Arbitrary memory read while parsing malicious mDNS queries

Issue #10 new
CVE Reporting
created an issue

Function uncompress_nlabel that uncompresses mDNS nlabels reads data from arbitrary address based on input from mDNS packet.

Based on DNS specification: "A compression label is a pointer that occupies the NAME field of the Answer section (16 bits). The first 2 bits are set to 1, the 14 remaining bits describe the offset, i.e. the position of the compression target from the beginning of the DNS message."

Offset to next label is calculated in mdns.c:237 (the same code is duplicated at line 255):
uint8_t p2 = pkt_buf + (((p[0] & ~0xC0) << 8) | p[1]);
And immediately used in next line without any check whether p2 is within allocated buffer:
llen =
p2 + 1;
This allows to arbitrary data read up to 16383 bytes from the start of the buffer. This can lead do segmentation fault and crash of the server (depending on the memory protection of the CPU and the operating system) or disclosing the memory content via error messages or server response.

Proposed CVSS 3.0 score:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H (9.3 Critical)

Packet that triggers this issue:
crash_000_uncompress_nlabel_SEGV_16140.raw

Mitigation :
While parsing the input buffer current offset should be checked and return with error when pkt_len is reached.
Please take a look at patch that was produced to fix this issues in TizenRT (that uses tinysvcmdns):
https://github.com/Samsung/TizenRT/pull/810/commits/2d9a3f156f1a5b551403aabef2fa9edfe1ad12bc

Crash details using Address Sanitizer:

ASAN:SIGSEGV
=================================================================
==14253==ERROR: AddressSanitizer: SEGV on unknown address 0x606000012fbf (pc 0x000000402c45 bp 0x60600000eff9 sp 0x7ffdd4c6e1c0 T0)
    #0 0x402c44 in uncompress_nlabel src/tinysvcmdns-latest/mdns.c:238
    #1 0x40bdaf in mdns_parse_rr src/tinysvcmdns-latest/mdns.c:658
    #2 0x40bdaf in mdns_parse_pkt src/tinysvcmdns-latest/mdns.c:806
    #3 0x4012bf in main src/tinysvcmdns-latest/test_mdns.c:106
    #4 0x7f12b3f9c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x401878 in _start (src/tinysvcmdns-latest/test_mdns+0x401878)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/tinysvcmdns-latest/mdns.c:238 uncompress_nlabel
==14253==ABORTING

Comments (0)

  1. Log in to comment