AKLINK-SA-2007-001.txt

Posted Mar 24, 2007
Authored by Alexander Klink | Site cynops.de

dproxy suffers from a typical buffer overflow condition, which allows an attacker to overwrite the stack. Version 0.5 and below are affected.

tags | advisory, overflow
advisories | CVE-2007-1465
SHA-256 | 105b19b9f636ba774d84d4ddd91b39ff45110d8e236554da8ee19b7dd5e116e5

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

============================================
||| Security Advisory AKLINK-SA-2007-001 |||
||| CVE-2007-1465 (CVE candidate) |||
============================================

dproxy - remotely exploitable buffer overflow
========================================================================

Date released: 20.03.2007
Date reported: 11.03.2007
$Revision: 1.1 $

by Alexander Klink
Cynops GmbH
a.klink@cynops.de
https://www.cynops.de/advisories/CVE-2007-1465.txt
(S/MIME signed: https://www.cynops.de/advisories/CVE-2007-1465-signed.txt)
https://www.klink.name/security/aklink-sa-2007-001-dproxy-bufferoverflow.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1465

Vendor: Matthew Pratt (Open Source)
Product: dproxy - a small caching DNS server
Website: http://dproxy.sourceforge.net
Vulnerability: buffer overflow
Class: remote
Status: unpatched (author is unresponsive)
Severity: high (arbitrary command execution as root)
Releases known to be affected: 0.1, 0.2, 0.3, 0.4, 0.5
Releases known NOT to be affected: dproxy-nexgen

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Overview:

dproxy suffers from a typical buffer overflow condition, which allows
an attacker to overwrite the stack.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Technical details:

In dproxy.c, the UDP packet buffer, which can be up to 4096 bytes long,
is copied into a variable called query_string, which is at most 2048
bytes. As this is done using strcpy, the stack can be overwritten,
which leads to arbitrary command execution.
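The copy described above, with its bounded replacement, as an added example written for this page (not code from dproxy or from the advisory's patch). The buffer sizes are assumptions mirroring the 4096- and 2048-byte figures in the text, and the 3000-byte query is a constructed input. The block also shows why a bare strncpy with the full destination size is not a complete fix: it stops the overflow but can leave the destination without a terminating NUL.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sizes taken from the advisory text: the UDP packet buffer
 * holds up to 4096 bytes, query_string at most 2048. */
#define PKT_BUF_SIZE      4096
#define QUERY_STRING_SIZE 2048

enum { COPY_OK = 0, COPY_TRUNCATED = 1 };

/* Bounded copy that always NUL-terminates dst and reports truncation.
 * One byte is reserved for the terminator explicitly instead of relying
 * on strncpy to write it. */
int copy_query(char *dst, size_t dstsz, const char *src, size_t srclen)
{
    int rc = COPY_OK;
    if (dstsz == 0)
        return COPY_TRUNCATED;
    if (srclen >= dstsz) {
        srclen = dstsz - 1;
        rc = COPY_TRUNCATED;
    }
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return rc;
}

/* The strncpy caveat: strncpy(dst, src, dstsz) writes no terminator when
 * src is at least dstsz bytes long. Returns 1 if dst holds a NUL within
 * dstsz bytes after the call, 0 otherwise. */
int strncpy_terminated(char *dst, size_t dstsz, const char *src)
{
    strncpy(dst, src, dstsz);
    return memchr(dst, '\0', dstsz) != NULL;
}

/* Constructed oversized query: 3000 'A' bytes, longer than query_string
 * but within the packet buffer, as a hostile UDP packet could be. */
static void fill_oversized(char *buf, size_t bufsz)
{
    size_t n = 3000 < bufsz - 1 ? 3000 : bufsz - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
}

/* Copy the constructed oversized query with copy_query(); returns its rc. */
int demo_copy_oversized_rc(void)
{
    char pkt[PKT_BUF_SIZE];
    char query_string[QUERY_STRING_SIZE];
    fill_oversized(pkt, sizeof pkt);
    return copy_query(query_string, sizeof query_string, pkt, strlen(pkt));
}

/* Same copy; returns the strlen of the truncated, terminated result. */
size_t demo_copy_oversized_len(void)
{
    char pkt[PKT_BUF_SIZE];
    char query_string[QUERY_STRING_SIZE];
    fill_oversized(pkt, sizeof pkt);
    copy_query(query_string, sizeof query_string, pkt, strlen(pkt));
    return strlen(query_string);
}

/* Copy a normal-sized query; returns 1 if the copy is exact. */
int demo_copy_normal(void)
{
    char query_string[QUERY_STRING_SIZE];
    const char *q = "www.example.com";
    return copy_query(query_string, sizeof query_string, q, strlen(q)) == COPY_OK
        && strcmp(query_string, q) == 0;
}

/* Oversized input through plain strncpy with the full destination size:
 * returns whether a terminator was written (expected: 0). */
int demo_strncpy_oversized(void)
{
    char pkt[PKT_BUF_SIZE];
    char query_string[QUERY_STRING_SIZE];
    fill_oversized(pkt, sizeof pkt);
    return strncpy_terminated(query_string, sizeof query_string, pkt);
}

int main(void)
{
    printf("oversized query: rc=%d, stored length=%zu\n",
           demo_copy_oversized_rc(), demo_copy_oversized_len());
    printf("normal query copied exactly: %d\n", demo_copy_normal());
    printf("strncpy left a terminator for oversized input: %d\n",
           demo_strncpy_oversized());
    return 0;
}
```

A caller that later passes query_string to a `%s` format or a string-walking decoder depends on the terminator, so the truncation status returned by copy_query() is also the natural point to log and drop the request rather than decode a cut-off name.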

Note that one can easily find out whether dproxy is running
using the fpdns tool (see http://www.rfc.se/fpdns/). dproxy also
seems to be used in a number of WLAN access points / routers, but
the version used there (at least in the Linksys WRT54AG, the Asus
WL500g and the Netgear DG834G) seems to be dproxy-nexgen, which is not
vulnerable to this attack.

Thanks to Dan Kaminsky, who provided me with the interesting statistics
that apparently only 20 out of about 2,000,000 DNS servers he scanned
are using dproxy. So this does not look like a major attack vector.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Exploit:

A MetaSploit Framework 2.7 exploit module is available from
https://www.cynops.de/downloads/metasploit/dproxy.pm

It has been tested successfully with both a Debian stable and an
Ubuntu system (with randomize_va_space=0).

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Workaround:

Drop packets to the destination UDP port 53 which are larger than
2048 bytes (which is a pretty large DNS query packet anyway).

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Communication:

* 13.03.2007: Author updated on vulnerable versions
* 11.03.2007: First problem report to author

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Solution:

Patch dproxy.c:

- --- dproxy-0.5/dproxy.c 2000-02-03 04:15:35.000000000 +0100
+++ dproxy-0.5.patched/dproxy.c 2007-03-13 13:07:53.000000000 +0100
@@ -105,7 +105,7 @@
/* child process only here */
signal(SIGCHLD, SIG_IGN);

- - strcpy( query_string, pkt.buf );
+ strncpy( query_string, pkt.buf, sizeof(query_string) );
decode_domain_name( query_string );
debug("query: %s\n", query_string );
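Review bot: the `+` line passes sizeof(query_string) as the strncpy count, so a pkt.buf of sizeof(query_string) bytes or more fills the whole array and leaves it without a terminating NUL; the following decode_domain_name( query_string ) and debug("query: %s\n", query_string ) then read past the end of the buffer. Use sizeof(query_string) - 1 as the count and set query_string[sizeof(query_string) - 1] = '\0' afterwards (or copy an explicitly checked length with memcpy). The patch also only works if query_string is declared as a char array in this scope; if it is a pointer, sizeof yields the pointer size and the copy is cut to a few bytes.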

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Credits:

Alexander Klink, Cynops GmbH (discovery and exploit development, patch)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFF/7TXAEAIlkRL9AcRAhxmAJoDj8OT6wx+/CjKP3GOPb5+Uae/hQCffcoq
/2D9FAkTfhEJyBuUuTmarew=
=JIGg
-----END PGP SIGNATURE-----

--
Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klink@cynops.de
mobile: +49 (0)178 2121703 | Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
HRB 7833, Amtsgericht | USt-Id: DE 213094986 | Geschäftsführer:
Bad Homburg v. d. Höhe | | Martin Bartosch
