FastNetMon Community Edition Integer Overflow Vulnerability in Packet Capture Buffer Allocation

A heap corruption vulnerability due to a 32-bit integer overflow has been identified in FastNetMon Community Edition versions through 1.2.9. The issue arises in the packet capture buffer allocation within the 'allocate_buffer()' function of 'src/packet_storage.hpp'. The vulnerability allows for memory allocation that is significantly smaller than intended, leading to a buffer overflow when packets are written to the corrupted buffer. This flaw is caused by the 'buffer_size_in_packets' parameter, which is parsed from the configuration file without proper overflow checks.

Impact

Exploitation of this vulnerability causes heap corruption, which can lead to arbitrary code execution under the FastNetMon process user.

Reproduction

The vulnerability can be reproduced by setting the 'ban_details_records_count' parameter in the 'fastnetmon.conf' file to a value exceeding approximately 2,832,542. This can be done manually or through a configuration management tool that introduces such a value. After restarting FastNetMon, the 'allocate_buffer()' function will perform an incorrect memory allocation due to the integer overflow. Once the application is running, the vulnerability can be triggered by the normal operation of the application, which will result in writing packets to the improperly allocated buffer, causing the heap corruption.

Remediation

Users are advised to update FastNetMon to a version that addresses this vulnerability. As of now, no official patch has been released. In the meantime, configuration management tools can be used to validate and cap the 'ban_details_records_count' parameter at a reasonable level.