Appneta TcpReplay Divide-By-Zero Vulnerability in Version 4.5.1

Vulnerability

A critical division-by-zero vulnerability has been identified in the Appneta TcpReplay utility, version 4.5.1. The issue is in the 'calc_sleep_time' function in 'send_packets.c', line 1125, and is triggered when the program processes malformed Packets Per Second (PPS) parameters. The result is a floating-point exception that terminates the program unexpectedly. The root cause is inadequate input validation: extremely small packet rate values are accepted and processed, which results in division by zero. The issue can be reproduced by compiling TcpReplay with AddressSanitizer enabled and running the program with the malicious PPS parameter and the provided proof-of-concept packet capture file.
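The input-validation gap described above, as an added example that is not TcpReplay's source code. It is a simplified model that assumes the floating-point PPS value is scaled to an integer packets-per-hour divisor; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: the rate is stored as an integer packets-per-hour count. */
#define SECONDS_PER_HOUR 3600.0

/* Unchecked conversion: any rate below 1/3600 pps truncates to 0. */
static uint64_t pps_to_pph_unchecked(const char *arg)
{
    return (uint64_t)(strtod(arg, NULL) * SECONDS_PER_HOUR);
}

/* Validated conversion: returns 0 and stores the rate, or -1 when the
 * argument is not a number or would give a zero or out-of-range divisor.
 * The range test is written so that NaN and infinity also fail it. */
static int pps_to_pph_checked(const char *arg, uint64_t *pph)
{
    char *end;
    double scaled = strtod(arg, &end) * SECONDS_PER_HOUR;

    if (end == arg || *end != '\0')
        return -1;
    if (!(scaled >= 1.0 && scaled < 1.8446744073709552e19))
        return -1;
    *pph = (uint64_t)scaled;
    return 0;
}

/* Offset in microseconds at which packet number pkts_sent is due.
 * The zero check is defence in depth behind the parser check. */
static int next_tx_us(uint64_t pkts_sent, uint64_t pph, uint64_t *us)
{
    if (pph == 0)
        return -1;
    *us = pkts_sent * 1000000ULL * 3600ULL / pph;
    return 0;
}

int main(void)
{
    const char *samples[] = { "0.000001", "100" }; /* constructed inputs */
    for (int i = 0; i < 2; i++) {
        uint64_t pph, us;
        unsigned long long raw = pps_to_pph_unchecked(samples[i]);
        if (pps_to_pph_checked(samples[i], &pph) == 0 && next_tx_us(10, pph, &us) == 0)
            printf("%s: divisor %llu, packet 10 due at %llu us\n", samples[i], raw, (unsigned long long)us);
        else
            printf("%s: rejected, unchecked divisor would be %llu\n", samples[i], raw);
    }
    return 0;
}
```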

Impact

Exploitation of this vulnerability causes a floating-point exception, delivered as the SIGFPE signal, and immediate program termination. This is a classic division-by-zero crash: the application performs arithmetic with a zero divisor during its packet rate limiting calculations.

Reproduction

To reproduce this vulnerability, first compile TcpReplay with AddressSanitizer enabled. Then run TcpReplay with the '-p' option set to the malformed PPS value '0.000001' and with 'lo' as the interface. The program processes the provided proof-of-concept file, 'POC_tcpreplay_calc_sleep_time_pps_division_by_zero_1125', which contains the crafted PPS parameters that trigger the divide-by-zero condition. The run ends in a crash caused by the floating-point exception, which can be verified in the AddressSanitizer report.

Remediation

Upgrade to TcpReplay version 4.5.3-beta3, which addresses this vulnerability.

Added: Aug 29, 2025, 2:20 PM
Updated: Aug 29, 2025, 4:49 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.