Heap Overflow Vulnerabilities and Concerned Threats


Article
December 6, 2018

Jason Franscisco

A flaw always attracts antagonism. The same applies to software vulnerabilities, which act as a gateway for cyber-attacks and increase the chance of code exploitation. Cyber security is the biggest challenge that the present-day digital world faces every second, and the frequency with which vulnerabilities appear is rising rapidly. To date, many different types of vulnerabilities have been found by different organizations, and efforts have been made to patch them.

Loginsoft is one such organization: it constantly searches for vulnerabilities in open source software and informs the respective vendors so that they can fix the issues. Let us walk you through our most recent vulnerability findings and give you a clear understanding of their impact.

Our Loginsoft research team has observed that, of all the software flaws we encounter, buffer overflow vulnerabilities are the most common, and when ignored they can cause major complications in your code.

What is a Buffer Overflow Vulnerability?

A buffer is a temporary storage location in memory with a fixed capacity that holds data while a program runs. When more data is written to the buffer than it can hold, an overflow occurs: the excess data spills out of the buffer and can overwrite adjacent memory. This scenario is what gives rise to overflow vulnerabilities, which cyber-attackers can exploit.

Impact of Buffer Overflow Vulnerabilities:

  • Unstable program behavior
  • System crash
  • Memory access errors
  • Code overwriting
  • Security exploitation threat
  • Unauthorized data access
  • Excessive privilege actions
  • Data theft and data loss

Types of Buffer Overflow Vulnerabilities:

Buffer overflow vulnerabilities are generally divided into two types, depending on which region of memory holds the overflowed buffer and how that memory is structured:

  1. Stack Overflow Vulnerabilities
  2. Heap Overflow Vulnerabilities

Heap Overflow Vulnerabilities:

The heap handles dynamic storage of data. Memory on the heap must be allocated and de-allocated manually; allocation is done with functions such as malloc() and calloc(). When this memory management is neglected, a heap overflow can occur and affect the entire program drastically. Typical situations include:

  • When de-allocating the memory space after use is ignored
  • When large data variables are allocated

1. Heap overflow vulnerability-1 in Tcpreplay

CWE: 122 - Heap-Based Buffer Overflow

CVE number: CVE-2018-18407

Identified in: https://tcpreplay.appneta.com/

Product Details: Tcpreplay is an open source software which helps to edit and replay the captured network traffic.

Vulnerability Specifics: Research on Tcpreplay by the Loginsoft team identified a heap overflow that is triggered when a crafted pcap file is passed to tcpreplay-edit.


Epitome:

  • Initially, the csum_replace4() function in tcp_edit.c handles the checksum of the layer 4 headers.
  • When such headers are present, the code accesses the checksum field at offset 16 in the TCP header, which lies at offset 66 relative to the start of the buffer.
  • The ipv4_l34_csum_replace() function is used to perform the checksum update.
  • The heap overflow occurs when an invalid IP header is processed and ipv4_l34_csum_replace() does not check the remaining buffer space before editing the packet.


Impact:

  • Denial of Service

2. Heap-based buffer over-read vulnerability-2 in Tcpreplay

CWE: 126 - Buffer Over-read

CVE number: CVE-2018-17974

Identified in: https://tcpreplay.appneta.com/

Product Details: Tcpreplay is an open source software which helps to edit and replay the captured network traffic.

Vulnerability Specifics: The heap buffer over-read was encountered in tcpreplay-edit, which combines the functionality of both tcpreplay and tcprewrite.


Epitome:

  • In version 4.3.0 beta 1, the function dlt_en10mb_encode() in the file plugins/dlt_en10mb/en10mb.c is executed with inappropriate values passed to memmove().
  • The heap buffer allocated to receive the packet is smaller than the source size, so the copy overruns it and overwrites data.


Impact:

  • Denial of Service
  • Unauthorized access
  • Memory leaks

3. Heap-based buffer over-read vulnerability-3 in Tcpreplay

CWE: 126 - Buffer Over-read

CVE number: CVE-2018-17580

Identified in: https://tcpreplay.appneta.com/

Product Details: Tcpreplay is an open source software which helps to edit and replay the captured network traffic.

Vulnerability Specifics: The heap buffer over-read occurs when multiple data packets are written into the same heap buffer with truncated packet lengths. It lies in the fast_edit_packet() function in the file send_packets.c, which is shared by both tcpreplay and tcprewrite.

Epitome:

  • In version 4.3.0, the send_packets() function is responsible for packet management, and it calls fast_edit_packet() to check and enforce IP address uniqueness, which directly increases the flows per second.
  • Unlike the previously mentioned CVE-2018-17974, where the input packet length exceeded the maximum limit, here the received packet is truncated and then processed further, resulting in a heap overflow.
  • When such a truncated packet is analyzed in Wireshark, a message indicates the truncation, and the third frame is shown as corrupted because the IP total length field is not used.


Impact:

  • Denial of Service

4. Heap-based buffer over-read vulnerability-4 in Tcpreplay

CWE: 126 - Buffer Over-read

CVE number: CVE-2018-17582

Identified in: https://tcpreplay.appneta.com/

Product Details: Tcpreplay is an open source software which helps to edit and replay the captured network traffic.

Vulnerability Specifics: A heap buffer over-read occurs when the get_next_packet() function in the file send_packets.c uses memcpy() to copy packet data unsafely.

Epitome:

  • A pcap file is loaded into RAM by the preload_pcap_file() function, which is invoked by the -K switch that enables caching of packets in internal memory.
  • The get_next_packet() function is then called to send the next packet out.
  • Here, memcpy()[3] is called with a length taken from the packet's invalid length field. This makes the read extend beyond the buffer's bounds, leading to a heap over-read.


Impact:

  • Denial of Service
  • Unauthorized access
  • Memory leaks

5. Heap-based buffer over-read vulnerability in HDF5

CWE: 126 - Buffer Over-read

CVE number: CVE-2018-17435

Identified in: https://www.hdfgroup.org/downloads

Product Details: HDF5 is a data management library and file format that handles all sorts of complex data and also provides tools and applications for analyzing data in the HDF5 format.

Vulnerability Specifics: A heap-based buffer over-read is triggered when the function H5O_attr_decode() in the file H5Oattr.c is executed in the 1.10.3 library.

Epitome:

  • H5LT_find_attribute()[1] is used to look up the INTERLACE_MODE attribute, checking whether an attribute with a particular name is attached to the object loc_id.
  • H5A_compact_build_table() is then called to build a table that contains the list of attributes.
  • Next, H5O_attr_decode() is called to decode the messages and return a pointer to a memory struct. After a few such steps, the decode function reads further data, such as the datatype and dataspace sizes, using HDmemcpy()[2].
  • Because the size field passed to HDmemcpy() comes from incorrect and invalid input, a heap buffer overflow occurs.


Impact:

  • Denial of Service
  • Memory leaks

Protection from Heap Overflows:

The heap overflow vulnerabilities listed above, discovered by our research team at Loginsoft, illustrate the issues most commonly faced by software programmers and testers, whether in the development phase or the testing phase. When such defects are not fixed in a timely manner, they can serve as entry points for malware and attacks. We can prevent such vulnerabilities by:

  • Using safer programming languages
  • Frequently checking system behavior
  • Keeping security mechanisms up to date
  • Validating inputs and outputs
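As an added example (constructed for this page, not Tcpreplay or HDF5 code), the C snippet below shows the input validation the last point calls for, in the shape the five summaries above share: a fixed-capacity heap packet buffer, a copy that rejects a record whose declared length exceeds either the destination capacity (the memmove() overrun in CVE-2018-17974 and the HDmemcpy() size field in CVE-2018-17435) or the bytes actually present in the source (the truncated packets of CVE-2018-17580 and CVE-2018-17582), and a bounds-checked 4-byte field replacement of the kind a checksum edit such as the one in CVE-2018-18407 needs. The names pkt_buf, pkt_new, pkt_copy_in and pkt_replace_u32 are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a fixed-capacity heap buffer that receives
 * length-prefixed packet records, like a pcap reader copying into a
 * preallocated packet buffer. Not Tcpreplay or HDF5 code. */
typedef struct {
    uint8_t *data; /* heap allocation of 'cap' bytes */
    size_t cap;    /* capacity obtained from malloc() */
    size_t len;    /* bytes currently valid in data */
} pkt_buf;

enum { PKT_OK = 0, PKT_ERR_OVERWRITE, PKT_ERR_OVERREAD, PKT_ERR_RANGE };

/* Allocate a packet buffer; the caller releases it with pkt_free(). */
pkt_buf *pkt_new(size_t cap) {
    pkt_buf *p = malloc(sizeof *p);
    if (!p) return NULL;
    p->data = malloc(cap);
    if (!p->data) { free(p); return NULL; }
    p->cap = cap;
    p->len = 0;
    return p;
}

void pkt_free(pkt_buf *p) { if (p) { free(p->data); free(p); } }

/* Unsafe pattern (deliberately not called):
 *     memcpy(dst->data, src, declared_len);
 * trusts the record's own length field. declared_len > dst->cap writes
 * past the heap allocation; declared_len > src_avail reads past the
 * source. The hardened copy checks both bounds before touching memory. */
int pkt_copy_in(pkt_buf *dst, const uint8_t *src, size_t src_avail,
                size_t declared_len) {
    if (declared_len > dst->cap) return PKT_ERR_OVERWRITE; /* heap overflow */
    if (declared_len > src_avail) return PKT_ERR_OVERREAD; /* truncated record */
    memcpy(dst->data, src, declared_len);
    dst->len = declared_len;
    return PKT_OK;
}

/* Overwrite a 4-byte field (e.g. a checksum) at byte offset 'off' only
 * when the packet really contains all four bytes; a short packet is
 * rejected rather than edited past its end. */
int pkt_replace_u32(pkt_buf *p, size_t off, uint32_t value) {
    if (off > p->len || p->len - off < 4) return PKT_ERR_RANGE;
    memcpy(p->data + off, &value, sizeof value);
    return PKT_OK;
}
```

Both checks compare against the buffer's real capacity and the bytes that were actually read, never against a length taken from the input itself.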

Conclusion:

Identifying threats at the right time, before malware gets in, can save a lot of time, money and effort. This requires staying on high alert and acting immediately on vulnerabilities. We suggest the following tips for discovering vulnerabilities before an attacker does:

  • Update the software's security fixes as soon as the latest version is released.
  • Always observe response times and code behavior closely.
  • Regularly test the security of your own network to check for leaks.
  • Train all staff on security issues.
  • Maintain a trusted anti-virus solution and a dedicated threat detection team.

Here is how Loginsoft helps find vulnerabilities, and the cyber security services we offer:

  • Vulnerability Assessment
  • Static Application Security Testing
  • Dynamic Application Security Testing
  • Threat Modeling
  • Discovering Zero-day vulnerabilities

Loginsoft values the privacy of its clients and of open source vendors. As soon as we notice a vulnerability in any software, we immediately inform the concerned vendor, and only after the vendor has closed the issue with a successful fix do we publish the discovered vulnerability with a detailed report on our website to educate our visitors about cyber-attacks.

Credit: Security Research Team
