[Dnsmasq-discuss] Dnsmasq 2.75 on Ubuntu 16.04 crashes reproducibly

Alexander E. Patrakov patrakov at gmail.com
Tue May 3 21:20:14 BST 2016


04.05.2016 00:02, Albert ARIBAUD wrote:
> Hi Alexander,
>
> Le Tue, 3 May 2016 22:56:45 +0500
> "Alexander E. Patrakov" <patrakov at gmail.com> wrote:
>
>> 03.05.2016 22:28, Albert ARIBAUD wrote:
>>> Hi Alexander,
>>>
>>> Le Tue, 3 May 2016 21:45:00 +0500
>>> "Alexander E. Patrakov" <patrakov at gmail.com> wrote:
>>>
>>>> 2016-05-03 20:37 GMT+05:00 Simon Kelley <simon at thekelleys.org.uk>:
>>>>> I'm pretty sure that this is fixed in the current code.
>>>>
>>>> It is indeed fixed in git! But distributions (including Ubuntu and
>>>> Arch) are still distributing a vulnerable version and are probably
>>>> unaware of it. Could you please apply for a CVE ID (if it doesn't
>>>> already exist) so that they fix their packages?
>>>
>>> A CVE ID? For a crash caused by a specific local name record which
>>> clashes with the public one? What's the vulnerability or exposure
>>> here?
>>
>> This is actually crashable by querying any CNAME that points to
>> localhost.localdomain, given that upstream is 8.8.8.8, because
>> localhost.localdomain nearly universally exists in /etc/hosts as ::1,
>> and 8.8.8.8 doesn't have an AAAA entry for it. So this is a security
>> issue.
>
> I am still not seeing what the *security* issue is. How can this problem
> be *exploited* in order to cause a DoS or compromise a host for
> instance?

The only security issue here is a DoS.

There are systems like antispam filters that resolve e.g. domains found 
in email messages. Also there are browsers that resolve names in order 
to e.g. display iframes for ads. So it is possible for a third party 
("hacker"), by sending an email to an email server or showing a bad ad 
to the user, to cause his antispam client or browser to try to resolve a 
domain of the hacker's choice for an AAAA record. If this name happens to be 
a CNAME that points to localhost.localdomain., then dnsmasq (which was 
supposed to give the DNS answer to the antispam or the browser) gets 
crashed.

Or just consider a dnsmasq shared between several users. One of them 
tries to resolve an AAAA record for some name (which is actually a CNAME 
pointing to localhost.localdomain.), and crashes dnsmasq, thus causing 
irritation to other users until the admin restarts dnsmasq.

-- 
Alexander E. Patrakov
