Denial of Service vulnerability (infinite loop) while parsing malicious mDNS queries #10
CVE Reporting (2018-12-27) reporter
A maliciously crafted mDNS (Multicast DNS) packet triggers an infinite loop while parsing an mDNS query. The mDNS compressed labels point to each other, and the function uncompress_nlabel goes into an infinite loop trying to analyze the packet with the mDNS query. As a result, the mDNS server hangs after receiving the malicious mDNS packet. A sample packet is attached (raw format: one version is only the UDP payload part of the packet and the second is the full UDP packet).
Vulnerable loop: mdns.c: 1st loop: lines 234-245; 2nd loop: lines 252-265
A similar issue was described in the following CVE: https://www.kb.cert.org/vuls/id/23495
Proposed CVSS 3.0 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H (8.6 - High)
(tinysvcmdns is frequently used in embedded environments where an infinite loop in one module affects the whole system, because no pre-emptive OS is used)
Mitigation: the mDNS server should detect loops while parsing DNS compressed labels. The simplest way to detect this is to keep a counter of processed labels and trigger an error if the counter hits some defined value. Please take a look at the patch that was produced to fix this issue in TizenRT (which uses tinysvcmdns):
2d9a3f156f
Packet that triggers this issue: hang_01_uncompress_nlabel.raw
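The counter-based mitigation described in the report, sketched as an added example; this is not tinysvcmdns code and not the TizenRT patch. The function name `expand_name`, the `MAX_STEPS` value and both sample packets are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_STEPS 128 /* assumed cap: a 255-byte DNS name cannot need more */

/* Expand the (possibly compressed) name at pkt[off] into dotted text.
 * Returns the text length, or -1 on truncation, a reserved label type,
 * or more than MAX_STEPS labels/pointer hops (i.e. a pointer cycle). */
int expand_name(const uint8_t *pkt, size_t len, size_t off,
                char *out, size_t outsz)
{
    size_t n = 0;
    int steps = 0;
    if (outsz == 0) return -1;
    for (;;) {
        /* The counter: every label or pointer costs one step. */
        if (off >= len || ++steps > MAX_STEPS) return -1;
        uint8_t c = pkt[off];
        if (c == 0) break;                      /* root label ends the name */
        if ((c & 0xC0) == 0xC0) {               /* compression pointer */
            if (off + 1 >= len) return -1;
            off = ((size_t)(c & 0x3F) << 8) | pkt[off + 1];
            continue;
        }
        if (c & 0xC0) return -1;                /* 0x40/0x80 are reserved */
        if (off + 1 + c > len || n + c + 2 > outsz) return -1;
        memcpy(out + n, pkt + off + 1, c);
        n += c;
        out[n++] = '.';
        off += 1 + (size_t)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Constructed: two pointers that reference each other (0 -> 2 -> 0 ...). */
const uint8_t looping_pkt[] = { 0xC0, 0x02, 0xC0, 0x00 };
/* Constructed: "foo.local." at offset 0, "bar" + pointer to 0 at offset 11. */
const uint8_t benign_pkt[] = { 3,'f','o','o', 5,'l','o','c','a','l', 0,
                               3,'b','a','r', 0xC0, 0x00 };

int main(void)
{
    char buf[64];
    int r = expand_name(looping_pkt, sizeof looping_pkt, 0, buf, sizeof buf);
    printf("looping packet -> %d\n", r);
    r = expand_name(benign_pkt, sizeof benign_pkt, 11, buf, sizeof buf);
    printf("benign packet  -> %d (%s)\n", r, r >= 0 ? buf : "rejected");
    return 0;
}
```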