|
|
|
|
| |
Credit:
The information has been provided by Pablo Jorge and Alberto Solino.
The original article can be found at: http://www.coresecurity.com/content/dnsmasq-vulnerabilities
|
| |
Vulnerable Systems:
* dnsmasq version 2.49 and prior
Immune Systems:
* dnsmasq version 2.50
This service is not enabled by default on most distributions; in particular it is not enabled by default on OpenWRT or DD-WRT. Chances of successful exploitation increase when a long directory prefix is used for TFTP. Code will be executed with the privileges of the user running dnsmasq, which is normally a non-privileged one.
Additionally there is a potential DoS attack to the TFTP service by exploiting a null-pointer dereference vulnerability.
Technical Description
Heap Overflow vulnerability (CVE-2009-2957, BID 36121)*
First let's focus on the overflow vulnerability. The 'tftp_request'
calls 'strncat' on 'daemon->namebuff', which has a predefined size of 'MAXDNAME' bytes (defaulting to 1025).
/-----------
else if (filename[0] == '/')
daemon->namebuff[0] = 0;
strncat(daemon->namebuff, filename, MAXDNAME);
- -----------/
This may cause a heap overflow because 'daemon->namebuff' may already contain data, namely the configured 'daemon->tftp_prefix' passed to the daemon via a configuration file.
/-----------
if (daemon->tftp_prefix)
{
if (daemon->tftp_prefix[0] == '/')
daemon->namebuff[0] = 0;
strncat(daemon->namebuff, daemon->tftp_prefix, MAXDNAME)
- -----------/
The default prefix is '/var/tftpd', but if a longer prefix is used, arbitrary code execution may be possible.
Sending the string resulting from the execution of the following python snippet to a vulnerable server, with a long enough directory prefix configured, should crash the daemon.
/-----------
import sys
sys.stdout.write( '\x00\x01' + "A"*1535 + '\x00' + "netascii" + '\x00' )
- -----------/
Null-pointer Dereference vulnerability (CVE-2009-2958, BID 36120)*
Now onto the null-pointer dereference. The user can crash the service by handcrafting a packet, because of a problem on the guard of the first if inside this code loop:
/-----------
while ((opt = next(&p, end)))
{
if (strcasecmp(opt, "blksize") == 0 &&
(opt = next(&p, end)) &&
!(daemon->options & OPT_TFTP_NOBLOCK))
{
transfer->blocksize = atoi(opt);
if (transfer->blocksize < 1)
transfer->blocksize = 1;
if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)
transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;
transfer->opt_blocksize = 1;
transfer->block = 0;
}
if (strcasecmp(opt, "tsize") == 0 && next(&p, end) &&
!transfer->netascii)
{
transfer->opt_transize = 1;
transfer->block = 0;
}
}
- -----------/
The problem exists because the guard of the first if includes the result of 'opt = next(&p, end)' as part of the check. If this returns 'NULL', the guard will fail and in the next if 'strcasecmp(opt, "tsize")' will derrefence the null-pointer.
Patch Availability:
If the TFTP service is enabled and patching is not available immediately, a valid workaround is to filter TFTP for untrusted hosts in the network (such as the Internet). This is the default configuration when enabling TFTP on most home routers.
Patches are already available from the software author. Most distributions should release updates for binary packages soon.
CVE Information:
CVE-2009-2957
Disclosure Timeline:
2009-08-20 vendor notified
2009-08-31Advisory published
-------------------------------------------------------------------------------------------------------------------------------
Insider's report: What is behind malware growth and how this knowledge will help you avoid the threat.
-
|
|
|
|
|
