Appneta TcpReplay Use-After-Free Vulnerability in Tcprewrite Component

Vulnerability

A use-after-free vulnerability has been identified in the Appneta TcpReplay utility, specifically in the Tcprewrite component, versions through 4.5.2-beta2. The issue arises in the 'untrunc_packet' function within 'src/tcpedit/edit_packet.c', where improper handling of packet data after memory reallocation leads to heap memory being accessed after it has been freed. This vulnerability is triggered during the IPv4 checksum calculation process, causing the application to crash unexpectedly.

Impact

Triggering this vulnerability causes a heap use-after-free: the application reads memory that has already been freed and crashes. Beyond the crash, use-after-free vulnerabilities can often be exploited to execute arbitrary code under certain conditions.

Reproduction

The vulnerability can be reproduced by compiling the TcpReplay 'tcprewrite' component with AddressSanitizer enabled, which helps detect memory errors. After compiling, the 'tcprewrite' tool can be run with the '--fixlen pad' option, along with a crafted input file that triggers the vulnerability by causing the program to access freed memory while recalculating IPv4 checksums.
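
The bug class described above, as an added illustration that is not tcpreplay's source: a header pointer cached before realloc grows the packet is then used for the checksum, shown next to a form that re-derives the pointer from an offset. struct pkt, the function names and the sample packet are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical packet buffer; l3_off is where the IPv4 header starts. */
struct pkt { uint8_t *data; size_t caplen, l3_off; };

/* RFC 1071 checksum over an IPv4 header whose checksum field is zero. */
static uint16_t ipv4_csum(const uint8_t *hdr, size_t hdr_len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hdr_len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* BUGGY, for contrast, never called: ip points into a block realloc may free. */
int pad_then_csum_buggy(struct pkt *p, size_t wire_len, uint16_t *out) {
    uint8_t *ip = p->data + p->l3_off;         /* cached before realloc */
    uint8_t *n = realloc(p->data, wire_len);
    if (!n) return -1;
    memset(n + p->caplen, 0, wire_len - p->caplen);
    p->data = n; p->caplen = wire_len;
    *out = ipv4_csum(ip, 20);                  /* stale pointer: heap use-after-free */
    return 0;
}

/* Hardened: validate lengths, keep an offset, re-derive the pointer. */
int pad_then_csum_fixed(struct pkt *p, size_t wire_len, uint16_t *out) {
    if (wire_len < p->caplen || p->caplen < p->l3_off + 20) return -1;
    uint8_t *n = realloc(p->data, wire_len);
    if (!n) return -1;                         /* old buffer is still valid */
    memset(n + p->caplen, 0, wire_len - p->caplen);
    p->data = n; p->caplen = wire_len;
    *out = ipv4_csum(p->data + p->l3_off, 20); /* points into the live buffer */
    return 0;
}

/* Constructed sample: zeroed 14-byte link header + 20-byte IPv4 header. */
uint16_t demo_fixed_checksum(void) {
    static const uint8_t hdr[20] = {0x45,0,0,0x73,0,0,0x40,0,0x40,0x11,0,0,0xc0,0xa8,0,1,0xc0,0xa8,0,0xc7};
    struct pkt p = { calloc(1, 34), 34, 14 };
    uint16_t c = 0;
    if (!p.data) return 0;
    memcpy(p.data + p.l3_off, hdr, sizeof hdr);
    int rc = pad_then_csum_fixed(&p, 4096, &c);
    free(p.data);
    return rc == 0 ? c : 0;
}
```

Built with AddressSanitizer, a call to the buggy variant reports a heap-use-after-free read inside the checksum loop whenever realloc moves the block; the hardened variant does not.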

Remediation

Users are advised to update to TcpReplay version 4.5.2-beta3, where this vulnerability has been fixed.

Added: Aug 19, 2025, 8:19 PM
Updated: Aug 19, 2025, 8:19 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.