This queue is for tickets about the Net-DNS CPAN distribution.

Report information
The Basics
Id: 30316
Status: resolved
Priority: 0/
Queue: Net-DNS

People
Owner: Nobody in particular
Requestors: noamr [...] beyondsecurity.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in:
  • 0.63



CC: Yoav Naveh <yoavn [...] beyondsecurity.com>, Aviram Jenik <aviram [...] beyondsecurity.com>
Subject: Security issue with Net::DNS::Resolver
Date: Sun, 28 Oct 2007 17:17:16 +0200
To: bug-Net-DNS [...] rt.cpan.org
From: Noam Rathaus <noamr [...] beyondsecurity.com>

Hi,

We have been able to trigger a "croak" assertion in the code of Net::DNS by responding to the package with a malformed DNS response.

The croak itself doesn't allow you to overflow or execute arbitrary code, but as it cannot be captured using normal Perl code - as with an eval() function for example - a user of the Net::DNS package can be caused to "crash", his program to forcefully terminate if it encounters this DNS response.

The problem stems from the fact that:

    if ($self->{"rdlength"} > 0) {
        $self->{"address"} = inet_ntoa(substr($$data, $offset, 4));
    }

found in Net/DNS/RR/A.pm

Doesn't properly verify that $$data has 4 bytes to read before attempting to substr - which in turn causes the data sent to inet_ntoa to not have enough bytes which causes this code:

    ip_address = SvPVbyte(ip_address_sv, addrlen);
    if (addrlen == sizeof(addr) || addrlen == 4)
        addr.s_addr =
            (ip_address[0] & 0xFF) << 24 |
            (ip_address[1] & 0xFF) << 16 |
            (ip_address[2] & 0xFF) <<  8 |
            (ip_address[3] & 0xFF);
    else
        croak("Bad arg length for %s, length is %d, should be %d",
              "Socket::inet_ntoa",
              addrlen, sizeof(addr));

To issue a "croak" - causing the perl to abort.

Let me know if you need additional information to fix this issue, additional technical details or even an exploit code.

--
  Noam Rathaus
  CTO
  noamr@beyondsecurity.com
  http://www.beyondsecurity.com

> Let me know if you need additional information to fix this issue,
> additional technical details or even an exploit code.

It is fairly clear what happens and there will be a solution, however not in the forthcoming 0.62 release.

--Olaf

Fix rt.cpan.org #30316

Security issue with Net::DNS Resolver.

Net/DNS/RR/A.pm in Net::DNS 0.60 build 654 allows remote attackers to cause a denial of service (program "croak") via a crafted DNS response (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6341).

Packet parsing routines are now enclosed in eval blocks to trap exception and avoid premature termination of user program.
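
An added example, not part of the ticket and not Net::DNS code: a length check placed before the substr/inet_ntoa call quoted in the report, with the parser invoked inside eval as the fix entry describes. The helper name parse_a_rdata and the sample byte strings are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(inet_ntoa);

# Hypothetical helper (not Net::DNS code): decode the RDATA of an A record
# that starts at $offset inside the raw packet referenced by $data.
sub parse_a_rdata {
    my ($data, $offset, $rdlength) = @_;

    # An A record carries exactly one IPv4 address, i.e. 4 octets.
    die "A record: rdlength is $rdlength, expected 4\n"
        unless $rdlength == 4;

    # The 4 octets must actually be present in the buffer. Without this,
    # substr() returns a short string and inet_ntoa() croaks on it.
    die "A record: RDATA runs past end of packet\n"
        if $offset < 0 || $offset + 4 > length($$data);

    return inet_ntoa(substr($$data, $offset, 4));
}

# Constructed sample inputs: one well-formed RDATA and two malformed ones.
my @cases = (
    [ 'well-formed',       "\xC0\x00\x02\x01", 0, 4 ],
    [ 'truncated buffer',  "\xC0\x00",         0, 4 ],
    [ 'rdlength mismatch', "\xC0\x00\x02\x01", 0, 2 ],
);

for my $case (@cases) {
    my ($label, $bytes, $offset, $rdlength) = @$case;

    # Trap the exception at the parsing boundary so that one bad response
    # cannot terminate the calling program.
    my $address = eval { parse_a_rdata(\$bytes, $offset, $rdlength) };
    if (defined $address) {
        print "$label: $address\n";
    }
    else {
        chomp(my $err = $@);
        print "$label: rejected ($err)\n";
    }
}
```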