Troubleshooting Tcpdump Segmentation Fault CVE-2018-14881 BGP Vulnerability

Hey guys! Ever encountered the dreaded "Segmentation fault (core dumped)" error while working with network analysis tools like tcpdump? It's a common headache, and today, we're diving deep into a specific case related to CVE-2018-14881, which involves a bug in how tcpdump handles BGP (Border Gateway Protocol) capabilities. We'll break down the issue, analyze the error, and explore potential solutions. Buckle up; it's time to get nerdy!

Understanding the Segmentation Fault

Before we dive into the specifics, let's quickly recap what a segmentation fault is. Segmentation faults are errors that occur when a program tries to access memory it shouldn't. This can happen for a multitude of reasons, such as trying to write to read-only memory, accessing memory that hasn't been allocated, or, as in our case, a bug in the program's code that leads to an invalid memory access.

When you see "Segmentation fault (core dumped)," it means the program crashed, and the operating system created a "core dump" file. This file is essentially a snapshot of the program's memory at the time of the crash. Developers can use this file with debugging tools (like gdb) to pinpoint the exact location in the code where the crash occurred. Think of it as a crime scene investigation for software!

The CVE-2018-14881 Vulnerability

The specific issue we're tackling is related to CVE-2018-14881, a vulnerability in the print-bgp.c file of tcpdump, particularly within the bgp_capabilities_print() function. This vulnerability can be triggered when tcpdump processes a specially crafted BGP packet, leading to the segmentation fault we're seeing. BGP is the protocol that makes the internet work, routing traffic between different networks. It uses capabilities to negotiate optional features, and this is where the bug comes into play.

The error message print-bgp.c:bgp_capabilities_print() is your key clue. It tells you that the crash happened inside the bgp_capabilities_print() function, which is responsible for printing the BGP capabilities information from a packet. This strongly suggests there's an issue with how tcpdump parses or displays these capabilities. When analyzing network traffic, tcpdump relies on various functions to dissect different protocols. In the case of BGP, a complex protocol used for routing internet traffic, the bgp_capabilities_print() function within print-bgp.c is responsible for interpreting and displaying the BGP capabilities. These capabilities are essentially optional features that BGP peers can negotiate. A flaw in this function can lead to misinterpretation of the data within a BGP packet, causing the program to attempt an invalid memory access. Think of it like trying to fit a square peg in a round hole – the program is trying to handle data in a way it wasn't designed to, leading to a crash.

Recreating the Error: The Setup and Commands

Let's walk through the steps to reproduce this error. The user in the original report was running tcpdump version 4.9.2 with libpcap version 1.8.1, compiled with AddressSanitizer and GCC. AddressSanitizer is a powerful tool for detecting memory corruption bugs, which is super helpful in cases like this. Here's the breakdown of the commands used:

1. gcc tcpdump-bgp.c -o tcpdump-bgp: This command compiles the provided tcpdump-bgp.c file into an executable named tcpdump-bgp. It's essentially creating a custom version of tcpdump focused on BGP analysis. Compiling the tcpdump-bgp.c file is a crucial step because it creates the executable program that will be used to analyze the BGP packets. The -o tcpdump-bgp part specifies the name of the output file, which in this case is tcpdump-bgp. This compiled program will contain the code from tcpdump-bgp.c translated into machine-readable instructions.

2. ./tcpdump-bgp: This executes the compiled tcpdump-bgp program. Running this command directly might not show any output unless the program is designed to do something specific without any input arguments. However, it's a good step to ensure the program can at least start without immediately crashing. Executing the compiled program allows you to test it and see how it behaves. If there are any basic issues, such as missing libraries or incorrect setup, running this command can help you identify them early on.

3. tcpdump -e -XX -vvv -r bgp_capabilities_test.pcap: This is the key command that triggers the bug. Let's break it down:

   • tcpdump: The standard tcpdump command.
   • -e: Prints the link-layer header.
   • -XX: Prints the packet data in both ASCII and hexadecimal.
   • -vvv: Sets the verbosity level to maximum, providing the most detailed output.
   • -r bgp_capabilities_test.pcap: Reads packets from the bgp_capabilities_test.pcap file, which presumably contains a BGP packet designed to trigger the vulnerability.

This command tells tcpdump to analyze the packets in the bgp_capabilities_test.pcap file with a high level of detail. The -r option specifies that tcpdump should read the packets from a file rather than capturing them live from the network. The -e, -XX, and -vvv options increase the amount of information displayed, which can be helpful for debugging. However, in this case, the crafted BGP packet within bgp_capabilities_test.pcap is designed to exploit the vulnerability in bgp_capabilities_print(), leading to the segmentation fault.

The Culprit: bgp_capabilities_test.pcap

The bgp_capabilities_test.pcap file is the weapon of choice in this scenario. It contains a carefully crafted BGP packet that exploits the vulnerability in the bgp_capabilities_print() function. These specially crafted packets are designed to trigger specific bugs in network analysis tools. By providing this malicious input, researchers and security professionals can identify vulnerabilities and develop patches to prevent real-world attacks. The content of this file is what causes the crash. It likely contains a malformed BGP capabilities section that the bgp_capabilities_print() function can't handle correctly.

When tcpdump tries to parse the BGP capabilities in this packet, the bug in bgp_capabilities_print() is triggered, leading to an attempt to access invalid memory. This is why you see the "Segmentation fault (core dumped)" error. The program has essentially crashed because it tried to do something it wasn't allowed to do.

Analyzing the Output: "Segmentation fault (core dumped)"

The output "Segmentation fault (core dumped)" is the telltale sign of a memory access violation. As we discussed earlier, it signifies that the program attempted to read from or write to a memory location it didn't have permission to access. In this context, it's a direct result of the vulnerability in bgp_capabilities_print(). This error message is a critical clue for developers. It indicates that something went wrong during the execution of the program, and a core dump file has been created. This file can be used with debugging tools like gdb to pinpoint the exact location in the code where the crash occurred. The "Segmentation fault (core dumped)" message is like a red flag, alerting developers to a serious issue that needs to be addressed.

Diving Deeper: Using a Debugger (gdb)

To truly understand the root cause, a debugger like gdb is your best friend. You can load the core dump file into gdb and examine the program's state at the time of the crash. This will allow you to see the exact line of code that caused the segmentation fault and the values of variables involved. Think of gdb as a magnifying glass for your code, allowing you to see the intricate details of what's happening. Debuggers are essential tools for software developers. They allow you to step through the code line by line, inspect variables, and understand the program's flow. In the case of a segmentation fault, gdb can help you identify the exact memory location that was accessed illegally and the sequence of events that led to the crash. This information is invaluable for fixing the bug.

Here's a general idea of how you might use gdb:

gdb tcpdump core

This command starts gdb with the tcpdump executable and loads the core dump file. Once in gdb, you can use commands like bt (backtrace) to see the call stack, which shows the sequence of function calls that led to the crash. You can also inspect variables and step through the code to understand the exact flow of execution. The backtrace command is particularly useful because it shows you the path the program took to reach the point of failure. By examining the call stack, you can identify the functions involved and how they interact with each other. This can help you narrow down the source of the bug and understand why it's happening.

Potential Solutions and Mitigation

So, what can be done about this? The best solution is to update to a patched version of tcpdump. The vulnerability CVE-2018-14881 has been addressed in later versions of tcpdump, so upgrading is crucial. Upgrading tcpdump ensures that you have the latest security patches and bug fixes. This is the most effective way to protect yourself from known vulnerabilities. Software is constantly evolving, and updates often include critical security improvements. Staying up-to-date is essential for maintaining a secure system.

If upgrading isn't immediately possible, you might consider filtering BGP traffic from untrusted sources as a temporary workaround. However, this is not a foolproof solution and should only be used as a last resort. Filtering BGP traffic can help mitigate the risk of exploitation, but it's not a complete solution. Attackers can still find ways to bypass filters, so it's important to address the underlying vulnerability as soon as possible. Temporary workarounds are often necessary in situations where immediate patching is not feasible, but they should be seen as a stopgap measure rather than a permanent fix.

Key Takeaways

• Segmentation faults indicate memory access violations and often point to bugs in the code.
• CVE-2018-14881 is a vulnerability in tcpdump's bgp_capabilities_print() function.
• Crafted BGP packets can trigger this vulnerability.
• Update to a patched version of tcpdump to resolve the issue.
• Use debuggers like gdb to analyze core dump files and pinpoint the root cause of crashes.

In Conclusion

The "Segmentation fault (core dumped)" error can be intimidating, but by understanding the underlying causes and using the right tools, you can diagnose and resolve these issues. In the case of CVE-2018-14881, a crafted BGP packet exposed a vulnerability in tcpdump's BGP capabilities parsing. By updating to a patched version and employing debugging techniques, you can keep your network analysis tools secure and reliable. Keep exploring, keep learning, and happy packet analyzing!

Remember, guys, security is a continuous process. Stay vigilant, stay updated, and keep those packets flowing safely!