CVE-2017-13050: The RPKI-Router parser in tcpdump before 4.9.2 has a buffer over-read in print-rpki-rtr.c:rpki_rtr_pdu_print()

Hello, The vulnerable code portion is linked below. The linked function is responsible for printing RPKI-Router packet payload information to the terminal (e.g., stdout) https://github.com/the-tcpdump-group/tcpdump/commit/83c64fce3a5226b080e535f5131a8a318f30e79b The issue may be reproduced as follows Check out vulnerable tcpdump commit (< 4.9.2) as follows ``` $ git clone -b 289c672020280529fd382f3502efab7100d638ec https://github.com/the-tcpdump-group/tcpdump ``` Build it with afl and AddressSanitizer as follows (please install libpcap before this step) ``` $ CC=afl-gcc $ AFL_USE_ASAN=1 make -j ``` Run tcpdump against linked payload (link: https://github.com/the-tcpdump-group/tcpdump/blob/83c64fce3a5226b080e535f5131a8a318f30e79b/tests/rpki-rtr-oob.pcap?raw=true) ``` $ tcpdump -nvr <payload> reading from file /tmp/rpki-rtr-oob.pcap, link-type EN10MB (Ethernet) ================================================================= ==3569==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000000e2 at pc 0x562a16588231 bp 0x7ffc51f88550 sp 0x7ffc51f88540 READ of size 4 at 0x6070000000e2 thread T0 #0 0x562a16588230 in EXTRACT_32BITS extract.h:190 #1 0x562a16588230 in rpki_rtr_pdu_print print-rpki-rtr.c:243 #2 0x562a16588230 in rpki_rtr_print print-rpki-rtr.c:355 #3 0x562a165bfb52 in tcp_print print-tcp.c:725 #4 0x562a1645f9e7 in ip_print_demux print-ip.c:396 #5 0x562a1645f9e7 in ip_print print-ip.c:673 #6 0x562a16413cef in ethertype_print print-ether.c:334 #7 0x562a164167e1 in ether_print print-ether.c:237 #8 0x562a164167e1 in ether_if_print print-ether.c:262 #9 0x562a1637b01e in pretty_print_packet print.c:332 #10 0x562a16353f8d in print_packet tcpdump.c:2590 #11 0x562a16627168 in pcap_offline_read savefile.c:561 #12 0x562a166160de in pcap_loop pcap.c:2737 #13 0x562a1634794d in main tcpdump.c:2093 #14 0x7f1aefe87b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) #15 0x562a1634f969 in _start (/home/bhargava/work/github/tcpdump/tcpdump+0x17c969) 0x6070000000e2 is located 13 bytes to the right of 69-byte region [0x607000000090,0x6070000000d5) allocated by thread T0 here: #0 0x7f1af054bb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50) #1 0x562a16627efa in pcap_check_header sf-pcap.c:404 SUMMARY: AddressSanitizer: heap-buffer-overflow extract.h:190 in EXTRACT_32BITS Shadow bytes around the buggy address: 0x0c0e7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c0e7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c0e7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c0e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c0e7fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa fa fa =>0x0c0e7fff8010: fa fa 00 00 00 00 00 00 00 00 05 fa[fa]fa fa fa 0x0c0e7fff8020: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa 0x0c0e7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0e7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0e7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0e7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==3569==ABORTING ``` It is acknowledged here(link: https://github.com/the-tcpdump-group/tcpdump/commit/83c64fce3a5226b080e535f5131a8a318f30e79b) that I (Bhargava Shastry) am the original reporter of the issue. To prove that this hackerone account belongs to me, I have hosted a file with the following message on my github page(link: https://bshastry.github.io/.well-known/hackerone.txt) ``` hello @turtle_shell @hackerone ``` If you have any further queries, please let me know. Tracked as CVE-2017-13050: https://nvd.nist.gov/vuln/detail/CVE-2017-13050 ## Impact I believe that information disclosure is possible.