Full Disclosure mailing list archives
Re: dproxy - arbitrary code execution through stack buffer overflow vulnerability
From: mu-b <mu-b () digit-labs org>
Date: Fri, 23 Mar 2007 16:54:33 +0000
you might want to NULL terminate query_string while your there.... Alexander Klink wrote:
============================================ ||| Security Advisory AKLINK-SA-2007-001 ||| ||| CVE-2007-1465 (CVE candidate) ||| ============================================ dproxy - remotely exploitable buffer overflow ======================================================================== Date released: 20.03.2007 Date reported: 11.03.2007 $Revision: 1.1 $ by Alexander Klink Cynops GmbH a.klink () cynops de https://www.cynops.de/advisories/CVE-2007-1465.txt (S/MIME signed: https://www.cynops.de/advisories/CVE-2007-1465-signed.txt) https://www.klink.name/security/aklink-sa-2007-001-dproxy-bufferoverflow.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1465 Vendor: Matthew Pratt (Open Source) Product: dproxy - a small caching DNS server Website: http://dproxy.sourceforge.net Vulnerability: buffer overflow Class: remote Status: unpatched (author is unresponsive) Severity: high (arbitrary command execution as root) Releases known to be affected: 0.1, 0.2, 0.3, 0.4, 0.5 Releases known NOT to be affected: dproxy-nexgen +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Overview: dproxy suffers from a typical buffer overflow condition, which allows an attacker to overwrite the stack. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Technical details: In dproxy.c, the UDP packet buffer, which can be up to 4096 bytes long is copied into a variable called query_string, which is at most 2048 bytes. As this is done using strcpy, the stack can be overwritten which leads to arbitrary command execution. Note that one can easily find out whether dproxy is running using the fpdns tool (see http://www.rfc.se/fpdns/). dproxy also seems to be used in a number of WLAN access points / routers, but the version used there (at least in the Linksys WRT54AG, the Asus WL500g and the Netgear DG834G) seems to be dproxy-nexgen, which is not vulnerable to this attack. Thanks to Dan Kaminsky, who provided me with the interesting statistics that apparently only 20 out of about 2.000.000 DNS servers he scanned are using dproxy. So this does not look like a major attack vector. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Exploit: A MetaSploit Framework 2.7 exploit module is available from https://www.cynops.de/downloads/metasploit/dproxy.pm It has been tested successfully with both a Debian stable and an Ubuntu system (with randomize_va_space=0). +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Workaround: Drop packets to the destination UDP port 53 which are larger than 2048 bytes (which is a pretty large DNS query packet anyway). +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Communication: * 13.03.2007: Author updated on vulnerable versions * 11.03.2007: First problem report to author +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Solution: Patch dproxy.c: --- dproxy-0.5/dproxy.c 2000-02-03 04:15:35.000000000 +0100 +++ dproxy-0.5.patched/dproxy.c 2007-03-13 13:07:53.000000000 +0100 @@ -105,7 +105,7 @@ /* child process only here */ signal(SIGCHLD, SIG_IGN); - strcpy( query_string, pkt.buf ); + strncpy( query_string, pkt.buf, sizeof(query_string) ); decode_domain_name( query_string ); debug("query: %s\n", query_string ); +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Credits: Alexander Klink, Cynops GmbH (discovery and exploit development, patch)
-- mu-b (mu-b () digit-labs org) "Only a few people will follow the proof. Whoever does will spend the rest of his life convincing people it is correct." - Anonymous, "P ?= NP" _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- dproxy - arbitrary code execution through stack buffer overflow vulnerability Alexander Klink (Mar 23)
- Re: dproxy - arbitrary code execution through stack buffer overflow vulnerability mu-b (Mar 23)
- Re: dproxy - arbitrary code execution through stack buffer overflow vulnerability Alexander Klink (Mar 23)
- Re: dproxy - arbitrary code execution through stack buffer overflow vulnerability mu-b (Mar 23)