Date: Sat, 12 Nov 2016 09:39:45 +0100
From: Ondřej Surý <ondrej@...y.org>
To: oss-security@...ts.openwall.com,
 Debian Security Team <team@...urity.debian.org>,
 Dariusz Dwornikowski <dariusz.dwornikowski@...put.poznan.pl>,
 Sam Trenholme <sam-k6mymjcnjpz3fmkieotlt7rbgvqt98qy@...iam.org>
Subject: Remote crash in MaraDNS 2.0.13 and git master

Hi,

while playing with fuzzing the DNS servers with AFL (2.35b) I found a
remote crash bug in MaraDNS 2.0.13 js_readuint16. It can also be
reproduced using the https://github.com/samboy/MaraDNS/ master branch.

Attached is a patch to allow the fuzzing (it overrides getudp() with
read(0, ..)), the input data that crashes MaraDNS, and the bt full
output.

Please assign a CVE. I would provide a patch, but MaraDNS code is
extremely hard to navigate for me, so I'll leave the fix to the code
author.

AFL has finished only 1 cycle (and found the 1 unique crash), so I'll
keep it running for a while.

Cheers,
-- 
Ondřej Surý <ondrej@...y.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Flours from the mill and supplies for
baking bread of all kinds

[ CONTENT OF TYPE application/octet-stream SKIPPED ]

diff --git a/MaraDns.h b/MaraDns.h
index 176c26c..65528e7 100644
--- a/MaraDns.h
+++ b/MaraDns.h
@@ -111,7 +111,11 @@
 
 /* Whether we allow MaraDNS to run as a non root user; this is usually
  * disabled, but can be enabled by uncommenting the following line */
-/* #define ALLOW_NON_ROOT */
+#define ALLOW_NON_ROOT
+
+/* Define to read the packets from stdin instead of UDP sockets,
+ * it still needs valid configuration and socket it can bind to */
+#define FUZZING
 
 /* The maximum allowed size of a zone name */
 #define MAX_ZONE_SIZE 256
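Review bot: Both `#define ALLOW_NON_ROOT` and `#define FUZZING` are hard-coded into MaraDns.h, so anyone building from this tree gets the stdin-reading, non-root-permitted binary by default; for a fuzzing-only change it is safer to leave the header untouched and pass `-DFUZZING` (and `-DALLOW_NON_ROOT`) on the compiler command line, so the shipped defaults are not altered. The comment above the new define should also say which `main()` loop it affects, since the effect is far from this file.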
diff --git a/server/MaraDNS.c b/server/MaraDNS.c
index 82eb77e..64c40b1 100644
--- a/server/MaraDNS.c
+++ b/server/MaraDNS.c
@@ -4545,7 +4545,11 @@ int main(int argc, char **argv) {
     if(log_level >= 3)
         mlog(L_DATAWAIT); /* "Awaiting data on port 53" */
     /* Listen for data on the UDP socket */
+#ifndef FUZZING
     for(;;) {
+#else
+    do {
+#endif
         int sock_num;
         conn ect; /* The space is not a typo */
         ect.type = 0;
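Review bot: Replacing `for(;;) {` with `do {` opens a block whose matching `} while(0);` lives in a later hunk of the same file, and the `#ifndef FUZZING` / `#else` / `#endif` around the loop header has to stay in sync with the `#ifdef FUZZING` around that closing line; a one-line comment here ("closed by while(0) below under FUZZING") would make the pairing obvious to the next reader. Note also that a `continue` inside a `do { } while(0)` jumps to the (false) condition and ends the loop, which is presumably the intent for a single-input fuzz run but is worth stating.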
@@ -4561,8 +4565,19 @@ int main(int argc, char **argv) {
         qual_set_time();
         if(log_level >= 50) /* This happens once a second */
             mlog(L_DATAWAIT); /* "Awaiting data on port 53" */
+#ifndef FUZZING
         sock_num = getudp(sock,bind_addresses,&ect,incoming,512,
                           have_ipv6_address);
+#else
+	sock_num = read(0, incoming, 512);
+	if (sock_num == 0) {
+	  continue;
+	} else if (sock_num < 0) {
+	  break;
+	} else {
+	  sock_num = 0;
+	}
+#endif
         if(sock_num == JS_ERROR)
             continue;
         if(log_level >= 3)
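Review bot: The byte count returned by `read(0, incoming, 512)` is discarded: `sock_num` is overwritten with `0` and the length is never stored where the original `getudp(sock,bind_addresses,&ect,incoming,512, have_ipv6_address)` call would have recorded it (in `ect` or alongside `incoming`), so the downstream parser may not see the real length of the fuzz input; check how `getudp()` reports the datagram length and set the same field here. Minor: the added lines use tabs while the surrounding code uses spaces, and the later `if(sock_num == JS_ERROR)` test is dead in the FUZZING path because `sock_num` is forced to `0` before it.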
@@ -4660,6 +4675,9 @@ int main(int argc, char **argv) {
                 js_dealloc(ect.d);
             }
         }
+#ifdef FUZZING
+        while(0);
+#endif
 
     /* We should never end up here */
 
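Review bot: With `while(0);` closing the loop, the `/* We should never end up here */` path directly below becomes the normal exit for a FUZZING build, so whatever follows it (an error log or abnormal return) will run on every clean fuzz iteration; consider returning 0 explicitly under `#ifdef FUZZING` right after `while(0);` so a normal run is distinguishable from the crash the fuzzer is looking for.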

[ CONTENT OF TYPE application/octet-stream SKIPPED ]
