Net::DNS is "a DNS resolver implemented in Perl. It allows the programmer to perform nearly any type of DNS query from a Perl script". beSTORM's DNS Server module has been able to detect a vulnerability in Net::DNS that allows a malicious server to crash the Net::DNS package by sending it a malformed DNS response. This in turn would cause any product using the package to crash with it.
Vulnerable Systems:
* Net::DNS version 0.60 build 654
It is possible to cause Net::DNS to "croak" by responding to it with a malformed DNS response.
The croak itself doesn't allow you to overflow or execute arbitrary code, but as it cannot be captured using normal Perl code (with an eval() function, for example), a program using the Net::DNS package can be made to "crash": it is forcefully terminated if it encounters this DNS response.
The problem stems from the fact that the following code, found in Net/DNS/RR/A.pm:

    if ($self->{"rdlength"} > 0) {
        $self->{"address"} = inet_ntoa(substr($$data, $offset, 4));
    }

doesn't properly verify that $$data has 4 bytes to read before attempting the substr. As a result, the data sent to inet_ntoa does not have enough bytes, which causes this code:

    ip_address = SvPVbyte(ip_address_sv, addrlen);
    if (addrlen == sizeof(addr) || addrlen == 4)
        addr.s_addr =
            (ip_address[0] & 0xFF) << 24 |
            (ip_address[1] & 0xFF) << 16 |
            (ip_address[2] & 0xFF) << 8 |
            (ip_address[3] & 0xFF);
    else
        croak("Bad arg length for %s, length is %d, should be %d", "Socket::inet_ntoa", addrlen, sizeof(addr));

to issue a "croak", causing perl to abort.
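A length check of the kind the A-record parser is missing, as an added example (not code from Net::DNS or from this advisory). The helper name parse_a_rdata and the sample buffers are hypothetical and constructed for illustration; it assumes an A record's RDATA is always exactly 4 bytes.

```perl
use strict;
use warnings;
use Socket qw(inet_ntoa);

# Hypothetical helper (not part of Net::DNS): decode the RDATA of an A record
# only when the record claims exactly 4 bytes and the packet really holds them.
sub parse_a_rdata {
    my ($data, $offset, $rdlength) = @_;    # $data is a reference to the packet

    return unless defined $$data && defined $rdlength && $rdlength == 4;
    return if $offset < 0 || $offset + 4 > length($$data);

    # substr is now guaranteed to return 4 bytes, so inet_ntoa gets the
    # argument length it expects.
    return inet_ntoa(substr($$data, $offset, 4));
}

# Constructed sample buffers: 12 filler bytes standing in for the earlier
# part of the packet, followed by the A record's RDATA.
my $filler    = "\0" x 12;
my $good      = $filler . pack('C4', 192, 0, 2, 1);    # full 4-byte address
my $truncated = $filler . pack('C2', 192, 0);          # only 2 bytes present

my @cases = (
    [ 'well-formed',  \$good,      4 ],
    [ 'truncated',    \$truncated, 4 ],    # rdlength claims more than exists
    [ 'bad rdlength', \$good,      2 ],    # rdlength > 0 but not 4
);

for my $case (@cases) {
    my ($name, $buf, $rdlength) = @$case;
    my $addr = parse_a_rdata($buf, 12, $rdlength);
    printf "%-12s => %s\n", $name,
        defined $addr ? $addr : 'rejected (malformed A record)';
}
```

A caller that gets undef back can drop the record or the whole response instead of letting the short string reach Socket::inet_ntoa.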
Severity:
The vulnerability itself doesn't pose any problem, as Socket::inet_ntoa handles it as expected. The seriousness of this vulnerability comes from the fact that several other packages, such as SpamAssassin and OTRS, rely on Net::DNS for resolving hostnames; at the very least this could be a nuisance, where an attacker can crash the daemons run by these two programs.