net-snmp snmp_pdu_parse() function incomplete initialization vulnerability

2015-04-13 / 2015-04-30
Credit: 罗大龙
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Hi there, greetings! This is Qinghao Tang from QIHU 360 company, China. I am a security researcher there. I'm writing to apply for a CVE ID for a 0day vulnerability in net-snmp. Please refer to the report below.

[requester info]
name: Qinghao Tang
company: QIHU 360 company, China
email: tangqinghao () 360 cn

[vendor info]
name: net-snmp
email: net-snmp-users () lists sourceforge net
website: http://www.net-snmp.org/

[vulnerable net-snmp version]
All versions

[vulnerability description]
An incomplete-initialization vulnerability exists in the function 'snmp_pdu_parse()' of 'snmp_api.c': remote attackers can cause memory leaks, DoS and possibly command execution by sending malicious packets. Since the vulnerability occurs while parsing packets, it could have broader impacts. Currently we have found 12 remote DoS methods in the latest version of the net-snmp client software. I think this vulnerability could cause even more severe risks.

[vulnerability reason]
In the function 'snmp_pdu_parse()' of 'snmp_api.c', the structure 'netsnmp_variable_list' is initialized incompletely, so a malicious packet can make 'snmp_parse_var_op()' return an error. When the uninitialized data (type, val, name_loc, buf) in the structure 'netsnmp_variable_list' is then used, it causes memory leaks, DoS and possibly command execution.

```c
int
snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
{
    /* .... */
    netsnmp_variable_list *vptemp;

    /* the new varbind comes from malloc(), so its contents are whatever the heap held */
    vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp));
    if (NULL == vptemp) {
        return -1;
    }
    if (NULL == vp) {
        pdu->variables = vptemp;
    } else {
        vp->next_variable = vptemp;
    }
    vp = vptemp;

    /* only these fields are set; type, val_len, name_loc and buf stay uninitialized */
    vp->next_variable = NULL;
    vp->val.string = NULL;
    vp->name_length = MAX_OID_LEN;
    vp->name = NULL;
    vp->index = 0;
    vp->data = NULL;
    vp->dataFreeHook = NULL;
    DEBUGDUMPSECTION("recv", "VarBind");
    /* on a malformed VarBind this fails and leaves the fields above untouched */
    data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type,
                             &vp->val_len, &var_val, length);
    if (data == NULL)
        return -1;
    /* ...... */
}
```

```c
typedef struct variable_list netsnmp_variable_list;

struct variable_list {
    /** NULL for last variable */
    struct variable_list *next_variable;
    /** Object identifier of variable */
    oid            *name;
    /** number of subid's in name */
    size_t          name_length;
    /** ASN type of variable */
    u_char          type;
    /** value of variable */
    netsnmp_vardata val;
    /** the length of the value to be copied into buf */
    size_t          val_len;
    /** 90 percentile < 24. */
    oid             name_loc[MAX_OID_LEN];
    /** 90 percentile < 40. */
    u_char          buf[40];
    /** (Opaque) hook for additional data */
    void           *data;
    /** callback to free above */
    void            (*dataFreeHook)(void *);
    int             index;
};

typedef union {
    long           *integer;
    u_char         *string;
    oid            *objid;
    u_char         *bitstring;
    struct counter64 *counter64;
#ifdef OPAQUE_SPECIAL_TYPES
    float          *floatVal;
    double         *doubleVal;
    /*
     * t_union *unionVal;
     */
#endif                          /* OPAQUE_SPECIAL_TYPES */
} netsnmp_vardata;
```

[crash info from /var/log/messages]
Each entry gives the crashing function, its offset in snmpget, and the matching kernel log line:

```
sprint_realloc_integer  snmpget:0x290a3
overview: Feb 22 11:37:48 localhost kernel: snmpget[24260]: segfault at 0 ip 00007f00cbff20a3 sp 00007fff7bf08620 error 4 in libnetsnmp.so.30.0.3[7f00cbfc9000+ac000]

asn_realloc_rbuild_int  snmpget:0x4ac0a
overview: Feb 22 14:38:10 localhost kernel: snmpget[26825]: segfault at 0 ip 00007f2cbc089c0a sp 00007fff294221f0 error 4 in libnetsnmp.so.30.0.3[7f2cbc03f000+ac000]

asn_realloc_rbuild_unsigned_int  snmpget:0x4a5e7
overview: Feb 22 18:06:53 localhost kernel: snmpget[29948]: segfault at 0 ip 00007f6bb7a8e5e7 sp 00007fffc6863bc0 error 4 in libnetsnmp.so.30.0.3[7f6bb7a44000+ac000]

asn_realloc_rbuild_unsigned_int64  snmpget:0x49832
overview: Feb 22 20:00:22 localhost kernel: snmpget[31802]: segfault at 0 ip 00007f93cb91d832 sp 00007fff7b93f970 error 4 in libnetsnmp.so.30.0.3[7f93cb8d4000+ac000]

sprint_realloc_counter  snmpget:0x2877b
overview: Feb 23 09:31:45 localhost kernel: snmpget[44108]: segfault at 0 ip 00007f1e2fd8477b sp 00007fffe0abf9a0 error 4 in libnetsnmp.so.30.0.3[7f1e2fd5c000+ac000]

sprint_realloc_uinteger  snmpget:0x28c30
overview: Feb 13 09:54:03 localhost kernel: snmpget[64595]: segfault at 0 ip 00007f29f970dc30 sp 00007fff8c89a0e0 error 4 in libnetsnmp.so.30.0.3[7f29f96e5000+ac000]

printI64  snmpget:0x5273e
overview: Feb 13 10:52:42 localhost kernel: snmpget[3863]: segfault at 0 ip 00007fe314e4773e sp 00007fff782fcba0 error 4 in libnetsnmp.so.30.0.3[7fe314df5000+ac000]

sprint_realloc_gauge  snmpget:0x28a73
overview: Feb 13 11:24:17 localhost kernel: snmpget[4879]: segfault at 0 ip 00007fb3f0852a73 sp 00007fffc43f7b10 error 4 in libnetsnmp.so.30.0.3[7fb3f082a000+ac000]

sprint_realloc_timeticks  snmpget:0x29277
overview: Feb 13 12:10:08 localhost kernel: snmpget[6623]: segfault at 0 ip 00007f171c1ad277 sp 00007fff9fad9720 error 4 in libnetsnmp.so.30.0.3[7f171c184000+ac000]

printU64  snmpget:0x52675
overview: Feb 13 13:48:11 localhost kernel: snmpget[9878]: segfault at 0 ip 00007fc3b04ed675 sp 00007fff4d0a3cb0 error 4 in libnetsnmp.so.30.0.3[7fc3b049b000+ac000]

sprint_realloc_float  snmpget:0x29c57
overview: Feb 18 23:31:41 localhost kernel: snmpget[57217]: segfault at 0 ip 00007f625c50ac57 sp 00007fffe60ebdb0 error 4 in libnetsnmp.so.30.0.3[7f625c4e1000+ac000]

asn_realloc_rbuild_signed_int64  snmpget:0x4934d
overview: Feb 21 18:21:13 localhost kernel: snmpget[9149]: segfault at 0 ip 00007f431746e34d sp 00007fffbcac3ed0 error 4 in libnetsnmp.so.30.0.3[7f4317425000+ac000]
```

[patch]

```diff
--- snmp_api.c	2014-12-09 04:23:22.000000000 +0800
+++ snmp_api.c.patch	2015-03-04 10:44:03.896001377 +0800
@@ -4518,6 +4518,9 @@
 vp->index = 0;
 vp->data = NULL;
 vp->dataFreeHook = NULL;
+ vp->type = 0;
+ vp->name_loc = 0;
+ vp->buf = 0;
 DEBUGDUMPSECTION("recv", "VarBind");
 data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type, &vp->val_len, &var_val, length)
```

罗大龙
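Review bot: the added lines `vp->name_loc = 0;` and `vp->buf = 0;` will not compile, because name_loc and buf are arrays (`oid name_loc[MAX_OID_LEN];` and `u_char buf[40];` in struct variable_list) and an array cannot be assigned a scalar; use `memset(vp->name_loc, 0, sizeof(vp->name_loc));` and `memset(vp->buf, 0, sizeof(vp->buf));` instead. The hunk also leaves val_len uninitialised even though snmp_parse_var_op() may fail before writing it; clearing the whole object once, by replacing the malloc() with `calloc(1, sizeof(*vptemp))` or a single `memset(vptemp, 0, sizeof(*vptemp));` right after the NULL check, covers type, val_len, name_loc and buf together and avoids adding a field-by-field list that has to be kept in sync with the struct.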

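To make the failure mode in the [vulnerability reason] section concrete, the following added example (not code from the advisory or from net-snmp) models the partial initialization done in snmp_pdu_parse() on a cut-down varbind structure, feeds it a truncated VarBind through a toy parser, and contrasts it with zeroing the structure first; the struct, the parser, the packets and the varbind_consistent() check are all constructed for this demonstration.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_OID_LEN 128
#define ASN_INTEGER 0x02
typedef unsigned long oid;

/* Cut-down netsnmp_variable_list holding the fields the report names; type 0 = never parsed. */
typedef struct {
    oid *name; size_t name_length; unsigned char type;
    union { long *integer; unsigned char *string; } val;
    size_t val_len; oid name_loc[MAX_OID_LEN]; unsigned char buf[40];
} varbind;

/* The fields snmp_pdu_parse() sets before snmp_parse_var_op(); type, val_len, name_loc, buf untouched. */
static void init_partial(varbind *vp) {
    vp->name = NULL; vp->name_length = MAX_OID_LEN; vp->val.string = NULL;
}

/* Hardened form: zero the whole object first, then set what needs a value. */
static void init_zeroed(varbind *vp) {
    memset(vp, 0, sizeof *vp);
    vp->name_length = MAX_OID_LEN;
}

/* Toy stand-in for snmp_parse_var_op(): a SEQUENCE whose length byte overruns the packet
 * is rejected before type or value are ever written, the early-error path the report describes. */
static int parse_var_op(varbind *vp, const unsigned char *pkt, size_t len) {
    if (len < 2 || pkt[0] != 0x30 || pkt[1] > len - 2) return -1;
    if (pkt[1] != 3 || pkt[2] != ASN_INTEGER || pkt[3] != 1) return -1;
    long v = pkt[4]; memcpy(vp->buf, &v, sizeof v);   /* small values live in the inline buf */
    vp->type = ASN_INTEGER; vp->val.integer = (long *)vp->buf; vp->val_len = sizeof v;
    return 0;
}

/* Check a print/free routine can apply: an unparsed varbind carries no value; an INTEGER needs a pointer and length. */
static int varbind_consistent(const varbind *vp) {
    if (vp->type == 0) return vp->val_len == 0 && vp->val.string == NULL;
    if (vp->type == ASN_INTEGER) return vp->val.integer != NULL && vp->val_len == sizeof(long);
    return 0;   /* any other type can only be leftover heap contents */
}

/* malloc() promises nothing about contents, so model a recycled chunk as 0xA5 bytes,
 * initialise it the given way, parse, and return what the consumer check says. */
static int run_scenario(void (*init)(varbind *), const unsigned char *pkt, size_t len) {
    varbind *vp = malloc(sizeof *vp);
    if (vp == NULL) return -1;
    memset(vp, 0xA5, sizeof *vp);
    init(vp);
    parse_var_op(vp, pkt, len);
    int ok = varbind_consistent(vp);
    free(vp);
    return ok;
}

/* Constructed inputs: INTEGER 42, and a SEQUENCE claiming 16 bytes with only its header present. */
static const unsigned char good_pkt[] = { 0x30, 0x03, 0x02, 0x01, 0x2A };
static const unsigned char truncated_pkt[] = { 0x30, 0x10 };
```

With the partial initialization the truncated packet leaves type and val_len as whatever the allocator delivered, which is exactly what a later sprint_realloc_* or free path would then trust; zeroing first makes the same failed parse leave a varbind the consumer can safely ignore.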
References:

http://seclists.org/oss-sec/2015/q2/116

