<div dir="ltr"><div>For the current vulnerability, CVE-2015-3294 will be used.<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 10 April 2015 at 22:41, Nick Sampanis <span dir="ltr"><<a href="mailto:nicksampanis@gmail.com" target="_blank">nicksampanis@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>You are welcome. As I stated, the return value of setup_reply will be used as a size argument, <br>which might be a positive 32-bit value. It seems that two things can occur from that point.<br></div><div><br>In case of a high integer, write might return -1 with errno equal to EFAULT; in that case nothing<br></div><div>significant happens from the attacker's perspective. Otherwise m size bytes will be sent to the attacker,<br></div><div>which will reveal data allocated after the packet's allocation or previously freed data<br>which has not been initialized (zeroed out). <br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 9 April 2015 at 23:56, Simon Kelley <span dir="ltr"><<a href="mailto:simon@thekelleys.org.uk" target="_blank">simon@thekelleys.org.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
Thanks for this. The error is obvious, and I've just committed the<br>
fix, to check the return value of skip_questions() in setup_reply().<br>
<br>
This is a potential DoS attack, but I'm not clear if it's worse than<br>
that. The ability to read the dnsmasq heap seems to depend on details<br>
of the address-space layout over which the attacker has no control.<br>
(Plus, there's really not much in a dnsmasq process worth learning:<br>
all the data in the cache is available with a DNS query anyway!) Or am<br>
I being naive?<br>
<br>
<br>
Cheers,<br>
<br>
Simon.<br>
<div><div><br>
<br>
<br>
On 07/04/15 08:49, Nick Sampanis wrote:<br>
> Dear sirs, I discovered one potential vulnerability in dnsmasq.<br>
> More specifically, in tcp_request(), setup_reply() gets called and<br>
> the returned value is used as a size argument in a write function.<br>
><br>
> m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);<br>
> read_write(confd, packet, m + sizeof(u16), 0);<br>
><br>
> Although setup_reply can't return a size variable greater than<br>
> packet[65535 + MAXDNAME + RRFIXEDSZ + sizeof(u16)], an ignored<br>
> error value (NULL) of skip_questions() might lead to a negative<br>
> pointer value (-header):<br>
><br>
> size_t setup_reply(struct dns_header *header, size_t qlen,<br>
>                    struct all_addr *addrp, unsigned int flags, unsigned long ttl)<br>
> {<br>
>     unsigned char *p = skip_questions(header, qlen);<br>
>     return p - (unsigned char *)header;<br>
> }<br>
><br>
> read_write checks if the size argument is positive. In the case of a<br>
> 32-bit system, size_t m would be 4 bytes and read_write will<br>
> automatically exit. In the case of a 64-bit system, size_t m is 8 bytes<br>
> and may turn positive if the sign bit of the 32-bit value is 0.<br>
><br>
> If m is less than 0xffffffff80000000, dnsmasq will be exploited by<br>
> a potential attacker who will remotely read the dnsmasq heap until it<br>
> crashes. If the above condition is not met, dnsmasq exits<br>
> properly.<br>
><br>
><br>
><br>
</div></div>> _______________________________________________ Dnsmasq-discuss<br>
> mailing list <a href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk" target="_blank">Dnsmasq-discuss@lists.thekelleys.org.uk</a><br>
> <a href="http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss" target="_blank">http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss</a><br>
><br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2.0.22 (GNU/Linux)<br>
<br>
iEYEARECAAYFAlUm54EACgkQKPyGmiibgrdnEgCfeqhbm/ffwVT/Dz7QFEvFk1Le<br>
XsgAnjs384CSfLHdt5iiMk8Gngbx56A1<br>
=P7th<br>
-----END PGP SIGNATURE-----<br>
<br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
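<p>The arithmetic Nick describes above (NULL from skip_questions() turning <code>p - header</code> into a wrapped size_t, the truncation of <code>m + sizeof(u16)</code> into read_write's int-sized argument, and the sign check that decides whether anything is written) and the NULL check Simon's fix adds, as an added model that is not dnsmasq source and not part of this thread. It assumes a 64-bit build (8-byte size_t, 4-byte int) and an int size parameter that must be positive; the function names prefixed <code>model_</code>, <code>checked_reply_len</code> and the two header addresses are constructed for illustration.</p>

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added model of the size arithmetic discussed in the thread; not dnsmasq code.
 * Assumptions: a 64-bit build where size_t is 8 bytes and int is 4 bytes, and a
 * read_write() whose size parameter is an int that must be positive to proceed.
 * The header addresses used in main() are constructed for illustration.
 */

/* What "p - (unsigned char *)header" evaluates to when p is NULL:
 * the pointer difference wraps to (size_t)0 - header. */
size_t model_reply_len_on_null(uintptr_t header_addr)
{
    return (size_t)0 - (size_t)header_addr;
}

/* Reinterpret the low 32 bits of v as a two's-complement int, i.e. what an
 * int parameter receives when a size_t argument is truncated to it. */
int low32_as_int(uint64_t v)
{
    uint32_t low = (uint32_t)v;
    if (low <= (uint32_t)INT32_MAX)
        return (int)low;
    return -(int)(UINT32_MAX - low) - 1;
}

/* The size value an int-typed read_write() would see for m + sizeof(u16). */
int model_read_write_size(size_t m)
{
    return low32_as_int((uint64_t)(m + sizeof(uint16_t)));
}

/* Byte count read_write() would act on if its sign check passes,
 * or 0 if the negative size makes it exit without writing. */
int model_read_write_proceeds(uintptr_t header_addr)
{
    int size = model_read_write_size(model_reply_len_on_null(header_addr));
    return size > 0 ? size : 0;
}

/* Hypothetical stand-in for skip_questions(): NULL on malformed input,
 * otherwise a pointer just past the question section. */
static const unsigned char *model_skip_questions(const unsigned char *packet,
                                                 size_t qlen, int malformed)
{
    return malformed ? NULL : packet + qlen;
}

/* Reply length with the NULL check the fix adds: a malformed question
 * section yields 0 instead of a wrapped pointer difference. */
size_t checked_reply_len(const unsigned char *p, const unsigned char *header)
{
    if (p == NULL)
        return 0;
    return (size_t)(p - header);
}

/* Drives checked_reply_len() over a constructed 64-byte packet buffer. */
size_t checked_reply_len_demo(int malformed)
{
    unsigned char packet[64] = {0};
    size_t qlen = 29;   /* constructed: 12-byte header plus one question */
    const unsigned char *p = model_skip_questions(packet, qlen, malformed);
    return checked_reply_len(p, packet);
}

int main(void)
{
    /* Constructed heap-like addresses that differ in bit 31 of the low word. */
    uintptr_t addrs[] = { 0x000055e312340000ULL, 0x000055e390000000ULL };
    for (size_t i = 0; i < 2; i++) {
        size_t m = model_reply_len_on_null(addrs[i]);
        printf("header=%#lx m=%#zx int size=%d -> %s\n",
               (unsigned long)addrs[i], m, model_read_write_size(m),
               model_read_write_proceeds(addrs[i]) ? "write proceeds"
                                                    : "read_write exits");
    }
    printf("checked len: malformed=%zu ok=%zu\n",
           checked_reply_len_demo(1), checked_reply_len_demo(0));
    return 0;
}
```

<p>Only the low 32 bits of the wrapped value survive the truncation, so whether the sign check passes depends on bit 31 of the packet's address, which is why the first constructed address exits and the second would write about 1.8 GB starting at <code>packet</code>; with the NULL check in place the length is 0 for the malformed case and the question is moot.</p>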