Bug 1321801

Summary: bind: Out-of-bounds read caused by crafted htmd5 key struct
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: security-response-team, thozza
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-06-16 05:07:21 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1347233, 1347234
Bug Blocks: 1321807

Description Adam Mariš 2016-03-29 08:06:38 UTC
An out-of-bounds read vulnerability was found that can be triggered by a crafted htmd5 key struct sent by the rndc command, allowing a DoS of the named server without a password.

Affected versions found: bind-9.9.4-29.el7_2.3 and bind-9.10.3-11.P3.fc24

Vulnerable code:

sexpr.c:

isccc_sexpr_t *
isccc_sexpr_frombinary(const isccc_region_t *region)
{
    …
    region_size = REGION_SIZE(*region); // region->rstart could point to the "hmd5" value,
                                        // so region_size can be controlled by the sender;
                                        // e.g. region_size = 5 (any number smaller than 22 works)
    /*
     * We add an extra byte when we malloc so we can NUL terminate
     * the binary data. This allows the caller to use it as a C
     * string. It's up to the caller to ensure this is safe. We don't
     * add 1 to the length of the binary region, because the NUL is
     * not part of the binary data.
     */
    sexpr->value.as_region.rstart = malloc(region_size + 1); // allocates the buffer for the "hmd5" value: 5+1 bytes
    …
}

But when named verifies the "hmd5" value, the code reads outside the memory bounds, as follows:

isc_boolean_t
isc_safe_memcmp(const void *s1, const void *s2, size_t n) { // n = HMD5_LENGTH = 22
    isc_uint8_t acc = 0;

    if (n != 0U) {
        const isc_uint8_t *p1 = s1, *p2 = s2; // s1 points to the "hmd5" buffer, which is only 5+1 bytes

        do {
            acc |= *p1++ ^ *p2++; // reads outside the 6-byte buffer once p1 passes its end
        } while (--n != 0U);
    }
    return (ISC_TF(acc == 0));
}
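
As an added illustration (not code from BIND or from this report), the hardened shape of the verify path described above: the receiver checks the length of the peer-controlled hmd5 region before running a fixed-length constant-time compare over it. region_t, REGION_SIZE and the function names copy_binary, safe_memcmp_eq and verify_hmd5 are stand-ins assumed here, not BIND's API, and the check shown is one way to close the gap, not necessarily the upstream change.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HMD5_LENGTH 22 /* bytes the fixed-length compare in the verify path covers */

/* Stand-ins (assumption) for isccc_region_t and BIND's REGION_SIZE() macro. */
typedef struct { const uint8_t *rstart; const uint8_t *rend; } region_t;
#define REGION_SIZE(r) ((size_t)((r).rend - (r).rstart))

/* Same allocation shape as isccc_sexpr_frombinary(): region_size + 1 bytes, NUL-terminated,
 * so a 5-byte hmd5 value produces a 6-byte heap buffer. */
static uint8_t *copy_binary(region_t src, size_t *out_len) {
    size_t n = REGION_SIZE(src);
    uint8_t *buf = malloc(n + 1);
    if (buf == NULL) return NULL;
    memcpy(buf, src.rstart, n);
    buf[n] = '\0';
    *out_len = n;
    return buf;
}

/* Constant-time equality in the style of isc_safe_memcmp(): it always touches n bytes of
 * each input, which is exactly why the caller must guarantee both buffers hold n bytes. */
static bool safe_memcmp_eq(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= a[i] ^ b[i];
    return acc == 0;
}

/* Hardened verifier: the peer chooses the length of the received hmd5 value, so the
 * length is checked against HMD5_LENGTH before the fixed-length compare is run. */
bool verify_hmd5(region_t received, const uint8_t expected[HMD5_LENGTH]) {
    size_t len = 0;
    uint8_t *got = copy_binary(received, &len);
    if (got == NULL) return false;
    bool ok = (len == HMD5_LENGTH) && safe_memcmp_eq(got, expected, HMD5_LENGTH);
    free(got);
    return ok;
}

/* Convenience wrapper over C strings; expected22 must point at 22 bytes. */
bool verify_hmd5_str(const char *received, const char *expected22) {
    const uint8_t *p = (const uint8_t *)received;
    region_t r = { p, p + strlen(received) };
    return verify_hmd5(r, (const uint8_t *)expected22);
}
```

With a 5-byte value such as the constructed "hmd5=" the length check fails first, so the compare never touches bytes past the 6-byte buffer.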

Comment 1 Adam Mariš 2016-03-29 08:06:45 UTC
Acknowledgments:

Name: Lian Yihan (Qihoo 360)

Comment 2 Huzaifa S. Sidhpurwala 2016-06-16 05:07:21 UTC
The Red Hat Product Security team does not consider this bug a security flaw, for the following reasons:

1. An attacker must be within the network block allowed to connect to the named control channel (as defined by the "controls" statement in named.conf)

2. Because of the way memory is laid out on modern systems, the chances that the above-described OOB read can cause the application to crash are very low, i.e. it is difficult to actively exploit this bug.

Comment 3 Adam Mariš 2016-06-16 10:53:07 UTC
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1347233]

Comment 4 Adam Mariš 2016-06-16 10:53:13 UTC
Created bind99 tracking bugs for this issue:

Affects: fedora-all [bug 1347234]

Comment 5 Tomáš Hozza 2016-06-17 07:40:52 UTC
Was this issue reported to ISC at all? I don't see any upstream fix nor any announcement mentioning this on upstream mailing lists...

Comment 6 Adam Mariš 2016-06-17 11:23:06 UTC
(In reply to Tomas Hozza from comment #5)
> Was this issue reported to ISC at all? I don't see any upstream fix nor any
> announcement mentioning this on upstream mailing lists...

Yes it was, but they decided not to consider this a vulnerability, and so do we.

Comment 7 Tomáš Hozza 2016-06-17 11:32:21 UTC
(In reply to Adam Mariš from comment #6)
> (In reply to Tomas Hozza from comment #5)
> > Was this issue reported to ISC at all? I don't see any upstream fix nor any
> > announcement mentioning this on upstream mailing lists...
> 
> Yes it was, but they decided to not consider this as vulnerability, and so
> do we.

I will close relevant Fedora bugs as WONTFIX then. Thank you.