oss-sec mailing list archives
Remote crash in MaraDNS 2.0.13 and git master
From: Ondřej Surý <ondrej () sury org>
Date: Sat, 12 Nov 2016 09:39:45 +0100
Hi,

while playing with fuzzing the DNS servers with AFL (2.35b) I found a remote crash bug in MaraDNS 2.0.13 js_readuint16. It can also be reproduced using https://github.com/samboy/MaraDNS/ master branch.

Attached is a patch to allow the fuzzing (it overrides getudp() with read(0, ..)), the input data that crashes MaraDNS, and the bt full output.

Please assign CVE, I would provide a patch, but MaraDNS code is extremely hard to navigate for me, so I'll leave the fix for the code author.

AFL has finished only 1 cycle (and found the 1 unique crash), so I'll keep it running for a while.

Cheers,
-- 
Ondřej Surý <ondrej () sury org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware, fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Flours from the mill and supplies for baking bread of all kinds
Attachments:
- maradns.btfull
- allow-fuzzing.patch
- id:000000,sig:11,src:007564,op:havoc,rep:32
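
The harness approach the message describes (replacing the UDP receive with a read from stdin so AFL can deliver test cases), as an added example that is not part of the original post and is not MaraDNS code. The names `fuzz_recv`, `read_u16`, `parse_header` and `fuzz_one` are hypothetical, and the bounds-checked reader only illustrates the kind of helper such a harness exercises; the message does not state the cause of the reported crash.

```c
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define MAX_DGRAM 512 /* assumption: classic DNS-over-UDP size limit */

/* Hypothetical stand-in for the server's UDP receive: take one "datagram"
 * from a file descriptor so AFL can deliver each test case on stdin. */
static ssize_t fuzz_recv(int fd, unsigned char *buf, size_t cap)
{
    size_t got = 0;
    while (got < cap) {
        ssize_t n = read(fd, buf + got, cap - got);
        if (n < 0) return -1;
        if (n == 0) break;            /* EOF ends the test case */
        got += (size_t)n;
    }
    return (ssize_t)got;              /* longer input is cut at cap */
}

/* Big-endian 16-bit read that refuses to touch bytes outside buf[0..len). */
static int read_u16(const unsigned char *buf, size_t len, size_t off, uint16_t *out)
{
    if (len < 2 || off > len - 2) return -1;
    *out = (uint16_t)((buf[off] << 8) | buf[off + 1]);
    return 0;
}

/* Toy parser: ID (offset 0) and QDCOUNT (offset 4) of a DNS header. */
static int parse_header(const unsigned char *buf, size_t len, uint16_t *id, uint16_t *qd)
{
    if (read_u16(buf, len, 0, id) != 0) return -1;
    return read_u16(buf, len, 4, qd);
}

/* One fuzz iteration: 0 if the header parsed, -1 if input was rejected. */
static int fuzz_one(int fd)
{
    unsigned char pkt[MAX_DGRAM];
    uint16_t id = 0, qd = 0;
    ssize_t n = fuzz_recv(fd, pkt, sizeof pkt);
    if (n < 0) return -1;
    return parse_header(pkt, (size_t)n, &id, &qd);
}

int main(void)
{
    puts(fuzz_one(0) == 0 ? "parsed" : "rejected"); /* fd 0 = stdin */
    return 0;
}
```

Built with an AFL compiler wrapper, the binary reads each generated test case from stdin, so no socket setup is needed during fuzzing.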