ID CVE-2009-2957 Type cve Reporter cve@mitre.org Modified 2017-09-19T01:29:00
Description
Heap-based buffer overflow in the tftp_request function in tftp.c in dnsmasq before 2.50, when --enable-tftp is used, might allow remote attackers to execute arbitrary code via a long filename in a TFTP packet, as demonstrated by a read (aka RRQ) request.
{"seebug": [{"lastseen": "2017-11-19T18:38:26", "description": "BUGTRAQ ID: 36121\r\nCVE(CAN) ID: CVE-2009-2957\r\n\r\nDnsmasq is a lightweight, easily configured DNS forwarder and DHCP server.\r\n\r\ndnsmasq has a heap overflow vulnerability when the TFTP service is enabled (the --enable-tftp command line option, or enable-tftp in /etc/dnsmasq.conf). If the configured tftp-root is long enough and a remote user sends a request containing an overly long filename, dnsmasq may crash or execute arbitrary code with the privileges of the dnsmasq service (usually the unprivileged nobody user).\r\n\r\ntftp_request calls strncat on daemon->namebuff, whose predefined size is MAXDNAME bytes (1025 by default).\r\n\r\n/-----------\r\n\r\n else if (filename[0] == '/')\r\n daemon->namebuff[0] = 0;\r\n strncat(daemon->namebuff, filename, MAXDNAME);\r\n\r\n- -----------/\r\n\r\nBecause daemon->namebuff may already contain data, namely the daemon->tftp_prefix passed to the daemon through the configuration file, this can trigger a heap overflow.\r\n\r\n/-----------\r\n\r\n if (daemon->tftp_prefix)\r\n {\r\n if (daemon->tftp_prefix[0] == '/')\r\n daemon->namebuff[0] = 0;\r\n strncat(daemon->namebuff, daemon->tftp_prefix, MAXDNAME)\r\n\r\n- -----------/\r\n\r\nThe default prefix is /var/tftpd, but if a longer prefix is used, arbitrary code execution may be possible.\n\nSimon Kelley Dnsmasq 
2.4x\nVendor patches:\r\n\r\nRedHat\r\n------\r\nRedHat has released a security advisory (RHSA-2009:1238-01) and corresponding patches for this:\r\nRHSA-2009:1238-01: Important: dnsmasq security update\r\nLink: https://www.redhat.com/support/errata/RHSA-2009-1238.html\r\n\r\nSimon Kelley\r\n------------\r\nThe vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:\r\n\r\nhttp://www.thekelleys.org.uk/dnsmasq/doc.html", "published": "2009-09-02T00:00:00", "title": "Dnsmasq TFTP Service Remote Heap Overflow Vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-2957"], "modified": "2009-09-02T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-12174", "id": "SSV:12174", "sourceData": "\n /-----------\r\n\r\nimport sys\r\nsys.stdout.write( '\\x00\\x01' + "A"*1535 + '\\x00' + "netascii" + '\\x00' )\r\n\r\n- -----------/\n ", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-12174"}, {"lastseen": "2017-11-19T18:39:50", "description": "No description provided by source.", "published": "2009-09-09T00:00:00", "title": "Dnsmasq < 2.50 Heap Overflow & Null pointer Dereference Vulns", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "modified": "2009-09-09T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-12710", "id": "SSV:12710", "sourceData": "\n -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n Core Security Technologies - CoreLabs Advisory\n http://www.coresecurity.com/corelabs/\n\n Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server\n\n\n1. 
*Advisory Information*\n\nTitle: Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server\nAdvisory ID: CORE-2009-0820\nAdvisory URL: http://www.coresecurity.com/content/dnsmasq-vulnerabilities\nDate published: 2009-08-31\nDate of last update: 2009-08-31\nVendors contacted: Simon Kelley\nRelease mode: Coordinated release\n\n\n2. *Vulnerability Information*\n\nClass: Buffer overflow\nRemotely Exploitable: Yes\nLocally Exploitable: No\nBugtraq ID: 36120, 36121\nCVE Name: CVE-2009-2957, CVE-2009-2958\n\n\n3. *Vulnerability Description*\n\nDnsmasq is a lightweight DNS forwarder and DHCP server. A vulnerability\nhas been found that may allow an attacker to execute arbitrary code on\nservers or home routers running dnsmasq[1] with the TFTP service[2][3]\nenabled ('--enable-tftp'). This service is not enabled by default on most\ndistributions; in particular it is not enabled by default on OpenWRT or\nDD-WRT. Chances of successful exploitation increase when a long\ndirectory prefix is used for TFTP. Code will be executed with the\nprivileges of the user running dnsmasq, which is normally a\nnon-privileged one.\n\nAdditionally there is a potential DoS attack to the TFTP service by\nexploiting a null-pointer dereference vulnerability.\n\n\n4. *Vulnerable packages*\n\n . dnsmasq 2.40.\n . dnsmasq 2.41.\n . dnsmasq 2.42.\n . dnsmasq 2.43.\n . dnsmasq 2.44.\n . dnsmasq 2.45.\n . dnsmasq 2.46.\n . dnsmasq 2.47.\n . dnsmasq 2.48.\n . dnsmasq 2.49.\n . Older versions are probably affected too, but they were not checked.\n\n\n5. *Non-vulnerable packages*\n\n . dnsmasq 2.50\n\n\n6. *Vendor Information, Solutions and Workarounds*\n\nIf the TFTP service is enabled and patching is not available\nimmediately, a valid workaround is to filter TFTP for untrusted hosts in\nthe network (such as the Internet). This is the default configuration\nwhen enabling TFTP on most home routers.\n\nPatches are already available from the software author. 
Most\ndistributions should release updates for binary packages soon.\n\n\n7. *Credits*\n\nThe heap-overflow vulnerability (CVE-2009-2957) was discovered during\nBugweek 2009 by Pablo Jorge and Alberto Solino from the team "Los\nHerederos de Don Pablo" of Core Security Technologies.\n\nThe null-pointer dereference (CVE-2009-2958) was reported to the author\nof dnsmasq independently by an uncredited code auditor. It was merged\nwith this advisory for users' convenience.\n\n\n8. *Technical Description*\n\n8.1. *Heap Overflow vulnerability (CVE-2009-2957, BID 36121)*\n\nFirst let's focus on the overflow vulnerability. The 'tftp_request'\ncalls 'strncat' on 'daemon->namebuff', which has a predefined size of\n'MAXDNAME' bytes (defaulting to 1025).\n\n/-----------\nelse if (filename[0] == '/')\n daemon->namebuff[0] = 0;\nstrncat(daemon->namebuff, filename, MAXDNAME);\n- -----------/\n\nThis may cause a heap overflow because 'daemon->namebuff' may already\ncontain data, namely the configured 'daemon->tftp_prefix' passed to the\ndaemon via a configuration file.\n\n/-----------\nif (daemon->tftp_prefix)\n{\n if (daemon->tftp_prefix[0] == '/')\n daemon->namebuff[0] = 0;\n strncat(daemon->namebuff, daemon->tftp_prefix, MAXDNAME)\n- -----------/\n\nThe default prefix is '/var/tftpd', but if a longer prefix is used,\narbitrary code execution may be possible.\n\nSending the string resulting from the execution of the following python\nsnippet to a vulnerable server, with a long enough directory prefix\nconfigured, should crash the daemon.\n\n/-----------\nimport sys\nsys.stdout.write( '\\x00\\x01' + "A"*1535 + '\\x00' + "netascii" + '\\x00' )\n- -----------/\n\n8.2. *Null-pointer Dereference vulnerability (CVE-2009-2958, BID 36120)*\n\nNow onto the null-pointer dereference. 
The user can crash the service by\nhandcrafting a packet, because of a problem on the guard of the first if\ninside this code loop:\n\n/-----------\nwhile ((opt = next(&p, end)))\n {\n if (strcasecmp(opt, "blksize") == 0 &&\n (opt = next(&p, end)) &&\n !(daemon->options & OPT_TFTP_NOBLOCK))\n {\n transfer->blocksize = atoi(opt);\n if (transfer->blocksize < 1)\n transfer->blocksize = 1;\n if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)\n transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;\n transfer->opt_blocksize = 1;\n transfer->block = 0;\n }\n\n if (strcasecmp(opt, "tsize") == 0 && next(&p, end) &&\n !transfer->netascii)\n {\n transfer->opt_transize = 1;\n transfer->block = 0;\n }\n }\n- -----------/\n\nThe problem exists because the guard of the first if includes the result\nof 'opt = next(&p, end)' as part of the check. If this returns 'NULL',\nthe guard will fail and in the next if 'strcasecmp(opt, "tsize")' will\ndereference the null-pointer.\n\n\n9. *Report Timeline*\n\n. 2009-08-20:\nCore Security Technologies notifies Simon Kelley of the vulnerability,\nincluding technical details of the vulnerability in an advisory draft.\n\n. 2009-08-21:\nSimon Kelley acknowledges the vulnerability and confirms to be working\non a patch. He also informs that he is aware that most home router\ndistributions have tftp turned off by default, and firewalled, and\nsuggests this should be mentioned on the advisory. Simon also mentions\nthat a NULL-pointer dereference bug has also been discovered on that\ncode, and suggests merging both bugs in the same advisory. Monday 31/08\nis accepted as a possible release date for this advisory, and help is\noffered in contacting package maintainers of dnsmasq for most operating\nsystems.\n\n. 
2009-08-21:\nCore changes the advisory draft to accommodate Simon's suggestions.\nAbout the NULL-pointer dereference, Core mentions the terms it thinks\nappropriate for the bug to be merged into this advisory, and details how\nthis would affect the following procedures, such as asking for a\nCVE/Bugtraq ID.\n\n. 2009-08-23:\nSimon Kelley contacts Core back, saying that the terms for the\nnull-pointer dereference bug to be included in the advisory are ok. He\nalso mentions that the finder of this bug prefers to remain uncredited\nin this advisory. Details are sent by him about the new bug so that the\nadvisory draft can be updated to include it.\n\n. 2009-08-23:\nCore asks for proper CVE and Bugtraq ID numbers, specifying it believes\neach vulnerability reported in this advisory should be assigned its own.\n\n. 2009-08-23:\nVincent Danen, from Red Hat's Security Response Team contacts Core in\norder to discuss both vulnerabilities by a secure communications\nchannel, and offers its help in obtaining proper CVE numbers, specifying\nthey also believe a separate number should be assigned to each\nvulnerability.\n\n. 2009-08-23:\nCore replies to Vincent Danen by sending its gpg key. Core also mentions\nseparate CVE numbers have already been asked.\n\n. 2009-08-23:\nCore replies to Simon Kelley, including a new advisory draft with both\nbugs merged.\n\n. 2009-08-23:\nCore receives proper CVE and Bugtraq ID numbers for both bugs, and sends\nthem to Red Hat and Simon Kelley.\n\n. 2009-08-31:\nThe advisory CORE-2009-0820 is published.\n\n\n10. *References*\n\n[1] http://www.thekelleys.org.uk/dnsmasq/doc.html\n[2] http://www.isi.edu/in-notes/ien/ien133.txt\n[3] http://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol\n\n\n11. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. 
We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography.\nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies.\nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://www.coresecurity.com/corelabs.\n\n\n12. *About Core Security Technologies*\n\nCore Security Technologies develops strategic solutions that help\nsecurity-conscious organizations worldwide develop and maintain a\nproactive process for securing their networks. The company's flagship\nproduct, CORE IMPACT, is the most comprehensive product for performing\nenterprise security assurance testing. CORE IMPACT evaluates network,\nendpoint and end-user vulnerabilities and identifies what resources are\nexposed. It enables organizations to determine if current security\ninvestments are detecting and preventing attacks. Core Security\nTechnologies augments its leading technology solution with world-class\nsecurity consulting services, including penetration testing and software\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\nhttp://www.coresecurity.com.\n\n\n13. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2009 Core Security\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\nprovided that no fee is charged for this distribution and proper credit\nis given.\n\n\n14. 
*PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.7 (MingW32)\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\n\niD8DBQFKp9rOyNibggitWa0RAjkbAJ0SLIFwI1CMF7IOHSDv+Fg0DwFNQwCfWsZm\nwa3syAdyXlixVdQhdk5vcK0=\n=tfqM\n-----END PGP SIGNATURE-----\n\n# sebug.net\n\n ", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-12710"}, {"lastseen": "2017-11-19T14:17:26", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Dnsmasq < 2.50 - Heap Overflow & Null pointer Dereference Vulns", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-66871", "id": "SSV:66871", "sourceData": "\n -----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n Core Security Technologies - CoreLabs Advisory\r\n http://www.coresecurity.com/corelabs/\r\n\r\n Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server\r\nAdvisory ID: CORE-2009-0820\r\nAdvisory URL: http://www.coresecurity.com/content/dnsmasq-vulnerabilities\r\nDate published: 2009-08-31\r\nDate of last update: 2009-08-31\r\nVendors contacted: Simon Kelley\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Buffer overflow\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nBugtraq ID: 36120, 36121\r\nCVE Name: CVE-2009-2957, CVE-2009-2958\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nDnsmasq is a lightweight DNS forwarder and DHCP server. 
A vulnerability\r\nhas been found that may allow an attacker to execute arbitrary code on\r\nservers or home routers running dnsmasq[1] with the TFTP service[2][3]\r\nenabled ('--enable-tftp'). This service is not enabled by default on most\r\ndistributions; in particular it is not enabled by default on OpenWRT or\r\nDD-WRT. Chances of successful exploitation increase when a long\r\ndirectory prefix is used for TFTP. Code will be executed with the\r\nprivileges of the user running dnsmasq, which is normally a\r\nnon-privileged one.\r\n\r\nAdditionally there is a potential DoS attack to the TFTP service by\r\nexploiting a null-pointer dereference vulnerability.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . dnsmasq 2.40.\r\n . dnsmasq 2.41.\r\n . dnsmasq 2.42.\r\n . dnsmasq 2.43.\r\n . dnsmasq 2.44.\r\n . dnsmasq 2.45.\r\n . dnsmasq 2.46.\r\n . dnsmasq 2.47.\r\n . dnsmasq 2.48.\r\n . dnsmasq 2.49.\r\n . Older versions are probably affected too, but they were not checked.\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . dnsmasq 2.50\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nIf the TFTP service is enabled and patching is not available\r\nimmediately, a valid workaround is to filter TFTP for untrusted hosts in\r\nthe network (such as the Internet). This is the default configuration\r\nwhen enabling TFTP on most home routers.\r\n\r\nPatches are already available from the software author. Most\r\ndistributions should release updates for binary packages soon.\r\n\r\n\r\n7. *Credits*\r\n\r\nThe heap-overflow vulnerability (CVE-2009-2957) was discovered during\r\nBugweek 2009 by Pablo Jorge and Alberto Solino from the team "Los\r\nHerederos de Don Pablo" of Core Security Technologies.\r\n\r\nThe null-pointer dereference (CVE-2009-2958) was reported to the author\r\nof dnsmasq independently by an uncredited code auditor. It was merged\r\nwith this advisory for users' convenience.\r\n\r\n\r\n8. *Technical Description*\r\n\r\n8.1. 
*Heap Overflow vulnerability (CVE-2009-2957, BID 36121)*\r\n\r\nFirst let's focus on the overflow vulnerability. The 'tftp_request'\r\ncalls 'strncat' on 'daemon->namebuff', which has a predefined size of\r\n'MAXDNAME' bytes (defaulting to 1025).\r\n\r\n/-----------\r\nelse if (filename[0] == '/')\r\n daemon->namebuff[0] = 0;\r\nstrncat(daemon->namebuff, filename, MAXDNAME);\r\n- -----------/\r\n\r\nThis may cause a heap overflow because 'daemon->namebuff' may already\r\ncontain data, namely the configured 'daemon->tftp_prefix' passed to the\r\ndaemon via a configuration file.\r\n\r\n/-----------\r\nif (daemon->tftp_prefix)\r\n{\r\n if (daemon->tftp_prefix[0] == '/')\r\n daemon->namebuff[0] = 0;\r\n strncat(daemon->namebuff, daemon->tftp_prefix, MAXDNAME)\r\n- -----------/\r\n\r\nThe default prefix is '/var/tftpd', but if a longer prefix is used,\r\narbitrary code execution may be possible.\r\n\r\nSending the string resulting from the execution of the following python\r\nsnippet to a vulnerable server, with a long enough directory prefix\r\nconfigured, should crash the daemon.\r\n\r\n/-----------\r\nimport sys\r\nsys.stdout.write( '\\x00\\x01' + "A"*1535 + '\\x00' + "netascii" + '\\x00' )\r\n- -----------/\r\n\r\n8.2. *Null-pointer Dereference vulnerability (CVE-2009-2958, BID 36120)*\r\n\r\nNow onto the null-pointer dereference. 
The user can crash the service by\r\nhandcrafting a packet, because of a problem on the guard of the first if\r\ninside this code loop:\r\n\r\n/-----------\r\nwhile ((opt = next(&p, end)))\r\n {\r\n if (strcasecmp(opt, "blksize") == 0 &&\r\n (opt = next(&p, end)) &&\r\n !(daemon->options & OPT_TFTP_NOBLOCK))\r\n {\r\n transfer->blocksize = atoi(opt);\r\n if (transfer->blocksize < 1)\r\n transfer->blocksize = 1;\r\n if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)\r\n transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;\r\n transfer->opt_blocksize = 1;\r\n transfer->block = 0;\r\n }\r\n\r\n if (strcasecmp(opt, "tsize") == 0 && next(&p, end) &&\r\n !transfer->netascii)\r\n {\r\n transfer->opt_transize = 1;\r\n transfer->block = 0;\r\n }\r\n }\r\n- -----------/\r\n\r\nThe problem exists because the guard of the first if includes the result\r\nof 'opt = next(&p, end)' as part of the check. If this returns 'NULL',\r\nthe guard will fail and in the next if 'strcasecmp(opt, "tsize")' will\r\ndereference the null-pointer.\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2009-08-20:\r\nCore Security Technologies notifies Simon Kelley of the vulnerability,\r\nincluding technical details of the vulnerability in an advisory draft.\r\n\r\n. 2009-08-21:\r\nSimon Kelley acknowledges the vulnerability and confirms to be working\r\non a patch. He also informs that he is aware that most home router\r\ndistributions have tftp turned off by default, and firewalled, and\r\nsuggests this should be mentioned on the advisory. Simon also mentions\r\nthat a NULL-pointer dereference bug has also been discovered on that\r\ncode, and suggests merging both bugs in the same advisory. Monday 31/08\r\nis accepted as a possible release date for this advisory, and help is\r\noffered in contacting package maintainers of dnsmasq for most operating\r\nsystems.\r\n\r\n. 
2009-08-21:\r\nCore changes the advisory draft to accommodate Simon's suggestions.\r\nAbout the NULL-pointer dereference, Core mentions the terms it thinks\r\nappropriate for the bug to be merged into this advisory, and details how\r\nthis would affect the following procedures, such as asking for a\r\nCVE/Bugtraq ID.\r\n\r\n. 2009-08-23:\r\nSimon Kelley contacts Core back, saying that the terms for the\r\nnull-pointer dereference bug to be included in the advisory are ok. He\r\nalso mentions that the finder of this bug prefers to remain uncredited\r\nin this advisory. Details are sent by him about the new bug so that the\r\nadvisory draft can be updated to include it.\r\n\r\n. 2009-08-23:\r\nCore asks for proper CVE and Bugtraq ID numbers, specifying it believes\r\neach vulnerability reported in this advisory should be assigned its own.\r\n\r\n. 2009-08-23:\r\nVincent Danen, from Red Hat's Security Response Team contacts Core in\r\norder to discuss both vulnerabilities by a secure communications\r\nchannel, and offers its help in obtaining proper CVE numbers, specifying\r\nthey also believe a separate number should be assigned to each\r\nvulnerability.\r\n\r\n. 2009-08-23:\r\nCore replies to Vincent Danen by sending its gpg key. Core also mentions\r\nseparate CVE numbers have already been asked.\r\n\r\n. 2009-08-23:\r\nCore replies to Simon Kelley, including a new advisory draft with both\r\nbugs merged.\r\n\r\n. 2009-08-23:\r\nCore receives proper CVE and Bugtraq ID numbers for both bugs, and sends\r\nthem to Red Hat and Simon Kelley.\r\n\r\n. 2009-08-31:\r\nThe advisory CORE-2009-0820 is published.\r\n\r\n\r\n10. *References*\r\n\r\n[1] http://www.thekelleys.org.uk/dnsmasq/doc.html\r\n[2] http://www.isi.edu/in-notes/ien/ien133.txt\r\n[3] http://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol\r\n\r\n\r\n11. 
*About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://www.coresecurity.com/corelabs.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies develops strategic solutions that help\r\nsecurity-conscious organizations worldwide develop and maintain a\r\nproactive process for securing their networks. The company's flagship\r\nproduct, CORE IMPACT, is the most comprehensive product for performing\r\nenterprise security assurance testing. CORE IMPACT evaluates network,\r\nendpoint and end-user vulnerabilities and identifies what resources are\r\nexposed. It enables organizations to determine if current security\r\ninvestments are detecting and preventing attacks. Core Security\r\nTechnologies augments its leading technology solution with world-class\r\nsecurity consulting services, including penetration testing and software\r\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\r\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2009 Core Security\r\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\r\nprovided that no fee is charged for this distribution and proper credit\r\nis given.\r\n\r\n\r\n14. 
*PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.7 (MingW32)\r\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\r\n\r\niD8DBQFKp9rOyNibggitWa0RAjkbAJ0SLIFwI1CMF7IOHSDv+Fg0DwFNQwCfWsZm\r\nwa3syAdyXlixVdQhdk5vcK0=\r\n=tfqM\r\n-----END PGP SIGNATURE-----\r\n\r\n# milw0rm.com [2009-09-09]\r\n\n ", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-66871"}], "redhat": [{"lastseen": "2019-08-13T18:45:22", "bulletinFamily": "unix", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "description": "Dnsmasq is a lightweight and easy to configure DNS forwarder and DHCP\nserver.\n\nCore Security Technologies discovered a heap overflow flaw in dnsmasq when\nthe TFTP service is enabled (the \"--enable-tftp\" command line option, or by\nenabling \"enable-tftp\" in \"/etc/dnsmasq.conf\"). If the configured tftp-root\nis sufficiently long, and a remote user sends a request that sends a long\nfile name, dnsmasq could crash or, possibly, execute arbitrary code with\nthe privileges of the dnsmasq service (usually the unprivileged \"nobody\"\nuser). (CVE-2009-2957)\n\nA NULL pointer dereference flaw was discovered in dnsmasq when the TFTP\nservice is enabled. This flaw could allow a malicious TFTP client to crash\nthe dnsmasq service. (CVE-2009-2958)\n\nNote: The default tftp-root is \"/var/ftpd\", which is short enough to make\nit difficult to exploit the CVE-2009-2957 issue; if a longer directory name\nis used, arbitrary code execution may be possible. 
As well, the dnsmasq\npackage distributed by Red Hat does not have TFTP support enabled by\ndefault.\n\nAll users of dnsmasq should upgrade to this updated package, which contains\na backported patch to correct these issues. After installing the updated\npackage, the dnsmasq service must be restarted for the update to take\neffect.", "modified": "2017-09-08T11:50:53", "published": "2009-08-31T04:00:00", "id": "RHSA-2009:1238", "href": "https://access.redhat.com/errata/RHSA-2009:1238", "type": "redhat", "title": "(RHSA-2009:1238) Important: dnsmasq security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:45:01", "bulletinFamily": "unix", "cvelist": ["CVE-2006-6304", "CVE-2007-4567", "CVE-2009-1189", "CVE-2009-2409", "CVE-2009-2730", "CVE-2009-2910", "CVE-2009-2957", "CVE-2009-2958", "CVE-2009-3080", "CVE-2009-3556", "CVE-2009-3563", "CVE-2009-3736", "CVE-2009-3889", "CVE-2009-3939", "CVE-2009-4020", "CVE-2009-4021", "CVE-2009-4138", "CVE-2009-4141", "CVE-2009-4212", "CVE-2009-4272", "CVE-2009-4355", "CVE-2009-4536", "CVE-2009-4537", "CVE-2009-4538", "CVE-2010-0001", "CVE-2010-0097", "CVE-2010-0298", "CVE-2010-0306", "CVE-2010-0309"], "description": "The rhev-hypervisor package provides a Red Hat Enterprise Virtualization\n(RHEV) Hypervisor ISO disk image. The RHEV Hypervisor is a dedicated\nKernel-based Virtual Machine (KVM) hypervisor. It includes everything\nnecessary to run and manage virtual machines: A subset of the Red Hat\nEnterprise Linux operating environment and the Red Hat Enterprise\nVirtualization Agent.\n\nNote: RHEV Hypervisor is only available for the Intel 64 and AMD64\narchitectures with virtualization extensions.\n\nA flaw was found in the IPv6 Extension Header (EH) handling\nimplementation in the Linux kernel. The skb->dst data structure was not\nproperly validated in the ipv6_hop_jumbo() function. This could possibly\nlead to a remote denial of service. 
(CVE-2007-4567)\n\nThe Parallels Virtuozzo Containers team reported two flaws in the routing\nimplementation. If an attacker was able to cause a large enough number of\ncollisions in the routing hash table (via specially-crafted packets) for\nthe emergency route flush to trigger, a deadlock could occur. Secondly, if\nthe kernel routing cache was disabled, an uninitialized pointer would be\nleft behind after a route lookup, leading to a kernel panic.\n(CVE-2009-4272)\n\nA flaw was found in each of the following Intel PRO/1000 Linux drivers in\nthe Linux kernel: e1000 and e1000e. A remote attacker using packets larger\nthan the MTU could bypass the existing fragment check, resulting in\npartial, invalid frames being passed to the network stack. These flaws\ncould also possibly be used to trigger a remote denial of service.\n(CVE-2009-4536, CVE-2009-4538)\n\nA flaw was found in the Realtek r8169 Ethernet driver in the Linux kernel.\nReceiving overly-long frames with a certain revision of the network cards\nsupported by this driver could possibly result in a remote denial of\nservice. (CVE-2009-4537)\n\nThe x86 emulator implementation was missing a check for the Current\nPrivilege Level (CPL) and I/O Privilege Level (IOPL). A user in a guest\ncould leverage these flaws to cause a denial of service (guest crash) or\npossibly escalate their privileges within that guest. (CVE-2010-0298,\nCVE-2010-0306)\n\nA flaw was found in the Programmable Interval Timer (PIT) emulation. Access\nto the internal data structure pit_state, which represents the data state\nof the emulated PIT, was not properly validated in the pit_ioport_read()\nfunction. A privileged guest user could use this flaw to crash the host.\n(CVE-2010-0309)\n\nThis updated package provides updated components that include fixes for\nsecurity issues; however, these issues have no security impact for RHEV\nHypervisor. 
These fixes are for kernel issues CVE-2006-6304, CVE-2009-2910,\nCVE-2009-3080, CVE-2009-3556, CVE-2009-3889, CVE-2009-3939, CVE-2009-4020,\nCVE-2009-4021, CVE-2009-4138, and CVE-2009-4141; ntp issue CVE-2009-3563;\ndbus issue CVE-2009-1189; dnsmasq issues CVE-2009-2957 and CVE-2009-2958;\ngnutls issue CVE-2009-2730; krb5 issue CVE-2009-4212; bind issue \nCVE-2010-0097; gzip issue CVE-2010-0001; openssl issues CVE-2009-2409 and \nCVE-2009-4355; and gcc issue CVE-2009-3736.\n\nThis update also fixes the following bugs:\n\n* on systems with a large number of disk devices, USB storage devices may\nget enumerated after \"/dev/sdz\", for example, \"/dev/sdcd\". This was not\nhandled by the udev rules, resulting in a missing \"/dev/live\" symbolic\nlink, causing installations from USB media to fail. With this update, udev\nrules correctly handle USB storage devices on systems with a large number\nof disk devices, which resolves this issue. (BZ#555083)\n\nAs RHEV Hypervisor is based on KVM, the bug fixes from the KVM update\nRHSA-2010:0088 have been included in this update:\n\nhttps://rhn.redhat.com/errata/RHSA-2010-0088.html\n\nUsers of the Red Hat Enterprise Virtualization Hypervisor are advised to\nupgrade to this updated package, which corrects these issues.", "modified": "2019-03-22T23:44:58", "published": "2010-02-09T05:00:00", "id": "RHSA-2010:0095", "href": "https://access.redhat.com/errata/RHSA-2010:0095", "type": "redhat", "title": "(RHSA-2010:0095) Important: rhev-hypervisor security and bug fix update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:37:12", "bulletinFamily": "unix", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "description": "[2.45-1.1.el5]\n- problems with strings when enabling tftp CVE-2009-2957 and CVE-2009-2957\n- Resolves: rhbg#519021 ", "edition": 4, "modified": "2009-08-31T00:00:00", "published": "2009-08-31T00:00:00", "id": "ELSA-2009-1238", "href": 
"http://linux.oracle.com/errata/ELSA-2009-1238.html", "title": "dnsmasq security update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "centos": [{"lastseen": "2019-12-20T18:26:33", "bulletinFamily": "unix", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "description": "**CentOS Errata and Security Advisory** CESA-2009:1238\n\n\nDnsmasq is a lightweight and easy to configure DNS forwarder and DHCP\nserver.\n\nCore Security Technologies discovered a heap overflow flaw in dnsmasq when\nthe TFTP service is enabled (the \"--enable-tftp\" command line option, or by\nenabling \"enable-tftp\" in \"/etc/dnsmasq.conf\"). If the configured tftp-root\nis sufficiently long, and a remote user sends a request that sends a long\nfile name, dnsmasq could crash or, possibly, execute arbitrary code with\nthe privileges of the dnsmasq service (usually the unprivileged \"nobody\"\nuser). (CVE-2009-2957)\n\nA NULL pointer dereference flaw was discovered in dnsmasq when the TFTP\nservice is enabled. This flaw could allow a malicious TFTP client to crash\nthe dnsmasq service. (CVE-2009-2958)\n\nNote: The default tftp-root is \"/var/ftpd\", which is short enough to make\nit difficult to exploit the CVE-2009-2957 issue; if a longer directory name\nis used, arbitrary code execution may be possible. As well, the dnsmasq\npackage distributed by Red Hat does not have TFTP support enabled by\ndefault.\n\nAll users of dnsmasq should upgrade to this updated package, which contains\na backported patch to correct these issues. 
After installing the updated\npackage, the dnsmasq service must be restarted for the update to take\neffect.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2009-September/028157.html\nhttp://lists.centos.org/pipermail/centos-announce/2009-September/028158.html\n\n**Affected packages:**\ndnsmasq\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2009-1238.html", "edition": 3, "modified": "2009-09-01T15:10:23", "published": "2009-09-01T15:10:22", "href": "http://lists.centos.org/pipermail/centos-announce/2009-September/028157.html", "id": "CESA-2009:1238", "title": "dnsmasq security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2016-09-06T19:47:01", "bulletinFamily": "unix", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "description": "### Background\n\nDnsmasq is a lightweight, easy to configure DNS forwarder and DHCP server. It includes support for Trivial FTP (TFTP). \n\n### Description\n\nMultiple vulnerabilities have been reported in the TFTP functionality included in Dnsmasq: \n\n * Pablo Jorge and Alberto Solino discovered a heap-based buffer overflow (CVE-2009-2957).\n * An anonymous researcher reported a NULL pointer reference (CVE-2009-2958).\n\n### Impact\n\nA remote attacker in the local network could exploit these vulnerabilities by sending specially crafted TFTP requests to a machine running Dnsmasq, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the daemon, or a Denial of Service. NOTE: The TFTP server is not enabled by default. \n\n### Workaround\n\nYou can disable the TFTP server either at buildtime by not enabling the \"tftp\" USE flag, or at runtime. 
Make sure \"--enable-tftp\" is not set in the DNSMASQ_OPTS variable in the /etc/conf.d/dnsmasq file and \"enable-tftp\" is not set in /etc/dnsmasq.conf, either of which would enable TFTP support if it is compiled in. \n\n### Resolution\n\nAll Dnsmasq users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-dns/dnsmasq-2.5.0\"", "edition": 1, "modified": "2009-09-20T00:00:00", "published": "2009-09-20T00:00:00", "id": "GLSA-200909-19", "href": "https://security.gentoo.org/glsa/200909-19", "type": "gentoo", "title": "Dnsmasq: Multiple vulnerabilities", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:34", "bulletinFamily": "software", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "description": "Heap buffer overrun, NULL pointer dereference.", "edition": 1, "modified": "2009-09-10T00:00:00", "published": "2009-09-10T00:00:00", "id": "SECURITYVULNS:VULN:10222", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10222", "title": "dnsmasq TFTP server multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:31", "bulletinFamily": "software", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- ------------------------------------------------------------------------\r\nDebian Security Advisory DSA-1876-1 security@debian.org\r\nhttp://www.debian.org/security/ Florian Weimer\r\nSeptember 01, 2009 http://www.debian.org/security/faq\r\n- ------------------------------------------------------------------------\r\n\r\nPackage : dnsmasq\r\nVulnerability : buffer overflow\r\nProblem type : remote\r\nDebian-specific: no\r\nCVE Id(s) : CVE-2009-2957 CVE-2009-2958\r\n\r\nSeveral remote vulnerabilities have been 
discovered in the TFTP\r\ncomponent of dnsmasq. The Common Vulnerabilities and Exposures\r\nproject identifies the following problems:\r\n\r\nCVE-2009-2957\r\n A buffer overflow in TFTP processing may enable arbitrary code\r\n execution to attackers which are permitted to use the TFTP service.\r\n\r\nCVE-2009-2958\r\n Malicious TFTP clients may crash dnsmasq, leading to denial of\r\n service.\r\n\r\nThe old stable distribution is not affected by these problems.\r\n\r\nFor the stable distribution (lenny), these problems have been fixed in\r\nversion 2.45-1+lenny1.\r\n\r\nFor the unstable distribution (sid), these problems have been fixed in\r\nversion 2.50-1.\r\n\r\nWe recommend that you upgrade your dnsmasq packages.\r\n\r\nUpgrade instructions\r\n- --------------------\r\n\r\nwget url\r\n will fetch the file for you\r\ndpkg -i file.deb\r\n will install the referenced file.\r\n\r\nIf you are using the apt-get package manager, use the line for\r\nsources.list as given below:\r\n\r\napt-get update\r\n will update the internal database\r\napt-get upgrade\r\n will install corrected packages\r\n\r\nYou may use an automated update by adding the resources from the\r\nfooter to the proper configuration.\r\n\r\n\r\nDebian GNU/Linux 5.0 alias lenny\r\n- --------------------------------\r\n\r\nSource archives:\r\n\r\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.45.orig.tar.gz\r\n Size/MD5 checksum: 377466 59106495260bb2d0f184f0d4ae88d740\r\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.45-1+lenny1.diff.gz\r\n Size/MD5 checksum: 14514 c841708d86ea6a13f4f168d311638ff5\r\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.45-1+lenny1.dsc\r\n Size/MD5 checksum: 1006 377658fb3cb46cc670a86e475ff70533\r\n\r\nArchitecture independent packages:\r\n\r\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.45-1+lenny1_all.deb\r\n Size/MD5 checksum: 12110 716c6f4f6e478f5a0f248725e4544dda\r\n\r\nalpha architecture (DEC 
Alpha)\r\n\r\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_alpha.deb\r\n Size/MD5 checksum: 267294 d7ba6bd2b7363246587cf4ab8b78f721\r\n\r\namd64 architecture (AMD x86_64 (AMD64))\r\n\r\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_amd64.deb\r\n Size/MD5 checksum: 258118 3b5fc290f6bfacd7450fbc138e63bcb7\r\n\r\narm architecture (ARM)\r\n\r\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_arm.deb\r\n Size/MD5 checksum: 250676 0011c21826ab5f3b9c64444113acc97f\r\n\r\narmel architecture (ARM EABI)\r\n\r\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_armel.deb\r\n Size/MD5 checksum: 252830 5999eff243a849fe31fba765e92228d0\r\n\r\nhppa architecture (HP PA RISC)\r\n\r\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_hppa.deb\r\n Size/MD5 checksum: 258292 cadea4880ef01292affd271cde276226\r\n\r\ni386 architecture (Intel ia32)\r\n\r\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_i386.deb\r\n Size/MD5 checksum: 251182 cdad8cd873dc28fd69fdd7ca2e59cec1\r\n\r\nia64 architecture (Intel ia64)\r\n\r\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_ia64.deb\r\n Size/MD5 checksum: 301522 2723ddacd61bf4378115a1701848fa2c\r\n\r\nmips architecture (MIPS (Big Endian))\r\n\r\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_mips.deb\r\n Size/MD5 checksum: 256426 0873691aa0b37c2873e93e1132d0db95\r\n\r\nmipsel architecture (MIPS (Little Endian))\r\n\r\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_mipsel.deb\r\n Size/MD5 checksum: 257982 dd6342a053fc0bb9a3be6ec5b4aa3b2f\r\n\r\npowerpc architecture (PowerPC)\r\n\r\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_powerpc.deb\r\n Size/MD5 checksum: 257426 
58e705f584e41b2598a6d62bfc7e2671\r\n\r\ns390 architecture (IBM S/390)\r\n\r\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_s390.deb\r\n Size/MD5 checksum: 255328 3abfb764f944344064aed16352156b04\r\n\r\nsparc architecture (Sun SPARC/UltraSPARC)\r\n\r\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_sparc.deb\r\n Size/MD5 checksum: 252234 4a6db5969b47698346b59828928dc0b5\r\n\r\n\r\n These files will probably be moved into the stable distribution on\r\n its next update.\r\n\r\n- ---------------------------------------------------------------------------------\r\nFor apt-get: deb http://security.debian.org/ stable/updates main\r\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\r\nMailing list: debian-security-announce@lists.debian.org\r\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (GNU/Linux)\r\n\r\niQEcBAEBAgAGBQJKnXmhAAoJEL97/wQC1SS+BPQIAK1x7nctuD1BkdIVjSt5BXRG\r\ncBlfdwgsyjXLoLocyN6A1lsHwcAcFPZI189aqLD2MU8MBJmugDdgReF4d6GTLI/T\r\nzv2G0fkj9rggJXAeqpFOlMK/nhUNxRDAn8h/ZgXcFuTkY0zm1M2D1qhqKpvOjByC\r\nU7im5+V/rp9VAFOaTdMnnvnBJX2nRnXULj85eIAaJYZSahX544UfKi6GLkjN0wji\r\nb/FJvtn9yOT6Rkzgs528icZ3ZoDslTV8xQhuBgILhCcP5Dmp7JokbdzZ7h3zH1YV\r\n8b0WwxEIF/mhmhlNVYDP6n2k2jLw+zLBF2c5jSIlHa67vChsLGeU3auqXAHMpq0=\r\n=h2eE\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2009-09-02T00:00:00", "published": "2009-09-02T00:00:00", "id": "SECURITYVULNS:DOC:22397", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22397", "title": "[SECURITY] [DSA 1876-1] New dnsmasq packages fix remote code execution", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:33", "bulletinFamily": "software", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "description": "Multiple vulnerabilities on 
TFTP processing.", "edition": 1, "modified": "2009-09-02T00:00:00", "published": "2009-09-02T00:00:00", "id": "SECURITYVULNS:VULN:10194", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10194", "title": "dnsmasq multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:31", "bulletinFamily": "software", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n Core Security Technologies - CoreLabs Advisory\r\n http://www.coresecurity.com/corelabs/\r\n\r\n Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server\r\nAdvisory ID: CORE-2009-0820\r\nAdvisory URL: http://www.coresecurity.com/content/dnsmasq-vulnerabilities\r\nDate published: 2009-08-31\r\nDate of last update: 2009-08-31\r\nVendors contacted: Simon Kelley\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Buffer overflow\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nBugtraq ID: 36120, 36121\r\nCVE Name: CVE-2009-2957, CVE-2009-2958\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nDnsmasq is a lightweight DNS forwarder and DHCP server. A vulnerability\r\nhas been found that may allow an attacker to execute arbitrary code on\r\nservers or home routers running dnsmasq[1] with the TFTP service[2][3]\r\nenabled ('--enable-tfp'). This service is not enabled by default on most\r\ndistributions; in particular it is not enabled by default on OpenWRT or\r\nDD-WRT. Chances of successful exploitation increase when a long\r\ndirectory prefix is used for TFTP. 
Code will be executed with the\r\nprivileges of the user running dnsmasq, which is normally a\r\nnon-privileged one.\r\n\r\nAdditionally there is a potential DoS attack to the TFTP service by\r\nexploiting a null-pointer dereference vulnerability.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . dnsmasq 2.40.\r\n . dnsmasq 2.41.\r\n . dnsmasq 2.42.\r\n . dnsmasq 2.43.\r\n . dnsmasq 2.44.\r\n . dnsmasq 2.45.\r\n . dnsmasq 2.46.\r\n . dnsmasq 2.47.\r\n . dnsmasq 2.48.\r\n . dnsmasq 2.49.\r\n . Older versions are probably affected too, but they were not checked.\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . dnsmasq 2.50\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nIf the TFTP service is enabled and patching is not available\r\nimmediately, a valid workaround is to filter TFTP for untrusted hosts in\r\nthe network (such as the Internet). This is the default configuration\r\nwhen enabling TFTP on most home routers.\r\n\r\nPatches are already available from the software author. Most\r\ndistributions should release updates for binary packages soon.\r\n\r\n\r\n7. *Credits*\r\n\r\nThe heap-overflow vulnerability (CVE-2009-2957) was discovered during\r\nBugweek 2009 by Pablo Jorge and Alberto Solino from the team "Los\r\nHerederos de Don Pablo" of Core Security Technologies.\r\n\r\nThe null-pointer dereference (CVE-2009-2958) was reported to the author\r\nof dnsmasq independently by an uncredited code auditor. It was merged\r\nwith this advisory for user's convenience.\r\n\r\n\r\n8. *Technical Description*\r\n\r\n8.1. *Heap Overflow vulnerability (CVE-2009-2957, BID 36121)*\r\n\r\nFirst let's focus on the overflow vulnerability. 
The 'tftp_request'\r\ncalls 'strncat' on 'daemon->namebuff', which has a predefined size of\r\n'MAXDNAME' bytes (defaulting to 1025).\r\n\r\n/-----------\r\nelse if (filename[0] == '/')\r\n daemon->namebuff[0] = 0;\r\nstrncat(daemon->namebuff, filename, MAXDNAME);\r\n- -----------/\r\n\r\nThis may cause a heap overflow because 'daemon->namebuff' may already\r\ncontain data, namely the configured 'daemon->tftp_prefix' passed to the\r\ndaemon via a configuration file.\r\n\r\n/-----------\r\nif (daemon->tftp_prefix)\r\n{\r\n if (daemon->tftp_prefix[0] == '/')\r\n daemon->namebuff[0] = 0;\r\n strncat(daemon->namebuff, daemon->tftp_prefix, MAXDNAME)\r\n- -----------/\r\n\r\nThe default prefix is '/var/tftpd', but if a longer prefix is used,\r\narbitrary code execution may be possible.\r\n\r\nSending the string resulting from the execution of the following python\r\nsnippet to a vulnerable server, with a long enough directory prefix\r\nconfigured, should crash the daemon.\r\n\r\n/-----------\r\nimport sys\r\nsys.stdout.write( '\x00\x01' + "A"*1535 + '\x00' + "netascii" + '\x00' )\r\n- -----------/\r\n\r\n8.2. *Null-pointer Dereference vulnerability (CVE-2009-2958, BID 36120)*\r\n\r\nNow onto the null-pointer dereference. 
The user can crash the service by\r\nhandcrafting a packet, because of a problem on the guard of the first if\r\ninside this code loop:\r\n\r\n/-----------\r\nwhile ((opt = next(&p, end)))\r\n {\r\n if (strcasecmp(opt, "blksize") == 0 &&\r\n (opt = next(&p, end)) &&\r\n !(daemon->options & OPT_TFTP_NOBLOCK))\r\n {\r\n transfer->blocksize = atoi(opt);\r\n if (transfer->blocksize < 1)\r\n transfer->blocksize = 1;\r\n if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)\r\n transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;\r\n transfer->opt_blocksize = 1;\r\n transfer->block = 0;\r\n }\r\n\r\n if (strcasecmp(opt, "tsize") == 0 && next(&p, end) &&\r\n !transfer->netascii)\r\n {\r\n transfer->opt_transize = 1;\r\n transfer->block = 0;\r\n }\r\n }\r\n- -----------/\r\n\r\nThe problem exists because the guard of the first if includes the result\r\nof 'opt = next(&p, end)' as part of the check. If this returns 'NULL',\r\nthe guard will fail and in the next if 'strcasecmp(opt, "tsize")' will\r\nderrefence the null-pointer.\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2009-08-20:\r\nCore Security Technologies notifies Simon Kelley of the vulnerability,\r\nincluding technical details of the vulnerability in an advisory draft.\r\n\r\n. 2009-08-21:\r\nSimon Kelley acknowledges the vulnerability and confirms to be working\r\non a patch. He also informs that he is aware that most home router\r\ndistributions have tftp turned off by default, and firewalled, and\r\nsuggests this should be mentioned on the advisory. Simon also mentions\r\nthat a NULL-pointer dereference bug has also been discovered on that\r\ncode, and suggests merging both bugs in the same advisory. Monday 31/08\r\nis accepted as a possible release date for this advisory, and help is\r\noffered in contacting package maintainers of dnsmasq for most operating\r\nsystems.\r\n\r\n. 
2009-08-21:\r\nCore changes the advisory draft to accommodate Simon's suggestions.\r\nAbout the NULL-pointer dereference, Core mentions the terms it thinks\r\nappropriate for the bug to be merged into this advisory, and details how\r\nthis would affect the following procedures, such as asking for a\r\nCVE/Bugtraq ID.\r\n\r\n. 2009-08-23:\r\nSimon Kelley contacts Core back, saying that the terms for the\r\nnull-pointer derrefence bug to be included in the advisory are ok. He\r\nalso mentions that the finder of this bug prefers to remain uncredited\r\nin this advisory. Details are sent by him about the new bug so that the\r\nadvisory draft can be updated to include it.\r\n\r\n. 2009-08-23:\r\nCore asks for proper CVE and Bugtraq ID numbers, specifying it believes\r\neach vulnerability reported in this advisory should be assigned its own.\r\n\r\n. 2009-08-23:\r\nVincent Danen, from Red Hat's Security Response Team contacts Core in\r\norder to discuss both vulnerabilities by a secure communications\r\nchannel, and offers its help in obtaining proper CVE numbers, specifying\r\nthey also believe a separate number should be assigned to each\r\nvulnerability.\r\n\r\n. 2009-08-23:\r\nCore replies to Vincent Danen by sending its gpg key. Core also mentions\r\nseparate CVE numbers have already been asked.\r\n\r\n. 2009-08-23:\r\nCore replies to Simon Kelley, including a new advisory draft with both\r\nbugs merged.\r\n\r\n. 2009-08-23:\r\nCore receives proper CVE and Bugtraq ID numbers for both bugs, and sends\r\nthem to Red Hat and Simon Kelley.\r\n\r\n. 2009-08-31:\r\nThe advisory CORE-2009-0820 is published.\r\n\r\n\r\n10. *References*\r\n\r\n[1] http://www.thekelleys.org.uk/dnsmasq/doc.html\r\n[2] http://www.isi.edu/in-notes/ien/ien133.txt\r\n[3] http://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol\r\n\r\n\r\n11. 
*About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://www.coresecurity.com/corelabs.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies develops strategic solutions that help\r\nsecurity-conscious organizations worldwide develop and maintain a\r\nproactive process for securing their networks. The company's flagship\r\nproduct, CORE IMPACT, is the most comprehensive product for performing\r\nenterprise security assurance testing. CORE IMPACT evaluates network,\r\nendpoint and end-user vulnerabilities and identifies what resources are\r\nexposed. It enables organizations to determine if current security\r\ninvestments are detecting and preventing attacks. Core Security\r\nTechnologies augments its leading technology solution with world-class\r\nsecurity consulting services, including penetration testing and software\r\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\r\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2009 Core Security\r\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\r\nprovided that no fee is charged for this distribution and proper credit\r\nis given.\r\n\r\n\r\n14. 
*PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.7 (MingW32)\r\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\r\n\r\niD8DBQFKp9rOyNibggitWa0RAjkbAJ0SLIFwI1CMF7IOHSDv+Fg0DwFNQwCfWsZm\r\nwa3syAdyXlixVdQhdk5vcK0=\r\n=tfqM\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2009-09-10T00:00:00", "published": "2009-09-10T00:00:00", "id": "SECURITYVULNS:DOC:22439", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22439", "title": "CORE-2009-0820 - Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-07T10:46:34", "description": "Simon Kelley reports :\n\nFix security problem which allowed any host permitted to do TFTP to\npossibly compromise dnsmasq by remote buffer overflow when TFTP\nenabled.\n\nFix a problem which allowed a malicious TFTP client to crash dnsmasq.", "edition": 26, "published": "2009-09-03T00:00:00", "title": "FreeBSD : dnsmasq -- TFTP server remote code injection vulnerability (80aa98e0-97b4-11de-b946-0030843d3802)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "modified": "2009-09-03T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:dnsmasq"], "id": "FREEBSD_PKG_80AA98E097B411DEB9460030843D3802.NASL", "href": "https://www.tenable.com/plugins/nessus/40858", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source 
(VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(40858);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2009-2957\", \"CVE-2009-2958\");\n script_bugtraq_id(36120, 36121);\n\n script_name(english:\"FreeBSD : dnsmasq -- TFTP server remote code injection vulnerability (80aa98e0-97b4-11de-b946-0030843d3802)\");\n script_summary(english:\"Checks for updated package in 
pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Simon Kelley reports :\n\nFix security problem which allowed any host permitted to do TFTP to\npossibly compromise dnsmasq by remote buffer overflow when TFTP\nenabled.\n\nFix a problem which allowed a malicious TFTP client to crash dnsmasq.\"\n );\n # http://www.coresecurity.com/content/dnsmasq-vulnerabilities\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.secureauth.com/labs/advisories/dnsmasq-vulnerabilities\"\n );\n # https://rhn.redhat.com/errata/RHSA-2009-1238.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2009:1238\"\n );\n # https://vuxml.freebsd.org/freebsd/80aa98e0-97b4-11de-b946-0030843d3802.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?aec1e001\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(119, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/08/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/09/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/09/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"dnsmasq<2.50\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:52:34", "description": "The remote host is affected by the vulnerability described in GLSA-200909-19\n(Dnsmasq: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been reported in the TFTP functionality\n included in Dnsmasq:\n Pablo Jorge and Alberto Solino\n discovered a heap-based buffer overflow (CVE-2009-2957).\n An\n anonymous researcher reported a NULL pointer reference\n (CVE-2009-2958).\n \nImpact :\n\n A remote attacker in the local network could exploit these\n vulnerabilities by sending specially crafted TFTP requests to a machine\n running Dnsmasq, possibly resulting in the remote execution of\n arbitrary code with the privileges of the user running the daemon, or a\n Denial of Service. NOTE: The TFTP server is not enabled by default.\n \nWorkaround :\n\n You can disable the TFTP server either at buildtime by not enabling the\n 'tftp' USE flag, or at runtime. 
Make sure '--enable-tftp' is not set in\n the DNSMASQ_OPTS variable in the /etc/conf.d/dnsmasq file and\n 'enable-tftp' is not set in /etc/dnsmasq.conf, either of which would\n enable TFTP support if it is compiled in.", "edition": 26, "published": "2009-09-21T00:00:00", "title": "GLSA-200909-19 : Dnsmasq: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "modified": "2009-09-21T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:dnsmasq"], "id": "GENTOO_GLSA-200909-19.NASL", "href": "https://www.tenable.com/plugins/nessus/41023", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200909-19.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(41023);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2009-2957\", \"CVE-2009-2958\");\n script_bugtraq_id(36120);\n script_xref(name:\"GLSA\", value:\"200909-19\");\n\n script_name(english:\"GLSA-200909-19 : Dnsmasq: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200909-19\n(Dnsmasq: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been reported in the TFTP functionality\n included in Dnsmasq:\n Pablo Jorge and 
Alberto Solino\n discovered a heap-based buffer overflow (CVE-2009-2957).\n An\n anonymous researcher reported a NULL pointer reference\n (CVE-2009-2958).\n \nImpact :\n\n A remote attacker in the local network could exploit these\n vulnerabilities by sending specially crafted TFTP requests to a machine\n running Dnsmasq, possibly resulting in the remote execution of\n arbitrary code with the privileges of the user running the daemon, or a\n Denial of Service. NOTE: The TFTP server is not enabled by default.\n \nWorkaround :\n\n You can disable the TFTP server either at buildtime by not enabling the\n 'tftp' USE flag, or at runtime. Make sure '--enable-tftp' is not set in\n the DNSMASQ_OPTS variable in the /etc/conf.d/dnsmasq file and\n 'enable-tftp' is not set in /etc/dnsmasq.conf, either of which would\n enable TFTP support if it is compiled in.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200909-19\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Dnsmasq users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-dns/dnsmasq-2.5.0'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/09/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/09/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-dns/dnsmasq\", unaffected:make_list(\"ge 2.5.0\"), vulnerable:make_list(\"lt 2.5.0\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Dnsmasq\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T09:45:38", "description": "Several remote vulnerabilities have been discovered in the TFTP\ncomponent of dnsmasq. 
The Common Vulnerabilities and Exposures project\nidentifies the following problems :\n\n - CVE-2009-2957\n A buffer overflow in TFTP processing may enable\n arbitrary code execution to attackers which are\n permitted to use the TFTP service.\n\n - CVE-2009-2958\n Malicious TFTP clients may crash dnsmasq, leading to\n denial of service.", "edition": 27, "published": "2010-02-24T00:00:00", "title": "Debian DSA-1876-1 : dnsmasq - buffer overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "modified": "2010-02-24T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:5.0", "p-cpe:/a:debian:debian_linux:dnsmasq"], "id": "DEBIAN_DSA-1876.NASL", "href": "https://www.tenable.com/plugins/nessus/44741", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1876. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(44741);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2009-2957\", \"CVE-2009-2958\");\n script_bugtraq_id(36120);\n script_xref(name:\"DSA\", value:\"1876\");\n\n script_name(english:\"Debian DSA-1876-1 : dnsmasq - buffer overflow\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several remote vulnerabilities have been discovered in the TFTP\ncomponent of dnsmasq. 
The Common Vulnerabilities and Exposures project\nidentifies the following problems :\n\n - CVE-2009-2957\n A buffer overflow in TFTP processing may enable\n arbitrary code execution to attackers which are\n permitted to use the TFTP service.\n\n - CVE-2009-2958\n Malicious TFTP clients may crash dnsmasq, leading to\n denial of service.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-2957\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-2958\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2009/dsa-1876\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the dnsmasq packages.\n\nThe old stable distribution is not affected by these problems.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 2.45-1+lenny1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:5.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/02/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"5.0\", prefix:\"dnsmasq\", reference:\"2.45-1+lenny1\")) flag++;\nif (deb_check(release:\"5.0\", prefix:\"dnsmasq-base\", reference:\"2.45-1+lenny1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T12:44:42", "description": "From Red Hat Security Advisory 2009:1238 :\n\nAn updated dnsmasq package that fixes two security issues is now\navailable for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having important security impact by the\nRed Hat Security Response Team.\n\nDnsmasq is a lightweight and easy to configure DNS forwarder and DHCP\nserver.\n\nCore Security Technologies discovered a heap overflow flaw in dnsmasq\nwhen the TFTP service is enabled (the '--enable-tftp' command line\noption, or by enabling 'enable-tftp' in '/etc/dnsmasq.conf'). If the\nconfigured tftp-root is sufficiently long, and a remote user sends a\nrequest that sends a long file name, dnsmasq could crash or, possibly,\nexecute arbitrary code with the privileges of the dnsmasq service\n(usually the unprivileged 'nobody' user). (CVE-2009-2957)\n\nA NULL pointer dereference flaw was discovered in dnsmasq when the\nTFTP service is enabled. 
This flaw could allow a malicious TFTP client\nto crash the dnsmasq service. (CVE-2009-2958)\n\nNote: The default tftp-root is '/var/ftpd', which is short enough to\nmake it difficult to exploit the CVE-2009-2957 issue; if a longer\ndirectory name is used, arbitrary code execution may be possible. As\nwell, the dnsmasq package distributed by Red Hat does not have TFTP\nsupport enabled by default.\n\nAll users of dnsmasq should upgrade to this updated package, which\ncontains a backported patch to correct these issues. After installing\nthe updated package, the dnsmasq service must be restarted for the\nupdate to take effect.", "edition": 26, "published": "2013-07-12T00:00:00", "title": "Oracle Linux 5 : dnsmasq (ELSA-2009-1238)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "modified": "2013-07-12T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:dnsmasq", "cpe:/o:oracle:linux:5"], "id": "ORACLELINUX_ELSA-2009-1238.NASL", "href": "https://www.tenable.com/plugins/nessus/67918", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2009:1238 and \n# Oracle Linux Security Advisory ELSA-2009-1238 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(67918);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-2957\", \"CVE-2009-2958\");\n script_bugtraq_id(36120);\n script_xref(name:\"RHSA\", value:\"2009:1238\");\n\n script_name(english:\"Oracle Linux 5 : dnsmasq (ELSA-2009-1238)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n 
value:\n\"From Red Hat Security Advisory 2009:1238 :\n\nAn updated dnsmasq package that fixes two security issues is now\navailable for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having important security impact by the\nRed Hat Security Response Team.\n\nDnsmasq is a lightweight and easy to configure DNS forwarder and DHCP\nserver.\n\nCore Security Technologies discovered a heap overflow flaw in dnsmasq\nwhen the TFTP service is enabled (the '--enable-tftp' command line\noption, or by enabling 'enable-tftp' in '/etc/dnsmasq.conf'). If the\nconfigured tftp-root is sufficiently long, and a remote user sends a\nrequest that sends a long file name, dnsmasq could crash or, possibly,\nexecute arbitrary code with the privileges of the dnsmasq service\n(usually the unprivileged 'nobody' user). (CVE-2009-2957)\n\nA NULL pointer dereference flaw was discovered in dnsmasq when the\nTFTP service is enabled. This flaw could allow a malicious TFTP client\nto crash the dnsmasq service. (CVE-2009-2958)\n\nNote: The default tftp-root is '/var/ftpd', which is short enough to\nmake it difficult to exploit the CVE-2009-2957 issue; if a longer\ndirectory name is used, arbitrary code execution may be possible. As\nwell, the dnsmasq package distributed by Red Hat does not have TFTP\nsupport enabled by default.\n\nAll users of dnsmasq should upgrade to this updated package, which\ncontains a backported patch to correct these issues. 
After installing\nthe updated package, the dnsmasq service must be restarted for the\nupdate to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2009-August/001134.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dnsmasq package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/09/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"dnsmasq-2.45-1.1.el5_3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:06:51", "description": "This update fixes two security issues with dnsmasq's tftp 
server:\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2957\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2958\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "published": "2009-10-15T00:00:00", "title": "Fedora 10 : dnsmasq-2.46-2.fc10 (2009-10252)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "modified": "2009-10-15T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:10", "p-cpe:/a:fedoraproject:fedora:dnsmasq"], "id": "FEDORA_2009-10252.NASL", "href": "https://www.tenable.com/plugins/nessus/42121", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2009-10252.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(42121);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2009-2957\", \"CVE-2009-2958\");\n script_bugtraq_id(36120);\n script_xref(name:\"FEDORA\", value:\"2009-10252\");\n\n script_name(english:\"Fedora 10 : dnsmasq-2.46-2.fc10 (2009-10252)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes two security issues with dnsmasq's tftp server:\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2957\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2958\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security 
advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=519020\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2009-October/030080.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a2ef299f\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dnsmasq package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/10/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/10/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^10([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 10.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC10\", reference:\"dnsmasq-2.46-2.fc10\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T13:07:01", "description": "An updated dnsmasq package that fixes two security issues is now\navailable for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having important security impact by the\nRed Hat Security Response Team.\n\nDnsmasq is a lightweight and easy to configure DNS forwarder and DHCP\nserver.\n\nCore Security Technologies discovered a heap overflow flaw in dnsmasq\nwhen the TFTP 
service is enabled (the '--enable-tftp' command line\noption, or by enabling 'enable-tftp' in '/etc/dnsmasq.conf'). If the\nconfigured tftp-root is sufficiently long, and a remote user sends a\nrequest that sends a long file name, dnsmasq could crash or, possibly,\nexecute arbitrary code with the privileges of the dnsmasq service\n(usually the unprivileged 'nobody' user). (CVE-2009-2957)\n\nA NULL pointer dereference flaw was discovered in dnsmasq when the\nTFTP service is enabled. This flaw could allow a malicious TFTP client\nto crash the dnsmasq service. (CVE-2009-2958)\n\nNote: The default tftp-root is '/var/ftpd', which is short enough to\nmake it difficult to exploit the CVE-2009-2957 issue; if a longer\ndirectory name is used, arbitrary code execution may be possible. As\nwell, the dnsmasq package distributed by Red Hat does not have TFTP\nsupport enabled by default.\n\nAll users of dnsmasq should upgrade to this updated package, which\ncontains a backported patch to correct these issues. After installing\nthe updated package, the dnsmasq service must be restarted for the\nupdate to take effect.", "edition": 28, "published": "2009-09-02T00:00:00", "title": "RHEL 5 : dnsmasq (RHSA-2009:1238)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "modified": "2009-09-02T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux:5.3", "p-cpe:/a:redhat:enterprise_linux:dnsmasq"], "id": "REDHAT-RHSA-2009-1238.NASL", "href": "https://www.tenable.com/plugins/nessus/40834", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2009:1238. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(40834);\n script_version(\"1.26\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-2957\", \"CVE-2009-2958\");\n script_bugtraq_id(36120);\n script_xref(name:\"RHSA\", value:\"2009:1238\");\n\n script_name(english:\"RHEL 5 : dnsmasq (RHSA-2009:1238)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An updated dnsmasq package that fixes two security issues is now\navailable for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having important security impact by the\nRed Hat Security Response Team.\n\nDnsmasq is a lightweight and easy to configure DNS forwarder and DHCP\nserver.\n\nCore Security Technologies discovered a heap overflow flaw in dnsmasq\nwhen the TFTP service is enabled (the '--enable-tftp' command line\noption, or by enabling 'enable-tftp' in '/etc/dnsmasq.conf'). If the\nconfigured tftp-root is sufficiently long, and a remote user sends a\nrequest that sends a long file name, dnsmasq could crash or, possibly,\nexecute arbitrary code with the privileges of the dnsmasq service\n(usually the unprivileged 'nobody' user). (CVE-2009-2957)\n\nA NULL pointer dereference flaw was discovered in dnsmasq when the\nTFTP service is enabled. This flaw could allow a malicious TFTP client\nto crash the dnsmasq service. (CVE-2009-2958)\n\nNote: The default tftp-root is '/var/ftpd', which is short enough to\nmake it difficult to exploit the CVE-2009-2957 issue; if a longer\ndirectory name is used, arbitrary code execution may be possible. 
As\nwell, the dnsmasq package distributed by Red Hat does not have TFTP\nsupport enabled by default.\n\nAll users of dnsmasq should upgrade to this updated package, which\ncontains a backported patch to correct these issues. After installing\nthe updated package, the dnsmasq service must be restarted for the\nupdate to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2009-2957\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2009-2958\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2009:1238\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dnsmasq package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/09/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/09/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2009:1238\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"dnsmasq-2.45-1.1.el5_3\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"dnsmasq-2.45-1.1.el5_3\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"dnsmasq-2.45-1.1.el5_3\")) 
flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-01T02:06:47", "description": "The remote host is running dnsmasq, a DNS and TFTP server. \n\nThe version of dnsmasq installed on the remote host reports itself as\nlower than 2.50. Such versions include a TFTP server that is\nreportedly affected by a number of issues:\n\n - A remote heap-overflow vulnerability exists because the\n software fails to properly bounds-check user-supplied \n input before copying it into an insufficiently-sized \n memory buffer. (CVE-2009-2957)\n\n - A malformed TFTP packet can crash dnsmasq with a NULL\n pointer dereference. (CVE-2009-2958)", "edition": 30, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2009-09-04T00:00:00", "title": "dnsmasq < 2.50 Multiple Remote TFTP Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:thekelleys:dnsmasq"], "id": "DNSMASQ_MULTIPLE_TFTP_FLAWS.NASL", "href": "https://www.tenable.com/plugins/nessus/40875", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude( 'compat.inc' );\n\nif(description)\n{\n script_id(40875);\n script_version(\"1.14\");\n\n script_cve_id(\"CVE-2009-2957\", \"CVE-2009-2958\");\n script_bugtraq_id(36120, 36121);\n\n script_name(english:\"dnsmasq < 2.50 Multiple Remote TFTP Vulnerabilities\");\n script_summary(english: \"Checks the version of dnsmasq\");\n\n script_set_attribute(\n attribute:'synopsis',\n value:'The remote TFTP service is affected by multiple vulnerabilities.'\n );\n\n 
script_set_attribute(\n attribute:'description',\n value:'The remote host is running dnsmasq, a DNS and TFTP server. \n\nThe version of dnsmasq installed on the remote host reports itself as\nlower than 2.50. Such versions include a TFTP server that is\nreportedly affected by a number of issues:\n\n - A remote heap-overflow vulnerability exists because the\n software fails to properly bounds-check user-supplied \n input before copying it into an insufficiently-sized \n memory buffer. (CVE-2009-2957)\n\n - A malformed TFTP packet can crash dnsmasq with a NULL\n pointer dereference. (CVE-2009-2958)'\n );\n\n script_set_attribute(\n attribute:'see_also',\n value:'http://www.coresecurity.com/content/dnsmasq-vulnerabilities'\n );\n script_set_attribute(\n attribute:'see_also',\n value:'https://seclists.org/fulldisclosure/2009/Aug/450'\n );\n # https://web.archive.org/web/20090901005927/http://www.thekelleys.org.uk/dnsmasq/CHANGELOG\n script_set_attribute(\n attribute:'see_also',\n value:'http://www.nessus.org/u?a0dc0215'\n );\n # http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2009q3/003253.html\n script_set_attribute(\n attribute:'see_also',\n value:'http://www.nessus.org/u?7052e1ae'\n );\n script_set_attribute(\n attribute:'solution',\n value:'Upgrade to dnsmasq 2.50 or later.'\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119, 399);\n\n script_set_attribute( attribute:'vuln_publication_date', value:'2009/08/31' );\n script_set_attribute( attribute:'patch_publication_date', value:'2009/08/31' );\n script_set_attribute( 
attribute:'plugin_publication_date', value:'2009/09/04' );\n\n script_cvs_date(\"Date: 2018/11/15 20:50:21\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:thekelleys:dnsmasq\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n script_family(english: \"DNS\");\n\n script_dependencie(\"dns_version.nasl\", \"tftpd_detect.nasl\");\n script_require_keys(\"dns_server/version\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/dns\", 53, \"Services/udp/tftp\");\n \n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\napp_name = \"dnsmasq\";\n\nget_kb_item_or_exit(\"Services/udp/dns\");\nport = get_kb_item_or_exit( \"Services/udp/tftp\" );\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# dnsmasq replies to BIND.VERSION\nversion = get_kb_item_or_exit(\"dns_server/version\");\nversion = tolower(version);\ndisplay_version = version;\n\nif (version !~ \"dnsmasq-(v)?\")\n audit(AUDIT_NOT_LISTEN, app_name, port);\n\nversion = ereg_replace(pattern:\"^dnsmasq-(v)?(.*)$\", replace:\"\\2\", string:version);\n\nif (version == '2')\n audit(AUDIT_VER_NOT_GRANULAR, app_name, port, display_version);\n\nif (version =~ \"^([01]\\.|2\\.([0-9]|[1-4][0-9])$)\")\n{\n report = '\\n' +\n '\\n Installed version : ' + display_version +\n '\\n Fixed version : dnsmasq-2.50' +\n '\\n';\n security_report_v4(port:port, proto:\"udp\", severity:SECURITY_HOLE, extra:report);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, app_name, port, display_version, 'udp');\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T15:44:44", "description": "Iván Arce, Pablo Hernán Jorge, Alejandro Pablo Rodriguez, Martín\nCoco,
Alberto Soliño Testa and Pablo Annetta discovered that Dnsmasq\ndid not properly validate its input when processing TFTP requests for\nfiles with long names. A remote attacker could cause a denial of\nservice or execute arbitrary code with user privileges. Dnsmasq runs\nas the 'dnsmasq' user by default on Ubuntu. (CVE-2009-2957)\n\nSteve Grubb discovered that Dnsmasq could be made to dereference a\nNULL pointer when processing certain TFTP requests. A remote attacker\ncould cause a denial of service by sending a crafted TFTP request.\n(CVE-2009-2958).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "published": "2009-09-02T00:00:00", "title": "Ubuntu 8.04 LTS / 8.10 / 9.04 : dnsmasq vulnerabilities (USN-827-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "modified": "2009-09-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:dnsmasq-base", "p-cpe:/a:canonical:ubuntu_linux:dnsmasq", "cpe:/o:canonical:ubuntu_linux:8.04:-:lts", "cpe:/o:canonical:ubuntu_linux:8.10", "cpe:/o:canonical:ubuntu_linux:9.04"], "id": "UBUNTU_USN-827-1.NASL", "href": "https://www.tenable.com/plugins/nessus/40848", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-827-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>.
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(40848);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2009-2957\", \"CVE-2009-2958\");\n script_bugtraq_id(36120);\n script_xref(name:\"USN\", value:\"827-1\");\n\n script_name(english:\"Ubuntu 8.04 LTS / 8.10 / 9.04 : dnsmasq vulnerabilities (USN-827-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Iván Arce, Pablo Hernán Jorge, Alejandro Pablo Rodriguez, Martín\nCoco, Alberto Soliño Testa and Pablo Annetta discovered that Dnsmasq\ndid not properly validate its input when processing TFTP requests for\nfiles with long names. A remote attacker could cause a denial of\nservice or execute arbitrary code with user privileges. Dnsmasq runs\nas the 'dnsmasq' user by default on Ubuntu. (CVE-2009-2957)\n\nSteve Grubb discovered that Dnsmasq could be made to dereference a\nNULL pointer when processing certain TFTP requests. A remote attacker\ncould cause a denial of service by sending a crafted TFTP request.\n(CVE-2009-2958).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/827-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dnsmasq and / or dnsmasq-base packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:dnsmasq-base\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:9.04\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/09/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! 
get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(8\\.04|8\\.10|9\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 8.04 / 8.10 / 9.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"8.04\", pkgname:\"dnsmasq\", pkgver:\"2.41-2ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"dnsmasq-base\", pkgver:\"2.41-2ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"dnsmasq\", pkgver:\"2.45-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"dnsmasq-base\", pkgver:\"2.45-1ubuntu1.1\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"dnsmasq\", pkgver:\"2.47-3ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"dnsmasq-base\", pkgver:\"2.47-3ubuntu0.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq / dnsmasq-base\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:06:51", "description": "This update fixes two security issues with dnsmasq's tftp server:\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2957\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2958\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 26, "published": "2009-10-15T00:00:00", "title": "Fedora 11 : dnsmasq-2.46-3.fc11 (2009-10285)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "modified": "2009-10-15T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:dnsmasq", "cpe:/o:fedoraproject:fedora:11"], "id": "FEDORA_2009-10285.NASL", "href": "https://www.tenable.com/plugins/nessus/42123", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2009-10285.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(42123);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2009-2957\", \"CVE-2009-2958\");\n script_bugtraq_id(36120);\n script_xref(name:\"FEDORA\", value:\"2009-10285\");\n\n script_name(english:\"Fedora 11 : dnsmasq-2.46-3.fc11 (2009-10285)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes two security issues with dnsmasq's tftp server:\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2957\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2958\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=519020\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2009-October/029959.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?50a218e0\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dnsmasq package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/10/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/10/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^11([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 11.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC11\", reference:\"dnsmasq-2.46-3.fc11\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T13:44:29", "description": "CVE-2009-2957, CVE-2009-2958 dnsmasq: multiple vulnerabilities in TFTP\nserver\n\nCore Security Technologies discovered a heap overflow flaw in dnsmasq\nwhen the TFTP service is enabled (the '--enable-tftp' command line\noption, or by enabling 'enable-tftp' in '/etc/dnsmasq.conf'). 
If the\nconfigured tftp-root is sufficiently long, and a remote user sends a\nrequest that sends a long file name, dnsmasq could crash or, possibly,\nexecute arbitrary code with the privileges of the dnsmasq service\n(usually the unprivileged 'nobody' user). (CVE-2009-2957)\n\nA NULL pointer dereference flaw was discovered in dnsmasq when the\nTFTP service is enabled. This flaw could allow a malicious TFTP client\nto crash the dnsmasq service. (CVE-2009-2958)\n\nNote: The default tftp-root is '/var/ftpd', which is short enough to\nmake it difficult to exploit the CVE-2009-2957 issue; if a longer\ndirectory name is used, arbitrary code execution may be possible. As\nwell, the dnsmasq package distributed by Red Hat does not have TFTP\nsupport enabled by default.\n\nAfter installing the updated package, the dnsmasq service must be\nrestarted for the update to take effect.", "edition": 26, "published": "2012-08-01T00:00:00", "title": "Scientific Linux Security Update : dnsmasq on SL5.x i386/x86_64", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "modified": "2012-08-01T00:00:00", "cpe": ["x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20090831_DNSMASQ_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/60649", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(60649);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-2957\", \"CVE-2009-2958\");\n\n script_name(english:\"Scientific Linux Security Update : dnsmasq on SL5.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Scientific Linux host is missing a security update.\"\n );\n 
script_set_attribute(\n attribute:\"description\", \n value:\n\"CVE-2009-2957, CVE-2009-2958 dnsmasq: multiple vulnerabilities in TFTP\nserver\n\nCore Security Technologies discovered a heap overflow flaw in dnsmasq\nwhen the TFTP service is enabled (the '--enable-tftp' command line\noption, or by enabling 'enable-tftp' in '/etc/dnsmasq.conf'). If the\nconfigured tftp-root is sufficiently long, and a remote user sends a\nrequest that sends a long file name, dnsmasq could crash or, possibly,\nexecute arbitrary code with the privileges of the dnsmasq service\n(usually the unprivileged 'nobody' user). (CVE-2009-2957)\n\nA NULL pointer dereference flaw was discovered in dnsmasq when the\nTFTP service is enabled. This flaw could allow a malicious TFTP client\nto crash the dnsmasq service. (CVE-2009-2958)\n\nNote: The default tftp-root is '/var/ftpd', which is short enough to\nmake it difficult to exploit the CVE-2009-2957 issue; if a longer\ndirectory name is used, arbitrary code execution may be possible. 
As\nwell, the dnsmasq package distributed by Red Hat does not have TFTP\nsupport enabled by default.\n\nAfter installing the updated package, the dnsmasq service must be\nrestarted for the update to take effect.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0909&L=scientific-linux-errata&T=0&P=80\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c3651c23\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dnsmasq package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cwe_id(119, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/08/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"dnsmasq-2.45-1.1.el5_3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:12", "description": "\nDnsmasq 2.50 - Heap Overflow Null Pointer Dereference", "edition": 1, "published": "2009-09-09T00:00:00", "title": "Dnsmasq 2.50 - Heap Overflow Null Pointer Dereference", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "modified": "2009-09-09T00:00:00", "id": "EXPLOITPACK:ECB83F9533371579F3997366C239FB4D", "href": "", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n Core Security Technologies - CoreLabs Advisory\n http://www.coresecurity.com/corelabs/\n\n Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server\n\n\n1. 
*Advisory Information*\n\nTitle: Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server\nAdvisory ID: CORE-2009-0820\nAdvisory URL: http://www.coresecurity.com/content/dnsmasq-vulnerabilities\nDate published: 2009-08-31\nDate of last update: 2009-08-31\nVendors contacted: Simon Kelley\nRelease mode: Coordinated release\n\n\n2. *Vulnerability Information*\n\nClass: Buffer overflow\nRemotely Exploitable: Yes\nLocally Exploitable: No\nBugtraq ID: 36120, 36121\nCVE Name: CVE-2009-2957, CVE-2009-2958\n\n\n3. *Vulnerability Description*\n\nDnsmasq is a lightweight DNS forwarder and DHCP server. A vulnerability\nhas been found that may allow an attacker to execute arbitrary code on\nservers or home routers running dnsmasq[1] with the TFTP service[2][3]\nenabled ('--enable-tfp'). This service is not enabled by default on most\ndistributions; in particular it is not enabled by default on OpenWRT or\nDD-WRT. Chances of successful exploitation increase when a long\ndirectory prefix is used for TFTP. Code will be executed with the\nprivileges of the user running dnsmasq, which is normally a\nnon-privileged one.\n\nAdditionally there is a potential DoS attack to the TFTP service by\nexploiting a null-pointer dereference vulnerability.\n\n\n4. *Vulnerable packages*\n\n . dnsmasq 2.40.\n . dnsmasq 2.41.\n . dnsmasq 2.42.\n . dnsmasq 2.43.\n . dnsmasq 2.44.\n . dnsmasq 2.45.\n . dnsmasq 2.46.\n . dnsmasq 2.47.\n . dnsmasq 2.48.\n . dnsmasq 2.49.\n . Older versions are probably affected too, but they were not checked.\n\n\n5. *Non-vulnerable packages*\n\n . dnsmasq 2.50\n\n\n6. *Vendor Information, Solutions and Workarounds*\n\nIf the TFTP service is enabled and patching is not available\nimmediately, a valid workaround is to filter TFTP for untrusted hosts in\nthe network (such as the Internet). This is the default configuration\nwhen enabling TFTP on most home routers.\n\nPatches are already available from the software author. 
Most\ndistributions should release updates for binary packages soon.\n\n\n7. *Credits*\n\nThe heap-overflow vulnerability (CVE-2009-2957) was discovered during\nBugweek 2009 by Pablo Jorge and Alberto Solino from the team \"Los\nHerederos de Don Pablo\" of Core Security Technologies.\n\nThe null-pointer dereference (CVE-2009-2958) was reported to the author\nof dnsmasq independently by an uncredited code auditor. It was merged\nwith this advisory for user's convenience.\n\n\n8. *Technical Description*\n\n8.1. *Heap Overflow vulnerability (CVE-2009-2957, BID 36121)*\n\nFirst let's focus on the overflow vulnerability. The 'tftp_request'\ncalls 'strncat' on 'daemon->namebuff', which has a predefined size of\n'MAXDNAME' bytes (defaulting to 1025).\n\n/-----------\nelse if (filename[0] == '/')\n daemon->namebuff[0] = 0;\nstrncat(daemon->namebuff, filename, MAXDNAME);\n- -----------/\n\nThis may cause a heap overflow because 'daemon->namebuff' may already\ncontain data, namely the configured 'daemon->tftp_prefix' passed to the\ndaemon via a configuration file.\n\n/-----------\nif (daemon->tftp_prefix)\n{\n if (daemon->tftp_prefix[0] == '/')\n daemon->namebuff[0] = 0;\n strncat(daemon->namebuff, daemon->tftp_prefix, MAXDNAME)\n- -----------/\n\nThe default prefix is '/var/tftpd', but if a longer prefix is used,\narbitrary code execution may be possible.\n\nSending the string resulting from the execution of the following python\nsnippet to a vulnerable server, with a long enough directory prefix\nconfigured, should crash the daemon.\n\n/-----------\nimport sys\nsys.stdout.write( '\\x00\\x01' + \"A\"*1535 + '\\x00' + \"netascii\" + '\\x00' )\n- -----------/\n\n8.2. *Null-pointer Dereference vulnerability (CVE-2009-2958, BID 36120)*\n\nNow onto the null-pointer dereference. 
The user can crash the service by\nhandcrafting a packet, because of a problem on the guard of the first if\ninside this code loop:\n\n/-----------\nwhile ((opt = next(&p, end)))\n {\n if (strcasecmp(opt, \"blksize\") == 0 &&\n (opt = next(&p, end)) &&\n !(daemon->options & OPT_TFTP_NOBLOCK))\n {\n transfer->blocksize = atoi(opt);\n if (transfer->blocksize < 1)\n transfer->blocksize = 1;\n if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)\n transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;\n transfer->opt_blocksize = 1;\n transfer->block = 0;\n }\n\n if (strcasecmp(opt, \"tsize\") == 0 && next(&p, end) &&\n !transfer->netascii)\n {\n transfer->opt_transize = 1;\n transfer->block = 0;\n }\n }\n- -----------/\n\nThe problem exists because the guard of the first if includes the result\nof 'opt = next(&p, end)' as part of the check. If this returns 'NULL',\nthe guard will fail and in the next if 'strcasecmp(opt, \"tsize\")' will\nderrefence the null-pointer.\n\n\n9. *Report Timeline*\n\n. 2009-08-20:\nCore Security Technologies notifies Simon Kelley of the vulnerability,\nincluding technical details of the vulnerability in an advisory draft.\n\n. 2009-08-21:\nSimon Kelley acknowledges the vulnerability and confirms to be working\non a patch. He also informs that he is aware that most home router\ndistributions have tftp turned off by default, and firewalled, and\nsuggests this should be mentioned on the advisory. Simon also mentions\nthat a NULL-pointer dereference bug has also been discovered on that\ncode, and suggests merging both bugs in the same advisory. Monday 31/08\nis accepted as a possible release date for this advisory, and help is\noffered in contacting package maintainers of dnsmasq for most operating\nsystems.\n\n. 
2009-08-21:\nCore changes the advisory draft to accommodate Simon's suggestions.\nAbout the NULL-pointer dereference, Core mentions the terms it thinks\nappropriate for the bug to be merged into this advisory, and details how\nthis would affect the following procedures, such as asking for a\nCVE/Bugtraq ID.\n\n. 2009-08-23:\nSimon Kelley contacts Core back, saying that the terms for the\nnull-pointer derrefence bug to be included in the advisory are ok. He\nalso mentions that the finder of this bug prefers to remain uncredited\nin this advisory. Details are sent by him about the new bug so that the\nadvisory draft can be updated to include it.\n\n. 2009-08-23:\nCore asks for proper CVE and Bugtraq ID numbers, specifying it believes\neach vulnerability reported in this advisory should be assigned its own.\n\n. 2009-08-23:\nVincent Danen, from Red Hat's Security Response Team contacts Core in\norder to discuss both vulnerabilities by a secure communications\nchannel, and offers its help in obtaining proper CVE numbers, specifying\nthey also believe a separate number should be assigned to each\nvulnerability.\n\n. 2009-08-23:\nCore replies to Vincent Danen by sending its gpg key. Core also mentions\nseparate CVE numbers have already been asked.\n\n. 2009-08-23:\nCore replies to Simon Kelley, including a new advisory draft with both\nbugs merged.\n\n. 2009-08-23:\nCore receives proper CVE and Bugtraq ID numbers for both bugs, and sends\nthem to Red Hat and Simon Kelley.\n\n. 2009-08-31:\nThe advisory CORE-2009-0820 is published.\n\n\n10. *References*\n\n[1] http://www.thekelleys.org.uk/dnsmasq/doc.html\n[2] http://www.isi.edu/in-notes/ien/ien133.txt\n[3] http://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol\n\n\n11. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. 
We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography.\nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies.\nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://www.coresecurity.com/corelabs.\n\n\n12. *About Core Security Technologies*\n\nCore Security Technologies develops strategic solutions that help\nsecurity-conscious organizations worldwide develop and maintain a\nproactive process for securing their networks. The company's flagship\nproduct, CORE IMPACT, is the most comprehensive product for performing\nenterprise security assurance testing. CORE IMPACT evaluates network,\nendpoint and end-user vulnerabilities and identifies what resources are\nexposed. It enables organizations to determine if current security\ninvestments are detecting and preventing attacks. Core Security\nTechnologies augments its leading technology solution with world-class\nsecurity consulting services, including penetration testing and software\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\nhttp://www.coresecurity.com.\n\n\n13. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2009 Core Security\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\nprovided that no fee is charged for this distribution and proper credit\nis given.\n\n\n14. 
*PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.7 (MingW32)\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\n\niD8DBQFKp9rOyNibggitWa0RAjkbAJ0SLIFwI1CMF7IOHSDv+Fg0DwFNQwCfWsZm\nwa3syAdyXlixVdQhdk5vcK0=\n=tfqM\n-----END PGP SIGNATURE-----\n\n# milw0rm.com [2009-09-09]", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:13:15", "description": "", "published": "2009-09-02T00:00:00", "type": "packetstorm", "title": "Core Security Technologies Advisory 2009.0820", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "modified": "2009-09-02T00:00:00", "id": "PACKETSTORM:80896", "href": "https://packetstormsecurity.com/files/80896/Core-Security-Technologies-Advisory-2009.0820.html", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \n \nHash: SHA1 \n \n \n \nCore Security Technologies - CoreLabs Advisory \nhttp://www.coresecurity.com/corelabs/ \n \nDnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server \n \n \n1. *Advisory Information* \n \nTitle: Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server \nAdvisory ID: CORE-2009-0820 \nAdvisory URL: http://www.coresecurity.com/content/dnsmasq-vulnerabilities \nDate published: 2009-08-31 \nDate of last update: 2009-08-31 \nVendors contacted: Simon Kelley \nRelease mode: Coordinated release \n \n \n2. *Vulnerability Information* \n \nClass: Buffer overflow \nRemotely Exploitable: Yes \nLocally Exploitable: No \nBugtraq ID: 36120, 36121 \nCVE Name: CVE-2009-2957, CVE-2009-2958 \n \n \n3. *Vulnerability Description* \n \nDnsmasq is a lightweight DNS forwarder and DHCP server. 
A \nvulnerability has been found that may allow an attacker to execute \narbitrary code on servers or home routers running dnsmasq[1] with the \nTFTP service[2][3] enabled ('--enable-tfp'). This service is not \nenabled by default on most distributions; in particular it is not \nenabled by default on OpenWRT or DD-WRT. Chances of successful \nexploitation increase when a long directory prefix is used for TFTP. \nCode will be executed with the privileges of the user running dnsmasq, \nwhich is normally a non-privileged one. \n \nAdditionally there is a potential DoS attack to the TFTP service by \nexploiting a null-pointer dereference vulnerability. \n \n \n4. *Vulnerable packages* \n \n. dnsmasq 2.40. \n. dnsmasq 2.41. \n. dnsmasq 2.42. \n. dnsmasq 2.43. \n. dnsmasq 2.44. \n. dnsmasq 2.45. \n. dnsmasq 2.46. \n. dnsmasq 2.47. \n. dnsmasq 2.48. \n. dnsmasq 2.49. \n. Older versions are probably affected too, but they were not checked. \n \n \n5. *Non-vulnerable packages* \n \n. dnsmasq 2.50 \n \n \n6. *Vendor Information, Solutions and Workarounds* \n \nIf the TFTP service is enabled and patching is not available \nimmediately, a valid workaround is to filter TFTP for untrusted hosts \nin the network (such as the Internet). This is the default \nconfiguration when enabling TFTP on most home routers. \n \nPatches are already available from the software author. Most \ndistributions should release updates for binary packages soon. \n \n \n7. *Credits* \n \nThe heap-overflow vulnerability (CVE-2009-2957) was discovered during \nBugweek 2009 by Pablo Jorge and Alberto Solino from the team \"Los \nHerederos de Don Pablo\" of Core Security Technologies. \n \nThe null-pointer dereference (CVE-2009-2958) was reported to the \nauthor of dnsmasq independently by an uncredited code auditor. It was \nmerged with this advisory for user's convenience. \n \n \n8. *Technical Description* \n \n \n8.1. 
*Heap Overflow vulnerability (CVE-2009-2957, BID 36121)* \n \nFirst let's focus on the overflow vulnerability. The 'tftp_request' \ncalls 'strncat' on 'daemon->namebuff', which has a predefined size of \n'MAXDNAME' bytes (defaulting to 1025). \n \n/----------- \n \nelse if (filename[0] == '/') \ndaemon->namebuff[0] = 0; \nstrncat(daemon->namebuff, filename, MAXDNAME); \n \n- -----------/ \n \n \n \nThis may cause a heap overflow because 'daemon->namebuff' may already \ncontain data, namely the configured 'daemon->tftp_prefix' passed to \nthe daemon via a configuration file. \n \n/----------- \n \nif (daemon->tftp_prefix) \n{ \nif (daemon->tftp_prefix[0] == '/') \ndaemon->namebuff[0] = 0; \nstrncat(daemon->namebuff, daemon->tftp_prefix, MAXDNAME) \n \n- -----------/ \n \n \n \nThe default prefix is '/var/tftpd', but if a longer prefix is used, \narbitrary code execution may be possible. \n \nSending the string resulting from the execution of the following \npython snippet to a vulnerable server, with a long enough directory \nprefix configured, should crash the daemon. \n \n/----------- \n \nimport sys \nsys.stdout.write( '\\x00\\x01' + \"A\"*1535 + '\\x00' + \"netascii\" + '\\x00' ) \n \n- -----------/ \n \n \n \n \n8.2. *Null-pointer Dereference vulnerability (CVE-2009-2958, BID 36120)* \n \nNow onto the null-pointer dereference. 
The user can crash the service \nby handcrafting a packet, because of a problem on the guard of the \nfirst if inside this code loop: \n \n/----------- \n \nwhile ((opt = next(&p, end))) \n{ \nif (strcasecmp(opt, \"blksize\") == 0 && \n(opt = next(&p, end)) && \n!(daemon->options & OPT_TFTP_NOBLOCK)) \n{ \ntransfer->blocksize = atoi(opt); \nif (transfer->blocksize < 1) \ntransfer->blocksize = 1; \nif (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4) \ntransfer->blocksize = (unsigned)daemon->packet_buff_sz - 4; \ntransfer->opt_blocksize = 1; \ntransfer->block = 0; \n} \n \nif (strcasecmp(opt, \"tsize\") == 0 && next(&p, end) && \n!transfer->netascii) \n{ \ntransfer->opt_transize = 1; \ntransfer->block = 0; \n} \n} \n \n- -----------/ \n \nThe problem exists because the guard of the first if includes the \nresult of 'opt = next(&p, end)' as part of the check. If this returns \n'NULL', the guard will fail and in the next if 'strcasecmp(opt, \n\"tsize\")' will dereference the null-pointer. \n \n \n9. *Report Timeline* \n \n. 2009-08-20: \nCore Security Technologies notifies Simon Kelley of the vulnerability, \nincluding technical details of the vulnerability in an advisory draft. \n \n. 2009-08-21: \nSimon Kelley acknowledges the vulnerability and confirms that he is working \non a patch. He also notes that he is aware that most home router \ndistributions have tftp turned off by default, and firewalled, and \nsuggests this should be mentioned on the advisory. Simon also mentions \nthat a NULL-pointer dereference bug has also been discovered on that \ncode, and suggests merging both bugs in the same advisory. Monday \n31/08 is accepted as a possible release date for this advisory, and \nhelp is offered in contacting package maintainers of dnsmasq for most \noperating systems. \n \n. 2009-08-21: \nCore changes the advisory draft to accommodate Simon's suggestions. 
\nAbout the NULL-pointer dereference, Core mentions the terms it thinks \nappropriate for the bug to be merged into this advisory, and details \nhow this would affect the following procedures, such as asking for a \nCVE/Bugtraq ID. \n \n. 2009-08-23: \nSimon Kelley contacts Core back, saying that the terms for the \nnull-pointer dereference bug to be included in the advisory are ok. He \nalso mentions that the finder of this bug prefers to remain uncredited \nin this advisory. Details are sent by him about the new bug so that \nthe advisory draft can be updated to include it. \n \n. 2009-08-23: \nCore asks for proper CVE and Bugtraq ID numbers, specifying it \nbelieves each vulnerability reported in this advisory should be \nassigned its own. \n \n. 2009-08-23: \nVincent Danen, from Red Hat's Security Response Team, contacts Core in \norder to discuss both vulnerabilities by a secure communications \nchannel, and offers his help in obtaining proper CVE numbers, \nspecifying they also believe a separate number should be assigned to \neach vulnerability. \n \n. 2009-08-23: \nCore replies to Vincent Danen by sending its gpg key. Core also \nmentions separate CVE numbers have already been requested. \n \n. 2009-08-23: \nCore replies to Simon Kelley, including a new advisory draft with both \nbugs merged. \n \n. 2009-08-23: \nCore receives proper CVE and Bugtraq ID numbers for both bugs, and \nsends them to Red Hat and Simon Kelley. \n \n. 2009-08-31: \nThe advisory CORE-2009-0820 is published. \n \n \n \n10. *References* \n \n[1] http://www.thekelleys.org.uk/dnsmasq/doc.html \n[2] http://www.isi.edu/in-notes/ien/ien133.txt \n[3] http://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol \n \n \n11. *About CoreLabs* \n \nCoreLabs, the research center of Core Security Technologies, is \ncharged with anticipating the future needs and requirements for \ninformation security technologies. 
We conduct our research in several \nimportant areas of computer security including system vulnerabilities, \ncyber attack planning and simulation, source code auditing, and \ncryptography. Our results include problem formalization, \nidentification of vulnerabilities, novel solutions and prototypes for \nnew technologies. CoreLabs regularly publishes security advisories, \ntechnical papers, project information and shared software tools for \npublic use at: http://www.coresecurity.com/corelabs. \n \n \n12. *About Core Security Technologies* \n \nCore Security Technologies develops strategic solutions that help \nsecurity-conscious organizations worldwide develop and maintain a \nproactive process for securing their networks. The company's flagship \nproduct, CORE IMPACT, is the most comprehensive product for performing \nenterprise security assurance testing. CORE IMPACT evaluates network, \nendpoint and end-user vulnerabilities and identifies what resources \nare exposed. It enables organizations to determine if current security \ninvestments are detecting and preventing attacks. Core Security \nTechnologies augments its leading technology solution with world-class \nsecurity consulting services, including penetration testing and \nsoftware security auditing. Based in Boston, MA and Buenos Aires, \nArgentina, Core Security Technologies can be reached at 617-399-6980 \nor on the Web at http://www.coresecurity.com. \n \n \n13. *Disclaimer* \n \nThe contents of this advisory are copyright (c) 2009 Core Security \nTechnologies and (c) 2009 CoreLabs, and may be distributed freely \nprovided that no fee is charged for this distribution and proper \ncredit is given. \n \n \n14. *PGP/GPG Keys* \n \nThis advisory has been signed with the GPG key of Core Security \nTechnologies advisories team, which is available for download at \nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. 
\n \n \n-----BEGIN PGP SIGNATURE----- \n \nVersion: GnuPG v2.0.12 (MingW32) \n \nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ \n \n \n \niEYEARECAAYFAkqcRQMACgkQyNibggitWa10dACdFj5uU4P3FwXEzNLqSmfaATR9 \n \nM9AAnjRF5IQ75E5x6iQDIp5FU5CjkSXe \n \n=loI2 \n \n-----END PGP SIGNATURE----- \n \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/80896/CORE-2009-0820.txt"}], "debian": [{"lastseen": "2020-11-11T13:16:23", "bulletinFamily": "unix", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1876-1 security@debian.org\nhttp://www.debian.org/security/ Florian Weimer\nSeptember 01, 2009 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : dnsmasq\nVulnerability : buffer overflow\nProblem type : remote\nDebian-specific: no\nCVE Id(s) : CVE-2009-2957 CVE-2009-2958\n\nSeveral remote vulnerabilities have been discovered in the TFTP\ncomponent of dnsmasq. 
The Common Vulnerabilities and Exposures\nproject identifies the following problems:\n\nCVE-2009-2957\n A buffer overflow in TFTP processing may enable arbitrary code\n execution to attackers which are permitted to use the TFTP service.\n\nCVE-2009-2958\n Malicious TFTP clients may crash dnsmasq, leading to denial of\n service.\n\nThe old stable distribution is not affected by these problems.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 2.45-1+lenny1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2.50-1.\n\nWe recommend that you upgrade your dnsmasq packages.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 5.0 alias lenny\n- --------------------------------\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.45.orig.tar.gz\n Size/MD5 checksum: 377466 59106495260bb2d0f184f0d4ae88d740\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.45-1+lenny1.diff.gz\n Size/MD5 checksum: 14514 c841708d86ea6a13f4f168d311638ff5\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.45-1+lenny1.dsc\n Size/MD5 checksum: 1006 377658fb3cb46cc670a86e475ff70533\n\nArchitecture independent packages:\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq_2.45-1+lenny1_all.deb\n Size/MD5 checksum: 12110 716c6f4f6e478f5a0f248725e4544dda\n\nalpha architecture (DEC Alpha)\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_alpha.deb\n Size/MD5 checksum: 267294 
d7ba6bd2b7363246587cf4ab8b78f721\n\namd64 architecture (AMD x86_64 (AMD64))\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_amd64.deb\n Size/MD5 checksum: 258118 3b5fc290f6bfacd7450fbc138e63bcb7\n\narm architecture (ARM)\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_arm.deb\n Size/MD5 checksum: 250676 0011c21826ab5f3b9c64444113acc97f\n\narmel architecture (ARM EABI)\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_armel.deb\n Size/MD5 checksum: 252830 5999eff243a849fe31fba765e92228d0\n\nhppa architecture (HP PA RISC)\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_hppa.deb\n Size/MD5 checksum: 258292 cadea4880ef01292affd271cde276226\n\ni386 architecture (Intel ia32)\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_i386.deb\n Size/MD5 checksum: 251182 cdad8cd873dc28fd69fdd7ca2e59cec1\n\nia64 architecture (Intel ia64)\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_ia64.deb\n Size/MD5 checksum: 301522 2723ddacd61bf4378115a1701848fa2c\n\nmips architecture (MIPS (Big Endian))\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_mips.deb\n Size/MD5 checksum: 256426 0873691aa0b37c2873e93e1132d0db95\n\nmipsel architecture (MIPS (Little Endian))\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_mipsel.deb\n Size/MD5 checksum: 257982 dd6342a053fc0bb9a3be6ec5b4aa3b2f\n\npowerpc architecture (PowerPC)\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_powerpc.deb\n Size/MD5 checksum: 257426 58e705f584e41b2598a6d62bfc7e2671\n\ns390 architecture (IBM S/390)\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_s390.deb\n Size/MD5 checksum: 255328 3abfb764f944344064aed16352156b04\n\nsparc architecture (Sun 
SPARC/UltraSPARC)\n\n http://security.debian.org/pool/updates/main/d/dnsmasq/dnsmasq-base_2.45-1+lenny1_sparc.deb\n Size/MD5 checksum: 252234 4a6db5969b47698346b59828928dc0b5\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 3, "modified": "2009-09-01T19:48:20", "published": "2009-09-01T19:48:20", "id": "DEBIAN:DSA-1876-1:6443C", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2009/msg00195.html", "title": "[SECURITY] [DSA 1876-1] New dnsmasq packages fix remote code execution", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "description": "Dnsmasq is lightweight, easy to configure DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network. It can serve the names of local machines which are not in the global DNS. The DHCP server integrates with the DNS server and allows machines with DHCP-allocated addresses to appear in the DNS with names configured either in each host or in a central configuration file. Dnsmasq supports static and dynamic DHCP leases and BOOTP for network booting of diskless machines. 
", "modified": "2009-10-14T01:33:55", "published": "2009-10-14T01:33:55", "id": "FEDORA:134A110F86A", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 11 Update: dnsmasq-2.46-3.fc11", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:49", "bulletinFamily": "unix", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "description": "Dnsmasq is lightweight, easy to configure DNS forwarder and DHCP server. It is designed to provide DNS and, optionally, DHCP, to a small network. It can serve the names of local machines which are not in the global DNS. The DHCP server integrates with the DNS server and allows machines with DHCP-allocated addresses to appear in the DNS with names configured either in each host or in a central configuration file. Dnsmasq supports static and dynamic DHCP leases and BOOTP for network booting of diskless machines. ", "modified": "2009-10-14T01:59:02", "published": "2009-10-14T01:59:02", "id": "FEDORA:D259110F8A3", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 10 Update: dnsmasq-2.46-2.fc10", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:34:12", "bulletinFamily": "unix", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "description": "\nSimon Kelley reports:\n\nFix security problem which allowed any host permitted to\n\t do TFTP to possibly compromise dnsmasq by remote buffer\n\t overflow when TFTP enabled.\nFix a problem which allowed a malicious TFTP client to\n\t crash dnsmasq.\n\n", "edition": 4, "modified": "2009-08-31T00:00:00", "published": "2009-08-31T00:00:00", "id": "80AA98E0-97B4-11DE-B946-0030843D3802", "href": "https://vuxml.freebsd.org/freebsd/80aa98e0-97b4-11de-b946-0030843d3802.html", "title": "dnsmasq -- TFTP server remote code injection vulnerability", "type": "freebsd", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2020-07-09T00:33:44", "bulletinFamily": "unix", 
"cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "description": "Iv\u00e1n Arce, Pablo Hern\u00e1n Jorge, Alejandro Pablo Rodriguez, Mart\u00edn Coco, \nAlberto Soli\u00f1o Testa and Pablo Annetta discovered that Dnsmasq did not \nproperly validate its input when processing TFTP requests for files with \nlong names. A remote attacker could cause a denial of service or execute \narbitrary code with user privileges. Dnsmasq runs as the 'dnsmasq' user by \ndefault on Ubuntu. (CVE-2009-2957)\n\nSteve Grubb discovered that Dnsmasq could be made to dereference a NULL \npointer when processing certain TFTP requests. A remote attacker could \ncause a denial of service by sending a crafted TFTP request. \n(CVE-2009-2958)", "edition": 5, "modified": "2009-09-01T00:00:00", "published": "2009-09-01T00:00:00", "id": "USN-827-1", "href": "https://ubuntu.com/security/notices/USN-827-1", "title": "Dnsmasq vulnerabilities", "type": "ubuntu", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-01T11:00:03", "description": "Dnsmasq < 2.50 Heap Overflow & Null pointer Dereference Vulns. CVE-2009-2957,CVE-2009-2958. DoS exploit for windows platform", "published": "2009-09-09T00:00:00", "type": "exploitdb", "title": "Dnsmasq < 2.50 - Heap Overflow & Null pointer Dereference Vulns", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "modified": "2009-09-09T00:00:00", "id": "EDB-ID:9617", "href": "https://www.exploit-db.com/exploits/9617/", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n Core Security Technologies - CoreLabs Advisory\r\n http://www.coresecurity.com/corelabs/\r\n\r\n Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server\r\n\r\n\r\n1. 
*Advisory Information*\r\n\r\nTitle: Dnsmasq Heap Overflow and Null-pointer Dereference on TFTP Server\r\nAdvisory ID: CORE-2009-0820\r\nAdvisory URL: http://www.coresecurity.com/content/dnsmasq-vulnerabilities\r\nDate published: 2009-08-31\r\nDate of last update: 2009-08-31\r\nVendors contacted: Simon Kelley\r\nRelease mode: Coordinated release\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Buffer overflow\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nBugtraq ID: 36120, 36121\r\nCVE Name: CVE-2009-2957, CVE-2009-2958\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nDnsmasq is a lightweight DNS forwarder and DHCP server. A vulnerability\r\nhas been found that may allow an attacker to execute arbitrary code on\r\nservers or home routers running dnsmasq[1] with the TFTP service[2][3]\r\nenabled ('--enable-tftp'). This service is not enabled by default on most\r\ndistributions; in particular it is not enabled by default on OpenWRT or\r\nDD-WRT. Chances of successful exploitation increase when a long\r\ndirectory prefix is used for TFTP. Code will be executed with the\r\nprivileges of the user running dnsmasq, which is normally a\r\nnon-privileged one.\r\n\r\nAdditionally there is a potential DoS attack to the TFTP service by\r\nexploiting a null-pointer dereference vulnerability.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . dnsmasq 2.40.\r\n . dnsmasq 2.41.\r\n . dnsmasq 2.42.\r\n . dnsmasq 2.43.\r\n . dnsmasq 2.44.\r\n . dnsmasq 2.45.\r\n . dnsmasq 2.46.\r\n . dnsmasq 2.47.\r\n . dnsmasq 2.48.\r\n . dnsmasq 2.49.\r\n . Older versions are probably affected too, but they were not checked.\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . dnsmasq 2.50\r\n\r\n\r\n6. *Vendor Information, Solutions and Workarounds*\r\n\r\nIf the TFTP service is enabled and patching is not available\r\nimmediately, a valid workaround is to filter TFTP for untrusted hosts in\r\nthe network (such as the Internet). 
This is the default configuration\r\nwhen enabling TFTP on most home routers.\r\n\r\nPatches are already available from the software author. Most\r\ndistributions should release updates for binary packages soon.\r\n\r\n\r\n7. *Credits*\r\n\r\nThe heap-overflow vulnerability (CVE-2009-2957) was discovered during\r\nBugweek 2009 by Pablo Jorge and Alberto Solino from the team \"Los\r\nHerederos de Don Pablo\" of Core Security Technologies.\r\n\r\nThe null-pointer dereference (CVE-2009-2958) was reported to the author\r\nof dnsmasq independently by an uncredited code auditor. It was merged\r\nwith this advisory for user's convenience.\r\n\r\n\r\n8. *Technical Description*\r\n\r\n8.1. *Heap Overflow vulnerability (CVE-2009-2957, BID 36121)*\r\n\r\nFirst let's focus on the overflow vulnerability. The 'tftp_request'\r\ncalls 'strncat' on 'daemon->namebuff', which has a predefined size of\r\n'MAXDNAME' bytes (defaulting to 1025).\r\n\r\n/-----------\r\nelse if (filename[0] == '/')\r\n daemon->namebuff[0] = 0;\r\nstrncat(daemon->namebuff, filename, MAXDNAME);\r\n- -----------/\r\n\r\nThis may cause a heap overflow because 'daemon->namebuff' may already\r\ncontain data, namely the configured 'daemon->tftp_prefix' passed to the\r\ndaemon via a configuration file.\r\n\r\n/-----------\r\nif (daemon->tftp_prefix)\r\n{\r\n if (daemon->tftp_prefix[0] == '/')\r\n daemon->namebuff[0] = 0;\r\n strncat(daemon->namebuff, daemon->tftp_prefix, MAXDNAME)\r\n- -----------/\r\n\r\nThe default prefix is '/var/tftpd', but if a longer prefix is used,\r\narbitrary code execution may be possible.\r\n\r\nSending the string resulting from the execution of the following python\r\nsnippet to a vulnerable server, with a long enough directory prefix\r\nconfigured, should crash the daemon.\r\n\r\n/-----------\r\nimport sys\r\nsys.stdout.write( '\\x00\\x01' + \"A\"*1535 + '\\x00' + \"netascii\" + '\\x00' )\r\n- -----------/\r\n\r\n8.2. 
*Null-pointer Dereference vulnerability (CVE-2009-2958, BID 36120)*\r\n\r\nNow onto the null-pointer dereference. The user can crash the service by\r\nhandcrafting a packet, because of a problem on the guard of the first if\r\ninside this code loop:\r\n\r\n/-----------\r\nwhile ((opt = next(&p, end)))\r\n {\r\n if (strcasecmp(opt, \"blksize\") == 0 &&\r\n (opt = next(&p, end)) &&\r\n !(daemon->options & OPT_TFTP_NOBLOCK))\r\n {\r\n transfer->blocksize = atoi(opt);\r\n if (transfer->blocksize < 1)\r\n transfer->blocksize = 1;\r\n if (transfer->blocksize > (unsigned)daemon->packet_buff_sz - 4)\r\n transfer->blocksize = (unsigned)daemon->packet_buff_sz - 4;\r\n transfer->opt_blocksize = 1;\r\n transfer->block = 0;\r\n }\r\n\r\n if (strcasecmp(opt, \"tsize\") == 0 && next(&p, end) &&\r\n !transfer->netascii)\r\n {\r\n transfer->opt_transize = 1;\r\n transfer->block = 0;\r\n }\r\n }\r\n- -----------/\r\n\r\nThe problem exists because the guard of the first if includes the result\r\nof 'opt = next(&p, end)' as part of the check. If this returns 'NULL',\r\nthe guard will fail and in the next if 'strcasecmp(opt, \"tsize\")' will\r\ndereference the null-pointer.\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2009-08-20:\r\nCore Security Technologies notifies Simon Kelley of the vulnerability,\r\nincluding technical details of the vulnerability in an advisory draft.\r\n\r\n. 2009-08-21:\r\nSimon Kelley acknowledges the vulnerability and confirms that he is working\r\non a patch. He also notes that he is aware that most home router\r\ndistributions have tftp turned off by default, and firewalled, and\r\nsuggests this should be mentioned on the advisory. Simon also mentions\r\nthat a NULL-pointer dereference bug has also been discovered on that\r\ncode, and suggests merging both bugs in the same advisory. Monday 31/08\r\nis accepted as a possible release date for this advisory, and help is\r\noffered in contacting package maintainers of dnsmasq for most operating\r\nsystems.\r\n\r\n. 
2009-08-21:\r\nCore changes the advisory draft to accommodate Simon's suggestions.\r\nAbout the NULL-pointer dereference, Core mentions the terms it thinks\r\nappropriate for the bug to be merged into this advisory, and details how\r\nthis would affect the following procedures, such as asking for a\r\nCVE/Bugtraq ID.\r\n\r\n. 2009-08-23:\r\nSimon Kelley contacts Core back, saying that the terms for the\r\nnull-pointer dereference bug to be included in the advisory are ok. He\r\nalso mentions that the finder of this bug prefers to remain uncredited\r\nin this advisory. Details are sent by him about the new bug so that the\r\nadvisory draft can be updated to include it.\r\n\r\n. 2009-08-23:\r\nCore asks for proper CVE and Bugtraq ID numbers, specifying it believes\r\neach vulnerability reported in this advisory should be assigned its own.\r\n\r\n. 2009-08-23:\r\nVincent Danen, from Red Hat's Security Response Team, contacts Core in\r\norder to discuss both vulnerabilities by a secure communications\r\nchannel, and offers his help in obtaining proper CVE numbers, specifying\r\nthey also believe a separate number should be assigned to each\r\nvulnerability.\r\n\r\n. 2009-08-23:\r\nCore replies to Vincent Danen by sending its gpg key. Core also mentions\r\nseparate CVE numbers have already been requested.\r\n\r\n. 2009-08-23:\r\nCore replies to Simon Kelley, including a new advisory draft with both\r\nbugs merged.\r\n\r\n. 2009-08-23:\r\nCore receives proper CVE and Bugtraq ID numbers for both bugs, and sends\r\nthem to Red Hat and Simon Kelley.\r\n\r\n. 2009-08-31:\r\nThe advisory CORE-2009-0820 is published.\r\n\r\n\r\n10. *References*\r\n\r\n[1] http://www.thekelleys.org.uk/dnsmasq/doc.html\r\n[2] http://www.isi.edu/in-notes/ien/ien133.txt\r\n[3] http://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol\r\n\r\n\r\n11. 
*About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\nhttp://www.coresecurity.com/corelabs.\r\n\r\n\r\n12. *About Core Security Technologies*\r\n\r\nCore Security Technologies develops strategic solutions that help\r\nsecurity-conscious organizations worldwide develop and maintain a\r\nproactive process for securing their networks. The company's flagship\r\nproduct, CORE IMPACT, is the most comprehensive product for performing\r\nenterprise security assurance testing. CORE IMPACT evaluates network,\r\nendpoint and end-user vulnerabilities and identifies what resources are\r\nexposed. It enables organizations to determine if current security\r\ninvestments are detecting and preventing attacks. Core Security\r\nTechnologies augments its leading technology solution with world-class\r\nsecurity consulting services, including penetration testing and software\r\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\r\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\r\nhttp://www.coresecurity.com.\r\n\r\n\r\n13. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2009 Core Security\r\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\r\nprovided that no fee is charged for this distribution and proper credit\r\nis given.\r\n\r\n\r\n14. 
*PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.7 (MingW32)\r\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\r\n\r\niD8DBQFKp9rOyNibggitWa0RAjkbAJ0SLIFwI1CMF7IOHSDv+Fg0DwFNQwCfWsZm\r\nwa3syAdyXlixVdQhdk5vcK0=\r\n=tfqM\r\n-----END PGP SIGNATURE-----\r\n\r\n# milw0rm.com [2009-09-09]\r\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/9617/"}], "openvas": [{"lastseen": "2017-07-25T10:56:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "description": "The remote host is missing an update to dnsmasq\nannounced via advisory FEDORA-2009-10252.", "modified": "2017-07-10T00:00:00", "published": "2009-10-19T00:00:00", "id": "OPENVAS:66043", "href": "http://plugins.openvas.org/nasl.php?oid=66043", "type": "openvas", "title": "Fedora Core 10 FEDORA-2009-10252 (dnsmasq)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_10252.nasl 6624 2017-07-10 06:11:55Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-10252 (dnsmasq)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nThis update fixes two security issues with dnsmasq's tftp server.\n\nChangeLog:\n\n* Mon Oct 5 2009 Mark McLoughlin - 2.46-2\n- Fix multiple TFTP server vulnerabilities (CVE-2009-2957, CVE-2009-2958)\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. 
Use \nsu -c 'yum update dnsmasq' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-10252\";\ntag_summary = \"The remote host is missing an update to dnsmasq\nannounced via advisory FEDORA-2009-10252.\";\n\n\n\nif(description)\n{\n script_id(66043);\n script_version(\"$Revision: 6624 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:11:55 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-19 21:50:22 +0200 (Mon, 19 Oct 2009)\");\n script_cve_id(\"CVE-2009-2957\", \"CVE-2009-2958\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Core 10 FEDORA-2009-10252 (dnsmasq)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=519020\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"dnsmasq\", rpm:\"dnsmasq~2.46~2.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dnsmasq-debuginfo\", rpm:\"dnsmasq-debuginfo~2.46~2.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else 
if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-06T11:40:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "description": "The remote host is missing an update to dnsmasq\nannounced via advisory FEDORA-2009-10285.", "modified": "2018-04-06T00:00:00", "published": "2009-10-19T00:00:00", "id": "OPENVAS:136141256231066037", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231066037", "type": "openvas", "title": "Fedora Core 11 FEDORA-2009-10285 (dnsmasq)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_10285.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-10285 (dnsmasq)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nThis update fixes two security issues with dnsmasq's tftp server.\n\nChangeLog:\n\n* Mon Oct 5 2009 Mark McLoughlin - 2.46-3\n- Fix multiple TFTP server vulnerabilities (CVE-2009-2957, CVE-2009-2958)\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update dnsmasq' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-10285\";\ntag_summary = \"The remote host is missing an update to dnsmasq\nannounced via advisory FEDORA-2009-10285.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.66037\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-19 21:50:22 +0200 (Mon, 19 Oct 2009)\");\n script_cve_id(\"CVE-2009-2957\", \"CVE-2009-2958\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Core 11 FEDORA-2009-10285 (dnsmasq)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=519020\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"dnsmasq\", rpm:\"dnsmasq~2.46~3.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dnsmasq-debuginfo\", rpm:\"dnsmasq-debuginfo~2.46~3.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:55:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "description": "Check for the Version of gnutls", "modified": "2017-07-10T00:00:00", "published": "2011-08-09T00:00:00", "id": "OPENVAS:880677", "href": "http://plugins.openvas.org/nasl.php?oid=880677", "type": "openvas", "title": "CentOS Update for gnutls CESA-2009:123 centos5 i386", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for gnutls CESA-2009:123 centos5 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public 
License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Dnsmasq is a lightweight and easy to configure DNS forwarder and DHCP\n server.\n\n Core Security Technologies discovered a heap overflow flaw in dnsmasq when\n the TFTP service is enabled (the "--enable-tftp" command line option, or by\n enabling "enable-tftp" in "/etc/dnsmasq.conf"). If the configured tftp-root\n is sufficiently long, and a remote user sends a request that sends a long\n file name, dnsmasq could crash or, possibly, execute arbitrary code with\n the privileges of the dnsmasq service (usually the unprivileged "nobody"\n user). (CVE-2009-2957)\n \n A NULL pointer dereference flaw was discovered in dnsmasq when the TFTP\n service is enabled. This flaw could allow a malicious TFTP client to crash\n the dnsmasq service. (CVE-2009-2958)\n \n Note: The default tftp-root is "/var/ftpd", which is short enough to make\n it difficult to exploit the CVE-2009-2957 issue; if a longer directory name\n is used, arbitrary code execution may be possible. As well, the dnsmasq\n package distributed by Red Hat does not have TFTP support enabled by\n default.\n \n All users of dnsmasq should upgrade to this updated package, which contains\n a backported patch to correct these issues. 
After installing the updated\n package, the dnsmasq service must be restarted for the update to take\n effect.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"gnutls on CentOS 5\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2009-August/016115.html\");\n script_id(880677);\n script_version(\"$Revision: 6653 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:46:53 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-08-09 08:20:34 +0200 (Tue, 09 Aug 2011)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"CESA\", value: \"2009:123\");\n script_cve_id(\"CVE-2009-2957\", \"CVE-2009-2958\");\n script_name(\"CentOS Update for gnutls CESA-2009:123 centos5 i386\");\n\n script_summary(\"Check for the Version of gnutls\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"gnutls\", rpm:\"gnutls~1.4.1~3.el5_3.5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"gnutls-devel\", rpm:\"gnutls-devel~1.4.1~3.el5_3.5\", rls:\"CentOS5\")) != NULL)\n {\n 
security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"gnutls-utils\", rpm:\"gnutls-utils~1.4.1~3.el5_3.5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-06T11:38:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "description": "The remote host is missing an update to dnsmasq\nannounced via advisory FEDORA-2009-10252.", "modified": "2018-04-06T00:00:00", "published": "2009-10-19T00:00:00", "id": "OPENVAS:136141256231066043", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231066043", "type": "openvas", "title": "Fedora Core 10 FEDORA-2009-10252 (dnsmasq)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_10252.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-10252 (dnsmasq)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nThis update fixes two security issues with dnsmasq's tftp server.\n\nChangeLog:\n\n* Mon Oct 5 2009 Mark McLoughlin - 2.46-2\n- Fix multiple TFTP server vulnerabilities (CVE-2009-2957, CVE-2009-2958)\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. Use \nsu -c 'yum update dnsmasq' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-10252\";\ntag_summary = \"The remote host is missing an update to dnsmasq\nannounced via advisory FEDORA-2009-10252.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.66043\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-19 21:50:22 +0200 (Mon, 19 Oct 2009)\");\n script_cve_id(\"CVE-2009-2957\", \"CVE-2009-2958\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Core 10 FEDORA-2009-10252 (dnsmasq)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=519020\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"dnsmasq\", rpm:\"dnsmasq~2.46~2.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dnsmasq-debuginfo\", rpm:\"dnsmasq-debuginfo~2.46~2.fc10\", rls:\"FC10\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:57:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "description": "The remote host is missing an update to dnsmasq\nannounced via advisory FEDORA-2009-10285.", "modified": "2017-07-10T00:00:00", "published": "2009-10-19T00:00:00", "id": "OPENVAS:66037", "href": "http://plugins.openvas.org/nasl.php?oid=66037", "type": "openvas", "title": "Fedora Core 11 FEDORA-2009-10285 (dnsmasq)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_10285.nasl 6624 2017-07-10 06:11:55Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-10285 (dnsmasq)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nThis update fixes two security issues with dnsmasq's tftp server.\n\nChangeLog:\n\n* Mon Oct 5 2009 Mark McLoughlin - 2.46-3\n- Fix multiple TFTP server vulnerabilities (CVE-2009-2957, CVE-2009-2958)\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. 
Use \nsu -c 'yum update dnsmasq' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-10285\";\ntag_summary = \"The remote host is missing an update to dnsmasq\nannounced via advisory FEDORA-2009-10285.\";\n\n\n\nif(description)\n{\n script_id(66037);\n script_version(\"$Revision: 6624 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:11:55 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-19 21:50:22 +0200 (Mon, 19 Oct 2009)\");\n script_cve_id(\"CVE-2009-2957\", \"CVE-2009-2958\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"Fedora Core 11 FEDORA-2009-10285 (dnsmasq)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=519020\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"dnsmasq\", rpm:\"dnsmasq~2.46~3.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dnsmasq-debuginfo\", rpm:\"dnsmasq-debuginfo~2.46~3.fc11\", rls:\"FC11\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else 
if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:55:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "description": "Check for the Version of dnsmasq", "modified": "2017-07-10T00:00:00", "published": "2011-08-09T00:00:00", "id": "OPENVAS:880761", "href": "http://plugins.openvas.org/nasl.php?oid=880761", "type": "openvas", "title": "CentOS Update for dnsmasq CESA-2009:1238 centos5 i386", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for dnsmasq CESA-2009:1238 centos5 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Dnsmasq is a lightweight and easy to configure DNS forwarder and DHCP\n server.\n\n Core Security Technologies discovered a heap overflow flaw in dnsmasq when\n the TFTP service is enabled (the "--enable-tftp" command line option, or by\n enabling "enable-tftp" in "/etc/dnsmasq.conf"). 
If the configured tftp-root\n is sufficiently long, and a remote user sends a request that sends a long\n file name, dnsmasq could crash or, possibly, execute arbitrary code with\n the privileges of the dnsmasq service (usually the unprivileged "nobody"\n user). (CVE-2009-2957)\n \n A NULL pointer dereference flaw was discovered in dnsmasq when the TFTP\n service is enabled. This flaw could allow a malicious TFTP client to crash\n the dnsmasq service. (CVE-2009-2958)\n \n Note: The default tftp-root is "/var/ftpd", which is short enough to make\n it difficult to exploit the CVE-2009-2957 issue; if a longer directory name\n is used, arbitrary code execution may be possible. As well, the dnsmasq\n package distributed by Red Hat does not have TFTP support enabled by\n default.\n \n All users of dnsmasq should upgrade to this updated package, which contains\n a backported patch to correct these issues. After installing the updated\n package, the dnsmasq service must be restarted for the update to take\n effect.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"dnsmasq on CentOS 5\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2009-September/016119.html\");\n script_id(880761);\n script_version(\"$Revision: 6653 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:46:53 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-08-09 08:20:34 +0200 (Tue, 09 Aug 2011)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"CESA\", value: \"2009:1238\");\n script_cve_id(\"CVE-2009-2957\", \"CVE-2009-2958\");\n script_name(\"CentOS Update for dnsmasq CESA-2009:1238 centos5 i386\");\n\n script_summary(\"Check for the Version of dnsmasq\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks 
GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"dnsmasq\", rpm:\"dnsmasq~2.45~1.1.el5_3\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-27T10:55:43", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "description": "The remote host is missing updates announced in\nadvisory RHSA-2009:1238.\n\nDnsmasq is a lightweight and easy to configure DNS forwarder and DHCP\nserver.\n\nCore Security Technologies discovered a heap overflow flaw in dnsmasq when\nthe TFTP service is enabled (the --enable-tftp command line option, or by\nenabling enable-tftp in /etc/dnsmasq.conf). If the configured tftp-root\nis sufficiently long, and a remote user sends a request that sends a long\nfile name, dnsmasq could crash or, possibly, execute arbitrary code with\nthe privileges of the dnsmasq service (usually the unprivileged nobody\nuser). (CVE-2009-2957)\n\nA NULL pointer dereference flaw was discovered in dnsmasq when the TFTP\nservice is enabled. This flaw could allow a malicious TFTP client to crash\nthe dnsmasq service. 
(CVE-2009-2958)\n\nNote: The default tftp-root is /var/ftpd, which is short enough to make\nit difficult to exploit the CVE-2009-2957 issue; if a longer directory name\nis used, arbitrary code execution may be possible. As well, the dnsmasq\npackage distributed by Red Hat does not have TFTP support enabled by\ndefault.\n\nAll users of dnsmasq should upgrade to this updated package, which contains\na backported patch to correct these issues. After installing the updated\npackage, the dnsmasq service must be restarted for the update to take\neffect.", "modified": "2017-07-12T00:00:00", "published": "2009-09-02T00:00:00", "id": "OPENVAS:64673", "href": "http://plugins.openvas.org/nasl.php?oid=64673", "type": "openvas", "title": "RedHat Security Advisory RHSA-2009:1238", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: RHSA_2009_1238.nasl 6683 2017-07-12 09:41:57Z cfischer $\n# Description: Auto-generated from advisory RHSA-2009:1238 ()\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates announced in\nadvisory RHSA-2009:1238.\n\nDnsmasq is a lightweight and easy to configure DNS forwarder and DHCP\nserver.\n\nCore Security Technologies discovered a heap overflow flaw in dnsmasq when\nthe TFTP service is enabled (the --enable-tftp command line option, or by\nenabling enable-tftp in /etc/dnsmasq.conf). If the configured tftp-root\nis sufficiently long, and a remote user sends a request that sends a long\nfile name, dnsmasq could crash or, possibly, execute arbitrary code with\nthe privileges of the dnsmasq service (usually the unprivileged nobody\nuser). (CVE-2009-2957)\n\nA NULL pointer dereference flaw was discovered in dnsmasq when the TFTP\nservice is enabled. This flaw could allow a malicious TFTP client to crash\nthe dnsmasq service. (CVE-2009-2958)\n\nNote: The default tftp-root is /var/ftpd, which is short enough to make\nit difficult to exploit the CVE-2009-2957 issue; if a longer directory name\nis used, arbitrary code execution may be possible. As well, the dnsmasq\npackage distributed by Red Hat does not have TFTP support enabled by\ndefault.\n\nAll users of dnsmasq should upgrade to this updated package, which contains\na backported patch to correct these issues. After installing the updated\npackage, the dnsmasq service must be restarted for the update to take\neffect.\";\n\ntag_solution = \"Please note that this update is available via\nRed Hat Network. 
To use Red Hat Network, launch the Red\nHat Update Agent with the following command: up2date\";\n\n\n\nif(description)\n{\n script_id(64673);\n script_version(\"$Revision: 6683 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-12 11:41:57 +0200 (Wed, 12 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-09-02 04:58:39 +0200 (Wed, 02 Sep 2009)\");\n script_cve_id(\"CVE-2009-2957\", \"CVE-2009-2958\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"RedHat Security Advisory RHSA-2009:1238\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"http://rhn.redhat.com/errata/RHSA-2009-1238.html\");\n script_xref(name : \"URL\" , value : \"http://www.redhat.com/security/updates/classification/#important\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"dnsmasq\", rpm:\"dnsmasq~2.45~1.1.el5_3\", rls:\"RHENT_5\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dnsmasq-debuginfo\", rpm:\"dnsmasq-debuginfo~2.45~1.1.el5_3\", rls:\"RHENT_5\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-25T10:57:17", 
"bulletinFamily": "scanner", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "description": "The remote host is missing updates to dnsmasq announced in\nadvisory CESA-2009:1238.", "modified": "2017-07-10T00:00:00", "published": "2009-09-09T00:00:00", "id": "OPENVAS:64830", "href": "http://plugins.openvas.org/nasl.php?oid=64830", "type": "openvas", "title": "CentOS Security Advisory CESA-2009:1238 (dnsmasq)", "sourceData": "#CESA-2009:1238 64830 2\n# $Id: ovcesa2009_1238.nasl 6650 2017-07-10 11:43:12Z cfischer $\n# Description: Auto-generated from advisory CESA-2009:1238 (dnsmasq)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"For details on the issues addressed in this update,\nplease visit the referenced security advisories.\";\ntag_solution = \"Update the appropriate packages on your system.\n\nhttp://www.securityspace.com/smysecure/catid.html?in=CESA-2009:1238\nhttp://www.securityspace.com/smysecure/catid.html?in=RHSA-2009:1238\nhttps://rhn.redhat.com/errata/RHSA-2009-1238.html\";\ntag_summary = \"The remote host is missing updates to dnsmasq announced in\nadvisory CESA-2009:1238.\";\n\n\n\nif(description)\n{\n script_id(64830);\n script_version(\"$Revision: 6650 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:43:12 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-09-09 02:15:49 +0200 (Wed, 09 Sep 2009)\");\n script_cve_id(\"CVE-2009-2957\", \"CVE-2009-2958\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"CentOS Security Advisory CESA-2009:1238 (dnsmasq)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"dnsmasq\", rpm:\"dnsmasq~2.45~1.1.el5_3\", rls:\"CentOS5\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-03-11T19:04:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "description": "Dnsmasq is prone to a remotely exploitable heap-overflow vulnerability\n because the software fails to properly bounds-check user-supplied\n input before copying it into an insufficiently sized memory buffer.", "modified": "2020-03-09T00:00:00", "published": "2009-09-02T00:00:00", "id": "OPENVAS:1361412562310100267", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310100267", "type": "openvas", "title": "Dnsmasq TFTP Service multiple vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Dnsmasq TFTP Service multiple vulnerabilities\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2009 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later 
version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:thekelleys:dnsmasq\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.100267\");\n script_version(\"2020-03-09T09:10:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-03-09 09:10:44 +0000 (Mon, 09 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2009-09-02 11:12:57 +0200 (Wed, 02 Sep 2009)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_bugtraq_id(36121, 36120);\n script_cve_id(\"CVE-2009-2957\", \"CVE-2009-2958\");\n script_name(\"Dnsmasq TFTP Service multiple vulnerabilities\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Buffer overflow\");\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_dependencies(\"dnsmasq_version.nasl\");\n script_mandatory_keys(\"dnsmasq/installed\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/36121\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/36120\");\n script_xref(name:\"URL\", value:\"http://www.coresecurity.com/content/dnsmasq-vulnerabilities\");\n\n script_tag(name:\"impact\", value:\"Remote attackers can exploit this issue to execute arbitrary machine\n code in the context of the vulnerable software on the targeted user's computer.\n\n Dnsmasq is also prone to a NULL-pointer dereference vulnerability.\n An 
attacker can exploit this issue to crash the affected application, denying\n service to legitimate users.\");\n\n script_tag(name:\"affected\", value:\"dnsmasq versions 2.40 up to 2.49. Older versions are probably affected too, but they were not checked.\");\n\n script_tag(name:\"solution\", value:\"Updates are available. Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"Dnsmasq is prone to a remotely exploitable heap-overflow vulnerability\n because the software fails to properly bounds-check user-supplied\n input before copying it into an insufficiently sized memory buffer.\");\n\n script_tag(name:\"insight\", value:\"NOTE: The TFTP service must be enabled for this issue to be exploitable. This\n is not the default.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"tftp.inc\");\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\n\nport = get_port_for_service( default:69, proto:\"tftp\", ipproto:\"udp\" );\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! infos = get_app_version_and_proto( cpe:CPE, port:port, exit_no_version:TRUE ) ) exit( 0 );\n\nversion = infos[\"version\"];\nproto = infos[\"proto\"];\n\nif( version_is_less( version:version, test_version:\"2.50\" ) ) {\n report = report_fixed_ver( installed_version:version, fixed_version:\"2.50\" );\n if( tftp_alive( port:port ) ) {\n report += string(\"\\n\\nOn port \" + port + \"/udp a running TFTPD was found at this host. 
If this is the\\ndnsmasq-tftpd, you should disable it immediately until you have\\nswitched to the latest version of dnsmasq.\\n\");\n }\n security_message( data:report, port:port, proto:proto );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-24T12:56:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2957", "CVE-2009-2958"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200909-19.", "modified": "2017-07-07T00:00:00", "published": "2009-09-21T00:00:00", "id": "OPENVAS:64925", "href": "http://plugins.openvas.org/nasl.php?oid=64925", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200909-19 (dnsmasq)", "sourceData": "#\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Multiple vulnerabilities in Dnsmasq might result in the remote execution of\n arbitrary code, or a Denial of Service.\";\ntag_solution = \"All Dnsmasq users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose =net-dns/dnsmasq-2.5.0\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200909-19\nhttp://bugs.gentoo.org/show_bug.cgi?id=282653\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200909-19.\";\n\n \n \n\nif(description)\n{\n script_id(64925);\n script_version(\"$Revision: 6595 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:19:55 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-09-21 23:13:00 +0200 (Mon, 21 Sep 2009)\");\n script_cve_id(\"CVE-2009-2957\", \"CVE-2009-2958\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"Gentoo Security Advisory GLSA 200909-19 (dnsmasq)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"net-dns/dnsmasq\", unaffected: make_list(\"ge 2.5.0\"), vulnerable: make_list(\"lt 2.5.0\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}