## https://sploitus.com/exploit?id=7899990D-54A0-59D2-943B-C68DC3E8E714
# ENV-CVE-2020-8036: tcpdump Vulnerability Reproduction Environment
This repository contains a snapshot of the reproducible vulnerability environment for **CVE-2020-8036** (tcpdump SOME/IP parser out-of-bounds read, CWE-125). It was exported from the corresponding container image `yan5ui/cve-2020-8036:tier1` (based on `ubuntu:20.04`). The environment was built from the **vulnerable version's source code**, with compilation artifacts, build scripts, and complete build logs preserved. It can be used directly for vulnerability reproduction and exploit validation.
## Vulnerability Information
| Item | Value |
|----|----|
| CVE | CVE-2020-8036 |
| Project | the-tcpdump-group/tcpdump |
| CWE | CWE-125 (Out-of-bounds Read) |
| Vulnerable Function | `tok2strbuf()` (called insecurely by the SOME/IP dissector) |
| Vulnerable File | `print-someip.c` |
| Source Repository | https://github.com/the-tcpdump-group/tcpdump |
## Compilation Tools and Vulnerability Types
The environment selects appropriate sanitizers based on the CWE category of each vulnerability, ensuring that triggered vulnerabilities can be reliably captured.
- **CWE-125 (Out-of-bounds Read) → ASan + UBSan**
  - Compiler: `clang-10`
  - Compilation options: `-O1 -g -fno-omit-frame-pointer -fsanitize=address,undefined`
  - Linkage options: `-fsanitize=address,undefined`
AddressSanitizer reports the memory access violation at the moment the out-of-bounds read occurs, together with the precise crash location and call stack. UndefinedBehaviorSanitizer covers undefined behaviour; together, these tools ensure that the out-of-bounds read produces a clear, reliably detectable signal. The build artifact `compile/artifacts/tcpdump` is the compiled tcpdump executable instrumented with the sanitizers above.
## Directory Structure
```
.
├── README.md          This file
├── description.md     Vulnerability description, code snippet from the vulnerable function, and instructions for reproduction
├── meta.json          Structured metadata (project, CWE, commit, source code path, etc.)
├── compile/           Build artifacts and logs
│   ├── build.sh       Reproducing build script (dependencies + configure + make + artifact collection)
│   ├── deps.txt       List of required apt dependencies for building
│   ├── BUILD_OK       Successful build checklist (build system, sanitizers, artifact path, binary size, etc.)
│   ├── build.log      Complete build log
│   ├── binary_size.txt  Main binary size
│   └── artifacts/
│       ├── tcpdump    Compiled tcpdump executable with ASan+UBSan (main binary)
│       └── main       Symbolic link to tcpdump (default entry name)
├── src/
│   └── tcpdump/       Complete source code tree at the vulnerable commit, including locally compiled .o objects
├── task/              Runtime directory for the exploit agent harness (empty in the image)
└── workspace/         Runtime working directory for the exploit agent harness (empty in the image)
```
### About `task/` and `workspace/`
These are the working directories used by the exploit agent harness during reproduction/exploit execution. `workspace/` serves as the default working area for the agent, while `task/` holds inputs for individual reproduction tasks. Both directories are empty in the image; they are filled by the harness during runtime. These are standard directory conventions for the environment, and they do not contain build artifacts.
## Reproduction Method
Compilation is performed in a container using in-source compilation (`./configure && make`, see `compile/build.sh`). The source code is located at `/src/tcpdump/`, and the main binary is `compile/artifacts/tcpdump`. By constructing pcap inputs that reach the SOME/IP dissector, following the instructions in `description.md`, you can observe the out-of-bounds read crash reported by ASan.
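As an added triage helper for the sanitizer signal described under "Compilation Tools" and the reproduction step above (this script is not part of the repository), the following POSIX shell runs the sanitized `compile/artifacts/tcpdump` on one capture and classifies the report it leaves on stderr. The sample ASan report it writes is constructed for illustration, and the `someip_print` frame name is an assumption, not taken from this page.

```shell
#!/bin/sh
# Added triage helper (not part of this repository). Assumes the sanitized
# binary from compile/artifacts/tcpdump and a pcap produced as described in
# description.md. The sample report below is constructed for illustration.

# Write a constructed ASan report in the shape the sanitized build emits.
# Frame names are illustrative; someip_print is assumed, not from this page.
write_sample_log() {
    cat >"$1" <<'EOF'
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000001f
READ of size 1 at 0x60200000001f thread T0
    #0 0x4f1a2b in tok2strbuf util-print.c
    #1 0x5c3d4e in someip_print print-someip.c
EOF
}

# Classify a sanitizer log captured from stderr:
#   oob-read  (exit 0) - ASan READ with the SOME/IP path on the stack
#   other-san (exit 1) - some other ASan/UBSan finding
#   clean     (exit 2) - no sanitizer report at all
classify_san_log() {
    log="$1"
    if ! grep -qE 'ERROR: AddressSanitizer|runtime error:' "$log"; then
        echo clean; return 2
    fi
    if grep -q 'ERROR: AddressSanitizer' "$log" \
       && grep -q 'READ of size' "$log" \
       && grep -qE 'tok2strbuf|print-someip\.c' "$log"; then
        echo oob-read; return 0
    fi
    echo other-san; return 1
}

# Run the sanitized tcpdump on one capture, keeping the report beside it.
# abort_on_error makes the first finding fatal so one case yields one report.
run_case() {
    bin="$1"; pcap="$2"; log="${pcap%.pcap}.san.log"
    ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 \
    UBSAN_OPTIONS=print_stacktrace=1 \
    "$bin" -nn -r "$pcap" >/dev/null 2>"$log" || true
    classify_san_log "$log"
}
```

Call `run_case compile/artifacts/tcpdump task/case.pcap` from the repository root; the exit status distinguishes the expected out-of-bounds read from any other sanitizer finding, which is what a batch reproduction loop should key on.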