dnrd 2.10 dos

From: Andrew Griffiths (andrewgat_private)
Date: Sun Jan 20 2002 - 01:15:27 PST

  • Next message: truff: "Re: PHP-Nuke allows Command Execution & Much more" 

    Program: dnrd
Version: 2.10
Distro: n/a

Problem:

There are various problems with dnrd's dns request and reply functions, that
cause it to crash.

Reproduce:

Using two consoles, I did the following

Terminal one got:

[andrewg@blackhole /data/audit/dnrd-2.10/src]$ gdb dnrd
GNU gdb 5.0rh-5 Red Hat Linux 7.1
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux".
(gdb) set arg -s 1.2.3.4 -d
(gdb) run
Starting program: /data/audit/dnrd-2.10/src/dnrd -d
[New Thread 1024 (LWP 3249)]
ERROR: Couldn't kill dnrd: No such process
Debug: cache low/high: 800/1000
Debug: initialising master DNS database
Debug: no master configuration: /etc/dnrd/master
Debug: initialising from /etc/hosts, domain= <none>
Debug: /etc/hosts: 3 records
Debug: Received DNS query for "..\SÖanx, 6h??ü-ÀC?Ï"?>" real ? "?????£æ??@ÖwéÕËl?p?Û@??"

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 3249)]
parse_query (y=0xbffff140, msg=0xb4bffff7 <Address 0xb4bffff7 out of bounds>,
    len=1346377321) at dns.c:298
298         if (ntohs(((short int *) msg)[2]) == 0) {       /* C is nice. */

Note that the ? are various control charatchers that I couldn't paste in,
'cause they are not printable and kept stuffing up vim.

While one terminal two, I did:

dd if=/dev/urandom bs=64 count=1 | nc -u 127.0.0.1 53 -w 1

At one stage I also had msg=0x2e2e2e2e <Address 0x2e2e2e2e out of bounds>.

It's not just parse_query that has this problem, but also places like get_objectname()


Exploit:
-=-=-=-=-

So far I haven't tried to exploit it, but given some of the stuff that I've
seen, I would not be surprised if it was.

Even if their was an exploit, it'd have to work out a way of getting root in a
chroot jail and a non-root acct.

Affected:
-=-=-=-=-

People who use this, or distro's that do, such as smoothwall. :P


--
www.tasmail.com

    This archive was generated by hypermail 2b30 : Mon Jan 21 2002 - 16:08:29 PST