Heap overflow in csum_replace4() – tcpreplay 4.3
Loginsoft-2018-18407
November 2, 2018
CVE Number
CVE-2018-18407
CWE
CWE-122: Heap-based Buffer Overflow
Product Details
Tcpreplay is a suite of free Open Source utilities for editing and replaying previously captured network traffic.
URL:https://tcpreplay.appneta.com/
Vulnerable Versions
4.3 branch
Vulnerability Details
During our research tcpreplay, A heap-based buffer over-read was discovered in the tcpreplay-edit binary of Tcpreplay 4.3.0 beta1, during the incremental checksum operation. The issue gets triggered in the function csum_replace4() in incremental_checksum.h, causing a denial of service.
SYNOPSIS
The function csum_replace4() in tcp-edit.c checks for the checksum for level 4 headers, basically it is a header which consists of 16pcap header, 14 ethernet header ,20 IPV4 header and 12 truncated TCP header total makes up to a 62-byte buffer. when a crafted tcp packet is sent the code, access the checksum of 16th offset in tcp header and a 66 relative to the buffer start, it doesn't check for the complete TCP header as tcp header consists of a minimum of 20-byte header. These checksum are done in function ipv4_l34_csum_replace().when the crafted packet consists of an invalid IP header, which increases the size of ip header dynamically by which a heap overflow has been triggered.This issue was triggered by improper validation of the headers in function ipv4_l34_csum_replace(). As it doesn't check for available buffer space before any packet edits.
Analysis
static inline void csum_replace4(__sum16 *sum, __be32 from, __be32 to)
{
// sum=0xbfffe8f0 -> [...] -> 0xa8c0b0af
*sum = csum_fold(csum_add(csum_sub(~csum_unfold(*sum), from), to));
}
gef> p (unsigned short *)sum
$20 = (unsigned short *) 0xb6001742
gef> x 0xb6001742
0xb6001742: 391171182
ASAN Output
==10880==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb6001742 at pc 0x0806a35c bp 0xbfcc3ce8 sp 0xbfcc3cd8
READ of size 2 at 0xb6001742 thread T0
tcpdump: invalid snaplen ome
#0 0x806a35b in csum_replace4 /home/loginsoft/ACE/tcpreplay/src/tcpedit/incremental_checksum.h:97
#1 0x806acf1 in ipv4_l34_csum_replace /home/loginsoft/ACE/tcpreplay/src/tcpedit/edit_packet.c:181
#2 0x806afdb in ipv4_addr_csum_replace /home/loginsoft/ACE/tcpreplay/src/tcpedit/edit_packet.c:251
#3 0x806b633 in randomize_ipv4 /home/loginsoft/ACE/tcpreplay/src/tcpedit/edit_packet.c:343
#4 0x806661b in tcpedit_packet /home/loginsoft/ACE/tcpreplay/src/tcpedit/tcpedit.c:272
#5 0x805158a in send_packets /home/loginsoft/ACE/tcpreplay/src/send_packets.c:554
#6 0x8063193 in replay_file /home/loginsoft/ACE/tcpreplay/src/replay.c:188
#7 0x8061fb0 in tcpr_replay_index /home/loginsoft/ACE/tcpreplay/src/replay.c:61
#8 0x8060e80 in tcpreplay_replay /home/loginsoft/ACE/tcpreplay/src/tcpreplay_api.c:1135
#9 0x80586ea in main /home/loginsoft/ACE/tcpreplay/src/tcpreplay.c:139
#10 0xb77c2636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#11 0x804a985 (/usr/local/bin/tcpreplay-edit+0x804a985)
0xb6001742 is located 4 bytes to the right of 62-byte region [0xb6001700,0xb600173e)
allocated by thread T0 here:
#0 0xb7a5ddee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
#1 0x808c354 in _our_safe_malloc /home/loginsoft/ACE/tcpreplay/src/common/utils.c:50
#2 0x805515d in get_next_packet /home/loginsoft/ACE/tcpreplay/src/send_packets.c:1044
#3 0x80506d1 in preload_pcap_file /home/loginsoft/ACE/tcpreplay/src/send_packets.c:445
#4 0x8058626 in main /home/loginsoft/ACE/tcpreplay/src/tcpreplay.c:126
#5 0xb77c2636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/loginsoft/ACE/tcpreplay/src/tcpedit/incremental_checksum.h:97 csum_replace4
Shadow bytes around the buggy address:
0x36c00290: 00 00 00 04 fa fa fa fa 00 00 00 00 00 00 00 04
0x36c002a0: fa fa fa fa 00 00 00 00 00 00 00 04 fa fa fa fa
0x36c002b0: 00 00 00 00 00 00 00 04 fa fa fa fa 00 00 00 00
0x36c002c0: 00 00 00 04 fa fa fa fa 00 00 00 00 00 00 00 04
0x36c002d0: fa fa fa fa 00 00 00 00 00 00 00 06 fa fa fa fa
=>0x36c002e0: 00 00 00 00 00 00 00 06[fa]fa fa fa 00 00 00 00
0x36c002f0: 00 00 04 fa fa fa fa fa 00 00 00 00 00 00 04 fa
0x36c00300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36c00310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36c00320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36c00330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==10880==ABORTING
Proof of Concept
tcpreplay-edit --portmap=80:8000 --seed=10 --cachefile=example.cache --intf1=eno1 --intf2=eno3 --decode=some --preload-pcap --verbose $POC
Timeline
Vendor Disclosure: 2018-11-02
Public Disclosure: 2018-11-03
Credit
Discovered by ACE Team - Loginsoft
