[Dnsmasq-discuss] dnsmasq potential vulnerability

Simon Kelley simon at thekelleys.org.uk
Thu Apr 16 12:46:46 BST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks, I'll note that in the changelog and git log.


Cheers,

Simon.

On 14/04/15 10:02, Nick Sampanis wrote:
> For the current vulnerability CVE-2015-3294 will be used.
> 
> On 10 April 2015 at 22:41, Nick Sampanis <nicksampanis at gmail.com>
> wrote:
> 
>> You are welcome. As I stated, the return value of setup_reply
>> will be used as a size argument which might be a positive 32 bit
>> value. It seems that two things can occur from that point.
>> 
>> In case of a high integer, write might return -1 with errno equal
>> to EFAULT; in that case nothing significant happens from the
>> attacker's perspective. Otherwise m size bytes will be sent to
>> the attacker, which will reveal data allocated after the packet's
>> allocation or previously freed data which has not been
>> initialized (zeroed out).
>> 
>> On 9 April 2015 at 23:56, Simon Kelley <simon at thekelleys.org.uk>
>> wrote:
>> 
> Thanks for this. The error is obvious, and I've just committed the 
> fix, to check the return value of skip_questions() in
> setup_reply().
> 
> This is a potential DoS attack, but I'm not clear if it's worse
> than that. The ability to read the dnsmasq heap seems to depend on
> details of the address-space layout over which the attacker has no
> control. (Plus, there's really not much in a dnsmasq process worth
> learning: all the data in the cache is available with a DNS query
> anyway!) Or am I being naive?
> 
> 
> Cheers,
> 
> Simon. CVE-2015-3294
> 
> 
> On 07/04/15 08:49, Nick Sampanis wrote:
>>>>> Dear sirs, I discovered one potential vulnerability in
>>>>> dnsmasq. More specifically, in tcp_request(), setup_reply()
>>>>> gets called and the returned value is used as a size
>>>>> argument in a write function.
>>>>> 
>>>>> m = setup_reply(header, (unsigned int)size, addrp, flags,
>>>>>                 daemon->local_ttl);
>>>>> read_write(confd, packet, m + sizeof(u16), 0);
>>>>> 
>>>>> Although setup_reply can't return a size variable greater
>>>>> than packet[65535 + MAXDNAME + RRFIXEDSZ + sizeof(u16)], an
>>>>> ignored error value (NULL) of skip_questions() might lead
>>>>> to a negative pointer value (-header):
>>>>> 
>>>>> size_t setup_reply(struct dns_header *header, size_t qlen,
>>>>>                    struct all_addr *addrp, unsigned int flags,
>>>>>                    unsigned long ttl)
>>>>> {
>>>>>   unsigned char *p = skip_questions(header, qlen);
>>>>>   return p - (unsigned char *)header;
>>>>> }
>>>>> 
>>>>> read_write checks if the size argument is positive. In case
>>>>> of a 32 bit system size_t m would be 4 bytes and read_write
>>>>> will automatically exit. In case of 64 bit system size_t m
>>>>> is 8 bytes and may turn to positive if the sign bit of the
>>>>> 32 bit value is 0.
>>>>> 
>>>>> If m is less than 0xffffffff80000000, dnsmasq will be
>>>>> exploited by a potential attacker who will remotely read the
>>>>> dnsmasq heap until it crashes. If the above condition is
>>>>> not met, dnsmasq exits properly.
>>>>> 
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> Dnsmasq-discuss mailing list
>>>>> Dnsmasq-discuss at lists.thekelleys.org.uk 
>>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>>>>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlUvoSYACgkQKPyGmiibgref2gCfUt0hEdP1pE4RmPvatKdH2xeM
lyAAoIjYDIRT6wezSBUY6W1gxbkK8R/U
=tUOv
-----END PGP SIGNATURE-----
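The following is an added illustration, not code from dnsmasq or from either poster in the thread. It models the defect the report describes with small stand-in functions named after the dnsmasq ones (skip_questions, setup_reply, read_write): a parser that returns NULL on a malformed question section, the unchecked pointer subtraction that turns that NULL into a huge size_t, the one-line fix Simon describes (check the return value in setup_reply), and the narrowing of the size to int that the report's 32-bit versus 64-bit discussion depends on. The packet layout is a constructed 12-byte header followed by one question; treating read_write's size parameter as an int is an assumption made for the model.

```c
#include <stddef.h>
#include <stdint.h>

#define HDR_LEN 12   /* constructed stand-in for the DNS header size */

/* Minimal model of skip_questions(): walk qdcount question records
 * (length-prefixed labels ending in 0, then 4 bytes qtype/qclass) and
 * return a pointer just past them, or NULL if the packet is truncated
 * or malformed.  Compression pointers are deliberately not modelled. */
static unsigned char *skip_questions(unsigned char *header, size_t qlen)
{
    if (qlen < HDR_LEN)
        return NULL;
    unsigned qdcount = ((unsigned)header[4] << 8) | header[5];
    unsigned char *p = header + HDR_LEN;
    unsigned char *end = header + qlen;
    for (unsigned i = 0; i < qdcount; i++) {
        for (;;) {                       /* skip the name */
            if (p >= end)
                return NULL;
            unsigned len = *p++;
            if (len == 0)
                break;
            if (len > 63 || (size_t)(end - p) < len)
                return NULL;
            p += len;
        }
        if ((size_t)(end - p) < 4)       /* qtype + qclass */
            return NULL;
        p += 4;
    }
    return p;
}

/* The shape from the report: the NULL return is never checked, so the
 * subtraction yields 0 - header, i.e. a huge unsigned value.  Done via
 * uintptr_t here so the model itself has no undefined behaviour. */
static size_t setup_reply_unchecked(unsigned char *header, size_t qlen)
{
    unsigned char *p = skip_questions(header, qlen);
    return (size_t)((uintptr_t)p - (uintptr_t)header);
}

/* The fix described in the thread: reject a malformed query outright,
 * so the caller has no reply length to hand to read_write. */
static size_t setup_reply_checked(unsigned char *header, size_t qlen)
{
    unsigned char *p = skip_questions(header, qlen);
    if (!p)
        return 0;
    return (size_t)(p - header);
}

/* Models the narrowing when m + sizeof(u16) is passed to an int size
 * parameter (assumption: read_write takes int).  Returns the signed
 * 32-bit value the callee would test for positivity.  A negative result
 * is rejected; a positive one is what lets the over-read proceed, and
 * which case occurs depends only on the low 32 bits of the header
 * address, which is the report's 32-bit/64-bit observation. */
static long long narrowed_size(uint64_t m)
{
    uint32_t low = (uint32_t)(m + sizeof(uint16_t));
    return low >= 0x80000000u ? (long long)low - (1LL << 32) : (long long)low;
}

/* Constructed sample query: header with qdcount = 1, name
 * "www.example.com", then qtype/qclass.  33 bytes in total. */
static unsigned char sample_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};
#define SAMPLE_QUERY_LEN (sizeof sample_query)
```

Feeding the same 33-byte query with a truncated length (say 20, cutting the name short) makes skip_questions return NULL: the checked version returns 0, while the unchecked version returns a value far larger than any packet, which is the length that would reach read_write. Whether that length then survives the int narrowing as a positive number is decided by the header's address alone, not by anything the sender controls, which is the point Simon raises about address-space layout.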
