CVE-2018-17580

Vulnerability

A heap-based buffer over-read vulnerability exists in the fast_edit_packet() function in send_packets.c of Tcpreplay v4.3.0 beta1. The function reads from an ip_hdr pointer without verifying that the packet data is large enough, leading to an out-of-bounds read when processing a crafted pcap file. The issue affects the 4.3 branch [1] [2].

Exploitation

An attacker can trigger the vulnerability by providing a specially crafted pcap file as input to the tcpreplay binary. No special privileges are required; the attacker only needs the ability to supply the malicious file. The specific command used for reproduction is sudo tcpreplay -i eno1 -t -K --loop 4 --unique-ip $POC. When fast_edit_packet() processes the crafted packet, it reads from an invalid memory region (heap buffer overflow) at line 290 of send_packets.c [2]. Additionally, a separate heap overflow in get_next_packet() (line 1045) can also be triggered [1].

Impact

Successful exploitation can cause a denial of service (DoS) due to application crash, and may lead to information exposure as heap memory contents could be read during the out-of-bounds access. The attacker does not gain code execution or elevated privileges based on the available information [1] [2].

Mitigation

As of the available references, no patch has been released for this vulnerability. The issue affects the 4.3 branch (including v4.3.0 beta1). Users are advised to avoid processing untrusted pcap files with the affected version until a fix is available. No workaround is documented. Monitor Tcpreplay updates for a patched release [1] [2].