By Jake Edge
November 14, 2012
The domain name system (DNS) seems relatively straightforward, at least
from a high level, but there are some darker corners of the protocol that
could easily trip
up the unwary—or even the wary. A recent vulnerability
in the Exim mail transfer agent shows one
such example, but there are more. In fact, Exim developer Phil Pennock,
who patched the recent vulnerability, has collected up a number of these places
where DNS parsing can go awry.
The Exim hole was a fairly standard buffer overflow, but it came about
because of the way DNS messages are structured. When a program requests a
TXT record (for, say, a DomainKeys
Identified Mail (DKIM) public key), the reply is broken up into
multiple DNS "strings". The TXT record itself can be up to 64K in
size, with an overall length specified in the "resource record"
(RR) header, but it is broken up into multiple strings, each of
which is prefaced with a length.
Each string is a one-octet length value, followed by that many octets of data.
To construct the full TXT record, one collects each of the
string payloads into a buffer, which is where Exim went astray. For DKIM
verification, a 4K buffer was allocated for the TXT record. Each
string was length checked, so that it couldn't overrun the buffer, but the
loop did not terminate once the buffer was exhausted. An
attacker-controlled DNS server (or a benign server that just had a
TXT record larger than 4K) could send a large record and either
crash Exim or execute arbitrary code.
The fix
is simple, making two changes: check for buffer exhaustion before looking
at the next string and increase the size of the buffer to 64K. Either of
those would be sufficient to fix the problem; doing both just provides a
more robust fix. It's not clear why the original 4K buffer size was
chosen, but Pennock speculated that it seemed a reasonable limit to the
original developer given that there was a test for overflow (though it
turned out to be incorrect).
The problem was found in an Exim DKIM code inspection that was done after
a US-CERT advisory and a Wired article raised DKIM issues. While the
specific problems reported were not present in Exim, Pennock was concerned
that increased attention would be focused on that code, thus the code
review.
There are other implications to consider with the strings that make up a
TXT record. At first blush, joining the strings directly (rather
than with a space or newline character) makes sense, but there are
protocols that depend on the strings within a TXT record being
treated as separate entities. DKIM and Sender Policy
Framework (SPF) both explicitly say that the strings
should be joined directly, but forcing that behavior for all TXT
records retrieved by Exim broke some ad hoc uses.
Likewise, there is a question of how to handle multiple TXT
records. Those records will be returned in random order, so two DKIM key
TXT records (i.e. prefaced with "v=DKIM1;") could be returned in a
query. If
applications don't check for that possibility, or handle it differently
than the DNS administrator creating the TXT records expected,
problems could result. Once again, DKIM and SPF explicitly disallow
multiple TXT records for their information, so compliant programs
need to check. Other protocols may not be as clear.
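The TXT handling discussed above, as an added C example written for this article rather than taken from Exim: txt_join() reassembles the length-prefixed strings of one TXT RDATA block, testing the output buffer for exhaustion before each copy (the first of the two fixes); txt_count_strings() gives the separate-entity view that some ad hoc TXT uses depend on; and txt_count_tagged() applies the one-record rule of DKIM and SPF to the set of records a query returns. The function names and the sample RDATA are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes returned by txt_join(). */
enum txt_status { TXT_OK = 0, TXT_MALFORMED = -1, TXT_TOO_BIG = -2 };

/*
 * Walk the <character-string>s in one TXT RDATA block and return how many
 * there are, or -1 if a length prefix runs past the end of the RDATA.
 * Protocols that treat the strings as separate entities need this view.
 */
int txt_count_strings(const uint8_t *rdata, size_t rdlen)
{
    size_t pos = 0;
    int n = 0;
    while (pos < rdlen) {
        size_t len = rdata[pos++];       /* one-octet length prefix */
        if (len > rdlen - pos)
            return -1;
        pos += len;
        n++;
    }
    return n;
}

/*
 * Concatenate the strings directly, with no separator, as DKIM and SPF
 * require. Two checks run before every copy: the length prefix must fit
 * inside the remaining RDATA, and the output buffer must have room for
 * the whole string plus a terminating NUL. A record that does not fit is
 * reported as TXT_TOO_BIG rather than truncated, so the caller can decide
 * whether to retry with a larger buffer or reject the record.
 */
int txt_join(const uint8_t *rdata, size_t rdlen,
             char *out, size_t outcap, size_t *outlen)
{
    size_t pos = 0, used = 0;

    if (outcap == 0)
        return TXT_TOO_BIG;
    while (pos < rdlen) {
        size_t len = rdata[pos++];
        if (len > rdlen - pos)
            return TXT_MALFORMED;        /* string claims more octets than remain */
        if (len > outcap - 1 - used)
            return TXT_TOO_BIG;          /* would overrun the caller's buffer */
        memcpy(out + used, rdata + pos, len);
        used += len;
        pos += len;
    }
    out[used] = '\0';
    *outlen = used;
    return TXT_OK;
}

/*
 * Given the joined text of every TXT record returned for a name, count how
 * many start with the given tag (e.g. "v=DKIM1;"). DKIM and SPF allow exactly
 * one such record, so a count other than 1 is a reason to refuse the lookup.
 */
int txt_count_tagged(const char *const *records, size_t nrecords, const char *tag)
{
    size_t taglen = strlen(tag);
    int n = 0;
    for (size_t i = 0; i < nrecords; i++)
        if (strncmp(records[i], tag, taglen) == 0)
            n++;
    return n;
}

/* Constructed sample RDATA: two strings, "v=DKIM1; " and "k=rsa". */
static const uint8_t sample_rdata[] = {
    9, 'v', '=', 'D', 'K', 'I', 'M', '1', ';', ' ',
    5, 'k', '=', 'r', 's', 'a'
};

int main(void)
{
    char buf[64];
    size_t n;
    if (txt_join(sample_rdata, sizeof sample_rdata, buf, sizeof buf, &n) == TXT_OK)
        printf("%d strings, joined: \"%s\" (%zu bytes)\n",
               txt_count_strings(sample_rdata, sizeof sample_rdata), buf, n);
    /* Constructed set of records as a query might return them, in any order. */
    const char *records[] = { "v=DKIM1; k=rsa", "v=DKIM1; k=rsa; t=y", "some other text" };
    printf("DKIM records: %d\n", txt_count_tagged(records, 3, "v=DKIM1;"));
    return 0;
}
```

Rather than truncating silently, txt_join() returns TXT_TOO_BIG, so a caller that sized its buffer at the 4K Exim originally used learns that the record did not fit and can reallocate up to the 64K RDATA maximum. The capacity test runs before the copy, which is exactly the termination condition the original loop lacked.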
Beyond that, DNS has some surprises in the kinds of names it allows. Many
believe that domain and host names are restricted to certain subsets of
characters, but that is not true. As RFC 2181 specifies, the
limits are purely length-based (63 octets per component, 255 octets for a
domain name). Each octet of the name can contain any value from 0 to 255.
Looking at the host names returned by the following command is rather
interesting:
$ host -lva test.globnix.net nlns.globnix.net
...
foo\\.bar.test.globnix.net. 600 IN A 192.0.2.8
...
cr\013\010lf.test.globnix.net. 600 IN AAAA 2a02:898:31:dead:beef::32
...
i-want-nul.test.globnix.net. 600 IN CNAME nul\000gap.test.globnix.net.
...
That domain is one that Pennock has had for years, and the entries are
meant to be somewhat eye-opening. For example, note that '.' is legal in
the components of a host name (represented textually as foo\.bar...), and
that brackets ([, ]), colons, NULs (\000), newlines, backslashes, and so on
are all legal too. Any of those could pose a problem for a program that
didn't expect to receive them. One of the ways that might happen is with a
reverse lookup, where an IP address to host name mapping is sought.
For actual domain names, it may be difficult or impossible to
register any with "weird" characters, but they are definitely legal as far
as DNS is concerned.
The registrars will shy away from those kinds of domains because they
aren't legal in email addresses or URLs. But, as Pennock's examples show,
domains with their own DNS can create all sorts of problematic host names.
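An added C example, not Pennock's code or that of any DNS library, showing what a program must do before it prints or logs a name it received: convert the wire-format labels to RFC 1035 presentation form with '.' and '\' escaped and every non-printable octet written as \DDD, while enforcing the 63-octet label and 255-octet name limits cited above. It assumes an uncompressed name (a compression pointer is rejected); the three sample names are constructed to mirror the host output shown earlier.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Append one character to out; returns 0 when the buffer (minus room for
 * the terminating NUL) is full. */
static int put_char(char *out, size_t cap, size_t *used, char c)
{
    if (*used + 1 >= cap)
        return 0;
    out[(*used)++] = c;
    return 1;
}

/*
 * Convert an uncompressed wire-format domain name (length-prefixed labels
 * ending in a zero octet) into RFC 1035 presentation form. Inside a label,
 * '.' and '\' are escaped with a backslash and any octet outside printable
 * ASCII is written as \DDD (three decimal digits), which is how the host
 * output above shows "cr\013\010lf" and "nul\000gap". A label over 63
 * octets, a name over 255 octets, a compression pointer, a truncated name
 * or an output buffer that is too small yields -1. The root name (a single
 * zero octet) becomes ".". Returns the number of characters written.
 */
int name_to_presentation(const uint8_t *wire, size_t wirelen, char *out, size_t cap)
{
    size_t pos = 0, used = 0, total = 0;

    if (cap == 0)
        return -1;
    for (;;) {
        if (pos >= wirelen)
            return -1;                     /* ran off the end before the root label */
        size_t len = wire[pos++];
        if (len == 0)
            break;
        if (len > 63)
            return -1;                     /* too long, or a 0xC0.. compression pointer */
        if (len > wirelen - pos)
            return -1;                     /* label claims more octets than remain */
        total += len + 1;
        if (total > 254)
            return -1;                     /* 255-octet limit, counting the final zero */
        for (size_t i = 0; i < len; i++) {
            uint8_t c = wire[pos + i];
            if (c == '.' || c == '\\') {
                if (!put_char(out, cap, &used, '\\') || !put_char(out, cap, &used, (char)c))
                    return -1;
            } else if (c < 0x21 || c > 0x7e) {
                char esc[5];
                snprintf(esc, sizeof esc, "\\%03u", (unsigned)c);
                for (int k = 0; k < 4; k++)
                    if (!put_char(out, cap, &used, esc[k]))
                        return -1;
            } else if (!put_char(out, cap, &used, (char)c)) {
                return -1;
            }
        }
        pos += len;
        if (!put_char(out, cap, &used, '.'))
            return -1;
    }
    if (used == 0 && !put_char(out, cap, &used, '.'))
        return -1;                         /* root name */
    out[used] = '\0';
    return (int)used;
}

/* Constructed wire-format names mirroring the entries shown above. */
static const uint8_t name_dot_in_label[] = { 7, 'f','o','o','.','b','a','r', 4, 't','e','s','t', 0 };
static const uint8_t name_crlf[]         = { 6, 'c','r', 13, 10, 'l','f', 0 };
static const uint8_t name_nul[]          = { 7, 'n','u','l', 0, 'g','a','p', 0 };

int main(void)
{
    char buf[256];
    const uint8_t *names[] = { name_dot_in_label, name_crlf, name_nul };
    size_t lens[] = { sizeof name_dot_in_label, sizeof name_crlf, sizeof name_nul };
    for (size_t i = 0; i < 3; i++)
        if (name_to_presentation(names[i], lens[i], buf, sizeof buf) >= 0)
            printf("%s\n", buf);
    return 0;
}
```

Because the escaped form can be up to four times the wire length, the function checks the output buffer before every character rather than trusting a fixed ratio, and it refuses to pass a NUL, CR or LF through unescaped: a reverse lookup that hands the raw octets to a C string routine or a log line would otherwise truncate the name or inject a line break.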
These dark corners are hopefully well-known to DNS server and library
developers, but they aren't necessarily obvious to those outside of those
specialties. One
can well imagine that there are bugs lurking in applications and tools that
use DNS at a medium or low level. Some of those could easily result in security
vulnerabilities.
[I would like to thank Phil Pennock for sharing his research and answering
questions about DNS handling.]
Comments (26 posted)
Brief items
Put another way, having the career of the beloved CIA Director and the
commanding general in Afghanistan instantly destroyed due to highly
invasive and unwarranted electronic surveillance is almost enough to make
one believe not only that there is a god, but that he is an ardent civil
libertarian.
--
Glenn Greenwald
In part it is because encryption with customer controlled keys is
inconsistent with portions of their business model. This architecture
limits a cloud provider's ability to data mine or otherwise exploit the
users' data. If a provider does not have access to the keys, they lose
access to the data for their own use. While a cloud provider may agree to
keep the data confidential (i.e., they won't show it to anyone else) that
promise does not prevent their own use of the data to improve search
results or deliver ads. Of course, this kind of access to the data has huge
value to some cloud providers and they believe that data access in exchange
for providing below-cost cloud services is a fair trade.
--
Richard Falkenrath and Paul Rosenzweig at Nextgov
The concept is simple enough. We need to make abuse of the patent and copyright enforcement system so painful that even the most dedicated corporate executive masochist will think twice before pulling the trigger on their attacks.
Threats and the filing of takedowns, lawsuits, and other actions in the absence of strong and verifiable evidence of significant wrongdoing, not just haphazard shotgun barrages based on mere suspicion and wishful thinking, must trigger significant financial penalties and perhaps other serious sanctions as well.
How about a fine of a million dollars per false attack? Or 1% of gross earnings? And perhaps a five year prohibition against more filings?
If these sound draconian, or unrealistic, that's OK -- consider these to be the outer bounds starting points for discussion.
--
Lauren Weinstein
Comments (3 posted)
New vulnerabilities
catdoc: denial of service
Package(s): catdoc
CVE #(s): none
Created: November 13, 2012
Updated: November 21, 2012
Description: From the Red Hat bugzilla:
A Debian bug report noted that there is a buffer overflow in catdoc's src/xlsparse.c, which contains:
    for (i=0;i<NUMOFDATEFORMATS; i++);
    FormatIdxUsed[i]=0;
Because of the ";" at the end of the first line, it effectively sets i to NUMOFDATEFORMATS, which will cause it to write past defined buffer. This could lead to a denial of service (crash of catdoc). The Debian bug report indicates that this could possibly be used for worse things than a crash, but I'm not sure (I can see it writing past the end of the buffer, but all it is writing is 0's and not anything user-defined).
Comments (11 posted)
cgit: code execution
Package(s): cgit
CVE #(s): CVE-2012-4548
Created: November 12, 2012
Updated: November 28, 2012
Description: From the openSUSE advisory:
Specially-crafted commits can cause code to be executed on the clients due to improperly quoted arguments.
Comments (none posted)
gegl: code execution
Package(s): gegl
CVE #(s): CVE-2012-4433
Created: November 13, 2012
Updated: January 23, 2013
Description: From the Red Hat advisory:
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the gegl utility processed .ppm (Portable Pixel Map) image files. An attacker could create a specially-crafted .ppm file that, when opened in gegl, would cause gegl to crash or, potentially, execute arbitrary code.
Comments (none posted)
glance: access restriction bypass
Package(s): openstack-glance
CVE #(s): CVE-2012-4573
Created: November 8, 2012
Updated: December 11, 2012
Description: From the SUSE advisory:
OpenStack glance had a bug where image deletion was allowed for all logged in users (CVE-2012-4573).
Comments (none posted)
icedtea-web: code execution
Package(s): icedtea-web
CVE #(s): CVE-2012-4540
Created: November 8, 2012
Updated: January 23, 2013
Description: From the Red Hat advisory:
A buffer overflow flaw was found in the IcedTea-Web plug-in. Visiting a malicious web page could cause a web browser using the IcedTea-Web plug-in to crash or, possibly, execute arbitrary code. (CVE-2012-4540)
Comments (none posted)
libav: multiple unspecified vulnerabilities
Package(s): libav
CVE #(s): CVE-2012-2772, CVE-2012-2775, CVE-2012-2776, CVE-2012-2777, CVE-2012-2779,
CVE-2012-2784, CVE-2012-2786, CVE-2012-2787, CVE-2012-2788, CVE-2012-2789,
CVE-2012-2790, CVE-2012-2793, CVE-2012-2794, CVE-2012-2796, CVE-2012-2798,
CVE-2012-2800, CVE-2012-2801, CVE-2012-2802
Created: November 12, 2012
Updated: February 18, 2013
Description: From the CVE entries:
Unspecified vulnerability in the ff_rv34_decode_frame function in libavcodec/rv34.c in FFmpeg before 0.11 has unknown impact and attack vectors, related to "width/height changing with frame threading." (CVE-2012-2772)
Unspecified vulnerability in the read_var_block_data function in libavcodec/alsdec.c in FFmpeg before 0.11 has unknown impact and attack vectors, related to a large order and an "out of array write in quant_cof." (CVE-2012-2775)
Unspecified vulnerability in the decode_cell_data function in libavcodec/indeo3.c in FFmpeg before 0.11 has unknown impact and attack vectors, related to an "out of picture write." (CVE-2012-2776)
Unspecified vulnerability in the decode_pic function in libavcodec/cavsdec.c in FFmpeg before 0.11 has unknown impact and attack vectors, related to "width/height changing in CAVS," a different vulnerability than CVE-2012-2784. (CVE-2012-2777)
Unspecified vulnerability in the decode_frame function in libavcodec/indeo5.c in FFmpeg before 0.11 has unknown impact and attack vectors, related to an invalid "gop header" and decoding in a "half initialized context." (CVE-2012-2779)
Unspecified vulnerability in the decode_pic function in libavcodec/cavsdec.c in FFmpeg before 0.11 has unknown impact and attack vectors, related to "width/height changing in CAVS," a different vulnerability than CVE-2012-2777. (CVE-2012-2784)
Unspecified vulnerability in the decode_wdlt function in libavcodec/dfa.c in FFmpeg before 0.11 has unknown impact and attack vectors, related to an "out of array write." (CVE-2012-2786)
Unspecified vulnerability in the decode_frame function in libavcodec/indeo4.c in FFmpeg before 0.11 has unknown impact and attack vectors, related to the "setup width/height." (CVE-2012-2787)
Unspecified vulnerability in the avi_read_packet function in libavformat/avidec.c in FFmpeg before 0.11 has unknown impact and attack vectors, related to an "out of array read" when a "packet is shrunk." (CVE-2012-2788)
Unspecified vulnerability in the avi_read_packet function in libavformat/avidec.c in FFmpeg before 0.11 has unknown impact and attack vectors, related to a large number of vector coded coefficients (num_vec_coeffs). (CVE-2012-2789)
Unspecified vulnerability in the read_var_block_data function in libavcodec/alsdec.c in FFmpeg before 0.11 has unknown impact and attack vectors, related to the "number of decoded samples in first sub-block in BGMC mode." (CVE-2012-2790)
Unspecified vulnerability in the lag_decode_zero_run_line function in libavcodec/lagarith.c in FFmpeg before 0.11 has unknown impact and attack vectors related to "too many zeros." (CVE-2012-2793)
Unspecified vulnerability in the decode_mb_info function in libavcodec/indeo5.c in FFmpeg before 0.11 has unknown impact and attack vectors in which the "allocated tile size ... mismatches parameters." (CVE-2012-2794)
Unspecified vulnerability in the vc1_decode_frame function in libavcodec/vc1dec.c in FFmpeg before 0.11 has unknown impact and attack vectors, related to inconsistencies in "coded slice positions and interlacing" that trigger "out of array writes." (CVE-2012-2796)
Unspecified vulnerability in the decode_dds1 function in libavcodec/dfa.c in FFmpeg before 0.11 has unknown impact and attack vectors, related to an "out of array write." (CVE-2012-2798)
Unspecified vulnerability in the ff_ivi_process_empty_tile function in libavcodec/ivi_common.c in FFmpeg before 0.11 has unknown impact and attack vectors in which the "tile size ... mismatches parameters" and triggers "writing into a too small array." (CVE-2012-2800)
Unspecified vulnerability in libavcodec/avs.c in FFmpeg before 0.11 has unknown impact and attack vectors, related to dimensions and "out of array writes." (CVE-2012-2801)
Unspecified vulnerability in the ac3_decode_frame function in libavcodec/ac3dec.c in FFmpeg before 0.11 has unknown impact and attack vectors, related to the "number of output channels" and "out of array writes." (CVE-2012-2802)
Comments (none posted)
mantisbt: multiple vulnerabilities
Package(s): mantisbt
CVE #(s): CVE-2011-3578, CVE-2011-3755, CVE-2012-1121, CVE-2012-2691
Created: November 9, 2012
Updated: November 14, 2012
Description:
Cross-site scripting (XSS) vulnerability in bug_actiongroup_ext_page.php in MantisBT before 1.2.8 allows remote attackers to inject arbitrary web script or HTML via the action parameter, related to bug_actiongroup_page.php, a different vulnerability than CVE-2011-3357. (CVE-2011-3578)
MantisBT 1.2.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by view_all_inc.php and certain other files. (CVE-2011-3755)
MantisBT before 1.2.9 does not properly check permissions, which allows remote authenticated users with manager privileges to (1) modify or (2) delete global categories. (CVE-2012-1121)
The mc_issue_note_update function in the SOAP API in MantisBT before 1.2.11 does not properly check privileges, which allows remote attackers with bug reporting privileges to edit arbitrary bugnotes via a SOAP request. (CVE-2012-2691)
Comments (none posted)
nspluginwrapper: insecure Private Browsing
Package(s): nspluginwrapper
CVE #(s): CVE-2011-2486
Created: November 13, 2012
Updated: November 22, 2012
Description: From the Red Hat advisory:
It was not possible for plug-ins wrapped by nspluginwrapper to discover whether the browser was running in Private Browsing mode. This flaw could lead to plug-ins wrapped by nspluginwrapper using normal mode while they were expected to run in Private Browsing mode.
Comments (none posted)
openvswitch: unintended file access
Package(s): openvswitch
CVE #(s): CVE-2012-3449
Created: November 13, 2012
Updated: November 14, 2012
Description: From the CVE entry:
Open vSwitch 1.4.2 uses world writable permissions for (1) /var/lib/openvswitch/pki/controllerca/incoming/ and (2) /var/lib/openvswitch/pki/switchca/incoming/, which allows local users to delete and overwrite arbitrary files.
Comments (none posted)
plib: buffer overflow
Package(s): plib
CVE #(s): CVE-2012-4552
Created: November 12, 2012
Updated: November 22, 2012
Description: From the Red Hat bugzilla:
Plib is prone to a stack based buffer overflow in the error function in ssg/ssgParser.cxx when it loads 3d model files as X (Direct x), ASC, ASE, ATG, and OFF, if a very long error message is passed to the function.
Comments (none posted)
radsecproxy: SSL certificate verification weakness
Package(s): radsecproxy
CVE #(s): CVE-2012-4523, CVE-2012-4566
Created: November 12, 2012
Updated: November 14, 2012
Description: From the Debian advisory:
Ralf Paffrath reported that Radsecproxy, a RADIUS protocol proxy, mixed up pre- and post-handshake verification of clients. This vulnerability may wrongly accept clients without checking their certificate chain under certain configurations.
Raphael Geissert spotted that the fix for CVE-2012-4523 was incomplete, giving origin to CVE-2012-4566.
Comments (none posted)
xen: denial of service
Package(s): xen
CVE #(s): CVE-2012-4544
Created: November 12, 2012
Updated: February 8, 2013
Description: From the CVE entry:
The PV domain builder in Xen 4.2 and earlier does not validate the size of the kernel or ramdisk (1) before or (2) after decompression, which allows local guest administrators to cause a denial of service (domain 0 memory consumption) via a crafted (a) kernel or (b) ramdisk.
Comments (none posted)
Page editor: Jake Edge