CVE-2019-14513: GitHub - Slovejoy/dnsmasq-pre2.76: vulnerability assessment for early versions of dnsmasq

Improper bounds checking in Dnsmasq before 2.76 allows an attacker controlled DNS server to send large DNS packets that result in a read operation beyond the buffer allocated for the packet, a different vulnerability than CVE-2017-14491.


While attempting to use Google Security Team's CVE-2017-14491 against dnsmasq versions <2.78, I found a new vulnerability present in dnsmasq <2.76. In this case, an attacker-controlled DNS server could send a response larger than 4096 bytes. Since that response is truncated at 4096 bytes, part of the packet is left off: a "tail." When examining the source code, I found that do_doctor() in rfc1035.c iterates through each answer record. In this function, the packet read pointer is advanced by 4 bytes to skip the time-to-live field of the answer. Because the packet was truncated at 4096 bytes, the answer section it describes extends past the bytes that actually arrived, so this pointer can be advanced beyond the heap memory allocated for the packet, potentially causing an out-of-bounds read that leads to a crash and a denial of service.
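To make the mechanism concrete, here is an added, self-contained C model of the record walk described above. It is not the repository's PoC and not dnsmasq's code: the buffer limit is scaled down from 4096 to a hypothetical PKT_MAX of 64 bytes, the reply is constructed inline rather than captured, and the function names (skip_name, walk_answers, build_reply, run_demo) are my own. The same walker runs twice: once bounded by the real allocation (the hardened form, which refuses the truncated record) and once bounded only by the physical backing memory behind the allocation (which is what an unchecked walk effectively trusts), so the overrun can be measured instead of crashing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical scaled-down stand-in for the 4096-byte packet buffer. PKT_MAX
 * is the "allocation"; BACKING is zeroed storage behind it that plays the role
 * of adjacent heap memory, so the unchecked walk can step past the allocation
 * without real undefined behaviour. */
#define PKT_MAX 64
#define BACKING 256

/* Offset just past the DNS name at `off`, or (size_t)-1 if the name does not
 * end before `limit`. Labels are <len><bytes> ended by a zero byte; a byte with
 * both top bits set starts a 2-byte compression pointer. */
static size_t skip_name(const uint8_t *p, size_t off, size_t limit)
{
    while (off < limit) {
        uint8_t l = p[off];
        if (l == 0)
            return off + 1;
        if ((l & 0xC0) == 0xC0)
            return (off + 2 <= limit) ? off + 2 : (size_t)-1;
        off += 1 + l;
    }
    return (size_t)-1;
}

/* Walk `ancount` answers from `off`: NAME, TYPE(2), CLASS(2), TTL(4),
 * RDLENGTH(2), RDATA. Every step is checked against `limit`. Returns records
 * walked, or -1 if a step would cross `limit`; *reached gets the offset one
 * past the last byte read. */
static int walk_answers(const uint8_t *p, size_t off, size_t limit,
                        int ancount, size_t *reached)
{
    int n;
    *reached = off;
    for (n = 0; n < ancount; n++) {
        off = skip_name(p, off, limit);
        if (off == (size_t)-1)
            return -1;
        if (off + 10 > limit)          /* TYPE+CLASS+TTL+RDLENGTH */
            return -1;
        off += 8;                      /* the "+4 past the TTL" lives here */
        size_t rdlen = ((size_t)p[off] << 8) | p[off + 1];
        off += 2;
        if (off + rdlen > limit)
            return -1;
        off += rdlen;
        *reached = off;
    }
    return n;
}

/* Constructed (not captured) reply: ANCOUNT=4, one question for example.com,
 * four 16-byte A records: 12 + 17 + 4*16 = 93 bytes, longer than PKT_MAX. */
static size_t build_reply(uint8_t *out)
{
    static const uint8_t hdr[12] = {0x12,0x34, 0x81,0x80, 0,1, 0,4, 0,0, 0,0};
    static const uint8_t q[17] = {7,'e','x','a','m','p','l','e',3,'c','o','m',0,
                                  0,1, 0,1};
    uint8_t rr[16] = {0xC0,0x0C, 0,1, 0,1, 0,0,0x0E,0x10, 0,4, 93,184,216,34};
    size_t n = 0;
    memcpy(out + n, hdr, sizeof hdr); n += sizeof hdr;
    memcpy(out + n, q, sizeof q);     n += sizeof q;
    for (int i = 0; i < 4; i++) {
        rr[15] = (uint8_t)(34 + i);
        memcpy(out + n, rr, sizeof rr); n += sizeof rr;
    }
    return n;
}

struct walk_result { int checked; int unchecked; size_t overrun; };

/* Receive the reply into a PKT_MAX-byte buffer (dropping the tail), then walk
 * the answers bounded by the allocation and again bounded only by the backing
 * memory. overrun is how many bytes the latter read past PKT_MAX. */
static struct walk_result run_demo(void)
{
    uint8_t full[128], mem[BACKING];
    struct walk_result r;
    size_t reached, len = build_reply(full);

    memset(mem, 0, sizeof mem);
    memcpy(mem, full, len > PKT_MAX ? PKT_MAX : len);   /* truncation */

    int ancount = (mem[6] << 8) | mem[7];                /* still says 4 */
    size_t off = skip_name(mem, 12, PKT_MAX) + 4;        /* past QTYPE/QCLASS */

    r.checked = walk_answers(mem, off, PKT_MAX, ancount, &reached);
    r.unchecked = walk_answers(mem, off, BACKING, ancount, &reached);
    r.overrun = reached > PKT_MAX ? reached - PKT_MAX : 0;
    return r;
}

int main(void)
{
    struct walk_result r = run_demo();
    printf("checked walk: %d (-1 = refused), unchecked walk: %d records, "
           "%zu bytes read past the %d-byte allocation\n",
           r.checked, r.unchecked, r.overrun, PKT_MAX);
    return 0;
}
```

The header's ANCOUNT and each record's RDLENGTH still describe the full 93-byte reply, so the walk bounded only by "whatever memory comes next" happily parses all four records and ends 20 bytes past the allocation; the walk bounded by the allocation stops at the third record, which is the check a fix needs before every skip, not just before the RDATA.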

The proof-of-concept (PoC) provided is heavily based on the research done by Google's security team in 2017. Copyright 2017 Google Inc.

Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Authors: Fermin J. Serna, Felix Wilhelm, Gabriel Campana, Kevin Hamacher, Gynvael Coldwind, Ron Bowes (Xoogler)

See their blog post here: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
See their GitHub here: https://github.com/google/security-research-pocs/tree/master/vulnerabilities/dnsmasq

For more information on dnsmasq see: https://github.com/imp/dnsmasq
Dnsmasq is a project by Simon Kelley and can be found here: http://thekelleys.org.uk/dnsmasq/doc.html

The affected git commit is 15379ea1f252d1f53c5d93ae970b22dedb233642; that commit and every earlier one are affected.
