Tcpreplay 4.1.2 tcpcapinfo Buffer Overflow Vulnerability
Security Risk High
Document Title:
===============
CVE-2017-6429: Buffer overflow vulnerability in Tcpreplay tcpcapinfo utility

Vendor:
=======
Appneta (https://www.appneta.com/)

Product and Versions Affected:
==============================
Tcpreplay 4.1.2 and possibly prior.

Fixed Version:
==============
4.2.0 Beta 1

Product Description:
====================
Tcpreplay is a suite of GPLv3 licensed utilities for UNIX (and Win32 under Cygwin) operating systems for editing and replaying network traffic which was previously captured by tools like tcpdump and Ethereal/Wireshark.

Vulnerability Type:
===================
Buffer Overflow

CVE Reference:
==============
CVE-2017-6429

Vulnerability Details:
======================
The tcpcapinfo utility of Tcpreplay has a buffer overflow vulnerability associated with parsing a crafted pcap file. This occurs in the src/tcpcapinfo.c file when the capture has a packet that is too large to handle.

GDB Dump:
=========
---------Backtrace:-----------
/lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x7ffff7a8838f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7ffff7b1fc9c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109b60)[0x7ffff7b1eb60]
/lib/x86_64-linux-gnu/libc.so.6(+0x109fed)[0x7ffff7b1efed]
/home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo[0x40228c]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7ffff7a36ec5]
/home/raras/Desktop/Untitled Folder/tcpreplay-4.1.2/src/tcpcapinfo[0x4028dc]

1 1260 134217964 575b56ff.0
Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x70 ('p')
RCX: 0xffffffffffffffff
RDX: 0x6
RSI: 0xcc0b
RDI: 0xcc0b
RBP: 0x7fffffffb500 --> 0x7ffff7b944c2 ("buffer overflow detected")
RSP: 0x7fffffffb1e8 --> 0x7ffff7a4f0d8 (<__GI_abort+328>: mov rdx,QWORD PTR fs:0x10)
RIP: 0x7ffff7a4bcc9 (<__GI_raise+57>: cmp rax,0xfffffffffffff000)
R8 : 0x7ffff7b8bdc0 ("0123456789abcdefghijklmnopqrstuvwxyz")
R9 : 0x61bd80 --> 0x7ffff7dd41c0 --> 0xfbad2086
R10: 0x8
R11: 0x246
R12: 0x7fffffffb370 --> 0x1
R13: 0x5
R14: 0x70 ('p')
R15: 0x5
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7a4bcbf <__GI_raise+47>: movsxd rdi,ecx
   0x7ffff7a4bcc2 <__GI_raise+50>: mov eax,0xea
   0x7ffff7a4bcc7 <__GI_raise+55>: syscall
=> 0x7ffff7a4bcc9 <__GI_raise+57>: cmp rax,0xfffffffffffff000
   0x7ffff7a4bccf <__GI_raise+63>: ja 0x7ffff7a4bcea <__GI_raise+90>
   0x7ffff7a4bcd1 <__GI_raise+65>: repz ret
   0x7ffff7a4bcd3 <__GI_raise+67>: nop DWORD PTR [rax+rax*1+0x0]
   0x7ffff7a4bcd8 <__GI_raise+72>: test eax,eax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffb1e8 --> 0x7ffff7a4f0d8 (<__GI_abort+328>: mov rdx,QWORD PTR fs:0x10)
0008| 0x7fffffffb1f0 --> 0x20 (' ')
0016| 0x7fffffffb1f8 --> 0x0
0024| 0x7fffffffb200 --> 0x0
0032| 0x7fffffffb208 --> 0x0
0040| 0x7fffffffb210 --> 0x0
0048| 0x7fffffffb218 --> 0x0
0056| 0x7fffffffb220 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
0x00007ffff7a4bcc9 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.

Patch:
======
src/tcpcapinfo.c
@@ -281,6 +281,15 @@ main(int argc, char *argv[]) caplen = pcap_ph.caplen; } + if (caplentoobig) { + printf("\n\nCapture file appears to be damaged or corrupt.\n" + "Contains packet of size %u, bigger than snap length %u\n", + caplen, pcap_fh.snaplen); + + close(fd); + break; + } + /* check to make sure timestamps don't go backwards */ if (last_sec > 0 && last_usec > 0) { if ((pcap_ph.ts.tv_sec == last_sec) ? @@ -306,7 +315,7 @@ main(int argc, char *argv[]) } close(fd); - continue; + break; } /* print the frame checksum */

References:
===========
https://github.com/appneta/tcpreplay/issues/278
https://github.com/appneta/tcpreplay/releases/tag/v4.2.0-beta1

Vulnerability Disclosure Timeline:
==================================
2017-02-08: Bug Report Submission & Coordination
2017-03-05: Public Disclosure

Credit:
=======
AromalUllas

# 0day.today [2024-07-02] #
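
Review bot: in the first hunk (@@ -281), the new `if (caplentoobig)` branch relies on a flag whose assignment is outside the visible lines, and the message compares `caplen` against `pcap_fh.snaplen`, which is read from the same untrusted file. Please confirm the flag is also set when `caplen` exceeds the size of the buffer the packet data is read into, not only the snap length declared in the file header. The diagnostic also goes to stdout through `printf`; writing it to stderr and returning a non-zero exit status would let scripts that call tcpcapinfo detect a damaged capture.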
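
Review bot: in the second hunk (@@ -306), `continue` becomes `break` directly after `close(fd);`, and the first hunk adds the same `close(fd); break;` pair, but the enclosing loop is not visible in either hunk. Please say in the commit message which loop the `break` leaves and whether `fd` is closed again once that loop ends; if it is, both paths close the descriptor twice, and if the loop is the one over input files, the remaining files are silently skipped.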
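
The length check described under Vulnerability Details, written as a stand-alone validator. This is an added example, not code from Tcpreplay or from the advisory: `pcap_check`, `make_pcap` and the `MAX_CAPLEN` buffer size are hypothetical names and values, the sample captures are constructed in memory, and only little-endian classic pcap files are handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CAPLEN 65535u /* assumption: size of the reader's packet buffer */
enum { PCAP_BAD_HEADER = -1, PCAP_CAPLEN_TOO_BIG = -2, PCAP_TRUNCATED = -3 };

/* Read a little-endian 32-bit field without unaligned access. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* Walk a classic pcap image; return the record count or a negative error. */
int pcap_check(const uint8_t *buf, size_t len)
{
    if (len < 24 || rd32(buf) != 0xa1b2c3d4u) return PCAP_BAD_HEADER;
    uint32_t snaplen = rd32(buf + 16);
    size_t off = 24;
    int records = 0;
    while (len - off >= 16) {
        uint32_t caplen = rd32(buf + off + 8);
        /* snaplen is file-controlled too, so also bound by the buffer size */
        if (caplen > snaplen || caplen > MAX_CAPLEN) return PCAP_CAPLEN_TOO_BIG;
        if (caplen > len - off - 16) return PCAP_TRUNCATED; /* data past EOF */
        off += 16 + (size_t)caplen;
        records++;
    }
    return off == len ? records : PCAP_TRUNCATED;
}

/* Constructed sample: one-record pcap image followed by `payload` data bytes. */
size_t make_pcap(uint8_t *out, uint32_t snaplen, uint32_t caplen, size_t payload)
{
    memset(out, 0, 40 + payload);
    for (int i = 0; i < 4; i++) {
        out[i] = (uint8_t)(0xa1b2c3d4u >> (8 * i));  /* magic number */
        out[16 + i] = (uint8_t)(snaplen >> (8 * i)); /* file header snaplen */
        out[32 + i] = (uint8_t)(caplen >> (8 * i));  /* record header caplen */
    }
    return 40 + payload;
}

int main(void)
{
    uint8_t f[128];
    printf("%d\n", pcap_check(f, make_pcap(f, 64, 4, 4)));           /* valid */
    printf("%d\n", pcap_check(f, make_pcap(f, 64, 0x08000000u, 4))); /* oversized */
    return 0;
}
```

The second condition in the length test matters because a crafted file header can declare any snap length, so comparing `caplen` with `snaplen` alone does not bound the copy.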