VYPR
Unrated severity · OSV Advisory · Published Sep 28, 2018 · Updated Aug 5, 2024

CVE-2018-17582


Description

Tcpreplay v4.3.0 beta1 contains a heap-based buffer over-read. The get_next_packet() function in the send_packets.c file uses the memcpy() function unsafely to copy sequences from the source buffer pktdata to the destination (*prev_packet)->pktdata. This will result in a Denial of Service (DoS) and potentially Information Exposure when the application attempts to process a file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Tcpreplay v4.3.0 beta1 has a heap-based buffer over-read in get_next_packet() via a crafted pcap file, leading to DoS and potential information disclosure.

Vulnerability

A heap-based buffer over-read vulnerability exists in Tcpreplay version 4.3.0 beta1 (and possibly other versions in the 4.3 branch). The flaw resides in the get_next_packet() function within send_packets.c. When processing a crafted pcap file, the function unsafely uses memcpy() to copy packet data from the source buffer pktdata to the destination (*prev_packet)->pktdata without adequate bounds checking, causing an over-read of heap memory. The vulnerability is triggered when pktlen is larger than the allocated buffer, as demonstrated in the debug output where pktlen is set to 8388670 while pktdata points to an empty string [1][2].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious pcap file with an oversized packet length value. The victim must use the tcpreplay utility to replay the crafted file (e.g., via sudo tcpreplay -i eno1 -t -K --loop 4 --unique-ip $POC). No authentication is required; the attacker only needs to deliver the file to the victim. The vulnerability is triggered during packet preloading when get_next_packet() processes the malformed packet, leading to a heap-based over-read [1][2].

Impact

Successful exploitation results in a denial-of-service (DoS) due to a crash, as the over-read can corrupt memory or cause an invalid access. Additionally, the over-read may leak sensitive heap memory contents, leading to information exposure. The impact is limited to the process running tcpreplay, and no privilege escalation is indicated in the references [1][2].

Mitigation

As of the available references, no patch has been officially released for this vulnerability. The affected version is tcpreplay 4.3.0 beta1. Users are advised to avoid processing untrusted pcap files with this version. A later stable release (post-4.3.0) may include a fix; however, no specific fixed version is mentioned. The issue is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2].
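
A pre-flight check in the spirit of the advice above, added here as an illustration (it is not tcpreplay's code or its fix): it walks a classic pcap file and reports the first record whose declared captured length exceeds the snaplen or the bytes actually present in the file. The function names and the constructed sample file are assumptions of this example; pcapng and nanosecond-timestamp files are reported as unsupported.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCAP_MAGIC      0xa1b2c3d4u  /* classic pcap, file in little-endian order */
#define PCAP_MAGIC_SWAP 0xd4c3b2a1u  /* same magic when the file is big-endian */

/* Read a 32-bit field in the file's byte order. */
static uint32_t rd32(const uint8_t *p, int big) {
    return big ? ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3])
               : ((uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0]);
}

/* Returns -1 if every record is consistent, -2 if the global header is
 * missing or unsupported, else the zero-based index of the first bad record. */
long pcap_first_bad_record(const uint8_t *buf, size_t len) {
    if (len < 24) return -2;                          /* 24-byte global header */
    uint32_t magic = rd32(buf, 0);
    if (magic != PCAP_MAGIC && magic != PCAP_MAGIC_SWAP) return -2;
    int big = (magic == PCAP_MAGIC_SWAP);
    uint32_t snaplen = rd32(buf + 16, big);
    size_t off = 24;
    for (long idx = 0; off < len; idx++) {
        if (len - off < 16) return idx;               /* truncated record header */
        uint32_t incl = rd32(buf + off + 8, big);     /* declared captured length */
        off += 16;
        /* Reject a length the file cannot back with real bytes. */
        if (incl > snaplen || incl > len - off) return idx;
        off += incl;
    }
    return -1;
}

/* Constructed sample (not a real capture): global header plus one record that
 * carries 4 payload bytes but declares `declared` bytes. Returns the file size. */
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
size_t build_sample(uint8_t *out, uint32_t declared) {
    memset(out, 0, 44);
    wr32(out, PCAP_MAGIC);
    wr32(out + 16, 65535);                            /* snaplen */
    wr32(out + 32, declared); wr32(out + 36, declared);
    return 44;
}

int main(void) {
    uint8_t f[44];
    size_t n = build_sample(f, 8388670);              /* pktlen value quoted in the advisory */
    printf("first bad record: %ld\n", pcap_first_bad_record(f, n));
    return 0;
}
```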

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.


References

2
