CVE-2019-8377: NULL POINTER DEREFERENCE Vulnerability in function get_ipv6_l4proto()

CVE-2019-8377: NULL POINTER DEREFERENCE Vulnerability in function get_ipv6_l4proto() - tcpreplay-4.3.1

case TCPR_IPV6_NH_ROUTING: case TCPR_IPV6_NH_DESTOPTS: case TCPR_IPV6_NH_HBH: dbgx(3, "Jumping to next extension header (0x%hhx)", proto); exthdr = get_ipv6_next ((struct tcpr_ipv6_ext_hdr_base *)ptr, len); proto = exthdr->ip_nh; ptr = (u_char *)exthdr; break;

GDB - Program received signal SIGSEGV, Segmentation fault. [ Legend: Modified register | Code | Heap | Stack | String ] ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]──── $rax : 0x0 $rbx : 0x5555557aac20 → 0x00005555557b56a0 → 0x0000337330706e65 ("enp0s3"?) $rcx : 0xed $rdx : 0x8 $rsp : 0x7fffffffdad0 → 0x000000c5ffffdb20 $rbp : 0x7fffffffdb00 → 0x00007fffffffdb70 → 0x00007fffffffdbb0 → 0x00007fffffffdc50 → 0x00007fffffffdda0 → 0x00007fffffffdef0 → 0x00007fffffffdf20 → 0x00007fffffffdfb0 $rsi : 0xc5 $rdi : 0x7ffff7fcd6ae → 0x7ffff7b8f5600000 $rip : 0x55555557694c → movzx eax, BYTE PTR [rax] $r8 : 0x2f $r9 : 0x7ffff7e4d010 → 0x0000000000000000 $r10 : 0x5555557b9700 → 0x0000000000000000 $r11 : 0x7ffff78d6000 → push r13 $r12 : 0x5555555599e0 → xor ebp, ebp $r13 : 0x7fffffffe4d0 → 0x000000000000000e $r14 : 0x0 $r15 : 0x0 $eflags: [zero CARRY PARITY adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification] $fs: 0x0000 $ds: 0x0000 $ss: 0x002b $es: 0x0000 $gs: 0x0000 $cs: 0x0033 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]──── 0x00007fffffffdad0│+0x00: 0x000000c5ffffdb20 ← $rsp 0x00007fffffffdad8│+0x08: 0x00007ffff7e4d01e → 0x80000000ed000062 ("b"?) 0x00007fffffffdae0│+0x10: 0x00000a555c5ace1f 0x00007fffffffdae8│+0x18: 0x00fdebbbffffdb70 0x00007fffffffdaf0│+0x20: 0x00007ffff7fcd6ae → 0x7ffff7b8f5600000 0x00007fffffffdaf8│+0x28: 0x0000000000000000 0x00007fffffffdb00│+0x30: 0x00007fffffffdb70 → 0x00007fffffffdbb0 → 0x00007fffffffdc50 → 0x00007fffffffdda0 → 0x00007fffffffdef0 → 0x00007fffffffdf20 → 0x00007fffffffdfb0 ← $rbp 0x00007fffffffdb08│+0x38: 0x0000555555569599 → movzx eax, al ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]──── 0x55555557693f call 0x555555576798 0x555555576944 mov QWORD PTR [rbp-0x8], rax 0x555555576948 mov rax, QWORD PTR [rbp-0x8] → 0x55555557694c movzx eax, BYTE PTR [rax] 0x55555557694f mov BYTE PTR [rbp-0x11], al 0x555555576952 mov rax, QWORD PTR [rbp-0x8] 0x555555576956 mov QWORD PTR [rbp-0x10], rax 0x55555557695a jmp 0x555555576962 0x55555557695c movzx eax, BYTE PTR [rbp-0x11] ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ source:get.c+539 ]──── 534 case TCPR_IPV6_NH_ROUTING: 535 case TCPR_IPV6_NH_DESTOPTS: 536 case TCPR_IPV6_NH_HBH: 537 dbgx(3, "Jumping to next extension header (0x%hhx)", proto); 538 exthdr = get_ipv6_next((struct tcpr_ipv6_ext_hdr_base *)ptr, len); // exthdr=0x00007fffffffdaf8 → 0x0000000000000000 → 539 proto = exthdr->ip_nh; 540 ptr = (u_char *)exthdr; 541 break; 542 543 /* should be TCP, UDP or the like */ 544 default: ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]──── [#0] Id 1, Name: "tcpreplay-edit", stopped, reason: SIGSEGV ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]──── [#0] 0x55555557694c → Name: get_ipv6_l4proto(ip6_hdr=0x7ffff7e4d01e, len=0xc5) [#1] 0x555555569599 → Name: do_checksum(tcpedit=0x5555557b86c0, data=0x7ffff7e4d01e "b", proto=0x0, len=0xed) [#2] 0x555555565fbc → Name: fix_ipv4_checksums(tcpedit=0x5555557b86c0, pkthdr=0x7fffffffdd30, ip_hdr=0x7ffff7e4d01e) [#3] 0x555555564991 → Name: tcpedit_packet(tcpedit=0x5555557b86c0, pkthdr=0x7fffffffdca0, pktdata=0x7fffffffdc90, direction=TCPR_DIR_C2S) [#4] 0x55555555c589 → Name: send_packets(ctx=0x5555557aa260, pcap=0x5555557ba860, idx=0x0) [#5] 0x555555563169 → Name: replay_file(ctx=0x5555557aa260, idx=0x0) [#6] 0x555555562a1b → Name: tcpr_replay_index(ctx=0x5555557aa260) [#7] 0x555555562341 → Name: tcpreplay_replay(ctx=0x5555557aa260) [#8] 0x55555555f112 → Name: main(argc=0x1, argv=0x7fffffffe540) gef➤ p exthdr Cannot access memory at address 0x0

CVE-2019-8377: NULL POINTER DEREFERENCE Vulnerability in function get_ipv6_l4proto() - tcpreplay-4.3.1

NULL POINTER DEREFERENCE Vulnerability in function get_ipv6_l4proto() - tcpreplay-4.3.1

CVE Number

CWE

Product Details

Vulnerable Versions

Vulnerability Details

SYNOPSIS

Vulnerable code

Analysis

Tested environment

Proof of Concept

Timeline

Credit

The Rise of INTERLOCK Ransomware

Fortifying the Cloud: A Guide to Securing Vulnerable Cloud Environments

The Emergence of Mallox v1.0

CVE-2019-8377: NULL POINTER DEREFERENCE Vulnerability in function get_ipv6_l4proto() - tcpreplay-4.3.1

NULL POINTER DEREFERENCE Vulnerability in function get_ipv6_l4proto() - tcpreplay-4.3.1

CVE Number

CWE

Product Details

Vulnerable Versions

Vulnerability Details

SYNOPSIS

Vulnerable code

Analysis

Tested environment

Proof of Concept

Timeline

Credit

Related Resources

The Rise of INTERLOCK Ransomware

Fortifying the Cloud: A Guide to Securing Vulnerable Cloud Environments

The Emergence of Mallox v1.0

Sign up to our Newsletter