Date: Mon, 13 Apr 2015 13:44:04 +0800
From: 罗大龙 <luodalongde@...il.com>
To: oss-security@...ts.openwall.com
Subject: net-snmp snmp_pdu_parse() function incomplete initialization vulnerability

Hi there,

Greetings! This is Qinghao Tang from QIHU 360 company, China. I am a
security researcher there.

I'm writing to apply for a CVE ID for a 0day vulnerability in net-snmp.
Please refer to the report below.

[requester info]

         name: Qinghao Tang
         company: QIHU 360 company, China
         email: tangqinghao@....cn

[vendor info]

         name: net-snmp
         email: net-snmp-users@...ts.sourceforge.net
         website: http://www.net-snmp.org/

[vulnerable net-snmp version]

All versions



[vulnerability description]

An incomplete-initialization vulnerability exists in the function
'snmp_pdu_parse()' of 'snmp_api.c', and remote attackers can cause memory
leaks, DoS and possibly command execution by sending malicious packets.

Since the vulnerability occurs when parsing the packets, it could have
broader impacts. Currently we have found 12 remote DoS methods in the latest
version of the net-snmp client software. I think this vulnerability could cause
even more severe risks.



[vulnerability reason]

In the function 'snmp_pdu_parse()' of 'snmp_api.c', the structure
'netsnmp_variable_list' is initialized incompletely, so malicious
packets can cause 'snmp_parse_var_op()' to return an error. When the
uninitialized data (type, val, name_loc, buf) in the structure
'netsnmp_variable_list' is then used, it causes memory leaks, DoS and
possibly command execution.



int
snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
{
        ….

        netsnmp_variable_list *vptemp;

        vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp));
        if (NULL == vptemp) {
            return -1;
        }
        /* the new node is linked into pdu->variables before it is parsed */
        if (NULL == vp) {
            pdu->variables = vptemp;
        } else {
            vp->next_variable = vptemp;
        }
        vp = vptemp;

        /* only these fields are set; type, val_len, name_loc and buf are not */
        vp->next_variable = NULL;
        vp->val.string = NULL;
        vp->name_length = MAX_OID_LEN;
        vp->name = NULL;
        vp->index = 0;
        vp->data = NULL;
        vp->dataFreeHook = NULL;
        DEBUGDUMPSECTION("recv", "VarBind");
        data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type,
                                 &vp->val_len, &var_val, length);
        if (data == NULL)
            return -1;      /* error path: node stays linked with uninitialized fields */
        ……
}

typedef struct variable_list netsnmp_variable_list;

struct variable_list {
   /** NULL for last variable */
   struct variable_list *next_variable;
   /** Object identifier of variable */
   oid            *name;
   /** number of subid's in name */
   size_t          name_length;
   /** ASN type of variable */
   u_char          type;
   /** value of variable */
   netsnmp_vardata val;
   /** the length of the value to be copied into buf */
   size_t          val_len;
   /** 90 percentile < 24. */
   oid             name_loc[MAX_OID_LEN];
   /** 90 percentile < 40. */
   u_char          buf[40];
   /** (Opaque) hook for additional data */
   void           *data;
   /** callback to free above */
   void            (*dataFreeHook)(void *);
   int             index;
};

typedef union {
   long           *integer;
   u_char         *string;
   oid            *objid;
   u_char         *bitstring;
   struct counter64 *counter64;
#ifdef OPAQUE_SPECIAL_TYPES
   float          *floatVal;
   double         *doubleVal;
   /*
    * t_union *unionVal;
    */
#endif                          /* OPAQUE_SPECIAL_TYPES */
} netsnmp_vardata;
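Editor's note: the following C program is an added illustration of the defect class described above; it is not code from this report or from net-snmp. It uses a hypothetical cut-down 'varbind' struct with the fields the report names, a toy 'decode_varbind()' standing in for 'snmp_parse_var_op()', a constructed allocator that models a recycled heap chunk (malloc() makes no promise about contents), and two constructed varbind encodings. It shows that after a failed parse the malloc'd node carries a stale 'type' with a NULL value pointer, which is exactly what a printer trusting 'type' would dereference, while a calloc'd node is left in a benign, fully defined state.

```c
#include <stdlib.h>
#include <string.h>

#define ASN_INTEGER   0x02              /* BER tags as used by SNMP */
#define ASN_OCTET_STR 0x04
#define MAX_OID_LEN   128

/* Hypothetical cut-down mirror of netsnmp_variable_list (fields named in the report). */
typedef struct varbind {
    struct varbind *next_variable;
    unsigned char   type;
    union { long *integer; unsigned char *string; } val;
    size_t          val_len;
    unsigned long   name_loc[MAX_OID_LEN];
    unsigned char   buf[40];
} varbind;

/* malloc() promises nothing about contents; this constructed allocator models a
 * recycled chunk that last held an INTEGER varbind, so stale bytes look like a valid type. */
static void *alloc_recycled(size_t n) {
    void *p = malloc(n);
    if (p) memset(p, ASN_INTEGER, n);
    return p;
}

/* Toy stand-in for snmp_parse_var_op(): [tag][len][value...]; returns bytes consumed,
 * or 0 on a malformed/truncated varbind without writing any of its outputs. */
static size_t decode_varbind(const unsigned char *d, size_t len, unsigned char *type,
                             size_t *vlen, const unsigned char **value) {
    if (len < 2 || (d[0] != ASN_INTEGER && d[0] != ASN_OCTET_STR)) return 0;
    if (2 + (size_t)d[1] > len) return 0;          /* value bytes missing */
    *type = d[0]; *vlen = d[1]; *value = d + 2;
    return 2 + d[1];
}

/* Same shape as the reported code: allocate, link the node into the list, set a few
 * fields, parse; a parse error returns -1 with the node still linked. zero_fill=1 is
 * the fix: calloc() leaves every field defined, so a failed parse leaves type == 0. */
static int parse_into_list(const unsigned char *d, size_t len, varbind **head, int zero_fill) {
    varbind *vp = zero_fill ? calloc(1, sizeof *vp) : alloc_recycled(sizeof *vp);
    if (!vp) return -1;
    *head = vp;
    vp->next_variable = NULL;
    vp->val.string = NULL;
    const unsigned char *value = NULL;
    if (decode_varbind(d, len, &vp->type, &vp->val_len, &value) == 0)
        return -1;                          /* type, val_len, name_loc, buf never written */
    if (vp->type == ASN_INTEGER) {
        if (vp->val_len == 0 || vp->val_len > sizeof(long)) return -1;
        unsigned long v = (value[0] & 0x80) ? ~0UL : 0;   /* sign-extend big-endian */
        for (size_t i = 0; i < vp->val_len; i++) v = (v << 8) | value[i];
        long out = (long)v;
        memcpy(vp->buf, &out, sizeof out);
        vp->val.integer = (long *)vp->buf;
    } else {
        if (vp->val_len > sizeof vp->buf) return -1;
        memcpy(vp->buf, value, vp->val_len);
        vp->val.string = vp->buf;
    }
    return 0;
}

/* A node is consistent when a value-bearing type comes with a non-NULL value pointer;
 * a printer that trusts type alone dereferences NULL otherwise ("segfault at 0"). */
static int varbind_is_consistent(const varbind *vp) {
    switch (vp->type) {
    case ASN_INTEGER:   return vp->val.integer != NULL;
    case ASN_OCTET_STR: return vp->val.string != NULL;
    default:            return 1;           /* nothing to dereference */
    }
}

/* Constructed inputs and scenario helpers that return checkable scalars. */
static const unsigned char TRUNCATED[] = {0x02, 0x04, 0x00, 0x01};  /* claims 4 bytes, has 2 */
static const unsigned char GOOD_INT[]  = {0x02, 0x02, 0x01, 0x00};  /* INTEGER 256 */

static int failed_parse_type(int zero_fill) {          /* 'type' left behind by a failed parse */
    varbind *head = NULL;
    parse_into_list(TRUNCATED, sizeof TRUNCATED, &head, zero_fill);
    int t = head ? head->type : -1;
    free(head);
    return t;
}

static int failed_parse_consistent(int zero_fill) {    /* 1 = safe to hand to a printer */
    varbind *head = NULL;
    parse_into_list(TRUNCATED, sizeof TRUNCATED, &head, zero_fill);
    int ok = head ? varbind_is_consistent(head) : -1;
    free(head);
    return ok;
}

static long good_parse_value(void) {                   /* the success path still works */
    varbind *head = NULL;
    long v = -1;
    if (parse_into_list(GOOD_INT, sizeof GOOD_INT, &head, 1) == 0 && varbind_is_consistent(head))
        memcpy(&v, head->val.integer, sizeof v);
    free(head);
    return v;
}
```

With the malloc-style allocator, failed_parse_type(0) returns 0x02 and failed_parse_consistent(0) returns 0: the linked node claims to hold an INTEGER whose pointer is NULL. With zero_fill=1 the same input leaves type 0 and a consistent node. The two defensive measures this models are independent: zero the allocation so an early error return cannot leave stale bytes behind, and have consumers validate a node before dereferencing its value pointer.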







[crash info from /var/log/messages]

sprint_realloc_integer
snmpget:0x290a3
overview:Feb 22 11:37:48 localhost kernel: snmpget[24260]: segfault at 0 ip 00007f00cbff20a3 sp 00007fff7bf08620 error 4 in libnetsnmp.so.30.0.3[7f00cbfc9000+ac000]

asn_realloc_rbuild_int
snmpget:0x4ac0a
overview:Feb 22 14:38:10 localhost kernel: snmpget[26825]: segfault at 0 ip 00007f2cbc089c0a sp 00007fff294221f0 error 4 in libnetsnmp.so.30.0.3[7f2cbc03f000+ac000]

asn_realloc_rbuild_unsigned_int
snmpget:0x4a5e7
overview:Feb 22 18:06:53 localhost kernel: snmpget[29948]: segfault at 0 ip 00007f6bb7a8e5e7 sp 00007fffc6863bc0 error 4 in libnetsnmp.so.30.0.3[7f6bb7a44000+ac000]

asn_realloc_rbuild_unsigned_int64
snmpget:0x49832
overview:Feb 22 20:00:22 localhost kernel: snmpget[31802]: segfault at 0 ip 00007f93cb91d832 sp 00007fff7b93f970 error 4 in libnetsnmp.so.30.0.3[7f93cb8d4000+ac000]

sprint_realloc_counter
snmpget:0x2877b
overview:Feb 23 09:31:45 localhost kernel: snmpget[44108]: segfault at 0 ip 00007f1e2fd8477b sp 00007fffe0abf9a0 error 4 in libnetsnmp.so.30.0.3[7f1e2fd5c000+ac000]

sprint_realloc_uinteger
snmpget:0x28c30
overview:Feb 13 09:54:03 localhost kernel: snmpget[64595]: segfault at 0 ip 00007f29f970dc30 sp 00007fff8c89a0e0 error 4 in libnetsnmp.so.30.0.3[7f29f96e5000+ac000]

printI64
snmpget:0x5273e
overview:Feb 13 10:52:42 localhost kernel: snmpget[3863]: segfault at 0 ip 00007fe314e4773e sp 00007fff782fcba0 error 4 in libnetsnmp.so.30.0.3[7fe314df5000+ac000]

sprint_realloc_gauge
snmpget:0x28a73
overview:Feb 13 11:24:17 localhost kernel: snmpget[4879]: segfault at 0 ip 00007fb3f0852a73 sp 00007fffc43f7b10 error 4 in libnetsnmp.so.30.0.3[7fb3f082a000+ac000]

sprint_realloc_timeticks
snmpget:0x29277
overview:Feb 13 12:10:08 localhost kernel: snmpget[6623]: segfault at 0 ip 00007f171c1ad277 sp 00007fff9fad9720 error 4 in libnetsnmp.so.30.0.3[7f171c184000+ac000]

printU64
snmpget:0x52675
overview:Feb 13 13:48:11 localhost kernel: snmpget[9878]: segfault at 0 ip 00007fc3b04ed675 sp 00007fff4d0a3cb0 error 4 in libnetsnmp.so.30.0.3[7fc3b049b000+ac000]

sprint_realloc_float
snmpget:0x29c57
overview:Feb 18 23:31:41 localhost kernel: snmpget[57217]: segfault at 0 ip 00007f625c50ac57 sp 00007fffe60ebdb0 error 4 in libnetsnmp.so.30.0.3[7f625c4e1000+ac000]

asn_realloc_rbuild_signed_int64
snmpget:0x4934d
overview:Feb 21 18:21:13 localhost kernel: snmpget[9149]: segfault at 0 ip 00007f431746e34d sp 00007fffbcac3ed0 error 4 in libnetsnmp.so.30.0.3[7f4317425000+ac000]





[patch]

--- snmp_api.c 2014-12-09 04:23:22.000000000 +0800

+++ snmp_api.c.patch     2015-03-04 10:44:03.896001377 +0800

@@ -4518,6 +4518,9 @@

         vp->index = 0;

         vp->data = NULL;

         vp->dataFreeHook = NULL;

+       vp->type = 0;

+       vp->name_loc = 0;

+       vp->buf = 0;

         DEBUGDUMPSECTION("recv", "VarBind");

         data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type,

                                  &vp->val_len, &var_val, length)
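Review bot: the two added lines 'vp->name_loc = 0;' and 'vp->buf = 0;' assign a scalar to an array and will not compile; in the struct variable_list shown earlier in this message name_loc is 'oid name_loc[MAX_OID_LEN]' and buf is 'u_char buf[40]', so they need 'memset(vp->name_loc, 0, sizeof(vp->name_loc));' and 'memset(vp->buf, 0, sizeof(vp->buf));'. A simpler and more complete fix is to change the 'malloc(sizeof(*vptemp))' a few lines above this hunk to 'calloc(1, sizeof(*vptemp))', which also zeroes val_len, a field this hunk still leaves undefined on the path where snmp_parse_var_op() fails and the node is already linked into pdu->variables. The hunk as posted also ends mid-statement (the snmp_parse_var_op() call lacks its closing ';' and trailing context), so it should be regenerated from a complete 'diff -u' before anyone applies it.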
