xorl %eax, %eax

Squid DNS Header Packet assert() DoS


Another vulnerability discovered by fabs and presented in his “cat /proc/sys/net/ipv4/fuckups” talk at 26c3 is this one. While he was attempting to perform reliable DNS cache poisoning against the Squid caching server, he discovered an assert(3) remote DoS in the DNS resolving code, which resides in lib/rfc1035.c. Here is the equivalent code from the 3.0-STABLE21 release of the popular server…

/*
 * rfc1035NameUnpack()
 * 
 * Unpacks a Name in a message buffer into a char*.
 * Note 'buf' points to the beginning of the whole message,
 * 'off' points to the spot where the Name begins, and 'sz'
 * is the size of the whole message.  'name' must be allocated
 * by the caller.
 *
 * Supports the RFC1035 message compression through recursion.
 *
 * Updates the new buffer offset.
 *
 * Returns 0 (success) or 1 (error)
 */
static int
rfc1035NameUnpack(const char *buf, size_t sz, unsigned int *off, unsigned short *rdlength, char *name, size_t ns, int rdepth)
{
    unsigned int no = 0;
    unsigned char c;
    size_t len;
    assert(ns > 0);
    do {
        assert((*off) < sz);
        c = *(buf + (*off));
        if (c > 191) {
            /* blasted compression */
        ...
    return 0;
}

Since fabs was sending header-only DNS packets just to determine how many DNS requests could be stored in the queue, the ‘off’ that points to the beginning of the name had already reached the size of the whole message, represented by the ‘sz’ unsigned integer (there was no name). Because of this, the above assertion was triggered, and this of course leads to a remote DoS, since a failed assert() terminates Squid.
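To show the defensive shape of a name unpacker that does not abort the process on a malformed message, here is an added example written for this post; it is not Squid’s code and not the project’s fix. The function name_unpack() keeps the same contract as rfc1035NameUnpack() (whole message, its size, an in/out offset, a caller-supplied name buffer, a recursion depth for compression pointers) but every assert() is replaced by a bounds check that returns 1, so a header-only packet like the one fabs sent is simply rejected. The DNS packets below are constructed sample input; the helper names (name_unpack, parse_first_qname, the demo_* wrappers) are assumptions for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12   /* RFC 1035 header: ID, flags, QD/AN/NS/AR counts */
#define MAX_RDEPTH  16   /* cap on compression-pointer chasing (assumed value) */

/*
 * Hypothetical bounds-checked name unpacker (not Squid's code).
 * 'buf' is the whole message, 'sz' its size, '*off' the offset where the
 * name starts, 'name' a caller-supplied buffer of 'ns' bytes.
 * Returns 0 on success, 1 on error. Every read is guarded by an 'if' that
 * returns an error instead of an assert(), so truncated or header-only
 * messages are rejected rather than terminating the process.
 */
static int
name_unpack(const unsigned char *buf, size_t sz, unsigned int *off,
            char *name, size_t ns, int rdepth)
{
    size_t no = 0;            /* bytes written into 'name' so far */
    unsigned char c;
    size_t len, need;

    if (ns == 0 || rdepth > MAX_RDEPTH)
        return 1;
    do {
        if (*off >= sz)        /* a header-only packet lands here */
            return 1;
        c = buf[*off];
        if (c > 191) {
            /* compression pointer: two bytes, top two bits set (0xC0) */
            unsigned int ptr;
            if (*off + 2 > sz)
                return 1;      /* pointer truncated */
            ptr = ((buf[*off] & 0x3f) << 8) | buf[*off + 1];
            *off += 2;
            if (ptr >= sz)
                return 1;      /* pointer outside the message */
            if (no > 0) {
                if (no + 1 >= ns)
                    return 1;
                name[no++] = '.';
            }
            /* the pointed-to name is unpacked with its own offset, so the
             * caller's offset stays just past the 2-byte pointer */
            return name_unpack(buf, sz, &ptr, name + no, ns - no, rdepth + 1);
        } else if (c > 63) {
            return 1;          /* reserved label types (0x40/0x80) */
        } else {
            (*off)++;
            len = c;
            if (len == 0)
                break;         /* root label terminates the name */
            if (*off + len > sz)
                return 1;      /* label runs past the end of the message */
            need = len + 1 + (no > 0 ? 1 : 0);  /* label, NUL, optional '.' */
            if (no + need > ns)
                return 1;      /* would overflow the caller's buffer */
            if (no > 0)
                name[no++] = '.';
            memcpy(name + no, buf + *off, len);
            no += len;
            *off += len;
        }
    } while (c > 0);
    name[no] = '\0';
    return 0;
}

/* Parse the first question name of a DNS message (hypothetical helper).
 * Returns 0 and fills 'qname' on success, 1 if the message is malformed. */
int
parse_first_qname(const unsigned char *msg, size_t sz, char *qname, size_t qns)
{
    unsigned int off = DNS_HDR_LEN;
    if (sz < DNS_HDR_LEN)
        return 1;
    return name_unpack(msg, sz, &off, qname, qns, 0);
}

/* Constructed sample: a 12-byte header-only query, QDCOUNT=1 but no question. */
static const unsigned char header_only[12] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0 };

/* Constructed sample: header, question "www.example.com" (A, IN), then a
 * second name "ftp" + compression pointer 0xC0 0x10 to offset 16 ("example.com"). */
static const unsigned char sample_query[] =
    "\x12\x34\x01\x00\x00\x01\0\0\0\0\0\0"
    "\x03" "www" "\x07" "example" "\x03" "com" "\0"
    "\0\x01" "\0\x01"
    "\x03" "ftp" "\xC0\x10";
#define SAMPLE_LEN (sizeof(sample_query) - 1)
#define SAMPLE_SECOND_NAME_OFF 33

/* Returns 1 if the header-only packet is rejected with an error (no abort). */
int demo_header_only_rejected(void)
{
    char name[256];
    return parse_first_qname(header_only, sizeof header_only, name, sizeof name) == 1;
}

/* Returns 1 if the first question name parses to "www.example.com". */
int demo_first_name_ok(void)
{
    char name[256];
    return parse_first_qname(sample_query, SAMPLE_LEN, name, sizeof name) == 0
        && strcmp(name, "www.example.com") == 0;
}

/* Returns 1 if the compressed second name parses to "ftp.example.com". */
int demo_compressed_name_ok(void)
{
    char name[256];
    unsigned int off = SAMPLE_SECOND_NAME_OFF;
    return name_unpack(sample_query, SAMPLE_LEN, &off, name, sizeof name, 0) == 0
        && strcmp(name, "ftp.example.com") == 0 && off == SAMPLE_LEN;
}

/* Returns 1 if a copy cut inside the "example" label (20 bytes) is rejected. */
int demo_truncated_rejected(void)
{
    char name[256];
    return parse_first_qname(sample_query, 20, name, sizeof name) == 1;
}

int main(void)
{
    printf("header-only rejected: %d\n", demo_header_only_rejected());
    printf("first name ok:        %d\n", demo_first_name_ok());
    printf("compressed name ok:   %d\n", demo_compressed_name_ok());
    printf("truncated rejected:   %d\n", demo_truncated_rejected());
    return 0;
}
```

The point of the example is the first check inside the loop: where the original code asserts that the offset is still inside the message, this version returns an error and lets the caller drop the reply, which is the only outcome a parser of untrusted network input should have for a short packet.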

Written by xorl

January 2, 2010 at 03:40

Posted in bugs
