Date: Sat, 12 Nov 2016 09:39:45 +0100
From: Ondřej Surý <ondrej@...y.org>
To: oss-security@...ts.openwall.com,
 Debian Security Team <team@...urity.debian.org>,
 Dariusz Dwornikowski <dariusz.dwornikowski@...put.poznan.pl>,
 Sam Trenholme <sam-k6mymjcnjpz3fmkieotlt7rbgvqt98qy@...iam.org>
Subject: Remote crash in MaraDNS 2.0.13 and git master

Hi,

While playing with fuzzing DNS servers with AFL (2.35b), I found a
remote crash bug in MaraDNS 2.0.13, in js_readuint16. It can also be
reproduced using the https://github.com/samboy/MaraDNS/ master branch.

Attached is a patch to allow the fuzzing (it overrides getudp() with
read(0, ...)), the input data that crashes MaraDNS, and the bt full
output.

Please assign a CVE. I would provide a patch, but the MaraDNS code is
extremely hard for me to navigate, so I'll leave the fix to the code
author.

AFL has finished only 1 cycle (and found the 1 unique crash), so I'll
keep it running for a while.

Cheers,
-- 
Ondřej Surý <ondrej@...y.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Everything for bread: flour from
the mill and supplies for baking bread of all kinds

Download attachment "maradns.btfull" of type "application/octet-stream" (3678 bytes)

View attachment "allow-fuzzing.patch" of type "text/x-patch" (1799 bytes)

Download attachment "id:000000,sig:11,src:007564,op:havoc,rep:32" of type "application/octet-stream" (23 bytes)
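An added example (not MaraDNS code and not the author's attached patch) of the harness shape the mail describes, a read(0, ...) stand-in for getudp() so AFL can feed test-case files on stdin, paired with a bounds-checked 16-bit reader of the kind a DNS parser needs to survive truncated input; harness_getudp, dns_read_uint16 and dns_parse_header are assumed names.

```c
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Stand-in for the UDP receive: the fuzzing build the mail describes swaps
 * getudp() for read(0, ...), so AFL can feed test cases on stdin.
 * Returns the number of bytes read, or -1 on a read error. */
static ssize_t harness_getudp(uint8_t *buf, size_t cap) {
    size_t total = 0;
    while (total < cap) {
        ssize_t n = read(0, buf + total, cap - total);
        if (n < 0) return -1;
        if (n == 0) break;            /* end of input */
        total += (size_t)n;
    }
    return (ssize_t)total;
}

/* Bounds-checked big-endian 16-bit read at offset `off`: stores the value
 * and returns 0, or returns -1 when both bytes are not inside the buffer. */
int dns_read_uint16(const uint8_t *buf, size_t len, size_t off, uint16_t *out) {
    if (buf == NULL || out == NULL) return -1;
    if (off > len || len - off < 2) return -1;   /* no off + 2 overflow */
    *out = (uint16_t)((buf[off] << 8) | buf[off + 1]);
    return 0;
}

/* Parse the fixed 12-byte DNS header into its six 16-bit fields
 * (id, flags, qdcount, ancount, nscount, arcount). Returns 0 on success,
 * -1 when the message is shorter than a header, so an 11-byte input is
 * rejected instead of being read past its end. */
int dns_parse_header(const uint8_t *buf, size_t len, uint16_t fields[6]) {
    for (size_t i = 0; i < 6; i++)
        if (dns_read_uint16(buf, len, i * 2, &fields[i]) != 0) return -1;
    return 0;
}

int main(void) {
    uint8_t msg[512];                 /* one UDP-sized DNS message (constructed limit) */
    uint16_t hdr[6];
    ssize_t n = harness_getudp(msg, sizeof msg);
    if (n < 0 || dns_parse_header(msg, (size_t)n, hdr) != 0) {
        fprintf(stderr, "rejected: input is not a complete DNS header\n");
        return 1;
    }
    printf("id=%u qdcount=%u ancount=%u\n", hdr[0], hdr[2], hdr[3]);
    return 0;
}
```

Run it as `./harness < crashing-input` to see whether a crash case even reaches the parser or is rejected at the header check.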
