appneta tcpreplay
cpe:2.3:a:appneta:tcpreplay:*:*:*:*:*:*:*
- <= 4.5.1
A use-after-free vulnerability has been identified in the TcpReplay utility, specifically in versions through 4.5.1. The issue arises in the 'fix_ipv6_checksums' function within 'edit_packet.c' of the Tcprewrite component. This vulnerability is triggered during the processing of IPv6 packet data, particularly when the checksum is being recalculated. The problem occurs after the memory has been reallocated, leading to a heap use-after-free condition. As a result, the program crashes with a SIGABRT signal.
Exploitation of this vulnerability causes a heap use-after-free error, where the program attempts to read data from memory that has already been freed. This type of vulnerability can often be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the application.
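The general bug class described above, a pointer into a packet buffer that is used again after the buffer has been reallocated, can be avoided by keeping an offset and re-deriving the pointer after the resize. The following is an added illustration, not code from Tcpreplay; `struct pkt`, `pkt_grow`, `csum16` and `grow_then_checksum` are hypothetical names, and the checksum is a simplified one's-complement sum rather than the full IPv6 pseudo-header calculation.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical packet buffer; names are illustrative, not Tcpreplay's. */
struct pkt {
    uint8_t *data;   /* heap buffer holding the frame */
    size_t   len;    /* bytes in use */
    size_t   l3_off; /* offset of the IPv6 header inside data */
};

/* Grow the packet by `extra` zero bytes. realloc() may move the block,
 * so every pointer previously derived from p->data is invalid afterwards. */
static int pkt_grow(struct pkt *p, size_t extra)
{
    uint8_t *n = extra > SIZE_MAX - p->len ? NULL
                                           : realloc(p->data, p->len + extra);
    if (n == NULL)
        return -1;
    memset(n + p->len, 0, extra);
    p->data = n;
    p->len += extra;
    return 0;
}

/* Simplified 16-bit one's-complement sum over a byte range. */
static uint16_t csum16(const uint8_t *b, size_t n)
{
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < n; i += 2)
        s += (uint32_t)((b[i] << 8) | b[i + 1]);
    if (n & 1)
        s += (uint32_t)(b[n - 1] << 8);
    while (s >> 16)
        s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}

/* Hazard: a pointer computed as p->data + p->l3_off BEFORE pkt_grow() and
 * checksummed afterwards reads freed memory if realloc() moved the block.
 * Hardened form: re-derive the pointer after the resize and bounds-check. */
static int grow_then_checksum(struct pkt *p, size_t extra, uint16_t *out)
{
    if (pkt_grow(p, extra) != 0)
        return -1;
    if (p->l3_off > p->len)
        return -1;
    const uint8_t *ip6 = p->data + p->l3_off; /* fresh pointer */
    *out = csum16(ip6, p->len - p->l3_off);
    return 0;
}
```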
The vulnerability can be reproduced by compiling TcpReplay with AddressSanitizer enabled, and then running the TcpRewrite utility with a specific packet capture file that contains malformed IPv6 packets. This file should be processed in a way that triggers the vulnerability by accessing freed memory during checksum recalculation. The program will crash, revealing the use-after-free error.
Users are advised to upgrade to TcpReplay version 4.5.2-beta3, which addresses this vulnerability.