lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 23 Mar 2007 16:54:33 +0000
From: mu-b <mu-b@...it-labs.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: dproxy - arbitrary code execution through
 stack buffer overflow vulnerability

you might want to NULL terminate query_string while your there....

Alexander Klink wrote:
> ============================================
> ||| Security Advisory AKLINK-SA-2007-001 |||
> ||| CVE-2007-1465 (CVE candidate)        |||
> ============================================
>
> dproxy - remotely exploitable buffer overflow
> ========================================================================
>
> Date released: 20.03.2007
> Date reported: 11.03.2007
> $Revision: 1.1 $
>
> by Alexander Klink
>    Cynops GmbH
>    a.klink@...ops.de
>    https://www.cynops.de/advisories/CVE-2007-1465.txt
>    (S/MIME signed: https://www.cynops.de/advisories/CVE-2007-1465-signed.txt)
>    https://www.klink.name/security/aklink-sa-2007-001-dproxy-bufferoverflow.txt
>    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1465
>
> Vendor: Matthew Pratt (Open Source)
> Product: dproxy - a small caching DNS server
> Website: http://dproxy.sourceforge.net
> Vulnerability: buffer overflow
> Class: remote
> Status: unpatched (author is unresponsive)
> Severity: high (arbitrary command execution as root)
> Releases known to be affected: 0.1, 0.2, 0.3, 0.4, 0.5
> Releases known NOT to be affected: dproxy-nexgen
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Overview:
>
> dproxy suffers from a typical buffer overflow condition, which allows
> an attacker to overwrite the stack.
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Technical details:
>
> In dproxy.c, the UDP packet buffer, which can be up to 4096 bytes long
> is copied into a variable called query_string, which is at most 2048
> bytes. As this is done using strcpy, the stack can be overwritten
> which leads to arbitrary command execution.
>
> Note that one can easily find out whether dproxy is running
> using the fpdns tool (see http://www.rfc.se/fpdns/). dproxy also
> seems to be used in a number of WLAN access points / routers, but
> the version used there (at least in the Linksys WRT54AG, the Asus
> WL500g and the Netgear DG834G) seems to be dproxy-nexgen, which is not
> vulnerable to this attack.
>
> Thanks to Dan Kaminsky, who provided me with the interesting statistics
> that apparently only 20 out of about 2.000.000 DNS servers he scanned
> are using dproxy. So this does not look like a major attack vector.
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Exploit:
>
> A MetaSploit Framework 2.7 exploit module is available from
> https://www.cynops.de/downloads/metasploit/dproxy.pm
>
> It has been tested successfully with both a Debian stable and an
> Ubuntu system (with randomize_va_space=0).
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Workaround:
>
> Drop packets to the destination UDP port 53 which are larger than
> 2048 bytes (which is a pretty large DNS query packet anyway).
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Communication:
>
> * 13.03.2007: Author updated on vulnerable versions
> * 11.03.2007: First problem report to author
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Solution:
>
> Patch dproxy.c:
>
> --- dproxy-0.5/dproxy.c 2000-02-03 04:15:35.000000000 +0100
> +++ dproxy-0.5.patched/dproxy.c 2007-03-13 13:07:53.000000000 +0100
> @@ -105,7 +105,7 @@
>    /* child process only here */
>    signal(SIGCHLD, SIG_IGN);
>
> -  strcpy( query_string, pkt.buf );
> +  strncpy( query_string, pkt.buf, sizeof(query_string) );
>    decode_domain_name( query_string );
>    debug("query: %s\n", query_string );
>
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Credits:
>
> Alexander Klink, Cynops GmbH (discovery and exploit development, patch)

-- 
mu-b
(mu-b@...it-labs.org)

  "Only a few people will follow the proof. Whoever does will
     spend the rest of his life convincing people it is correct."
        - Anonymous, "P ?= NP"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ