
Tcpdump before 4.9.3 has a buffer over-read in print-802_11.c (CVE-2018-16227)

Critical
Internet Bug Bounty
Submitted None
Reported by bugbasher

Vulnerability Details

Technical details and impact analysis

Out-of-bounds Read
Versions of tcpdump before 4.9.3 are vulnerable to a buffer over-read in print-802_11.c. This vulnerability was disclosed to the tcpdump maintainers, was recently patched in version 4.9.3 and was disclosed as CVE-2018-16227. I was credited with finding and disclosing this vulnerability: https://www.tcpdump.org/public-cve-list.txt

```
CVE-2018-16227,tcpdump,ieee802.11_meshhdr-oobr.pcap,"Ryan Ackroyd",2018/05/26,Y,4846b3c5d0a850e860baf4f07340495d29837d09,4.9.3,,
```

This vulnerability was found and tested on tcpdump 4.9.2 after compiling tcpdump with Address Sanitizer (ASAN) support and fuzzing tcpdump with mutated packets. I have attached a working test case as a Proof of Concept to this report, named "fuzzer06:id:000021,sig:11,src:008627,op:havoc,rep:2". This vulnerability can be triggered using the following command:

```
tcpdump -e -vvvv -H -u -nn -r fuzzer06:id:000021,sig:11,src:008627,op:havoc,rep:2
```

The above command produces the following output; ASAN marks this as a "heap-buffer-overflow":

```
reading from file fuzzer06:id:000021,sig:11,src:008627,op:havoc,rep:2, link-type IEEE802_11_RADIO (802.11 plus radiotap header)
12:05:07.276297 15738588889088us tsft 4096 MHz 11n 19dBm signal antenna 20 52.0 Mb/s MCS 25 20 MHz long GI LDPC FEC More Data 44us BSSID:20:7c:8f:50:3f:3a DA:68:a3:c4:03:46:da SA:20:7c:8f:50:3f:3a ReAssoc Request[|802.11]
=================================================================
==5793==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4a01801 at pc 0x08090ae9 bp 0xffc10aa8 sp 0xffc10a98
READ of size 1 at 0xf4a01801 thread T0
    #0 0x8090ae8 in ctrl_body_print print-802_11.c:1676
    #1 0x8090ae8 in ieee802_11_print print-802_11.c:2092
    #2 0x809297b in ieee802_11_radio_print print-802_11.c:3257
    #3 0x809297b in ieee802_11_radio_if_print print-802_11.c:3352
    #4 0x80844b4 in pretty_print_packet print.c:332
    #5 0x8065ce8 in print_packet tcpdump.c:2497
    #6 0x83fcb6a in pcap_offline_read savefile.c:527
    #7 0x8346bfe in pcap_loop pcap.c:890
    #8 0x805afb8 in main tcpdump.c:2000
    #9 0xf700a636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #10 0x806226a (/home/user/targets/builds33/tcpdump-4.9.2/tcpdump+0x806226a)

0xf4a01801 is located 1 bytes to the right of 64-byte region [0xf4a017c0,0xf4a01800)
allocated by thread T0 here:
    #0 0xf723edee in malloc (/usr/lib32/libasan.so.2+0x96dee)
    #1 0x8400752 in pcap_check_header sf-pcap.c:401

SUMMARY: AddressSanitizer: heap-buffer-overflow print-802_11.c:1676 ctrl_body_print
Shadow bytes around the buggy address:
  0x3e9402b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9402c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9402d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9402e0: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x3e9402f0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
=>0x3e940300:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e940310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e940320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e940330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e940340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e940350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==5793==ABORTING
```

More information about this vulnerability can be found in the following locations:

- NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-16227
- CVE details: https://www.cvedetails.com/cve/CVE-2018-16227/

## Impact

This vulnerability can lead to significant information disclosure and allow an attacker to modify system files remotely, across a network with no interaction from the victim.

CVSS v3.1 Severity and Metrics:

- Base Score: 9.8 CRITICAL
- Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Impact Score: 5.9
- Exploitability Score: 3.9
- Attack Vector (AV): Network
- Attack Complexity (AC): Low
- Privileges Required (PR): None
- User Interaction (UI): None
- Scope (S): Unchanged
- Confidentiality (C): High
- Integrity (I): High
- Availability (A): High
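The ASAN trace above records a one-byte read located one byte past a 64-byte heap region, the classic shape of a dissector that trusts a length it derived from the packet and reads a trailing field without checking that the field is inside the captured data. The following toy C dissector is an added illustration of that defect class and of the bounds check that turns the over-read into tcpdump's `[|802.11]` truncation marker; it is not code from this report or from tcpdump's print-802_11.c. The frame layout, `parse_flags()`, `in_capture()` and the constructed 64-byte sample are assumptions of the example; the check is modelled on tcpdump's general ND_TCHECK pattern of comparing a read against the end of the captured data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed toy dissector illustrating the bug class in this report: a
 * one-byte read just past the end of the captured packet. Not tcpdump code;
 * the frame layout and the helper names below are assumptions for the example.
 */

#define PARSE_OK         0
#define PARSE_TRUNCATED (-1)

/*
 * Bounds check in the spirit of tcpdump's ND_TCHECK idiom. The caller
 * guarantees p <= snapend; the check asks whether 'need' more bytes fit
 * before the end of the capture. Working on the difference avoids ever
 * forming a pointer beyond the buffer.
 */
static int in_capture(const uint8_t *p, const uint8_t *snapend, size_t need)
{
    return (size_t)(snapend - p) >= need;
}

/*
 * Toy frame: hdrlen bytes of header followed by a one-byte flags field.
 * In a real 802.11 dissector hdrlen is derived from bits in the frame itself,
 * so it is attacker-controlled data and must never be trusted alone.
 * Returns PARSE_OK and stores the flags byte, or PARSE_TRUNCATED when the
 * flags byte would lie at or beyond snapend.
 */
int parse_flags(const uint8_t *buf, size_t caplen, size_t hdrlen, uint8_t *flags)
{
    const uint8_t *snapend = buf + caplen;
    const uint8_t *p = buf;

    /* The header itself must fit; this also keeps p <= snapend below. */
    if (!in_capture(p, snapend, hdrlen))
        return PARSE_TRUNCATED;
    p += hdrlen;

    /* The read that overran in the report: one byte after the header. */
    if (!in_capture(p, snapend, 1))
        return PARSE_TRUNCATED;   /* tcpdump would print "[|802.11]" here */
    *flags = *p;
    return PARSE_OK;
}

/* Constructed 64-byte capture, the same size as the region in the ASAN report. */
#define SAMPLE_LEN 64
static uint8_t sample_frame[SAMPLE_LEN];

static void build_sample(void)
{
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        sample_frame[i] = (uint8_t)i;   /* byte at offset k holds the value k */
}

/* Header of 63 bytes: the flags byte is the last captured byte (offset 63). */
int demo_in_bounds(void)
{
    uint8_t flags = 0;
    build_sample();
    if (parse_flags(sample_frame, SAMPLE_LEN, 63, &flags) != PARSE_OK)
        return -1;
    return flags;   /* returns 63 */
}

/* Header of 64 bytes: the flags byte would sit one past the end, as in the report. */
int demo_one_past_end(void)
{
    uint8_t flags = 0;
    build_sample();
    return parse_flags(sample_frame, SAMPLE_LEN, 64, &flags);   /* PARSE_TRUNCATED */
}

/* Header length larger than the capture: rejected before p can move past snapend. */
int demo_oversized_header(void)
{
    uint8_t flags = 0;
    build_sample();
    return parse_flags(sample_frame, SAMPLE_LEN, 200, &flags);  /* PARSE_TRUNCATED */
}

int main(void)
{
    printf("in bounds: flags=%d\n", demo_in_bounds());
    printf("one past end: %s\n",
           demo_one_past_end() == PARSE_TRUNCATED ? "[|802.11]" : "read");
    printf("oversized header: %s\n",
           demo_oversized_header() == PARSE_TRUNCATED ? "[|802.11]" : "read");
    return 0;
}
```

Compiling the same toy with `-fsanitize=address` and removing the second `in_capture()` call reproduces the shape of the report's finding on `demo_one_past_end()`: a 1-byte READ one byte to the right of the 64-byte region. That is the property the fix in 4.9.3 restores for the real dissector: every read of a packet-derived offset is checked against the capture end before it happens, and a truncated frame is reported rather than read past.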

Related CVEs

Associated Common Vulnerabilities and Exposures

The IEEE 802.11 parser in tcpdump before 4.9.3 has a buffer over-read in print-802_11.c for the Mesh Flags subfield.

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Out-of-bounds Read