Integer Overflow in tcpdump

Bug #1656690 reported by alexis on 2017-01-15
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tcpdump
Fix Released
Unknown
tcpdump (Ubuntu)
Undecided
Unassigned

Bug Description

Hello,

During some fuzzing tests, I discovered an integer overflow that causes a Segmentation fault in tcpdump when reading a malicious pcap file. The issue arises when relts_print(netdissect_options *ndo, int secs) in util-print.c:362 is passed INT_MAX (2147483648);

user@lab:~$ lsb_release -rd
Description: Ubuntu 16.04.1 LTS
Release: 16.04

user@lab:~$ apt-cache policy tcpdump
tcpdump:
  Installed: 4.7.4-1ubuntu1
  Candidate: 4.7.4-1ubuntu1
  Version table:
 *** 4.7.4-1ubuntu1 500
        500 http://gb.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status

Here is an example output:

user@lab:~$ tcpdump -rv segfault.pcap
reading from file segfault.pcap, link-type EN10MB (Ethernet)
05:27:12.808464432 IP (tos 0x30, ttl 48, id 12336, offset 0, flags [DF], proto IGMP (2), length 12336, bad cksum 3030 (->29ac)!)
Segmentation fault (core dumped)

gdb output:
Program received signal SIGSEGV, Segmentation fault.
0x000000000063935c in relts_print (ndo=0x7fffffffd2e0, secs=-2147483648) at ./util-print.c:362
362 if (secs >= *s) {
(gdb) bt
#0 0x000000000063935c in relts_print (ndo=0x7fffffffd2e0, secs=-2147483648) at ./util-print.c:362
#1 0x00000000004cd7a3 in igmp_print (ndo=ndo@entry=0x7fffffffd2e0, bp=0x7ffff7fab032 "\023\a", '0' <repeats 14 times>, "\200", len=12316) at ./print-igmp.c:312
#2 0x00000000004d360f in ip_print_demux (ndo=0x7fffffffd2e0, ipds=0x7fffffffcff0) at ./print-ip.c:425
#3 0x00000000004d0809 in ip_print (ndo=0x7fffffffd2e0, bp=bp@entry=0x7ffff7fab01e "E00000@", length=<optimised out>) at ./print-ip.c:646
#4 0x000000000049b7d6 in ethertype_print (ndo=ndo@entry=0x7fffffffd2e0, ether_type=<optimised out>, p=p@entry=0x7ffff7fab01e "E00000@", length=length@entry=808464418,
    caplen=caplen@entry=176) at ./print-ether.c:323
#5 0x000000000049c541 in ether_print (ndo=0x7fffffffd2e0, p=0x7ffff7fab01e "E00000@", length=808464418, caplen=176, print_encap_header=0x0, encap_header_arg=0x0)
    at ./print-ether.c:227
#6 0x0000000000428a97 in pretty_print_packet (ndo=0x7fffffffd2e0, h=0x7fffffffd190, sp=0x7ffff7fab010 '0' <repeats 12 times>, "\b", packets_captured=<optimised out>)
    at ./print.c:339
#7 0x0000000000410b99 in print_packet (user=<optimised out>, h=<optimised out>, sp=<optimised out>) at ./tcpdump.c:2262
#8 0x00000000006bffe6 in pcap_offline_read (p=p@entry=0xadd2e0, cnt=cnt@entry=-1, callback=callback@entry=0x410b30 <print_packet>, user=user@entry=0x7fffffffd2e0 "")
    at ./savefile.c:527
#9 0x0000000000653bd4 in pcap_loop (p=0xadd2e0, cnt=cnt@entry=-1, callback=callback@entry=0x410b30 <print_packet>, user=user@entry=0x7fffffffd2e0 "") at ./pcap.c:890
#10 0x000000000040c352 in main (argc=<optimised out>, argv=<optimised out>) at ./tcpdump.c:1766

I have also attached a PoC to help replicate the issue.

I look forward to any updates,

Alexis Vanden Eijnde

alexis (vandeneijnde) wrote :
affects: tcpick (Ubuntu) → tcpdump (Ubuntu)
Marc Deslauriers (mdeslaur) wrote :

Hi! Thanks for reporting this issue.

Please report this issue to the tcpdump authors here:

http://www.tcpdump.org/

Once they've provided a fix, we will backport it to tcpdump in Ubuntu.

Thanks!

Marc Deslauriers (mdeslaur) wrote :

Hi! Have you reported this issue to the uptream tcpdump developers yet?

Leonidas S. Barbosa (leosilvab) wrote :

This is public now in the github bug report.

information type: Private Security → Public Security
Changed in tcpdump (Ubuntu):
status: New → Fix Released
Changed in tcpdump:
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.