Arbitrary memory read while parsing malicious mDNS queries #9

New Issue

Open

opened 2020-07-19 01:50:25 +00:00 by df · 0 comments

df commented 2020-07-19 01:50:25 +00:00

Owner

Copy Link

CVE Reporting (2018-12-27) reporter

Function uncompress_nlabel that uncompresses mDNS nlabels reads data from arbitrary address based on input from mDNS packet.

Based on DNS specification: "A compression label is a pointer that occupies the NAME field of the Answer section (16 bits). The first 2 bits are set to 1, the 14 remaining bits describe the offset, i.e. the position of the compression target from the beginning of the DNS message."

Offset to next label is calculated in mdns.c:237 (the same code is duplicated at line 255): uint8_t p2 = pkt_buf + (((p[0] & ~0xC0) << 8) | p[1]); And immediately used in next line without any check whether p2 is within allocated buffer: llen = p2 + 1; This allows to arbitrary data read up to 16383 bytes from the start of the buffer. This can lead do segmentation fault and crash of the server (depending on the memory protection of the CPU and the operating system) or disclosing the memory content via error messages or server response.

Proposed CVSS 3.0 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H (9.3 Critical)

Packet that triggers this issue: crash_000_uncompress_nlabel_SEGV_16140.raw

Mitigation : While parsing the input buffer current offset should be checked and return with error when pkt_len is reached. Please take a look at patch that was produced to fix this issues in TizenRT (that uses tinysvcmdns): 2d9a3f156f

Crash details using Address Sanitizer:

ASAN:SIGSEGV
=================================================================
==14253==ERROR: AddressSanitizer: SEGV on unknown address 0x606000012fbf (pc 0x000000402c45 bp 0x60600000eff9 sp 0x7ffdd4c6e1c0 T0)
    #0 0x402c44 in uncompress_nlabel src/tinysvcmdns-latest/mdns.c:238
    #1 0x40bdaf in mdns_parse_rr src/tinysvcmdns-latest/mdns.c:658
    #2 0x40bdaf in mdns_parse_pkt src/tinysvcmdns-latest/mdns.c:806
    #3 0x4012bf in main src/tinysvcmdns-latest/test_mdns.c:106
    #4 0x7f12b3f9c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x401878 in _start (src/tinysvcmdns-latest/test_mdns+0x401878)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/tinysvcmdns-latest/mdns.c:238 uncompress_nlabel
==14253==ABORTING

crash_000_uncompress_nlabel_SEGV_16140.raw

# CVE Reporting (2018-12-27) reporter Function uncompress_nlabel that uncompresses mDNS nlabels reads data from arbitrary address based on input from mDNS packet. Based on DNS specification: "A compression label is a pointer that occupies the NAME field of the Answer section (16 bits). The first 2 bits are set to 1, the 14 remaining bits describe the offset, i.e. the position of the compression target from the beginning of the DNS message." Offset to next label is calculated in mdns.c:237 (the same code is duplicated at line 255): uint8_t p2 = pkt_buf + (((p[0] & ~0xC0) << 8) | p[1]); And immediately used in next line without any check whether p2 is within allocated buffer: llen = p2 + 1; This allows to arbitrary data read up to 16383 bytes from the start of the buffer. This can lead do segmentation fault and crash of the server (depending on the memory protection of the CPU and the operating system) or disclosing the memory content via error messages or server response. Proposed CVSS 3.0 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H (9.3 Critical) Packet that triggers this issue: crash_000_uncompress_nlabel_SEGV_16140.raw Mitigation : While parsing the input buffer current offset should be checked and return with error when pkt_len is reached. Please take a look at patch that was produced to fix this issues in TizenRT (that uses tinysvcmdns): https://github.com/Samsung/TizenRT/pull/810/commits/2d9a3f156f1a5b551403aabef2fa9edfe1ad12bc ``` Crash details using Address Sanitizer: ASAN:SIGSEGV ================================================================= ==14253==ERROR: AddressSanitizer: SEGV on unknown address 0x606000012fbf (pc 0x000000402c45 bp 0x60600000eff9 sp 0x7ffdd4c6e1c0 T0) #0 0x402c44 in uncompress_nlabel src/tinysvcmdns-latest/mdns.c:238 #1 0x40bdaf in mdns_parse_rr src/tinysvcmdns-latest/mdns.c:658 #2 0x40bdaf in mdns_parse_pkt src/tinysvcmdns-latest/mdns.c:806 #3 0x4012bf in main src/tinysvcmdns-latest/test_mdns.c:106 #4 0x7f12b3f9c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #5 0x401878 in _start (src/tinysvcmdns-latest/test_mdns+0x401878) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV src/tinysvcmdns-latest/mdns.c:238 uncompress_nlabel ==14253==ABORTING ``` [crash_000_uncompress_nlabel_SEGV_16140.raw](https://bitbucket.org/geekman/tinysvcmdns/issues/attachments/10/geekman/tinysvcmdns/1545921628.04/10/crash_000_uncompress_nlabel_SEGV_16140.raw)

df referenced this issue from a commit 2020-07-23 11:10:32 +00:00

Initial working responder version reabsorbing TizenRT changes. Consequently: - fixes #9 Arbitrary memory read while parsing malicious mDNS queries (mdns.c); - fixes #10 Denial of Service vulnerability (infinite loop) while parsing malicious mDNS queries (mdns.c); - fixes #11 Heap-based buffer overread (off-by-one) (mdns.c); - fixes #12 Heap-based buffer overread while parsing mDNS RR section (off-by-one) (mdns.c).

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

HummyNew

IP-TTL-255-patch

TizenRT

philippe44_tsm

HummyPkg

zeroconf_2.0-0

Labels

Clear labels

No items

No Label

Milestone

Clear milestone

No items

No Milestone

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: df/zeroconf#9

No description provided.