CVE-2017-13019: The PGM parser in tcpdump before 4.9.2 has a buffer over-read in print-pgm.c:pgm_print()

Hello, The vulnerable code portion is linked below. The linked function is responsible for printing PGM packet payload information to the terminal (e.g., stdout) https://github.com/the-tcpdump-group/tcpdump/commit/4601c685e7fd19c3724d5e499c69b8d3ec49933e The issue may be reproduced as follows Check out vulnerable tcpdump commit (< 4.9.2) as follows ``` $ git clone -b 26a6799b9ca80508c05cac7a9a3bef922991520b https://github.com/the-tcpdump-group/tcpdump ``` Build it with afl and AddressSanitizer as follows (please install libpcap before this step) ``` $ CC=afl-gcc $ AFL_USE_ASAN=1 make -j ``` Run tcpdump against linked payload (link: https://github.com/the-tcpdump-group/tcpdump/blob/4601c685e7fd19c3724d5e499c69b8d3ec49933e/tests/pgm_opts_asan_2.pcap?raw=true) ``` $ tcpdump -nvr <payload> reading from file /tmp/pgm_opts_asan_2.pcap, link-type EN10MB (Ethernet) ================================================================= ==3947==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000007d at pc 0x5560b85896f6 bp 0x7ffe420b1ca0 sp 0x7ffe420b1c90 READ of size 4 at 0x60800000007d thread T0 #0 0x5560b85896f5 in EXTRACT_32BITS extract.h:190 #1 0x5560b85896f5 in pgm_print print-pgm.c:697 #2 0x5560b849f20c in ip_print_demux print-ip.c:483 #3 0x5560b849f20c in ip_print print-ip.c:658 #4 0x5560b84506df in ethertype_print print-ether.c:334 #5 0x5560b84531d1 in ether_print print-ether.c:237 #6 0x5560b84531d1 in ether_if_print print-ether.c:262 #7 0x5560b83b76be in pretty_print_packet print.c:332 #8 0x5560b839062d in print_packet tcpdump.c:2590 #9 0x5560b8663ee8 in pcap_offline_read savefile.c:561 #10 0x5560b8652e5e in pcap_loop pcap.c:2737 #11 0x5560b8383fed in main tcpdump.c:2093 #12 0x7f7aaf546b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) #13 0x5560b838c009 in _start (/home/bhargava/work/github/tcpdump/tcpdump+0x17c009) 0x60800000007f is located 0 bytes to the right of 95-byte region [0x608000000020,0x60800000007f) allocated by thread T0 here: #0 0x7f7aafc0ab50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50) #1 0x5560b8664c7a in pcap_check_header sf-pcap.c:404 SUMMARY: AddressSanitizer: heap-buffer-overflow extract.h:190 in EXTRACT_32BITS Shadow bytes around the buggy address: 0x0c107fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c107fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c107fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00[07] 0x0c107fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c107fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==3947==ABORTING ``` It is acknowledged here(link: https://github.com/the-tcpdump-group/tcpdump/commit/4601c685e7fd19c3724d5e499c69b8d3ec49933e) that I (Bhargava Shastry) am the original reporter of the issue. To prove that this hackerone account belongs to me, I have hosted a file with the following message on my github page(link: https://bshastry.github.io/.well-known/hackerone.txt) ``` hello @turtle_shell @hackerone ``` If you have any further queries, please let me know. Tracked as CVE-2017-13019: https://nvd.nist.gov/vuln/detail/CVE-2017-13019 ## Impact I believe that information disclosure is possible.