Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 184815 - net-analyzer/tcpdump <= 3.9.6 BGP dissector integer overflow (CVE-2007-3798)
Summary: net-analyzer/tcpdump <= 3.9.6 BGP dissector integer overflow (CVE-2007-3798)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.digit-labs.org/files/explo...
Whiteboard: A2? [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-07-10 10:16 UTC by mu-b
Modified: 2007-08-25 22:11 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description mu-b 2007-07-10 10:16:03 UTC
The return value of a call to snprintf is not sanitized before being used in an addition to calculate the number of bytes remaining the buffer within a loop. The result is a remotely exploitable buffer overflow since the length calculation will eventually underflow and thus make the length parameter of subsequent snprintf calls irrelevant. 

mu-b@mu-b ~ $ sudo gdb /usr/sbin/tcpdump
GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) r -i lo -s 16384 -vvv
Starting program: /usr/sbin/tcpdump -i lo -s 16384 -vvv
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 16384 bytes
15:46:54.464044 IP (tos 0x0, ttl 255, id 29122, offset 0, flags [none], proto: TCP (6), length: 552) 1.2.3.4.65535 >
mu-b.65535.com.bgp: P, cksum 0x0000 (incorrect (-> 0x01c9), 1732610923:1732611435(512) win 0: BGP, length: 512
        Update Message (2), length: 512
          Multi-Protocol Reach NLRI (14), length: 255
            AFI: Layer-2 VPN (196), SAFI: labeled VPN Unicast (128), nh-length: 0, no SNPA
              RD: unknown RD format, CE-ID: 65535, Label-Block Offset: 65535, Label Base 1048575

Program received signal SIGSEGV, Segmentation fault.
0x34313431 in ?? ()
(gdb) bt
#0  0x34313431 in ?? ()
#1  0x34313431 in ?? ()
#2  0x34313431 in ?? ()
#3  0x34313431 in ?? ()
#4  0x34313431 in ?? ()
#5  0x34313431 in ?? ()
#6  0x34313431 in ?? ()
#7  0x34313431 in ?? ()
#8  0x34313431 in ?? ()
#9  0x34313431 in ?? ()
#10 0x34313431 in ?? ()
#11 0x34313431 in ?? ()
#12 0x34313431 in ?? ()
#13 0x34313431 in ?? ()
#14 0x34313431 in ?? ()
#15 0x34313431 in ?? ()
#16 0x34313431 in ?? ()
#17 0x34313431 in ?? ()

Reproducible: Always

Steps to Reproduce:
1. run tcpdump within gdb.
2. execute the PoC against the machine.

Actual Results:  
mu-b@mu-b ~ $ sudo gdb /usr/sbin/tcpdump
GNU gdb 6.6
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) r -i lo -s 16384 -vvv
Starting program: /usr/sbin/tcpdump -i lo -s 16384 -vvv
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 16384 bytes
15:46:54.464044 IP (tos 0x0, ttl 255, id 29122, offset 0, flags [none], proto: TCP (6), length: 552) 1.2.3.4.65535 >
mu-b.65535.com.bgp: P, cksum 0x0000 (incorrect (-> 0x01c9), 1732610923:1732611435(512) win 0: BGP, length: 512
        Update Message (2), length: 512
          Multi-Protocol Reach NLRI (14), length: 255
            AFI: Layer-2 VPN (196), SAFI: labeled VPN Unicast (128), nh-length: 0, no SNPA
              RD: unknown RD format, CE-ID: 65535, Label-Block Offset: 65535, Label Base 1048575

Program received signal SIGSEGV, Segmentation fault.
0x34313431 in ?? ()
(gdb) bt
#0  0x34313431 in ?? ()
#1  0x34313431 in ?? ()
#2  0x34313431 in ?? ()
#3  0x34313431 in ?? ()
#4  0x34313431 in ?? ()
#5  0x34313431 in ?? ()
#6  0x34313431 in ?? ()
#7  0x34313431 in ?? ()
#8  0x34313431 in ?? ()
#9  0x34313431 in ?? ()
#10 0x34313431 in ?? ()
#11 0x34313431 in ?? ()
#12 0x34313431 in ?? ()
#13 0x34313431 in ?? ()
#14 0x34313431 in ?? ()
#15 0x34313431 in ?? ()
#16 0x34313431 in ?? ()
#17 0x34313431 in ?? ()


a patch is provided at:

http://www.digit-labs.org/files/patches/private/print-bgp.c-diff
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2007-07-10 10:32:30 UTC
Cool, nice find.

Netmon: please comment.
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2007-07-10 13:42:40 UTC
tcpdump-0.9.5-r3 and tcpdump-0.9.6-r1 are in the tree. Note, in this versions I've added feature requested in bug 176391, and now tcpdump by default drop its privileges to tcpdump user. The last question I have, did anybody reported this upstream? What upstream say on the issue. Before stabilization, personally I'd like to hear them... This bug seems to be open thus, I'll ask their opinion in tcpdump-workers.
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2007-07-11 20:04:10 UTC
hi arches, please stable tcpdump-0.9.5-r3. thx!
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2007-07-11 20:05:07 UTC
hi arches, please stable tcpdump-0.9.5-r3. thx!(In reply to comment #3)
> hi arches, please stable tcpdump-0.9.5-r3. thx!
> 

bah, i'm out of training :/
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-11 20:20:09 UTC
Stabilize tcpdump-3.9.5-r3, and it should be open no?
Comment 6 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-11 20:42:47 UTC
sparc stable for 3.9.5-r3.
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2007-07-11 21:44:51 UTC
alpha/ia64/x86 stable, thanks Tobias
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2007-07-12 17:36:41 UTC
Stable for HPPA.
Comment 9 Steve Dibb (RETIRED) gentoo-dev 2007-07-13 00:40:26 UTC
net-analyzer/tcpdump-3.9.5-r3 amd64 stable
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-15 20:47:50 UTC
ppc stable
Comment 11 Joshua Kinard gentoo-dev 2007-07-16 03:56:59 UTC
mips stable.
Comment 12 Peter Volkov (RETIRED) gentoo-dev 2007-07-16 08:25:42 UTC
Upstream unswered:

"I reviewed the fix - it seemed a bit cleaner to have it continue 
processing the TLVs, without adding to the string, if the string buffer 
is full."

I do not think we should change anythig right now, but in case we'll have another revision for this tcpdump version, I think it's worth to change the tcpdump-3.9.6-bgp-integer-overflow patch on:

http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-bgp.c?r1=1.91.2.11&r2=1.91.2.12
Comment 13 Markus Rothe (RETIRED) gentoo-dev 2007-07-16 19:03:34 UTC
ppc64 stable
Comment 14 solar (RETIRED) gentoo-dev 2007-07-16 23:54:04 UTC
======================================================
Name: CVE-2007-3798
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3798
Reference: CONFIRM:http://bugs.gentoo.org/show_bug.cgi?id=184815

Integer overflow in print-bgp.c in the BGP dissector in tcpdump 3.9.6
and earlier allows remote attackers to execute arbitrary code via
crafted TLVs in a BGP packet.
Comment 15 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-07-28 22:43:47 UTC
GLSA 200707-14, thanks everybody