CC: Yoav Naveh <yoavn [...] beyondsecurity.com>, Aviram Jenik <aviram [...] beyondsecurity.com>
Subject: Security issue with Net::DNS::Resolver
Date: Sun, 28 Oct 2007 17:17:16 +0200
To: bug-Net-DNS [...] rt.cpan.org
From: Noam Rathaus <noamr [...] beyondsecurity.com>
Hi,
We have been able to trigger a "croak" assertion in the code of Net::DNS by
responding to the package with a malformed DNS response.
The croak itself doesn't allow you to overflow or execute arbitrary code, but
as it cannot be captured using normal Perl code - as with an eval() function
for example - a user of the Net::DNS package can be made to "crash": his
program will forcefully terminate if it encounters this DNS response.
The problem stems from the fact that:
    if ($self->{"rdlength"} > 0) {
        $self->{"address"} = inet_ntoa(substr($$data, $offset, 4));
    }
found in Net/DNS/RR/A.pm
doesn't properly verify that $$data has 4 bytes to read before attempting to
substr, which in turn causes the data sent to inet_ntoa to not have enough
bytes, which causes this code:
    ip_address = SvPVbyte(ip_address_sv, addrlen);
    if (addrlen == sizeof(addr) || addrlen == 4)
        addr.s_addr =
            (ip_address[0] & 0xFF) << 24 |
            (ip_address[1] & 0xFF) << 16 |
            (ip_address[2] & 0xFF) << 8 |
            (ip_address[3] & 0xFF);
    else
        croak("Bad arg length for %s, length is %d, should be %d",
              "Socket::inet_ntoa",
              addrlen, sizeof(addr));
to issue a "croak", causing perl to abort.
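As an added example (not Net::DNS code and not the reporter's exploit), here is a bounds-checked version of the same A-record decode: it confirms the rdata is exactly 4 bytes and that those bytes are actually present in the packet buffer before anything reaches inet_ntoa, so a truncated response is rejected with a return value instead of a croak. The function name and the two sample buffers are constructed for the example.

```perl
#!/usr/bin/perl
# Added example: a defensive A-record rdata decoder (hypothetical helper, not
# part of Net::DNS). It mirrors the Net::DNS::RR::A logic quoted above but
# validates length and bounds before calling Socket::inet_ntoa.
use strict;
use warnings;
use Socket qw(inet_ntoa);

# Decode one A record's rdata from the packet buffer referenced by $data.
# Returns (address, undef) on success or (undef, reason) on rejection.
sub decode_a_rdata {
    my ($data, $offset, $rdlength) = @_;

    # An A record carries exactly one IPv4 address, i.e. 4 bytes of rdata
    # (RFC 1035 section 3.4.1); anything else is malformed.
    return (undef, "rdlength $rdlength is not 4")
        unless $rdlength == 4;

    # The 4 bytes must lie inside the buffer. substr silently returns a
    # shorter string when the packet is truncated, and inet_ntoa would then
    # croak on the wrong argument length, which is the failure reported above.
    my $avail = length($$data) - $offset;
    return (undef, "only $avail of 4 rdata bytes present in packet")
        if $avail < 4;

    return (inet_ntoa(substr($$data, $offset, 4)), undef);
}

# Constructed inputs: a complete rdata field and a packet cut off after 2 bytes.
my $good  = pack("C4", 192, 0, 2, 1);
my $short = pack("C2", 192, 0);

my ($addr, $err) = decode_a_rdata(\$good, 0, 4);
print "complete packet:  ", (defined $addr ? $addr : "rejected: $err"), "\n";

($addr, $err) = decode_a_rdata(\$short, 0, 4);
print "truncated packet: ", (defined $addr ? $addr : "rejected: $err"), "\n";
```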
Let me know if you need additional information to fix this issue, additional
technical details or even an exploit code.
--
Noam Rathaus
CTO
noamr@beyondsecurity.com
http://www.beyondsecurity.com