[Full-disclosure] CORE-2009-0820 - Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Core Security Technologies - CoreLabs Advisory http://www.coresecurity.com/corelabs/ Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server 1. *Advisory Information* Title: Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server Advisory ID: CORE-2009-0820 Advisory URL: http://www.coresecurity.com/content/dnsmasq-vulnerabilities Date published: 2009-08-31 Date of last update: 2009-08-31 Vendors contacted: Simon Kelley Release mode: Coordinated release 2. *Vulnerability Information* Class: Buffer overflow Remotely Exploitable: Yes Locally Exploitable: No Bugtraq ID: 36120, 36121 CVE Name: CVE-2009-2957, CVE-2009-2958 3. *Vulnerability Description* Dnsmasq is a lightweight DNS forwarder and DHCP server. A vulnerability has been found that may allow an attacker to execute arbitrary code on servers or home routers running dnsmasq[1] with the TFTP service[2][3] enabled ('--enable-tfp'). This service is not enabled by default on most distributions; in particular it is not enabled by default on OpenWRT or DD-WRT. Chances of successful exploitation increase when a long directory prefix is used for TFTP. Code will be executed with the privileges of the user running dnsmasq, which is normally a non-privileged one. Additionally there is a potential DoS attack to the TFTP service by exploiting a null-pointer dereference vulnerability. 4. *Vulnerable packages* . dnsmasq 2.40. . dnsmasq 2.41. . dnsmasq 2.42. . dnsmasq 2.43. . dnsmasq 2.44. . dnsmasq 2.45. . dnsmasq 2.46. . dnsmasq 2.47. . dnsmasq 2.48. . dnsmasq 2.49. . Older versions are probably affected too, but they were not checked. 5. *Non-vulnerable packages* . dnsmasq 2.50 6. *Vendor Information, Solutions and Workarounds* If the TFTP service is enabled and patching is not available immediately, a valid workaround is to filter TFTP for untrusted hosts in the network (such as the Internet). This is the default configuration when enabling TFTP on most home routers. Patches are already available from the software author. Most distributions should release updates for binary packages soon. 7. *Credits* The heap-overflow vulnerability (CVE-2009-2957) was discovered during Bugweek 2009 by Pablo Jorge and Alberto Solino from the team Los Herederos de Don Pablo of Core Security Technologies. The null-pointer dereference (CVE-2009-2958) was reported to the author of dnsmasq independently by an uncredited code auditor. It was merged with this advisory for user's convenience. 8. *Technical Description* 8.1. *Heap Overflow vulnerability (CVE-2009-2957, BID 36121)* First let's focus on the overflow vulnerability. The 'tftp_request' calls 'strncat' on 'daemon-namebuff', which has a predefined size of 'MAXDNAME' bytes (defaulting to 1025). /--- else if (filename[0] == '/') daemon-namebuff[0] = 0; strncat(daemon-namebuff, filename, MAXDNAME); - ---/ This may cause a heap overflow because 'daemon-namebuff' may already contain data, namely the configured 'daemon-tftp_prefix' passed to the daemon via a configuration file. /--- if (daemon-tftp_prefix) { if (daemon-tftp_prefix[0] == '/') daemon-namebuff[0] = 0; strncat(daemon-namebuff, daemon-tftp_prefix, MAXDNAME) - ---/ The default prefix is '/var/tftpd', but if a longer prefix is used, arbitrary code execution may be possible. Sending the string resulting from the execution of the following python snippet to a vulnerable server, with a long enough directory prefix configured, should crash the daemon. /--- import sys sys.stdout.write( '\x00\x01' + A*1535 + '\x00' + netascii + '\x00' ) - ---/ 8.2. *Null-pointer Dereference vulnerability (CVE-2009-2958, BID 36120)* Now onto the null-pointer dereference. The user can crash the service by handcrafting a packet, because of a problem on the guard of the first if inside this code loop: /--- while ((opt = next(p, end))) { if (strcasecmp(opt, blksize) == 0 (opt = next(p, end)) !(daemon-options OPT_TFTP_NOBLOCK)) { transfer-blocksize = atoi(opt); if (transfer-blocksize 1) transfer-blocksize = 1; if (transfer-blocksize (unsigned)daemon-packet_buff_sz - 4) transfer-blocksize = (unsigned)daemon-packet_buff_sz - 4; transfer-opt_blocksize = 1; transfer-block = 0; } if (strcasecmp(opt, tsize) == 0 next(p, end) !transfer-netascii) { transfer-opt_transize = 1; transfer-block = 0; } } - ---/ The problem exists because the guard of the first if includes the result of 'opt = next(p, end)' as part of the check. If this returns 'NULL', the guard will fail and in the next if 'strcasecmp(opt, tsize)' will derrefence the null-pointer. 9. *Report Timeline* . 2009-08-20: Core Security Technologies notifies Simon Kelley of the vulnerability,
[Full-disclosure] CORE-2009-0820: Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Core Security Technologies - CoreLabs Advisory http://www.coresecurity.com/corelabs/ Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server 1. *Advisory Information* Title: Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server Advisory ID: CORE-2009-0820 Advisory URL: http://www.coresecurity.com/content/dnsmasq-vulnerabilities Date published: 2009-08-31 Date of last update: 2009-08-31 Vendors contacted: Simon Kelley Release mode: Coordinated release 2. *Vulnerability Information* Class: Buffer overflow Remotely Exploitable: Yes Locally Exploitable: No Bugtraq ID: 36120, 36121 CVE Name: CVE-2009-2957, CVE-2009-2958 3. *Vulnerability Description* Dnsmasq is a lightweight DNS forwarder and DHCP server. A vulnerability has been found that may allow an attacker to execute arbitrary code on servers or home routers running dnsmasq[1] with the TFTP service[2][3] enabled ('--enable-tfp'). This service is not enabled by default on most distributions; in particular it is not enabled by default on OpenWRT or DD-WRT. Chances of successful exploitation increase when a long directory prefix is used for TFTP. Code will be executed with the privileges of the user running dnsmasq, which is normally a non-privileged one. Additionally there is a potential DoS attack to the TFTP service by exploiting a null-pointer dereference vulnerability. 4. *Vulnerable packages* . dnsmasq 2.40. . dnsmasq 2.41. . dnsmasq 2.42. . dnsmasq 2.43. . dnsmasq 2.44. . dnsmasq 2.45. . dnsmasq 2.46. . dnsmasq 2.47. . dnsmasq 2.48. . dnsmasq 2.49. . Older versions are probably affected too, but they were not checked. 5. *Non-vulnerable packages* . dnsmasq 2.50 6. *Vendor Information, Solutions and Workarounds* If the TFTP service is enabled and patching is not available immediately, a valid workaround is to filter TFTP for untrusted hosts in the network (such as the Internet). This is the default configuration when enabling TFTP on most home routers. Patches are already available from the software author. Most distributions should release updates for binary packages soon. 7. *Credits* The heap-overflow vulnerability (CVE-2009-2957) was discovered during Bugweek 2009 by Pablo Jorge and Alberto Solino from the team Los Herederos de Don Pablo of Core Security Technologies. The null-pointer dereference (CVE-2009-2958) was reported to the author of dnsmasq independently by an uncredited code auditor. It was merged with this advisory for user's convenience. 8. *Technical Description* 8.1. *Heap Overflow vulnerability (CVE-2009-2957, BID 36121)* First let's focus on the overflow vulnerability. The 'tftp_request' calls 'strncat' on 'daemon-namebuff', which has a predefined size of 'MAXDNAME' bytes (defaulting to 1025). /--- else if (filename[0] == '/') daemon-namebuff[0] = 0; strncat(daemon-namebuff, filename, MAXDNAME); - ---/ This may cause a heap overflow because 'daemon-namebuff' may already contain data, namely the configured 'daemon-tftp_prefix' passed to the daemon via a configuration file. /--- if (daemon-tftp_prefix) { if (daemon-tftp_prefix[0] == '/') daemon-namebuff[0] = 0; strncat(daemon-namebuff, daemon-tftp_prefix, MAXDNAME) - ---/ The default prefix is '/var/tftpd', but if a longer prefix is used, arbitrary code execution may be possible. Sending the string resulting from the execution of the following python snippet to a vulnerable server, with a long enough directory prefix configured, should crash the daemon. /--- import sys sys.stdout.write( '\x00\x01' + A*1535 + '\x00' + netascii + '\x00' ) - ---/ 8.2. *Null-pointer Dereference vulnerability (CVE-2009-2958, BID 36120)* Now onto the null-pointer dereference. The user can crash the service by handcrafting a packet, because of a problem on the guard of the first if inside this code loop: /--- while ((opt = next(p, end))) { if (strcasecmp(opt, blksize) == 0 (opt = next(p, end)) !(daemon-options OPT_TFTP_NOBLOCK)) { transfer-blocksize = atoi(opt); if (transfer-blocksize 1) transfer-blocksize = 1; if (transfer-blocksize (unsigned)daemon-packet_buff_sz - 4) transfer-blocksize = (unsigned)daemon-packet_buff_sz - 4; transfer-opt_blocksize = 1; transfer-block = 0; } if (strcasecmp(opt, tsize) == 0 next(p, end) !transfer-netascii) { transfer-opt_transize = 1; transfer-block = 0; } } - ---/ The problem exists because the guard of the first if includes the result of 'opt = next(p, end)' as part of the check. If this returns 'NULL', the guard will fail and in the next if 'strcasecmp(opt, tsize)' will derrefence the null-pointer. 9. *Report Timeline* . 2009-08-20: Core