xorl %eax, %eax

CVE-2008-5081: Avahi DNS Assert DoS


This is an old and crappy bug. It was discovered by Hugo Dias and disclosed on 11 December 2008. Avahi is a project shipped with most of the popular open source operating systems. It is used for service discovery and is based on Lennart Poettering’s mDNS implementation. Releases before 0.6.24 are vulnerable to the following bug.

The code presented here is taken from the Avahi Daemon 0.6.23 release. The vulnerable function is located in avahi-core/server.c:

829  static int originates_from_local_legacy_unicast_socket(AvahiServer *s, const AvahiAddress *address, uint16_t port) {
830      assert(s);
831      assert(address);
832      assert(port > 0);
858              return lsa.sin6_port == port;
859      }
861      return 0;
862  }

Here everything looks perfect. Personally, I hate seeing assert() in production code, but anyway. At line 832 it checks that port cannot be 0. So if you send a packet with its source port set to 0, you can trigger that assert() and terminate the Avahi daemon. For your information, Avahi makes wide use of assert(), so similar bugs should be pretty straightforward to locate. Anyway, here is the patch:

+    if (port <= 0) {
+        /* This fixes RHBZ #475394 */
+        avahi_log_warn("Received packet from invalid source port.");
+        return;
+    }
     if (avahi_address_is_ipv4_in_ipv6(src_address))
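
Review bot: `port <= 0` at the top of the hunk can only ever be true for `port == 0` if `port` has the same `uint16_t` type it has in the signature of originates_from_local_legacy_unicast_socket(); write `port == 0` so the condition says what it actually tests. The guard is also added in the caller only, so `assert(port > 0)` in the callee stays reachable from any other caller; replacing that assert with the same check and a `return 0` would close it at the source. Including the sender address (`src_address`) in the warning would make the log entry more useful to an operator.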

For some strange reason this check was not added to originates_from_local_legacy_unicast_socket() to replace that ugly assert(); instead it was added to dispatch_packet(), which calls the previous function. In addition, it also checks for port numbers less than zero, which is impossible since port is declared as an unsigned short… Anyway, triggering this bug is something that even a 10 year old boy can do. Just generate a UDP packet for DNS with source port set to 0.
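
The difference between asserting on the source port and validating it, as an added example that is neither Avahi's code nor the author's: the two check functions and the child-process harness are hypothetical stand-ins, and port 5353 is a constructed sample value. Each check runs in a forked child so the parent can observe whether the "daemon" was killed by SIGABRT.

```c
#undef NDEBUG               /* keep assert() active, as in a build without -DNDEBUG */
#include <assert.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the 0.6.23 pattern: an assert() on a value
 * that comes straight from the network (the packet's source port). */
static int check_with_assert(uint16_t port) {
    assert(port > 0);
    return 1;               /* "continue processing" */
}

/* Hardened form: port 0 is invalid input, not a programming error, so
 * reject it and let the caller log and drop the packet. */
static int check_with_validation(uint16_t port) {
    if (port == 0)
        return -1;
    return 1;
}

/* Run one check in a child process (the "daemon") and report how it
 * ended: 0 for a normal exit, otherwise the terminating signal number. */
static int run_daemon_once(int (*check)(uint16_t), uint16_t port) {
    int status;
    pid_t pid;

    fflush(NULL);           /* do not duplicate buffered output in the child */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        check(port);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void) {
    printf("assert,     port 5353: signal %d\n", run_daemon_once(check_with_assert, 5353));
    printf("assert,     port 0:    signal %d\n", run_daemon_once(check_with_assert, 0));
    printf("validation, port 0:    signal %d\n", run_daemon_once(check_with_validation, 0));
    return 0;
}
```

Building the same file with -DNDEBUG (and without the `#undef`) removes the assert entirely, so port 0 would then pass through unchecked; in neither build does the assert act as input validation.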

Written by xorl

March 11, 2009 at 13:34

Posted in vulnerabilities
