0day.today - La plus grande base de données de Exploit dans le monde.
![](/img/logo_green.jpg)
Nous utilisons un domaine DOMAIN_LINK
Si vous voulez acheter un exploit ou payer un service vous avez besoins d'Or. Nous ne voulons pas que notre site soit utiliser comme outil de piratage , de sorte que touts types d'actions qui pourrais affecter illegalement d'autres utilisateurs ou sites web ou vous n'avez pas l'autorisation vous serez bannit et votre compte ainsi que vos donnees seront supprimees.
Les administrateur de 0day.today utilises des moyens de contacts officiels. Mefiez-vous des imposteurs!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Lire le [ J'accepte ]
- Lire le [ Envoyer ] Regles
- Visiter le [ faq ] page
- [ Enregistrement ] profil
- Obtenir [ GOLD ]
- Si vous voulez [ vendre ]
- Si vous voulez [ acheter ]
- Si vous vous perdez [ Compte ]
- Une questions [ [email protected] ]
- Connexion
- Page d'enregistrement
- Restauration de compte
- Foire aux questions
- Contactez-nous
- Regle de publication
- Page de contrat
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Vous pouvez nous contacter par:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Tcpreplay 4.1.2 tcpcapinfo Buffer Overflow Vulnerability
Auteur
Risque
![](/img/risk/critlow_3.gif)
Security Risk High
]0day-ID
Catégorie
Date d'ajout
CVE
Plateforme
Document Title: =============== CVE-2017-6429: Buffer overflow vulnerability in Tcpreplay tcpcapinfo utility Vendor: ======= Appneta (https://www.appneta.com/) Product and Versions Affected: ============================== Tcpreplay 4.1.2 and possibly prior. Fixed Version: ============== 4.2.0 Beta 1 Product Description: ==================== Tcpreplay is a suite of GPLv3 licensed utilities for UNIX (and Win32 under Cygwin) operating systems for editing and replaying network traffic which was previously captured by tools like tcpdump and Ethereal/Wireshark. Vulnerability Type: =================== Buffer Overflow CVE Reference: ============== CVE-2017-6429 Vulnerability Details: ====================== Tcpcapinfo utility of Tcpreplay have a buffer overflow vulnerability associated with parsing a crafted pcap file. This occurs in the src/tcpcapinfo.c file when capture has a packet that is too large to handle. GDB Dump: ========= ---------Backtrace:----------- /lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x7ffff7a8838f] /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7ffff7b1fc9c] /lib/x86_64-linux-gnu/libc.so.6(+0x109b60)[0x7ffff7b1eb60] /lib/x86_64-linux-gnu/libc.so.6(+0x109fed)[0x7ffff7b1efed] /home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo[0x40228c] /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7ffff7a36ec5] /home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo[0x4028dc] ======= Memory map: ======== 00400000-0041b000 r-xp 00000000 08:01 453864 /home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo 0061a000-0061b000 r--p 0001a000 08:01 453864 /home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo 0061b000-0061c000 rw-p 0001b000 08:01 453864 /home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo 0061c000-0063e000 rw-p 00000000 00:00 0 [heap] 7ffff77fe000-7ffff7814000 r-xp 00000000 08:01 660352 /lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff7814000-7ffff7a13000 ---p 00016000 08:01 660352 /lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff7a13000-7ffff7a14000 r--p 00015000 08:01 660352 /lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff7a14000-7ffff7a15000 rw-p 00016000 08:01 660352 /lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff7a15000-7ffff7bd0000 r-xp 00000000 08:01 660238 /lib/x86_64-linux-gnu/libc-2.19.so 7ffff7bd0000-7ffff7dcf000 ---p 001bb000 08:01 660238 /lib/x86_64-linux-gnu/libc-2.19.so 7ffff7dcf000-7ffff7dd3000 r--p 001ba000 08:01 660238 /lib/x86_64-linux-gnu/libc-2.19.so 7ffff7dd3000-7ffff7dd5000 rw-p 001be000 08:01 660238 /lib/x86_64-linux-gnu/libc-2.19.so 7ffff7dd5000-7ffff7dda000 rw-p 00000000 00:00 0 7ffff7dda000-7ffff7dfd000 r-xp 00000000 08:01 660214 /lib/x86_64-linux-gnu/ld-2.19.so 7ffff7fd5000-7ffff7fd8000 rw-p 00000000 00:00 0 7ffff7ff4000-7ffff7ff8000 rw-p 00000000 00:00 0 7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0 [vvar] 7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso] 7ffff7ffc000-7ffff7ffd000 r--p 00022000 08:01 660214 /lib/x86_64-linux-gnu/ld-2.19.so 7ffff7ffd000-7ffff7ffe000 rw-p 00023000 08:01 660214 /lib/x86_64-linux-gnu/ld-2.19.so 7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] 1 1260 134217964 575b56ff.0 Program received signal SIGABRT, Aborted. [----------------------------------registers-----------------------------------] RAX: 0x0 RBX: 0x70 ('p') RCX: 0xffffffffffffffff RDX: 0x6 RSI: 0xcc0b RDI: 0xcc0b RBP: 0x7fffffffb500 --> 0x7ffff7b944c2 ("buffer overflow detected") RSP: 0x7fffffffb1e8 --> 0x7ffff7a4f0d8 (<__GI_abort+328>: mov rdx,QWORD PTR fs:0x10) RIP: 0x7ffff7a4bcc9 (<__GI_raise+57>: cmp rax,0xfffffffffffff000) R8 : 0x7ffff7b8bdc0 ("0123456789abcdefghijklmnopqrstuvwxyz") R9 : 0x61bd80 --> 0x7ffff7dd41c0 --> 0xfbad2086 R10: 0x8 R11: 0x246 R12: 0x7fffffffb370 --> 0x1 R13: 0x5 R14: 0x70 ('p') R15: 0x5 EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x7ffff7a4bcbf <__GI_raise+47>: movsxd rdi,ecx 0x7ffff7a4bcc2 <__GI_raise+50>: mov eax,0xea 0x7ffff7a4bcc7 <__GI_raise+55>: syscall => 0x7ffff7a4bcc9 <__GI_raise+57>: cmp rax,0xfffffffffffff000 0x7ffff7a4bccf <__GI_raise+63>: ja 0x7ffff7a4bcea <__GI_raise+90> 0x7ffff7a4bcd1 <__GI_raise+65>: repz ret 0x7ffff7a4bcd3 <__GI_raise+67>: nop DWORD PTR [rax+rax*1+0x0] 0x7ffff7a4bcd8 <__GI_raise+72>: test eax,eax [------------------------------------stack-------------------------------------] 0000| 0x7fffffffb1e8 --> 0x7ffff7a4f0d8 (<__GI_abort+328>: mov rdx,QWORD PTR fs:0x10) 0008| 0x7fffffffb1f0 --> 0x20 (' ') 0016| 0x7fffffffb1f8 --> 0x0 0024| 0x7fffffffb200 --> 0x0 0032| 0x7fffffffb208 --> 0x0 0040| 0x7fffffffb210 --> 0x0 0048| 0x7fffffffb218 --> 0x0 0056| 0x7fffffffb220 --> 0x0 [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGABRT 0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory. Patch: ====== src/tcpcapinfo.c @@ -281,6 +281,15 @@ main(int argc, char *argv[]) caplen = pcap_ph.caplen; } + if (caplentoobig) { + printf("\n\nCapture file appears to be damaged or corrupt.\n" + "Contains packet of size %u, bigger than snap length %u\n", + caplen, pcap_fh.snaplen); + + close(fd); + break; + } + /* check to make sure timestamps don't go backwards */ if (last_sec > 0 && last_usec > 0) { if ((pcap_ph.ts.tv_sec == last_sec) ? @@ -306,7 +315,7 @@ main(int argc, char *argv[]) } close(fd); - continue; + break; } /* print the frame checksum */ References: =========== https://github.com/appneta/tcpreplay/issues/278 https://github.com/appneta/tcpreplay/releases/tag/v4.2.0-beta1 Vulnerability Disclosure Timeline: ================================== 2017-02-08: Bug Report Submission & Coordination 2017-03-05: Public Disclosure Credit: ======= AromalUllas # 0day.today [2024-07-02] #