Heap-based buffer overread while parsing mDNS RR section (off-by-one) #12

Open
opened 2020-07-19 02:04:20 +00:00 by df · 0 comments

CVE Reporting (2018-12-27) reporter

Function mdns_parse_rr, which parses the mDNS RR (resource records) section, goes outside the data buffer: the offset variables (off and p) go outside the size of the input buffer (pkt_len). Vulnerable lines: mdns.c:665, mdns.c:668

Proposed CVSS 3.0 score: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L (3.7 Low)

Mitigation: While parsing the input buffer, the current offset should be checked and an error returned when pkt_len is reached. Please take a look at the patch that was produced to fix this issue in TizenRT (which uses tinysvcmdns): https://github.com/Samsung/TizenRT/pull/810/commits/2d9a3f156f1a5b551403aabef2fa9edfe1ad12bc

Packets that trigger this issue: crash_005_parse_rr.raw, crash_007_parse_rr.raw

Crash details using AddressSanitizer:

```
=================================================================
==26284==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000f04c at pc 0x00000040fc05 bp 0x7ffc7325fc40 sp 0x7ffc7325fc30
READ of size 1 at 0x60600000f04c thread T0
    #0 0x40fc04 in mdns_read_u16 src/tinysvcmdns-latest/mdns.c:549
    #1 0x40fc04 in mdns_parse_rr src/tinysvcmdns-latest/mdns.c:665
    #2 0x40fc04 in mdns_parse_pkt src/tinysvcmdns-latest/mdns.c:806
    #3 0x4012bf in main src/tinysvcmdns-latest/test_mdns.c:106
    #4 0x7f6a9821982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x401878 in _start (src/tinysvcmdns-latest/test_mdns+0x401878)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow src/tinysvcmdns-latest/mdns.c:549 mdns_read_u16
Shadow bytes around the buggy address:
  0x0c0c7fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9df0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 01
=>0x0c0c7fff9e00: fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa
  0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==26284==ABORTING
```

[crash_007_mdns_parse_rr.raw](https://bitbucket.org/geekman/tinysvcmdns/issues/attachments/13/geekman/tinysvcmdns/1545922104.82/13/crash_007_mdns_parse_rr.raw)
[crash_005_mdns_parse_rr.raw](https://bitbucket.org/geekman/tinysvcmdns/issues/attachments/13/geekman/tinysvcmdns/1545922104.72/13/crash_005_mdns_parse_rr.raw)
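The check the mitigation asks for, as an added example in C that is not tinysvcmdns code and not the TizenRT patch: a walk over an RR section in which every read of a name label, TYPE, CLASS, TTL, RDLENGTH and the RDATA span is compared against pkt_len before the byte is touched, and the parser returns an error the moment a field would cross the end of the buffer. All comparisons are strict: a cursor equal to pkt_len has nothing left to read, which is exactly the position an off-by-one check lets through. The names (rr_read_u16, rr_read_u32, rr_skip_name, rr_parse_section, struct rr_hdr, parse_prefix) and the packet bytes are assumptions constructed for this example, not taken from the library or from the attached crash files.

```c
/* Bounds-checked parse of a DNS/mDNS resource-record section.
 * Added example with hypothetical names; not tinysvcmdns code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct rr_hdr {
    uint16_t type;
    uint16_t rr_class;  /* high bit is the mDNS cache-flush flag */
    uint32_t ttl;
    uint16_t rdlength;
    size_t   rdata_off; /* offset of RDATA inside the packet */
};

/* Each reader checks the remaining length *before* reading, then advances.
 * Reading first and checking later is the pattern that lets off/p run past
 * the heap buffer, as in the ASan trace above. */
static int rr_read_u16(const uint8_t *pkt, size_t pkt_len, size_t *off, uint16_t *out)
{
    if (*off > pkt_len || pkt_len - *off < 2)
        return -1;
    *out = (uint16_t)((pkt[*off] << 8) | pkt[*off + 1]);
    *off += 2;
    return 0;
}

static int rr_read_u32(const uint8_t *pkt, size_t pkt_len, size_t *off, uint32_t *out)
{
    if (*off > pkt_len || pkt_len - *off < 4)
        return -1;
    *out = ((uint32_t)pkt[*off] << 24) | ((uint32_t)pkt[*off + 1] << 16)
         | ((uint32_t)pkt[*off + 2] << 8) | pkt[*off + 3];
    *off += 4;
    return 0;
}

/* Advance past a DNS name: length-prefixed labels ended by a zero byte, or
 * cut short by a 2-byte compression pointer. The pointer is not followed,
 * only the wire length of the name matters for the cursor. */
static int rr_skip_name(const uint8_t *pkt, size_t pkt_len, size_t *off)
{
    for (;;) {
        if (*off >= pkt_len)
            return -1;                  /* packet ends inside a name */
        uint8_t len = pkt[*off];
        if ((len & 0xC0) == 0xC0) {     /* compression pointer ends the name */
            if (pkt_len - *off < 2)
                return -1;
            *off += 2;
            return 0;
        }
        if (len & 0xC0)
            return -1;                  /* 0x40/0x80 label types are invalid */
        *off += 1;
        if (len == 0)
            return 0;                   /* root label terminates the name */
        if (len > 63 || pkt_len - *off < len)
            return -1;                  /* label longer than what is left */
        *off += len;
    }
}

/* Parse `count` records starting at *off. Returns count on success, or -1 as
 * soon as any field would cross pkt_len; an RR count in the header that is
 * larger than the data actually present fails on the first missing record. */
static int rr_parse_section(const uint8_t *pkt, size_t pkt_len, size_t *off,
                            unsigned count, struct rr_hdr *out, unsigned max_out)
{
    for (unsigned i = 0; i < count; i++) {
        struct rr_hdr h;
        if (rr_skip_name(pkt, pkt_len, off) < 0) return -1;
        if (rr_read_u16(pkt, pkt_len, off, &h.type) < 0) return -1;
        if (rr_read_u16(pkt, pkt_len, off, &h.rr_class) < 0) return -1;
        if (rr_read_u32(pkt, pkt_len, off, &h.ttl) < 0) return -1;
        if (rr_read_u16(pkt, pkt_len, off, &h.rdlength) < 0) return -1;
        h.rdata_off = *off;
        if (pkt_len - *off < h.rdlength)   /* RDLENGTH claims more than remains */
            return -1;
        *off += h.rdlength;
        if (i < max_out) out[i] = h;
    }
    return (int)count;
}

/* Constructed sample: one A record for "host.local" (26 bytes), not captured traffic. */
static const uint8_t sample_rr[] = {
    4,'h','o','s','t', 5,'l','o','c','a','l', 0, /* name, 12 bytes */
    0x00,0x01,                                   /* TYPE  = A */
    0x80,0x01,                                   /* CLASS = IN, cache-flush */
    0x00,0x00,0x00,0x78,                         /* TTL   = 120 */
    0x00,0x04,                                   /* RDLENGTH = 4 */
    10,0,0,1                                     /* RDATA = 10.0.0.1 */
};

/* Parse `count` records from the first `len` bytes of sample_rr; truncating
 * `len` simulates the malformed packets from the report. */
static int parse_prefix(size_t len, unsigned count, struct rr_hdr *out)
{
    size_t off = 0;
    return rr_parse_section(sample_rr, len, &off, count, out, 1);
}

int main(void)
{
    struct rr_hdr h;
    printf("full packet, 1 RR : %d\n", parse_prefix(sizeof sample_rr, 1, &h));
    printf("cut inside CLASS  : %d\n", parse_prefix(14, 1, &h));
    printf("header says 2 RRs : %d\n", parse_prefix(sizeof sample_rr, 2, &h));
    return 0;
}
```

The four failure paths worth fuzzing separately are a name cut mid-label, a fixed field cut mid-way, an RDLENGTH larger than the remaining bytes, and an RR count in the header larger than the records present; the last one is the shape the attached packets exercise, since the loop in the report keeps reading fields after the cursor has reached pkt_len.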

Reference: df/zeroconf#12