lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <000d01d07da2$3086d0e0$919472a0$@sampanis@obrela.com>
Date: Thu, 23 Apr 2015 01:47:52 -0700
From: "Nick Sampanis" <n.sampanis@...ela.com>
To: <bugtraq@...urityfocus.com>
Subject: Dnsmasq 2.72 Unchecked returned value

"Dnsmasq 2.72 Unchecked returned value"

Description
------------------------------------------------------------
Dnsmasq does not properly check the return value of the setup_reply()
function called during a tcp connection (by the tcp_request() function).
This return value is then used as a size argument in a function which writes
data on the client's connection.  This may lead, upon successful
exploitation, to reading the heap memory of dnsmasq.
 
In more detail:
Function tcp_request() calls setup_reply() and the returned value is used as
a size argument in a write function.
 
m = setup_reply(header, (unsigned int)size, addrp, flags,
daemon->local_ttl);
read_write(confd, packet, m + sizeof(u16), 0));
 
The m variable is determined by a subtraction between the
return of  skip_questions() and header pointer.
The return value of skip_question doesn't checked for error(NULL).
As a result the negative value of pointer(-header), might returned.
 
size_t setup_reply(struct dns_header *header, size_t qlen,
struct all_addr *addrp, unsigned int flags, unsigned long ttl)
{
       unsigned char *p = skip_questions(header, qlen)
       return p - (unsigned char *)header
}
 
read_write checks if the size argument is positive. In case of a 32 bit
system
size_t m would be 4 bytes and read_write will automatically exit. In case of
64
bit system size_t m is 8 bytes and may turn to positive if the sign bit of
the
32 bit value is 0.
 
If m is less than 0xffffffff80000000, dnsmasq will be exploited by a
potential attacker who will remotely read dnsmasq heap. If the above
condition is not met, dnsmasq exits properly.

Researcher
------------------------------------------------------------
Nick Sampanis (n.sampanis[a t]obrela[do t]com)


Vulnerability
------------------------------------------------------------
Unchecked return value CVE-2015-3294

Identification date:
------------------------------------------------------------
07/04/2015 - 09/04/2015

Solution - fix & patch
------------------------------------------------------------
Please download dnsmasq-2.73rc4.tar.gz

Reference:
------------------------------------------------------------
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q2/009382.html
https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1502/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ