oss-sec mailing list archives

Re: Remote crash in MaraDNS 2.0.13 and git master


From: Ondřej Surý <ondrej () sury org>
Date: Mon, 14 Nov 2016 06:53:24 +0100

Hi all,

AFL found another 5 crashes, totaling 6 unique crashes. Looking at the
backtraces, it looks like it's just 3 unique crashes:

- js_readuint16
- js_substr

- process_query -> this in fact looks like stack smashing, since it
crashes on htons in an unrelated place

id:000000
id:000002
Program received signal SIGSEGV, Segmentation fault.
js_readuint16 (js=js@entry=0x6de290, offset=offset@entry=4) at JsStr.c:1064
1064               (*(js->string + offset + 1) & 0xff);


id:000001
id:000005
Program received signal SIGSEGV, Segmentation fault.
js_substr (source=source@entry=0x6de290, dest=dest@entry=0x6e37f0, start=start@entry=99, count=count@entry=63743) at JsStr.c:731
731               *(source->string + counter + start * source->unit_size);

NOTE: id000001 cannot be reproduced on git master, but id000005 still
crashes it, so they probably are separate issues after all.

id:000003
id:000004
Program received signal SIGSEGV, Segmentation fault.
proc_query (raw=0x6de5d0, ect=0x7fffffffd940, sock=0) at MaraDNS.c:2615
2615        ip = htonl((z->sin_addr).s_addr);

This is after 58 AFL cycles.

It will be worth retesting with ASAN enabled.

Cheers,
-- 
Ondřej Surý <ondrej () sury org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Flour from the mill and supplies for
baking bread of all kinds

On Sat, Nov 12, 2016, at 09:39, Ondřej Surý wrote:
Hi,

while playing with fuzzing the DNS servers with AFL (2.35b), I found a
remote crash bug in MaraDNS 2.0.13 js_readuint16. It can also be
reproduced using the https://github.com/samboy/MaraDNS/ master branch.

Attached is a patch to allow the fuzzing (it overrides getudp() with
read(0, ..)), the input data that crashes MaraDNS, and the bt full
output.

Please assign a CVE. I would provide a patch, but the MaraDNS code is
extremely hard for me to navigate, so I'll leave the fix to the code
author.

AFL has finished only 1 cycle (and found the 1 unique crash), so I'll
keep it running for a while.

Cheers,
-- 
Ondřej Surý <ondrej () sury org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Knot Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware,
fast DNS(SEC) resolver
Vše pro chleba (https://vseprochleba.cz) – Flour from the mill and supplies for
baking bread of all kinds
Email had 3 attachments:
+ maradns.btfull (5k, application/octet-stream)
+ allow-fuzzing.patch (2k, text/x-patch)
+ id:000000,sig:11,src:007564,op:havoc,rep:32 (1k, application/octet-stream)
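The two backtraces in the reply above both fault on an indexed read into a length-carrying string buffer (a 16-bit read at an offset, and a substring copy with start=99 and count=63743). The following is an added example, not MaraDNS code, showing the bounds checks such accessors need before touching the buffer; the struct and function names are hypothetical stand-ins modeled on the field names in the traces, and the sample buffer is constructed.

```c
/* Added example (not MaraDNS code): bounds-checked analogues of the two
 * accesses seen in the backtraces. jsbuf_t is a hypothetical stand-in for
 * the js_string type in the traces. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    unsigned char *string;  /* backing buffer */
    size_t len;             /* number of valid bytes in string */
} jsbuf_t;

/* Read a big-endian uint16 at offset. Returns 0 on success, -1 if bytes
 * offset and offset+1 are not both inside the buffer. The unchecked form,
 * (string[offset] << 8) | string[offset + 1], reads past the end whenever
 * offset + 2 > len; the trace shows that read, not why it faulted. */
int readuint16_checked(const jsbuf_t *js, size_t offset, uint16_t *out) {
    if (js == NULL || js->string == NULL || out == NULL) return -1;
    if (offset > js->len || js->len - offset < 2) return -1; /* no size_t wrap */
    *out = (uint16_t)((js->string[offset] << 8) | js->string[offset + 1]);
    return 0;
}

/* Copy count bytes starting at start into dest (capacity dest_cap). Rejects
 * a start/count pair that does not fit inside src, such as start=99 with
 * count=63743 from the js_substr trace, instead of walking off the end. */
int substr_checked(const jsbuf_t *src, size_t start, size_t count,
                   unsigned char *dest, size_t dest_cap) {
    if (src == NULL || src->string == NULL || dest == NULL) return -1;
    if (start > src->len || src->len - start < count) return -1;
    if (count > dest_cap) return -1;
    memcpy(dest, src->string + start, count);
    return 0;
}

/* Constructed sample: a 4-byte buffer queried with the offset and count
 * values from the traces. Both out-of-range requests are refused and the
 * in-range read succeeds; returns 1 when all three behave as expected. */
int demo(void) {
    unsigned char raw[4] = {0x12, 0x34, 0x56, 0x78};
    jsbuf_t js = { raw, sizeof raw };
    unsigned char dest[8];
    uint16_t v = 0;
    int bad_read = readuint16_checked(&js, 4, &v);                     /* -1 */
    int bad_sub  = substr_checked(&js, 99, 63743, dest, sizeof dest); /* -1 */
    int ok       = readuint16_checked(&js, 2, &v);                     /* 0 */
    printf("oob read=%d oob substr=%d ok=%d v=0x%04x\n", bad_read, bad_sub, ok, v);
    return (bad_read == -1 && bad_sub == -1 && ok == 0 && v == 0x5678);
}
```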
