Dnsmasq 2.72 Unchecked Return Value

2015.04.24
Credit: Nick Sampanis
Risk: Low
Local: No
Remote: Yes
CWE: CWE-19


CVSS Base Score: 6.4/10
Impact Subscore: 4.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: Partial

"Dnsmasq 2.72 Unchecked returned value"

Description
------------------------------------------------------------
Dnsmasq does not properly check the return value of the setup_reply() function, which tcp_request() calls while handling a TCP connection. That return value is then used as the size argument of a function that writes data to the client's connection. Upon successful exploitation this may allow the heap memory of dnsmasq to be read.

In more detail: tcp_request() calls setup_reply() and uses the returned value as the size argument of a write function.

    m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
    read_write(confd, packet, m + sizeof(u16), 0);

The variable m is computed as the difference between the pointer returned by skip_questions() and the header pointer. The return value of skip_questions() is not checked for the error value NULL, so the result can be the negation of the header pointer (-header).

    size_t setup_reply(struct dns_header *header, size_t qlen, struct all_addr *addrp,
                       unsigned int flags, unsigned long ttl)
    {
      unsigned char *p = skip_questions(header, qlen);
      return p - (unsigned char *)header;
    }

read_write() checks whether its size argument is positive. On a 32-bit system size_t m is 4 bytes wide, the value is negative, and read_write() exits immediately. On a 64-bit system size_t m is 8 bytes wide and the value may be treated as positive if the sign bit of the lower 32-bit value is 0. If m is less than 0xffffffff80000000, a remote attacker can exploit dnsmasq to read its heap memory. If that condition is not met, dnsmasq exits properly.
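The following program is an added example written for this page; it is not dnsmasq code and not the researcher's code. It models the pattern the advisory describes with a toy skip_questions() over a simplified DNS question section: the unchecked setup_reply() turns the NULL error return into "0 - header", the checked variant returns 0 instead, and reply_len_seen_by_read_write() shows what a read_write() that takes its size as a 32-bit int (an assumption about the prototype) would see for a 64-bit m, which is where the advisory's 0xffffffff80000000 boundary comes from. The packet layout, the sample query and the fix shape are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12   /* id, flags, qdcount, ancount, nscount, arcount */

static unsigned int be16(const unsigned char *b)
{
    return ((unsigned int)b[0] << 8) | b[1];
}

/* Toy skip_questions(): skip qdcount questions of the form
 * <labels><0x00><qtype:2><qclass:2>. Returns a pointer just past the last
 * question, or NULL when the section runs past qlen. That NULL is the error
 * path the vulnerable caller never checked. */
static unsigned char *skip_questions(unsigned char *header, size_t qlen)
{
    unsigned char *p = header + DNS_HDR_LEN;
    unsigned char *end = header + qlen;
    unsigned int qdcount;

    if (qlen < DNS_HDR_LEN)
        return NULL;
    qdcount = be16(header + 4);
    while (qdcount--) {
        for (;;) {                        /* name: length-prefixed labels */
            unsigned int len;
            if (p >= end)
                return NULL;
            len = *p++;
            if (len == 0)
                break;
            if (len > 63 || (size_t)(end - p) < len)
                return NULL;
            p += len;
        }
        if ((size_t)(end - p) < 4)        /* qtype + qclass */
            return NULL;
        p += 4;
    }
    return p;
}

/* Vulnerable shape from the advisory: NULL is never checked, so the result is
 * (size_t)(NULL - header). The subtraction is done on uintptr_t to avoid
 * undefined pointer arithmetic; the bit pattern matches the real one. */
size_t setup_reply_unchecked(unsigned char *header, size_t qlen)
{
    unsigned char *p = skip_questions(header, qlen);
    return (size_t)((uintptr_t)p - (uintptr_t)header);
}

/* Hardened shape (assumed fix pattern, not a copy of the upstream patch):
 * a malformed query yields 0, which the caller treats as "no reply". */
size_t setup_reply_checked(unsigned char *header, size_t qlen)
{
    unsigned char *p = skip_questions(header, qlen);
    if (!p)
        return 0;
    return (size_t)(p - header);
}

/* Assumed: read_write() receives its size as a 32-bit int, so only the low
 * 32 bits of m + sizeof(u16) survive. Below 0xffffffff80000000 the truncated
 * value is positive (accepted); at or above it, negative (rejected). */
long reply_len_seen_by_read_write(uint64_t m)
{
    uint32_t low = (uint32_t)(m + sizeof(uint16_t));
    if (low < 0x80000000u)
        return (long)low;
    return -(long)(0x100000000ULL - low);
}

/* Constructed sample: a query for www.example.com. With truncated != 0 the
 * last 8 bytes are cut off, so the name runs past the end of the packet. */
static size_t build_query(unsigned char *buf, int truncated)
{
    static const unsigned char q[] = {
        0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e',
        3, 'c', 'o', 'm', 0, 0x00, 0x01, 0x00, 0x01 };
    size_t n = sizeof q - (truncated ? 8 : 0);
    memcpy(buf, q, n);
    return n;
}

/* Run either setup_reply variant on the sample query. */
size_t reply_size_for_sample(int truncated, int checked)
{
    unsigned char buf[64];
    size_t n = build_query(buf, truncated);
    return checked ? setup_reply_checked(buf, n) : setup_reply_unchecked(buf, n);
}

int main(void)
{
    printf("well-formed: unchecked=%zu checked=%zu\n",
           reply_size_for_sample(0, 0), reply_size_for_sample(0, 1));
    printf("truncated  : unchecked=%#zx checked=%zu\n",
           reply_size_for_sample(1, 0), reply_size_for_sample(1, 1));
    printf("read_write sees %ld (m=0xffffffff7fff0000) and %ld (m=0xffffffff80000000)\n",
           reply_len_seen_by_read_write(0xffffffff7fff0000ULL),
           reply_len_seen_by_read_write(0xffffffff80000000ULL));
    return 0;
}
```

On a 64-bit build the truncated query makes the unchecked variant return a value near 2^64 while the checked variant returns 0; the well-formed 33-byte query gives 33 from both. The read_write model makes the advisory's boundary concrete: 0xffffffff7fff0000 survives truncation as a large positive length, 0xffffffff80000000 becomes negative and is rejected.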
Researcher
------------------------------------------------------------
Nick Sampanis (n.sampanis[a t]obrela[do t]com)

Vulnerability
------------------------------------------------------------
Unchecked return value
CVE-2015-3294

Identification date
------------------------------------------------------------
07/04/2015 - 09/04/2015

Solution - fix & patch
------------------------------------------------------------
Please download dnsmasq-2.73rc4.tar.gz

Reference
------------------------------------------------------------
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q2/009382.html
https://www.obrela.com/home/security-labs/advisories/osi-advisory-osi-1502/




Copyright 2024, cxsecurity.com
