Apr 21, 2023
CVE-2023-31470
Huascar Tejeda of Pentraze Cybersecurity
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
A stack buffer overflow vulnerability exists in the _dns_encode_domain
function in the dns.c
file, which can be triggered by crafting a DNS request that causes the program to write outside the bounds of the packet_buff
variable.
I added the following code to the beginning of the function, which prevents the overflow:
if (_dns_left_len(context) <= 0) {
return -1;
}
=================================================================
==2457317==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffdd8e at pc 0x000000305a31 bp 0x7fffffffaf00 sp 0x7fffffffaef8
WRITE of size 1 at 0x7fffffffdd8e thread T0
#0 0x305a30 in _dns_encode_domain /opt/smartdns/src/dns.c:298:11
#1 0x30bdea in _dns_add_qr_head /opt/smartdns/src/dns.c:461:12
#2 0x30bdea in _dns_add_rr_head /opt/smartdns/src/dns.c:509:8
#3 0x30bdea in dns_add_rr_nested_start /opt/smartdns/src/dns.c:568:8
#4 0x30bdea in dns_add_HTTPS_start /opt/smartdns/src/dns.c:1074:20
#5 0x30bdea in _dns_decode_HTTPS /opt/smartdns/src/dns.c:2007:2
#6 0x30bdea in _dns_decode_an /opt/smartdns/src/dns.c:2192:9
#7 0x30954d in _dns_decode_body /opt/smartdns/src/dns.c:2329:9
#8 0x30954d in dns_decode /opt/smartdns/src/dns.c:2469:8
#9 0x31750d in main /opt/smartdns/src/smartdns.c:49:13
#10 0x7ffff7c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#11 0x7ffff7c29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#12 0x2558d4 in _start (/opt/smartdns/src/smartdns+0x2558d4)
Address 0x7fffffffdd8e is located in stack of thread T0 at offset 6190 in frame
#0 0x316cdf in main /opt/smartdns/src/smartdns.c
This frame has 5 object(s):
[32, 6176) 'packet_buff' (line 45) <== Memory access at offset 6190 overflows this variable
[6432, 6436) 'rr_count' (line 53)
[6448, 6452) 'qtype' (line 54)
[6464, 6468) 'qclass' (line 55)
[6480, 6736) 'domain' (line 56)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /opt/smartdns/src/dns.c:298:11 in _dns_encode_domain
Shadow bytes around the buggy address:
0x10007fff7b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff7bb0: f2[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
0x10007fff7bc0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
0x10007fff7bd0: f8 f2 f8 f2 f8 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
0x10007fff7be0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
0x10007fff7bf0: f8 f8 f8 f8 f8 f8 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
0x10007fff7c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2457317==ABORTING
#0 __pthread_kill_implementation (no_tid=0x0, signo=0x6, threadid=0x7ffff7ee1000) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=0x6, threadid=0x7ffff7ee1000) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=0x7ffff7ee1000, signo=signo@entry=0x6) at ./nptl/pthread_kill.c:89
#3 0x00007ffff7642476 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/posix/raise.c:26
#4 0x00007ffff76287f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x00007ffff76896f6 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff77db943 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
#6 0x00007ffff773676a in __GI___fortify_fail (msg=msg@entry=0x7ffff77db92b "stack smashing detected") at ./debug/fortify_fail.c:26
#7 0x00007ffff7736736 in __stack_chk_fail () at ./debug/stack_chk_fail.c:24
#8 0x0000555555576b19 in _dns_server_recv (conn=conn@entry=0x55555575a3e0, inpacket=inpacket@entry=0x7fffffff3500 "0000", inpacket_len=<optimized out>, local=local@entry=0x7fffffff2870, local_len=0x10, from=from@entry=0x7fffffff27f0, from_len=0x1c) at dns_server.c:5308
#9 0x0000555555577dfe in _dns_server_process_udp_one (event=<optimized out>, now=<optimized out>, udpconn=<optimized out>) at dns_server.c:5441
#10 _dns_server_process_udp (event=<optimized out>, now=<optimized out>, udpconn=<optimized out>) at dns_server.c:5448
#11 _dns_server_process (now=0x1504f191, event=0x7fffffff28f0, conn=<optimized out>) at dns_server.c:6056
#12 dns_server_run () at dns_server.c:6429
#13 0x000055555555d837 in _smartdns_run () at smartdns.c:536
#14 main (argc=<optimized out>, argv=<optimized out>) at smartdns.c:776
Evaluación proactiva utilizando tácticas, técnicas y procedimientos de atacantes reales para identificar fallas de seguridad, configuraciones incorrectas y vulnerabilidades.
Protección integral de aplicaciones, garantizando la seguridad en todas las fases del desarrollo.
Simulación avanzada de ataques cibernéticos para evaluar y mejorar la capacidad de respuesta de una organización.
Proceso proactivo para identificar, priorizar y abordar las vulnerabilidades de seguridad en sistemas y software, mejorando la defensa de una organización contra las amenazas cibernéticas en evolución.