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fa
0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==64974==ABORTING
I am unable to playback the poc file. It also gets the same failure if I attempt to open with wireshark or tcpdump.
PID: 128257
Warning in sendpacket.c:sendpacket_open_pf() line 943:
Unsupported physical layer type 0x0304 on lo. Maybe it works, maybe it won't. See tickets #123/318
Failed: From replay.c:replay_file() line 129:
Error opening pcap file: unsupported pcap savefile version 2.250
Describe the bug
A heap-based buffer overflow was discovered in tcpreplay-edit binary, during the pointer 'ip' dereference operation. The issue is being triggered in the function randomize_iparp at edit_packet.c:1032.
To Reproduce
Steps to reproduce the behavior:
./configure CFLAGS="-g -O0 -fsanitize=address"
tcpreplay-edit -r 80:84 -s 20 -b -C -m 1500 -P --oneatatime -i lo $poc
poc can be found here.
Expected behavior
An attacker can exploit this vulnerability by submitting a malicious pcap that exploits this issue. This will result in a Denial of Service (DoS), potentially Information Exposure when the application attempts to process the file.
Screenshots
ASAN Reports
Debug
System (please complete the following information):
The text was updated successfully, but these errors were encountered: