[Dnsmasq-discuss] dnsmasq potential vulnerability

Simon Kelley simon at thekelleys.org.uk
Thu Apr 9 21:56:33 BST 2015



Thanks for this. The error is obvious, and I've just committed the
fix, to check the return value of skip_questions() in setup_reply().

This is a potential DoS attack, but I'm not clear if it's worse than
that. The ability to read the dnsmasq heap seems to depend on details
of the address-space layout over which the attacker has no control.
(Plus, there's really not much in a dnsmasq process worth learning:
all the data in the cache is available with a DNS query anyway!) Or am
I being naive?


Cheers,

Simon.



On 07/04/15 08:49, Nick Sampanis wrote:
> Dear sirs, I discovered one potential vulnerability in dnsmasq. 
> More specifically, in tcp_request(), setup_reply() gets called and
> the returned value is used as a size argument in a write function.
> 
> m = setup_reply(header, (unsigned int)size, addrp, flags,
>                 daemon->local_ttl);
> read_write(confd, packet, m + sizeof(u16), 0);
> 
> Although setup_reply can't return a size variable greater than
> packet[65535 + MAXDNAME + RRFIXEDSZ + sizeof(u16)], an ignored
> error value (NULL) of skip_questions() might lead to a negative
> pointer value (-header):
> 
> size_t setup_reply(struct dns_header *header, size_t qlen,
>                    struct all_addr *addrp, unsigned int flags,
>                    unsigned long ttl)
> {
>   unsigned char *p = skip_questions(header, qlen);
>   return p - (unsigned char *)header;
> }
> 
> read_write checks if the size argument is positive. In case of a 32
> bit system size_t m would be 4 bytes and read_write will
> automatically exit. In case of 64 bit system size_t m is 8 bytes
> and may turn to positive if the sign bit of the 32 bit value is 0.
> 
> If m is less than 0xffffffff80000000, dnsmasq will be exploited by
> a potential attacker who will remotely read dnsmasq heap until it 
> crashes. If the above condition is not met, dnsmasq exits
> properly.
> 


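The unchecked NULL return the thread describes, beside the check Simon says he committed, as an added C example that is not dnsmasq's code: the 12-byte header type, the simplified skip_questions(), the two sample queries and the length_seen_by_read_write() helper are all constructed here for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified stand-ins for the dnsmasq types and helpers named in
   the thread (not dnsmasq's code): 12-byte header, qdcount big-endian at offset 4. */
struct dns_header { unsigned char raw[12]; };

/* Returns a pointer past the question section, or NULL if the packet is truncated. */
static unsigned char *skip_questions(struct dns_header *header, size_t qlen) {
  if (qlen < sizeof *header) return NULL;
  unsigned char *p = (unsigned char *)(header + 1);
  unsigned char *end = (unsigned char *)header + qlen;
  unsigned int q = (header->raw[4] << 8) | header->raw[5];
  while (q--) {
    for (;;) {                                 /* plain labels only, no compression */
      if (p >= end) return NULL;
      unsigned int len = *p++;
      if (len == 0) break;
      if (len > 63 || (size_t)(end - p) < len) return NULL;
      p += len;
    }
    if ((size_t)(end - p) < 4) return NULL;    /* qtype + qclass */
    p += 4;
  }
  return p;
}

/* Reported pattern: the NULL is never checked, so NULL - header wraps to a huge
   size_t. Written as integer subtraction here so the wrap is well defined. */
static size_t setup_reply_unchecked(struct dns_header *header, size_t qlen) {
  unsigned char *p = skip_questions(header, qlen);
  return (size_t)((uintptr_t)p - (uintptr_t)header);
}

/* The fix described in the reply: return 0 when skip_questions() fails. */
static size_t setup_reply_checked(struct dns_header *header, size_t qlen) {
  unsigned char *p = skip_questions(header, qlen);
  return p ? (size_t)(p - (unsigned char *)header) : 0;
}

/* read_write() takes an int length, so m + sizeof(u16) is truncated to 32 bits;
   on 64-bit only the low 32 bits decide whether the bogus length looks positive. */
static int length_seen_by_read_write(size_t m) { return (int)(m + sizeof(uint16_t)); }

/* Constructed queries, not captured traffic: qdcount=1, "www.example.com" plus
   qtype/qclass, and the same query cut off inside the first label. */
unsigned char good_query[] = { 0x12,0x34, 0x01,0x00, 0x00,0x01, 0,0, 0,0, 0,0,
  3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1 };
unsigned char truncated_query[] = { 0x12,0x34, 0x01,0x00, 0x00,0x01, 0,0, 0,0,
  0,0, 3,'w','w' };
```

On the complete query both versions return 33; on the truncated one the checked version returns 0 while the unchecked one returns the wrapped value the thread warns about.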