MU Security Advisory 2007-09.02

Posted Sep 19, 2007
Authored by MU Dynamics, Mu Security research team | Site labs.musecurity.com

There are multiple vulnerabilities where a maliciously-crafted packet can crash Dibbler version 0.6.0. These include packets with options with large lengths (memory allocation failure via integer overflow), invalid lengths (buffer overread), and malformed IA_NA options in a REBIND message (null pointer dereference).

tags | advisory, overflow, vulnerability
SHA-256 | f2b090fcf8285f4556684e70a8d80dc062ceda4f629aff5c30aed4839cb633a6


Dibbler Remote Denial of Service Vulnerability [MU-200709-02]
September 18, 2007

http://labs.musecurity.com/advisories.html

Affected Products/Versions:

Dibbler 0.6.0
http://klub.com.pl/dhcpv6/

Product Overview:

Dibbler is a portable DHCPv6 implementation. DHCPv6 is the Dynamic
Host Configuration Protocol for IPv6, an application-layer protocol
used to dynamically assign IPv6 addresses to network components.

Vulnerability Details:

There are multiple vulnerabilities where a maliciously-crafted packet
can crash Dibbler. These include packets with options with large
lengths (memory allocation failure via integer overflow), invalid
lengths (buffer overread), and malformed IA_NA options in a REBIND
message (null pointer dereference).

* Options with large lengths

Options with large lengths can cause integer overflows which
ultimately cause the server to fail to allocate memory and abort. For
example, in the TSrvMsg constructor (SrvMessages/SrvMsg.cpp, line 94),
the message length is converted using ntohs() and stored in a short
(line 109). The length is later passed to option constructors as an
int. The length will be sign-extended and may be incorrectly used as
a negative signed integer or a large unsigned integer. For example,
if the code is OPTION_CLIENTID and the length is -1, the server will
eventually attempt to allocate 4294967295 bytes to store the DUID
(Misc/DUID.cpp, line 26). This allocation will usually fail and the
server will abort.

Code snippet of SrvMessages/SrvMsg.cpp starting at line 106:

    while (pos<bufSize) {
        short code = ntohs( * ((short*) (buf+pos)));
        pos+=2;
        short length = ntohs(*((short*)(buf+pos)));
        pos+=2;
        ...
        case OPTION_CLIENTID:
            ptr = new TSrvOptClientIdentifier(buf+pos,length,this);

Continuing in SrvOptions/SrvOptClientIdentifier.cpp, line 23:

    TSrvOptClientIdentifier::TSrvOptClientIdentifier(
        SmartPtr<TDUID> duid, TMsg* parent)
        : TOptDUID(OPTION_CLIENTID, duid, parent)

Continuing in Options/OptDUID.cpp, line 61:

    TOptDUID::TOptDUID(int type, char* &buf, int &bufsize, TMsg* parent)
        :TOpt(type, parent)
    {
        this->DUID=new TDUID(buf,bufsize);

Continuing in Misc/DUID.cpp, line 26:

    TDUID::TDUID(const char* DUID,int DUIDlen)
    {
        ...
        if ((DUID)&&(DUIDlen))
        {
            this->DUID=new char[DUIDlen];

There are similar vulnerabilities in other constructors (e.g.,
TClntMsg, TClntOptIAAddress, TClntOptIAPrefix, TOptVendorSpecInfo, and
TOptOptionRequest) and methods (e.g., TRelIfaceMgr::decodeRelayRepl,
TRelMsg::decodeOpts, TSrvIfaceMgr::decodeRelayForw).

* Invalid lengths

In many places, lengths are not validated against buffer sizes
resulting in potential buffer overreads. For example, the TSrvMsg
constructor does not check the buffer size correctly before reading
the option code and option length (SrvMessages/SrvMsg.cpp, line 106 -
see code snippet above) and does not check the option length against
the buffer size before parsing the options.

* Malformed IA_NA options in a REBIND message

A REBIND with an invalid IA_NA can cause a null pointer dereference
due to a logic error. In TSrvOptIA_NA::rebind()
(SrvOptions/SrvOptIA_NA.cpp, line 407), the TAddrIA (ptrIA) is
retrieved from the TAddrClient (ptrClient) and then the client
(ptrClient) is checked against NULL. The TAddrIA (ptrIA) should be
checked against NULL. It can be NULL and the pointer is later
dereferenced.

Code snippet starting at line 407:

    ptrIA = ptrClient->getIA(this->IAID);
    if (!ptrClient) {
        ...
        return;
    }
    ...
    ptrIA->setTimestamp();


Vendor Response / Solution:

Fixed in Dibbler 0.6.1
Available from http://klub.com.pl/dhcpv6/

History:
May 30, 2007 - First contact with vendor
May 31, 2007 - Vendor acknowledges vulnerability
July 5, 2007 - Vendor releases security fix
July 5, 2007 - Notify vendor of additional issues
July 6, 2007 - Vendor releases snapshot
July 11, 2007 - Notify vendor of additional issues
July 13, 2007 - Vendor releases snapshot
July 30, 2007 - Notify vendor of additional issues
August 26, 2007 - Vendor releases snapshot
August 26, 2007 - Vendor releases snapshot
September 11, 2007 - Vendor releases official fix
September 18, 2007 - Advisory released

Credit:

This vulnerability was discovered by the Mu Security research team.

http://labs.musecurity.com/pgpkey.txt

Mu Security offers a new class of security analysis system, delivering a
rigorous and streamlined methodology for verifying the robustness and security
readiness of any IP-based product or application. Founded by the pioneers of
intrusion detection and prevention technology, Mu Security is backed by
preeminent venture capital firms that include Accel Partners, Benchmark
Capital and DAG Ventures. The company is headquartered in Sunnyvale, CA. For
more information, visit the company's website at http://www.musecurity.com.
