Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server
10 Sep. 2009
Summary
Dnsmasq is a lightweight DNS forwarder and DHCP server. A vulnerability has been found that may allow an attacker to execute arbitrary code on servers or home routers running dnsmasq[1] with the TFTP service enabled ('--enable-tftp').
Vulnerable Systems:
* dnsmasq version 2.49 and prior
Immune Systems:
* dnsmasq version 2.50
This service is not enabled by default on most distributions; in particular it is not enabled by default on OpenWRT or DD-WRT. Chances of successful exploitation increase when a long directory prefix is used for TFTP. Code will be executed with the privileges of the user running dnsmasq, which is normally a non-privileged one.
Additionally, the TFTP service can be crashed (denial of service) by exploiting a null-pointer dereference vulnerability.
First let's focus on the overflow vulnerability. The 'tftp_request' function calls 'strncat' on 'daemon->namebuff', a buffer of 'MAXDNAME' bytes (1025 by default), passing MAXDNAME itself as the length argument.
'strncat' bounds only the number of bytes taken from the source, not the space remaining in the destination, so the call can write past the end of 'daemon->namebuff' when the buffer already contains data, namely the configured 'daemon->tftp_prefix' (the '--tftp-root' directory from the configuration file). The filename from the client's request is then appended to that prefix with the same unchecked bound, which is where attacker-controlled data reaches the heap.
/-----------
if (daemon->tftp_prefix)
  {
    if (daemon->tftp_prefix[0] == '/')
      daemon->namebuff[0] = 0;
    /* length argument is the whole buffer size, not the space still free */
    strncat(daemon->namebuff, daemon->tftp_prefix, MAXDNAME);
  }
-----------/
The default prefix is '/var/tftpd'; the longer the configured prefix, the further past the end of the buffer the request's filename is written, and with a long enough prefix arbitrary code execution may be possible.
Sending the string resulting from the execution of the following python snippet to a vulnerable server, with a long enough directory prefix configured, should crash the daemon.
Now onto the null-pointer dereference. A client can crash the service with a handcrafted packet because of a problem in the guard of the first 'if' inside the option-parsing loop of 'tftp_request':
The guard of the first 'if' includes the assignment 'opt = next(&p, end)' as part of the condition. When 'next' returns 'NULL' (the packet holds no further string after the option name), that guard fails with 'opt' now NULL, and the next 'if' evaluates 'strcasecmp(opt, "tsize")', dereferencing the null pointer.
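As an added example (not the advisory's own snippet and not dnsmasq source), the following C program sketches a small TFTP read-request handler that covers both issues above: it builds the prefix + filename path with a bound on the space remaining in the buffer instead of strncat(..., MAXDNAME), and it walks the option list so that a request ending right after an option name can never leave a NULL pointer for the next string comparison. MAXDNAME and the '/var/tftpd' prefix follow the advisory; next_str(), append_checked(), build_path(), parse_options(), handle_rrq() and the constructed sample packet are this example's own assumptions.

```c
/* Added example, not dnsmasq code: a minimal TFTP read-request (RRQ) handler
 * showing both bugs in this advisory and their fixes (MAXDNAME and the
 * prefix/filename layout follow the text; the rest is our simplification). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define MAXDNAME 1025   /* size of daemon->namebuff */

/* Next NUL-terminated string after *p; NULL once the packet is used up or if
 * it does not end in NUL, so strlen() can never run past end. */
static const char *next_str(const char **p, const char *end)
{
    const char *ret = *p;
    if (!ret || ret >= end || end[-1] != '\0' || *ret == '\0')
        return NULL;
    *p = (ret + strlen(ret) + 1 < end) ? ret + strlen(ret) + 1 : NULL;
    return ret;
}

/* Bytes strncat(dst, src, MAXDNAME) would leave in dst, NUL included: the count
 * limits the copy from src, not the room left in dst. Computed, never performed. */
static size_t strncat_total_len(const char *dst, const char *src)
{
    size_t slen = strlen(src);
    return strlen(dst) + (slen > MAXDNAME ? MAXDNAME : slen) + 1;
}

/* Fixed append: bounded by the room left in dst, and refusing rather than
 * truncating, since a truncated path is not the file that was requested. */
static int append_checked(char *dst, size_t dstsz, const char *src)
{
    size_t used = strlen(dst), slen = strlen(src);
    if (slen >= dstsz - used)          /* src plus its NUL must fit */
        return -1;
    memcpy(dst + used, src, slen + 1);
    return 0;
}

/* prefix + "/" + filename into a MAXDNAME buffer; -1 if it would not fit. */
static int build_path(char *buf, const char *prefix, const char *filename)
{
    buf[0] = '\0';
    if (prefix && *prefix &&
        (append_checked(buf, MAXDNAME, prefix) < 0 ||
         (prefix[strlen(prefix) - 1] != '/' &&
          append_checked(buf, MAXDNAME, "/") < 0)))
        return -1;
    return append_checked(buf, MAXDNAME, filename);
}

/* Option walk. The crashing shape was, in effect,
 *   if (!strcasecmp(opt, "blksize") && (opt = next(&p, end)) && ...) { }
 *   if (!strcasecmp(opt, "tsize") && ...)      <- opt may now be NULL
 * Reading each option's value before any comparison removes that path. */
static int parse_options(const char *p, const char *end, int *want_tsize)
{
    const char *opt, *val;
    int blksize = 0;
    *want_tsize = 0;
    while ((opt = next_str(&p, end))) {
        val = next_str(&p, end);       /* NULL when the value is missing */
        if (strcasecmp(opt, "blksize") == 0 && val)
            blksize = atoi(val);
        else if (strcasecmp(opt, "tsize") == 0 && val)
            *want_tsize = 1;           /* other options are just skipped */
    }
    return blksize;
}

/* Parse an RRQ (opcode 1): 0 = ok, -1 = malformed, -2 = path too long. */
static int handle_rrq(const unsigned char *pkt, size_t len, const char *prefix,
                      char *namebuff, int *blksize, int *want_tsize)
{
    const char *p, *end, *filename, *mode;
    if (len < 2 || pkt[0] != 0 || pkt[1] != 1)
        return -1;
    p = (const char *)pkt + 2;
    end = (const char *)pkt + len;
    if (!(filename = next_str(&p, end)) || !(mode = next_str(&p, end)) ||
        (strcasecmp(mode, "octet") != 0 && strcasecmp(mode, "netascii") != 0))
        return -1;
    if (build_path(namebuff, prefix, filename) < 0)
        return -2;
    *blksize = parse_options(p, end, want_tsize);
    return 0;
}

/* Constructed request whose trailing "blksize" option carries no value. */
static const char trunc_rrq[] = "\0\x01" "boot.img\0octet\0blksize";
int main(void)
{
    char namebuff[MAXDNAME];
    int blksize, tsize, rc;
    rc = handle_rrq((const unsigned char *)trunc_rrq, sizeof trunc_rrq,
                    "/var/tftpd", namebuff, &blksize, &tsize);
    printf("rc=%d path=%s blksize=%d tsize=%d\n", rc, namebuff, blksize, tsize);
    return 0;
}
```

strncat_total_len() makes the arithmetic of the original bug visible: in this model of the call, the default prefix plus a 1200-byte filename needs 1037 bytes of a 1025-byte buffer. Because strncat copies at most MAXDNAME bytes of its source, the overrun is bounded by the length of the prefix plus the separator and terminating NUL, which is why a longer configured prefix widens the window for exploitation.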
Patch Availability:
If the TFTP service is enabled and a patch cannot be applied immediately, a valid workaround is to filter TFTP (UDP port 69) from untrusted networks such as the Internet. This is the default configuration when enabling TFTP on most home routers.
Patches are already available from the software author (dnsmasq 2.50). Most distributions should release updated binary packages soon.
Disclosure Timeline:
2009-08-20 vendor notified
2009-08-31 Advisory published