Package: tcpxtract
Versions: 1.0.1-13

Dear Maintainer,

tcpxtract crashes when analyzing the following file (crash.tcpdump). The crash exists on Debian Jessie, Stretch and Buster (Bullseye and Sid seem to use the same package as Buster). Versions are 1.0.1-13 (buster), 1.0.1-11 (stretch), 1.0.1-8 (jessie).

Package info (jessie):

$ dpkg --list tcpxtract
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                   Version          Architecture     Description
+++-======================-================-================-=================================================
ii  tcpxtract              1.0.1-8          amd64            extracts files from network traffic based on file

Package info (stretch):

$ dpkg --list tcpxtract
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                   Version          Architecture     Description
+++-======================-================-================-=================================================
ii  tcpxtract              1.0.1-11         amd64            extract files from network traffic based on file

Package info (buster):

$ dpkg --list tcpxtract
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-===========================================================
ii  tcpxtract      1.0.1-13     amd64        extract files from network traffic based on file signatures

File info:

$ md5sum crash.tcpdump
26514548ac04f47ec610e255d15d5e2f  crash.tcpdump
$ sha1sum crash.tcpdump
c5a0377d1c4f9f5f6d9c60839ed1b44388b90525  crash.tcpdump
$ sha256sum crash.tcpdump
eca339965dc64154029c7b8f3dd64e7710d04cde3850666df0b025a07c3fbad3  crash.tcpdump
$ file crash.tcpdump
crash.tcpdump: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 262144)

Crash (same result on Buster, Stretch and Jessie):

$ tcpxtract -f crash.tcpdump
Segmentation fault

Trace from crash (gdb with peda plugin) - Buster:

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x7ffff79e903a --> 0x10000013f2f
RBX: 0x37bfc6
RCX: 0x0
RDX: 0x0
RSI: 0x0
RDI: 0x7ffff7d6ac40 --> 0x0
RBP: 0x5555555a3b40 --> 0x5555555a41a0 --> 0x5555555a3c20 --> 0x0
RSP: 0x7fffffffdf20 --> 0x7fffffffdf40 --> 0x5555555a3c60 --> 0x5555555a3c90 --> 0x5555555a3cc0 --> 0x5555555a3cf0 (--> ...)
RIP: 0x555555558b9c (movzx  r12d,BYTE PTR [rax+rbx*1])
R8 : 0x5555555a41a0 --> 0x5555555a3c20 --> 0x0
R9 : 0x0
R10: 0x0
R11: 0x30 ('0')
R12: 0x555555567ee0 --> 0x0
R13: 0x37bfc6
R14: 0x0
R15: 0x5555555a41a0 --> 0x5555555a3c20 --> 0x0
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555558b90:  mov    rax,QWORD PTR [rsp+0x8]
   0x555555558b95:  mov    r15,QWORD PTR [rbp+0x0]
   0x555555558b99:  mov    r13d,ebx
=> 0x555555558b9c:  movzx  r12d,BYTE PTR [rax+rbx*1]
   0x555555558ba1:  test   r15,r15
   0x555555558ba4:  jne    0x555555558bc4
   0x555555558ba6:  jmp    0x555555558c10
   0x555555558ba8:  nop    DWORD PTR [rax+rax*1+0x0]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdf20 --> 0x7fffffffdf40 --> 0x5555555a3c60 --> 0x5555555a3c90 --> 0x5555555a3cc0 --> 0x5555555a3cf0 (--> ...)
0008| 0x7fffffffdf28 --> 0x7ffff79e903a --> 0x10000013f2f
0016| 0x7fffffffdf30 --> 0xffffffffffffffdc
0024| 0x7fffffffdf38 --> 0x5555555635b0 --> 0x0
0032| 0x7fffffffdf40 --> 0x5555555a3c60 --> 0x5555555a3c90 --> 0x5555555a3cc0 --> 0x5555555a3cf0 --> 0x5555555a3d20 (--> ...)
0040| 0x7fffffffdf48 --> 0x8292a0abdb3fa400
0048| 0x7fffffffdf50 --> 0xffffffffffffffdc
0056| 0x7fffffffdf58 --> 0x7ffff79e903a --> 0x10000013f2f
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555558b9c in ?? ()

Trace from crash (gdb with peda plugin) - Stretch:

[----------------------------------registers-----------------------------------]
RAX: 0x7ffff7f9a03a --> 0x10000013f2f
RBX: 0x555555765c90 --> 0x0
RCX: 0x7ffff7b91b08 --> 0x0
RDX: 0x0
RSI: 0x0
RDI: 0x0
RBP: 0x44fc6
RSP: 0x7fffffffdef0 --> 0x7fffffffdf10 --> 0x0
RIP: 0x555555557c2f (movzx  ebx,BYTE PTR [rax+rbp*1])
R8 : 0x5555557a17e0 --> 0x5555557a1820 --> 0x0
R9 : 0x20 (' ')
R10: 0x5555557a1890 --> 0x4000000000006
R11: 0x40000
R12: 0x5555557a17c0 --> 0x5555557a17e0 --> 0x5555557a1820 --> 0x0
R13: 0x44fc6
R14: 0x0
R15: 0x5555557a17e0 --> 0x5555557a1820 --> 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555557c24:  mov    rax,QWORD PTR [rsp+0x8]
   0x555555557c29:  mov    r13d,ebp
   0x555555557c2c:  test   r15,r15
=> 0x555555557c2f:  movzx  ebx,BYTE PTR [rax+rbp*1]
   0x555555557c33:  jne    0x555555557c66
   0x555555557c35:  jmp    0x555555557c9e
   0x555555557c37:  nop    WORD PTR [rax+rax*1+0x0]
   0x555555557c40:  mov    edx,DWORD PTR [rsi+0x4]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdef0 --> 0x7fffffffdf10 --> 0x0
0008| 0x7fffffffdef8 --> 0x7ffff7f9a03a --> 0x10000013f2f
0016| 0x7fffffffdf00 --> 0xffffffffffffffdc
0024| 0x7fffffffdf08 --> 0x555555761360 --> 0x0
0032| 0x7fffffffdf10 --> 0x0
0040| 0x7fffffffdf18 --> 0xf72fab7b70145400
0048| 0x7fffffffdf20 --> 0x55555575b1d0 --> 0x5555557a1780 --> 0x0
0056| 0x7fffffffdf28 --> 0x7ffff7f9a03a --> 0x10000013f2f
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000555555557c2f in ?? ()

Trace from crash (gdb with peda plugin) - Jessie:

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x43fc6
RBX: 0x649870 --> 0x649890 --> 0x6498b0 --> 0x0
RCX: 0x3
RDX: 0x0
RSI: 0x7ffff7b96620 --> 0x0
RDI: 0x0
RBP: 0x43fc6
RSP: 0x7fffffffe020 --> 0x649830 --> 0x0
RIP: 0x40374f (movzx  r15d,BYTE PTR [r12+rax*1])
R8 : 0x649890 --> 0x6498b0 --> 0x0
R9 : 0x649890 --> 0x6498b0 --> 0x0
R10: 0x7fffffffdde0 --> 0x0
R11: 0x7ffff786d600 (<__GI___libc_free>:  mov    rax,QWORD PTR [rip+0x3288e1]        # 0x7ffff7b95ee8)
R12: 0x7ffff7f9a03a --> 0x10000013f2f
R13: 0x649890 --> 0x6498b0 --> 0x0
R14: 0x0
R15: 0x0
EFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x403742:  nop    WORD PTR [rax+rax*1+0x0]
   0x403748:  mov    r13,QWORD PTR [rbx]
   0x40374b:  mov    DWORD PTR [rsp+0xc],ebp
=> 0x40374f:  movzx  r15d,BYTE PTR [r12+rax*1]
   0x403754:  test   r13,r13
   0x403757:  jne    0x40376c
   0x403759:  jmp    0x4037a0
   0x40375b:  nop    DWORD PTR [rax+rax*1+0x0]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe020 --> 0x649830 --> 0x0
0008| 0x7fffffffe028 --> 0x43fc6f7f9a03a
0016| 0x7fffffffe030 --> 0x60a360 --> 0x0
0024| 0x7fffffffe038 --> 0xffffffffffffffdc
0032| 0x7fffffffe040 --> 0xc2132400
0040| 0x7fffffffe048 --> 0x0
0048| 0x7fffffffe050 --> 0x7ffff7f9a010 --> 0x8b85d1684afd7ba
0056| 0x7fffffffe058 --> 0x649830 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000040374f in ?? ()

Trace from crash (Debian package with patches compiled with Address Sanitizer) - only for Buster (result is similar on Jessie and Stretch):

Note: for Buster, compilation using make failed; I had to run the last compilation command manually, adding -ll.

==16635==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1157def800 at pc 0x556ed42c2831 bp 0x7ffc20e59310 sp 0x7ffc20e59308
READ of size 1 at 0x7f1157def800 thread T0
    #0 0x556ed42c2830 in search (/home/ace/fuzz/tcpxtract/asan/tcpxtract_1.0.1.orig/tcpxtract-1.0.1/tcpxtract+0xd830)
    #1 0x556ed42bae45 in got_packet (/home/ace/fuzz/tcpxtract/asan/tcpxtract_1.0.1.orig/tcpxtract-1.0.1/tcpxtract+0x5e45)
    #2 0x7f115a7ab328  (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x1f328)
    #3 0x556ed42bbb59 in main (/home/ace/fuzz/tcpxtract/asan/tcpxtract_1.0.1.orig/tcpxtract-1.0.1/tcpxtract+0x6b59)
    #4 0x7f115a5ef09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #5 0x556ed42ba489 in _start (/home/ace/fuzz/tcpxtract/asan/tcpxtract_1.0.1.orig/tcpxtract-1.0.1/tcpxtract+0x5489)

0x7f1157def800 is located 0 bytes to the right of 262144-byte region [0x7f1157daf800,0x7f1157def800)
allocated by thread T0 here:
    #0 0x7f115aab7330 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:86
    #1 0x7f115a7abec1  (/lib/x86_64-linux-gnu/libpcap.so.0.8+0x1fec1)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/ace/fuzz/tcpxtract/asan/tcpxtract_1.0.1.orig/tcpxtract-1.0.1/tcpxtract+0xd830) in search
Shadow bytes around the buggy address:
  0x0fe2aafb5eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe2aafb5ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe2aafb5ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe2aafb5ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe2aafb5ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe2aafb5f00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe2aafb5f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe2aafb5f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe2aafb5f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe2aafb5f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe2aafb5f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16635==ABORTING

About LTS versions: as a buffer overflow is considered a security issue, this crash may be patched for the LTS of Debian Jessie & Stretch.

Kind regards,
Antoine
crash.tcpdump
Description: crash.tcpdump
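Added illustration, not part of the report above and not tcpxtract's code: the ASan trace shows a 1-byte read at exactly the end of a 262144-byte region that libpcap allocated, inside the signature search. The hypothetical C function below shows the property a fix for that class of bug has to preserve: a full signature is only compared where sig_len bytes remain in the packet, and a signature that begins in the last bytes of a packet is reported as a partial match (so a caller can resume in the next packet) rather than being followed past pkt + pkt_len. The signature bytes and the buffer in main() are constructed sample data; the function and struct names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result of scanning one packet buffer for a file signature (hypothetical). */
typedef struct {
    long   match_offset;  /* offset of the first full match, or -1 if none  */
    size_t tail_partial;  /* bytes of sig that match at the very end of pkt */
} search_result;

/* Bounded signature search over pkt[0..pkt_len).
 * Every read stays inside the buffer: a full match is only attempted where
 * sig_len bytes remain, and a signature that starts near the end is reported
 * as a partial match instead of being followed past pkt + pkt_len. */
search_result find_signature(const uint8_t *pkt, size_t pkt_len,
                             const uint8_t *sig, size_t sig_len)
{
    search_result r = { -1, 0 };
    if (sig_len == 0 || pkt_len == 0)
        return r;

    /* Full matches: i + sig_len <= pkt_len keeps memcmp inside the buffer. */
    if (sig_len <= pkt_len) {
        for (size_t i = 0; i + sig_len <= pkt_len; i++) {
            if (memcmp(pkt + i, sig, sig_len) == 0) {
                r.match_offset = (long)i;
                return r;
            }
        }
    }

    /* Partial match at the tail: longest proper prefix of sig that ends
     * exactly at pkt_len. k never exceeds pkt_len, so pkt + pkt_len - k
     * is always inside the buffer. */
    size_t max_k = sig_len - 1;
    if (max_k > pkt_len)
        max_k = pkt_len;
    for (size_t k = max_k; k > 0; k--) {
        if (memcmp(pkt + pkt_len - k, sig, k) == 0) {
            r.tail_partial = k;
            break;
        }
    }
    return r;
}

int main(void)
{
    /* Constructed sample: a JPEG SOI/APP0 signature and a heap buffer of the
     * same size as the region in the ASan report (262144 bytes), whose last
     * two bytes begin that signature. Runs clean under -fsanitize=address. */
    static const uint8_t jpeg_sig[] = { 0xFF, 0xD8, 0xFF, 0xE0 };
    size_t len = 262144;
    uint8_t *buf = calloc(len, 1);
    if (!buf)
        return 1;
    buf[len - 2] = 0xFF;
    buf[len - 1] = 0xD8;

    search_result r = find_signature(buf, len, jpeg_sig, sizeof jpeg_sig);
    printf("full match: %ld, partial bytes at tail: %zu\n",
           r.match_offset, r.tail_partial);
    free(buf);
    return 0;
}
```

Compile with `-fsanitize=address -g` to confirm that no read leaves the allocation; the partial-match value is what a stream-reassembling caller would carry into the next packet instead of reading beyond the current one.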