[Dnsmasq-discuss] dnsmasq potential vulnerability

Nick Sampanis nicksampanis at gmail.com
Tue Apr 14 10:02:01 BST 2015


For the current vulnerability CVE-2015-3294 will be used.

On 10 April 2015 at 22:41, Nick Sampanis <nicksampanis at gmail.com> wrote:

> You are welcome. As I stated, the return value of setup_reply will be
> used as a size argument, which might be a positive 32-bit value. It seems
> that two things can occur from that point.
>
> In case of a high integer, write might return -1 with errno equal to
> EFAULT; in that case nothing significant happens from the attacker's
> perspective. Otherwise m size bytes will be sent to the attacker, which
> will reveal data allocated after the packet's allocation or previously
> freed data which has not been initialized (zeroed out).
>
> On 9 April 2015 at 23:56, Simon Kelley <simon at thekelleys.org.uk> wrote:
>
>> Thanks for this. The error is obvious, and I've just committed the
>> fix, to check the return value of skip_questions() in setup_reply().
>>
>> This is a potential DoS attack, but I'm not clear if it's worse than
>> that. The ability to read the dnsmasq heap seems to depend on details
>> of the address-space layout over which the attacker has no control.
>> (Plus, there's really not much in a dnsmasq process worth learning:
>> all the data in the cache is available with a DNS query anyway!) Or am
>> I being naive?
>>
>>
>> Cheers,
>>
>> Simon.
>>
>>
>>
>> On 07/04/15 08:49, Nick Sampanis wrote:
>> > Dear sirs, I discovered one potential vulnerability in dnsmasq.
>> > More specifically, in tcp_request(), setup_reply() gets called and
>> > the returned value is used as a size argument in a write function.
>> >
>> >   m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
>> >   read_write(confd, packet, m + sizeof(u16), 0);
>> >
>> > Although setup_reply can't return a size variable greater than
>> > packet[65535 + MAXDNAME + RRFIXEDSZ + sizeof(u16)], an ignored
>> > error value (NULL) of skip_questions() might lead to a negative
>> > pointer value (-header).
>> >
>> >   size_t setup_reply(struct dns_header *header, size_t qlen,
>> >                      struct all_addr *addrp, unsigned int flags, unsigned long ttl)
>> >   {
>> >     unsigned char *p = skip_questions(header, qlen);
>> >     return p - (unsigned char *)header;
>> >   }
>> >
>> > read_write checks if the size argument is positive. In case of a 32
>> > bit system size_t m would be 4 bytes and read_write will
>> > automatically exit. In case of a 64 bit system size_t m is 8 bytes
>> > and may turn positive if the sign bit of the 32 bit value is 0.
>> >
>> > If m is less than 0xffffffff80000000, dnsmasq will be exploited by
>> > a potential attacker who will remotely read dnsmasq heap until it
>> > crashes. If the above condition is not met, dnsmasq exits properly.
>> >
>> >
>> >
>> > _______________________________________________ Dnsmasq-discuss
>> > mailing list Dnsmasq-discuss at lists.thekelleys.org.uk
>> > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>> >
>>
>
>
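The NULL-pointer-difference the report describes, as an added C example that is not dnsmasq's own code: the header struct, skip_questions() and the 27-byte query are constructed stand-ins, and returning 0 from the checked variant is an assumption about the shape of the fix, not the committed one.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct dns_header { unsigned char raw[12]; };  /* stand-in for dnsmasq's header */
/* Constructed stand-in for skip_questions(): walks QDCOUNT uncompressed
 * questions and returns NULL when the section is truncated or malformed. */
static unsigned char *skip_questions(struct dns_header *header, size_t qlen) {
  unsigned char *p = (unsigned char *)header, *end = p + qlen;
  if (qlen < sizeof(struct dns_header)) return NULL;
  unsigned int qdcount = (header->raw[4] << 8) | header->raw[5];
  p += sizeof(struct dns_header);
  while (qdcount--) {
    for (;;) {                                   /* QNAME labels */
      if (p >= end) return NULL;
      unsigned int len = *p++;
      if (len == 0) break;
      if (len > 63 || (size_t)(end - p) < len) return NULL;
      p += len;
    }
    if ((size_t)(end - p) < 4) return NULL;      /* QTYPE + QCLASS */
    p += 4;
  }
  return p;
}
/* Unchecked shape quoted in the thread: with p == NULL the result is
 * (size_t)(0 - header), a huge length (uintptr_t keeps the demo well defined). */
static size_t setup_reply_unchecked(struct dns_header *h, size_t qlen) {
  unsigned char *p = skip_questions(h, qlen);
  return (size_t)((uintptr_t)p - (uintptr_t)h);
}
/* Return value checked; 0 for a malformed query is an assumption here,
 * not a claim about the committed fix. */
static size_t setup_reply_checked(struct dns_header *h, size_t qlen) {
  unsigned char *p = skip_questions(h, qlen);
  return p ? (size_t)(p - (unsigned char *)h) : 0;
}
/* Constructed 27-byte query (QDCOUNT=1, "a.example" A/IN), truncated to
 * qlen bytes and handed to the checked (1) or unchecked (0) variant. */
size_t reply_len(int checked, size_t qlen) {
  static const unsigned char q[] = { 0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,0,
    1,'a', 7,'e','x','a','m','p','l','e', 0, 0,1, 0,1 };
  unsigned char buf[64];
  memcpy(buf, q, sizeof q);
  if (qlen > sizeof q) qlen = sizeof q;
  return checked ? setup_reply_checked((struct dns_header *)buf, qlen)
                 : setup_reply_unchecked((struct dns_header *)buf, qlen);
}
```

With the full query both variants agree on 27 bytes; once the question is truncated the unchecked variant hands back a length far beyond any packet buffer while the checked one returns 0.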