Bug 1321801 - bind: Out-of-bounds read caused by crafted htmd5 key struct
Summary: bind: Out-of-bounds read caused by crafted htmd5 key struct
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1347233 1347234
Blocks: 1321807
Reported: 2016-03-29 08:06 UTC by Adam Mariš
Modified: 2021-02-17 04:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-16 05:07:21 UTC



Description Adam Mariš 2016-03-29 08:06:38 UTC
An out-of-bounds read vulnerability was found that can be triggered by a crafted htmd5 key struct sent via an rndc command, allowing a DoS of the named server without a password.

Affected versions found: bind-9.9.4-29.el7_2.3 and bind-9.10.3-11.P3.fc24

Vulnerable code:

sexpr.c:

isccc_sexpr_frombinary(const isccc_region_t *region)
{
	…
	/*
	 * region->rstart could point to the "hmd5" value, so region_size
	 * can be attacker-controlled; e.g. region_size = 5 (any number
	 * smaller than 22 works).
	 */
	region_size = REGION_SIZE(*region);
	/*
	 * We add an extra byte when we malloc so we can NUL terminate
	 * the binary data. This allows the caller to use it as a C
	 * string. It's up to the caller to ensure this is safe. We don't
	 * add 1 to the length of the binary region, because the NUL is
	 * not part of the binary data.
	 */
	/* Memory for the "hmd5" value is allocated here: 5 + 1 bytes. */
	sexpr->value.as_region.rstart = malloc(region_size + 1);
	…
}

But when named verifies the "hmd5" value, the code reads outside the memory bounds as follows:

isc_safe_memcmp(const void *s1, const void *s2, size_t n) {	/* n = HMD5_LENGTH = 22 */
	isc_uint8_t acc = 0;

	if (n != 0U) {
		/* s1 points to the "hmd5" value, whose allocation is 5 + 1 bytes. */
		const isc_uint8_t *p1 = s1, *p2 = s2;

		do {
			acc |= *p1++ ^ *p2++;	/* reads beyond the 6-byte allocation */
		} while (--n != 0U);
	}
	return (ISC_TF(acc == 0));
}
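The root cause described above is a length that the peer controls (region_size) feeding an allocation, while the comparison later runs over a fixed constant (HMD5_LENGTH). The following is an added example written for this page, not BIND's own code: it keeps a constant-time compare in the style of isc_safe_memcmp() but validates the received length against HMD5_LENGTH before comparing, so a 5-byte region is rejected rather than read past its end. The function names (verify_hmd5, ct_memcmp_eq, the demo_* helpers) and the sample values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Fixed digest length the verifier expects (value taken from the report). */
#define HMD5_LENGTH 22

/*
 * Constant-time equality check over exactly n bytes of both buffers,
 * modelled on isc_safe_memcmp(). It must never be handed a buffer
 * shorter than n; that is the caller's job (see verify_hmd5).
 */
static int ct_memcmp_eq(const void *s1, const void *s2, size_t n) {
	const uint8_t *p1 = s1, *p2 = s2;
	uint8_t acc = 0;
	for (size_t i = 0; i < n; i++)
		acc |= p1[i] ^ p2[i];
	return acc == 0;
}

/*
 * Hardened verification: the attacker-controlled length is checked first.
 * Returns 1 on match, 0 on mismatch, -1 when the received region is not
 * exactly HMD5_LENGTH bytes (rejected without touching memory past it).
 */
int verify_hmd5(const uint8_t *received, size_t received_len,
		const uint8_t expected[HMD5_LENGTH]) {
	if (received == NULL || received_len != HMD5_LENGTH)
		return -1;
	return ct_memcmp_eq(received, expected, HMD5_LENGTH);
}

/* Constructed sample: a 5-byte region, like region_size = 5 in the report. */
int demo_short_region(void) {
	uint8_t expected[HMD5_LENGTH];
	uint8_t short_region[5] = { 'A', 'A', 'A', 'A', 'A' };
	memset(expected, 'A', sizeof expected);
	return verify_hmd5(short_region, sizeof short_region, expected);
}

/* Constructed sample: correct length and identical content. */
int demo_match(void) {
	uint8_t expected[HMD5_LENGTH];
	memset(expected, 'A', sizeof expected);
	return verify_hmd5(expected, HMD5_LENGTH, expected);
}

/* Constructed sample: correct length, content differs in the last byte. */
int demo_mismatch(void) {
	uint8_t expected[HMD5_LENGTH], received[HMD5_LENGTH];
	memset(expected, 'A', sizeof expected);
	memset(received, 'A', sizeof received);
	received[HMD5_LENGTH - 1] = 'B';
	return verify_hmd5(received, HMD5_LENGTH, expected);
}

int main(void) {
	printf("short region: %d\n", demo_short_region());	/* -1 */
	printf("match:        %d\n", demo_match());		/* 1 */
	printf("mismatch:     %d\n", demo_mismatch());		/* 0 */
	return 0;
}
```

The length check is deliberately an exact-equality test rather than "at least 22 bytes": a digest of the wrong length is malformed input and should be rejected outright, which also keeps the compare from ever being asked to read further than the caller allocated.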

Comment 1 Adam Mariš 2016-03-29 08:06:45 UTC
Acknowledgments:

Name: Lian Yihan (Qihoo 360)

Comment 2 Huzaifa S. Sidhpurwala 2016-06-16 05:07:21 UTC
The Red Hat Product Security team does not consider this bug as a security flaw, because of the following reasons:

1. An attacker must be within the network block allowed to connect to the named control channel (as defined by the "controls" statement in named.conf)

2. Because of the way memory is laid out on modern systems, the chances that the above-described OOB read can cause the application to crash are very low, i.e. it's difficult to actively exploit this bug.

Comment 3 Adam Mariš 2016-06-16 10:53:07 UTC
Created bind tracking bugs for this issue:

Affects: fedora-all [bug 1347233]

Comment 4 Adam Mariš 2016-06-16 10:53:13 UTC
Created bind99 tracking bugs for this issue:

Affects: fedora-all [bug 1347234]

Comment 5 Tomáš Hozza 2016-06-17 07:40:52 UTC
Was this issue reported to ISC at all? I don't see any upstream fix nor any announcement mentioning this on upstream mailing lists...

Comment 6 Adam Mariš 2016-06-17 11:23:06 UTC
(In reply to Tomas Hozza from comment #5)
> Was this issue reported to ISC at all? I don't see any upstream fix nor any
> announcement mentioning this on upstream mailing lists...

Yes it was, but they decided not to consider this a vulnerability, and so do we.

Comment 7 Tomáš Hozza 2016-06-17 11:32:21 UTC
(In reply to Adam Mariš from comment #6)
> (In reply to Tomas Hozza from comment #5)
> > Was this issue reported to ISC at all? I don't see any upstream fix nor any
> > announcement mentioning this on upstream mailing lists...
> 
> Yes it was, but they decided to not consider this as vulnerability, and so
> do we.

I will close relevant Fedora bugs as WONTFIX then. Thank you.
