dnrd 2.10 dos
From: Andrew Griffiths (andrewg@tasmail.com) Date: 01/20/02
Date: Sun, 20 Jan 2002 20:15:27 +1100 (EST)
From: "Andrew Griffiths" <andrewg@tasmail.com>
To: bugtraq@securityfocus.com
Program: dnrd
Version: 2.10
Distro: n/a
Problem:
There are various problems with dnrd's dns request and reply functions, that
cause it to crash.
Reproduce:
Using two consoles, I did the following
Terminal one got:
[andrewg@blackhole /data/audit/dnrd-2.10/src]$ gdb dnrd
GNU gdb 5.0rh-5 Red Hat Linux 7.1
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux".
(gdb) set arg -s 1.2.3.4 -d
(gdb) run
Starting program: /data/audit/dnrd-2.10/src/dnrd -d
[New Thread 1024 (LWP 3249)]
ERROR: Couldn't kill dnrd: No such process
Debug: cache low/high: 800/1000
Debug: initialising master DNS database
Debug: no master configuration: /etc/dnrd/master
Debug: initialising from /etc/hosts, domain= <none>
Debug: /etc/hosts: 3 records
Debug: Received DNS query for "..\SÖanx, 6h??ü-ÀC?Ï"?>" real ? "?????£æ??@ÖwéÕËl?p?Û@??"
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 3249)]
parse_query (y=0xbffff140, msg=0xb4bffff7 <Address 0xb4bffff7 out of bounds>,
len=1346377321) at dns.c:298
298 if (ntohs(((short int *) msg)[2]) == 0) { /* C is nice. */
Note that the ? are various control characters that I couldn't paste in,
'cause they are not printable and kept stuffing up vim.
While on terminal two, I did:
dd if=/dev/urandom bs=64 count=1 | nc -u 127.0.0.1 53 -w 1
At one stage I also had msg=0x2e2e2e2e <Address 0x2e2e2e2e out of bounds>.
It's not just parse_query that has this problem, but also places like get_objectname()
Exploit:
-=-=-=-=-
So far I haven't tried to exploit it, but given some of the stuff that I've
seen, I would not be surprised if it was.
Even if there was an exploit, it'd have to work out a way of getting root in a
chroot jail and a non-root acct.
Affected:
-=-=-=-=-
People who use this, or distros that do, such as smoothwall. :P
-- www.tasmail.com
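The crash above happens at `ntohs(((short int *) msg)[2])` with `msg` and `len` already out of bounds, and the trigger is nothing more than 64 bytes of `/dev/urandom` sent over UDP. The following is an added example, not dnrd's code, showing the shape of a query parser that cannot be taken down that way: every read is checked against the datagram length, label and name sizes are bounded, compression pointers are rejected in the question, and header fields are read byte-wise rather than through an aligned `short *` cast. The sample packets are constructed for the example, and `demo_random_packets` is a deterministic stand-in for the `dd ... | nc -u` test from the post; the function and enum names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Every malformed input maps to a status code, never to a crash. */
enum dns_status {
    DNS_OK = 0,
    DNS_ERR_SHORT_HEADER = -1,       /* fewer than the 12 header bytes */
    DNS_ERR_NOT_QUERY = -2,          /* QR bit set: this is a response */
    DNS_ERR_QDCOUNT = -3,            /* only exactly one question is accepted */
    DNS_ERR_TRUNCATED_NAME = -4,     /* a label runs past the end of the datagram */
    DNS_ERR_LABEL_TOO_LONG = -5,     /* label length > 63 (RFC 1035) */
    DNS_ERR_NAME_TOO_LONG = -6,      /* name would not fit the 255-byte buffer */
    DNS_ERR_COMPRESSION = -7,        /* 0xC0 pointer inside the question name */
    DNS_ERR_TRUNCATED_QUESTION = -8  /* QTYPE/QCLASS missing */
};

struct dns_question {
    char name[256];                  /* dotted form, NUL-terminated */
    uint16_t qtype, qclass;
};

/* Byte-wise big-endian read: no alignment or aliasing issue, unlike a short* cast. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

int dns_parse_query(const uint8_t *msg, size_t len, struct dns_question *q)
{
    if (len < 12) return DNS_ERR_SHORT_HEADER;        /* header before touching msg[4..5] */
    if (rd16(msg + 2) & 0x8000) return DNS_ERR_NOT_QUERY;
    if (rd16(msg + 4) != 1) return DNS_ERR_QDCOUNT;

    size_t off = 12, nlen = 0;
    for (;;) {
        if (off >= len) return DNS_ERR_TRUNCATED_NAME;
        uint8_t l = msg[off++];
        if (l == 0) break;
        if ((l & 0xC0) == 0xC0) return DNS_ERR_COMPRESSION;
        if (l > 63) return DNS_ERR_LABEL_TOO_LONG;
        if (l > len - off) return DNS_ERR_TRUNCATED_NAME;  /* written so it cannot overflow */
        if (nlen + l + 1 > 255) return DNS_ERR_NAME_TOO_LONG;
        if (nlen) q->name[nlen++] = '.';
        memcpy(q->name + nlen, msg + off, l);
        nlen += l;
        off += l;
    }
    q->name[nlen] = '\0';
    if (len - off < 4) return DNS_ERR_TRUNCATED_QUESTION;
    q->qtype = rd16(msg + off);
    q->qclass = rd16(msg + off + 2);
    return DNS_OK;
}

/* Constructed sample: standard query for www.example.com, type A, class IN. */
static const uint8_t sample_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};
/* Constructed: valid header, then a 63-octet label of which only 2 octets exist. */
static const uint8_t truncated_label[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    63, 'a', 'b'
};
/* Constructed: a compression pointer where the question name should start. */
static const uint8_t pointer_in_question[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xC0, 0x0C, 0x00, 0x01, 0x00, 0x01
};

int demo_valid_query(void)
{
    struct dns_question q;
    if (dns_parse_query(sample_query, sizeof sample_query, &q) != DNS_OK) return 0;
    return strcmp(q.name, "www.example.com") == 0 && q.qtype == 1 && q.qclass == 1;
}
int demo_truncated_label(void)
{
    struct dns_question q;
    return dns_parse_query(truncated_label, sizeof truncated_label, &q);
}
int demo_pointer_in_question(void)
{
    struct dns_question q;
    return dns_parse_query(pointer_in_question, sizeof pointer_in_question, &q);
}
int demo_short_packet(void)
{
    struct dns_question q;
    return dns_parse_query(sample_query, 5, &q);   /* only 5 of the 33 bytes arrived */
}

/* Deterministic stand-in for `dd if=/dev/urandom bs=64 count=1 | nc -u 127.0.0.1 53`:
 * feeds LCG-generated datagrams of 1..64 bytes. Returns how many parsed as valid
 * queries; the point is that the loop finishes rather than faulting. */
int demo_random_packets(uint32_t seed, int iterations)
{
    uint8_t pkt[64];
    struct dns_question q;
    int accepted = 0;
    for (int i = 0; i < iterations; i++) {
        seed = seed * 1103515245u + 12345u;
        size_t len = 1 + (seed >> 16) % 64;
        for (size_t j = 0; j < len; j++) {
            seed = seed * 1103515245u + 12345u;
            pkt[j] = (uint8_t)(seed >> 16);
        }
        if (dns_parse_query(pkt, len, &q) == DNS_OK) accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("valid query ok: %d\n", demo_valid_query());
    printf("truncated label: %d\n", demo_truncated_label());
    printf("pointer in question: %d\n", demo_pointer_in_question());
    printf("5-byte packet: %d\n", demo_short_packet());
    printf("random packets accepted: %d of 10000\n", demo_random_packets(1, 10000));
    return 0;
}
```

The checks are ordered so that each index into `msg` is preceded by a comparison against `len` in a form that cannot wrap (`l > len - off` rather than `off + l > len`), and the same bounded-walk pattern is what a `get_objectname()`-style routine needs when it extracts names from replies as well as queries.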