[Full-disclosure] CORE-2009-0820 - Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server

2009-09-09 Thread CORE Security Technologies Advisories
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/

 Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server


1. *Advisory Information*

Title: Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server
Advisory ID: CORE-2009-0820
Advisory URL: http://www.coresecurity.com/content/dnsmasq-vulnerabilities
Date published: 2009-08-31
Date of last update: 2009-08-31
Vendors contacted: Simon Kelley
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Buffer overflow
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 36120, 36121
CVE Name: CVE-2009-2957, CVE-2009-2958


3. *Vulnerability Description*

Dnsmasq is a lightweight DNS forwarder and DHCP server. A vulnerability
has been found that may allow an attacker to execute arbitrary code on
servers or home routers running dnsmasq[1] with the TFTP service[2][3]
enabled ('--enable-tftp'). This service is not enabled by default on most
distributions; in particular it is not enabled by default on OpenWRT or
DD-WRT. Chances of successful exploitation increase when a long
directory prefix is used for TFTP. Code will be executed with the
privileges of the user running dnsmasq, which is normally a
non-privileged one.

Additionally, there is a potential DoS attack against the TFTP service by
exploiting a null-pointer dereference vulnerability.


4. *Vulnerable packages*

   . dnsmasq 2.40.
   . dnsmasq 2.41.
   . dnsmasq 2.42.
   . dnsmasq 2.43.
   . dnsmasq 2.44.
   . dnsmasq 2.45.
   . dnsmasq 2.46.
   . dnsmasq 2.47.
   . dnsmasq 2.48.
   . dnsmasq 2.49.
   . Older versions are probably affected too, but they were not checked.


5. *Non-vulnerable packages*

   . dnsmasq 2.50


6. *Vendor Information, Solutions and Workarounds*

If the TFTP service is enabled and patching is not available
immediately, a valid workaround is to filter TFTP for untrusted hosts in
the network (such as the Internet). This is the default configuration
when enabling TFTP on most home routers.

Patches are already available from the software author. Most
distributions should release updates for binary packages soon.


7. *Credits*

The heap-overflow vulnerability (CVE-2009-2957) was discovered during
Bugweek 2009 by Pablo Jorge and Alberto Solino from the team Los
Herederos de Don Pablo of Core Security Technologies.

The null-pointer dereference (CVE-2009-2958) was reported to the author
of dnsmasq independently by an uncredited code auditor. It was merged
with this advisory for users' convenience.


8. *Technical Description*

8.1. *Heap Overflow vulnerability (CVE-2009-2957, BID 36121)*

First let's focus on the overflow vulnerability. The 'tftp_request'
function calls 'strncat' on 'daemon->namebuff', which has a fixed size of
'MAXDNAME' bytes (1025 by default).

/---
  else if (filename[0] == '/')
    daemon->namebuff[0] = 0;
  strncat(daemon->namebuff, filename, MAXDNAME);
---/

This may cause a heap overflow because 'daemon->namebuff' may already
contain data, namely the configured 'daemon->tftp_prefix', which is passed
to the daemon via a configuration file.

/---
  if (daemon->tftp_prefix)
    {
      if (daemon->tftp_prefix[0] == '/')
        daemon->namebuff[0] = 0;
      strncat(daemon->namebuff, daemon->tftp_prefix, MAXDNAME);
---/

The default prefix is '/var/tftpd', but if a longer prefix is used,
arbitrary code execution may be possible.

Sending the string resulting from the execution of the following python
snippet to a vulnerable server, with a long enough directory prefix
configured, should crash the daemon.

/---
import sys
sys.stdout.write('\x00\x01' + 'A'*1535 + '\x00' + 'netascii' + '\x00')
---/
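The following C program is an added illustration and is not dnsmasq code
nor the fix shipped in 2.50. It replays the advisory's two 'strncat' calls
arithmetically to show why the third argument ('MAXDNAME') does not bound
the destination once the prefix is already in the buffer, and places a
bounded path builder beside it that refuses a request which would not fit.
All function names, and the 'A'-filled filename used as input, are
assumptions constructed for the example.

```c
/* Added example, not dnsmasq code: why the strncat(namebuff, x, MAXDNAME)
 * idiom overflows once namebuff already holds the TFTP prefix, and a
 * bounded builder that refuses a path that does not fit. Names are assumed. */
#include <stdio.h>
#include <string.h>

#define MAXDNAME 1025   /* size of daemon->namebuff according to the advisory */

/* Bytes occupied in dst after strncat(dst, src, n), terminator included.
 * The third argument caps how much of src is copied; it says nothing about
 * how much room dst has left, which is the misunderstanding behind the bug. */
size_t strncat_result_len(size_t dst_len, size_t src_len, size_t n)
{
    size_t appended = src_len < n ? src_len : n;
    return dst_len + appended + 1;
}

/* Replays the advisory's two calls (prefix, then filename, each with count
 * MAXDNAME) and reports whether a buffer of bufsz bytes survives them. */
int unbounded_append_fits(const char *prefix, size_t filename_len, size_t bufsz)
{
    size_t used = 0;
    if (prefix)
        used = strncat_result_len(0, strlen(prefix), MAXDNAME) - 1;  /* chars, no NUL */
    return strncat_result_len(used, filename_len, MAXDNAME) <= bufsz;
}

/* Bounded replacement: out = prefix [+ "/"] + filename, or -1 (and an empty
 * out) when the result would not fit. Refusing beats truncating, because a
 * silently shortened path can resolve to a different file than requested. */
int build_tftp_path(char *out, size_t outsz, const char *prefix, const char *filename)
{
    size_t plen = prefix ? strlen(prefix) : 0;
    size_t flen = strlen(filename);
    int need_slash = plen > 0 && prefix[plen - 1] != '/';
    size_t need = plen + (need_slash ? 1 : 0) + flen + 1;   /* +1 for the NUL */

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    if (need > outsz)
        return -1;
    if (plen)
        memcpy(out, prefix, plen);
    if (need_slash)
        out[plen++] = '/';
    memcpy(out + plen, filename, flen + 1);
    return (int)(need - 1);           /* length of the path written */
}

/* Driver: a filename of name_len 'A's (constructed input, in the spirit of
 * the advisory's PoC) fed to the bounded builder with a MAXDNAME buffer. */
int bounded_build_len(const char *prefix, size_t name_len)
{
    static char name[2048], out[MAXDNAME];
    if (name_len >= sizeof name)
        return -1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    return build_tftp_path(out, sizeof out, prefix, name);
}

int main(void)
{
    printf("prefix /var/tftpd/ + 1535-byte name via strncat: %zu bytes into %d\n",
           strncat_result_len(strlen("/var/tftpd/"), 1535, MAXDNAME), MAXDNAME);
    printf("bounded builder, same request: %d\n", bounded_build_len("/var/tftpd", 1535));
    printf("bounded builder, 8-byte name: %d\n", bounded_build_len("/var/tftpd", 8));
    return 0;
}
```

The general rule the arithmetic makes visible: the count passed to
'strncat' must be the space remaining in the destination minus one for the
terminator ('sizeof buf - strlen(buf) - 1'), never the size of the whole
buffer. Passing the buffer size works only while the buffer is empty and
the source is shorter than it, which is exactly the condition the
configured prefix breaks.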

8.2. *Null-pointer Dereference vulnerability (CVE-2009-2958, BID 36120)*

Now onto the null-pointer dereference. A user can crash the service with a
handcrafted packet, because of a problem in the guard of the first 'if'
inside this loop:

/---
  while ((opt = next(&p, end)))
    {
      if (strcasecmp(opt, "blksize") == 0 &&
          (opt = next(&p, end)) &&
          !(daemon->options & OPT_TFTP_NOBLOCK))
        {
          transfer->blocksize = atoi(opt);
          if (transfer->blocksize < 1)
            transfer->blocksize = 1;
          if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
            transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
          transfer->opt_blocksize = 1;
          transfer->block = 0;
        }

      if (strcasecmp(opt, "tsize") == 0 && next(&p, end) &&
          !transfer->netascii)
        {
          transfer->opt_transize = 1;
          transfer->block = 0;
        }
    }
---/

The problem is that the guard of the first 'if' includes the result of
'opt = next(&p, end)' as part of the check. If this returns 'NULL', the
guard fails, and the next 'if' calls 'strcasecmp(opt, "tsize")', which
dereferences the null pointer.
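The following C program is an added example and is neither dnsmasq's code
nor the fix that shipped in 2.50. It reproduces the shape of the loop above
with a NULL-returning 'next()' beside one way to harden it: keeping the
option name and its value in separate variables and rejecting a name that
arrives without a value. The 'next()' contract, the 'max_block' parameter
and the sample option bytes are assumptions constructed for the example.

```c
/* Added example, not dnsmasq code: the option loop from the advisory with
 * its NULL-clobbering guard, beside a rewrite that keeps the option name and
 * its value in separate variables. Names and max_block are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>    /* strcasecmp */

struct tftp_opts {
    int blocksize;      /* accepted blksize, 0 if none requested */
    int opt_blocksize;  /* a blksize option was accepted */
    int opt_tsize;      /* a tsize option was accepted */
};

/* Return the NUL-terminated string at *p and advance past it; NULL when the
 * buffer is exhausted or the string is unterminated (assumed contract). */
static char *next(char **p, char *end)
{
    char *start = *p, *nul;
    if (start >= end || !(nul = memchr(start, 0, (size_t)(end - start))))
        return NULL;
    *p = nul + 1;
    return start;
}

static void accept_blocksize(struct tftp_opts *t, const char *val, int max_block)
{
    t->blocksize = atoi(val);
    if (t->blocksize < 1)
        t->blocksize = 1;
    if (t->blocksize > max_block)
        t->blocksize = max_block;
    t->opt_blocksize = 1;
}

/* Same shape as the advisory's loop: the first guard reassigns opt. If
 * "blksize" is the last string in the packet, that inner next() yields NULL,
 * the guard fails, and the tsize test calls strcasecmp(NULL, "tsize"). */
static void parse_vulnerable(char *p, char *end, int netascii, int max_block,
                             struct tftp_opts *t)
{
    char *opt;
    while ((opt = next(&p, end))) {
        if (strcasecmp(opt, "blksize") == 0 && (opt = next(&p, end)))
            accept_blocksize(t, opt, max_block);
        if (strcasecmp(opt, "tsize") == 0 && next(&p, end) && !netascii)
            t->opt_tsize = 1;          /* opt may be NULL on the line above */
    }
}

/* Hardened form: the value has its own variable, a name with no value is
 * rejected as malformed, and unknown options consume their value so the
 * name/value pairing of RFC 2347 stays aligned. Returns 0, or -1 to reject. */
static int parse_fixed(char *p, char *end, int netascii, int max_block,
                       struct tftp_opts *t)
{
    char *opt, *val;
    while ((opt = next(&p, end))) {
        if (!(val = next(&p, end)))
            return -1;
        if (strcasecmp(opt, "blksize") == 0)
            accept_blocksize(t, val, max_block);
        else if (strcasecmp(opt, "tsize") == 0 && !netascii)
            t->opt_tsize = 1;
    }
    return 0;
}

/* Run one parser over a copy of len bytes of option area (constructed input:
 * the bytes that follow filename and mode in an RRQ). -1 means rejected. */
static int run(const char *data, size_t len, int netascii, int max_block,
               int fixed, struct tftp_opts *t)
{
    char buf[256];
    memset(t, 0, sizeof *t);
    if (len > sizeof buf)
        return -1;
    memcpy(buf, data, len);
    if (fixed)
        return parse_fixed(buf, buf + len, netascii, max_block, t);
    parse_vulnerable(buf, buf + len, netascii, max_block, t);
    return 0;
}

int fixed_blocksize(const char *data, size_t len, int max_block)
{
    struct tftp_opts t;
    return run(data, len, 0, max_block, 1, &t) < 0 ? -1 : t.blocksize;
}

int fixed_tsize(const char *data, size_t len, int netascii)
{
    struct tftp_opts t;
    return run(data, len, netascii, 1464, 1, &t) < 0 ? -1 : t.opt_tsize;
}

int vulnerable_blocksize(const char *data, size_t len, int max_block)
{
    struct tftp_opts t;
    run(data, len, 0, max_block, 0, &t);
    return t.blocksize;
}

int main(void)
{
    /* "blksize" with no value: the vulnerable loop would dereference NULL. */
    printf("fixed parser, dangling blksize: %d\n", fixed_blocksize("blksize", 8, 1464));
    printf("fixed parser, blksize 1400 + tsize: %d\n",
           fixed_blocksize("blksize\0" "1400\0" "tsize\0" "0", 21, 1464));
    return 0;
}
```

The detection side of this bug is simple: a read request whose option area
ends on an option name with no following value is malformed under RFC
2347, so a parser that rejects it (as 'parse_fixed' does) both removes the
crash and gives the daemon a well-defined event to log. The 'run' wrapper
copies the input so the parsers can take the same 'char *p, *end' pair the
advisory's loop works on.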


9. *Report Timeline*

. 2009-08-20:
Core Security Technologies notifies Simon Kelley of the vulnerability,
