Apr 21, 2023
CVE-2023-31470
Huascar Tejeda of Pentraze Cybersecurity
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
A stack buffer overflow vulnerability exists in the _dns_encode_domain function in the dns.c file, which can be triggered by crafting a DNS request that causes the program to write outside the bounds of the packet_buff variable.
I added the following code to the beginning of the function, which prevents the overflow:
if (_dns_left_len(context) <= 0) {
return -1;
}
=================================================================
==2457317==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffdd8e at pc 0x000000305a31 bp 0x7fffffffaf00 sp 0x7fffffffaef8
WRITE of size 1 at 0x7fffffffdd8e thread T0
#0 0x305a30 in _dns_encode_domain /opt/smartdns/src/dns.c:298:11
#1 0x30bdea in _dns_add_qr_head /opt/smartdns/src/dns.c:461:12
#2 0x30bdea in _dns_add_rr_head /opt/smartdns/src/dns.c:509:8
#3 0x30bdea in dns_add_rr_nested_start /opt/smartdns/src/dns.c:568:8
#4 0x30bdea in dns_add_HTTPS_start /opt/smartdns/src/dns.c:1074:20
#5 0x30bdea in _dns_decode_HTTPS /opt/smartdns/src/dns.c:2007:2
#6 0x30bdea in _dns_decode_an /opt/smartdns/src/dns.c:2192:9
#7 0x30954d in _dns_decode_body /opt/smartdns/src/dns.c:2329:9
#8 0x30954d in dns_decode /opt/smartdns/src/dns.c:2469:8
#9 0x31750d in main /opt/smartdns/src/smartdns.c:49:13
#10 0x7ffff7c29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#11 0x7ffff7c29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#12 0x2558d4 in _start (/opt/smartdns/src/smartdns+0x2558d4)
Address 0x7fffffffdd8e is located in stack of thread T0 at offset 6190 in frame
#0 0x316cdf in main /opt/smartdns/src/smartdns.c
This frame has 5 object(s):
[32, 6176) 'packet_buff' (line 45) <== Memory access at offset 6190 overflows this variable
[6432, 6436) 'rr_count' (line 53)
[6448, 6452) 'qtype' (line 54)
[6464, 6468) 'qclass' (line 55)
[6480, 6736) 'domain' (line 56)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /opt/smartdns/src/dns.c:298:11 in _dns_encode_domain
Shadow bytes around the buggy address:
0x10007fff7b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007fff7ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff7bb0: f2[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
0x10007fff7bc0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
0x10007fff7bd0: f8 f2 f8 f2 f8 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
0x10007fff7be0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
0x10007fff7bf0: f8 f8 f8 f8 f8 f8 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
0x10007fff7c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2457317==ABORTING
#0 __pthread_kill_implementation (no_tid=0x0, signo=0x6, threadid=0x7ffff7ee1000) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=0x6, threadid=0x7ffff7ee1000) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=0x7ffff7ee1000, signo=signo@entry=0x6) at ./nptl/pthread_kill.c:89
#3 0x00007ffff7642476 in __GI_raise (sig=sig@entry=0x6) at ../sysdeps/posix/raise.c:26
#4 0x00007ffff76287f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x00007ffff76896f6 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff77db943 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
#6 0x00007ffff773676a in __GI___fortify_fail (msg=msg@entry=0x7ffff77db92b "stack smashing detected") at ./debug/fortify_fail.c:26
#7 0x00007ffff7736736 in __stack_chk_fail () at ./debug/stack_chk_fail.c:24
#8 0x0000555555576b19 in _dns_server_recv (conn=conn@entry=0x55555575a3e0, inpacket=inpacket@entry=0x7fffffff3500 "0000", inpacket_len=<optimized out>, local=local@entry=0x7fffffff2870, local_len=0x10, from=from@entry=0x7fffffff27f0, from_len=0x1c) at dns_server.c:5308
#9 0x0000555555577dfe in _dns_server_process_udp_one (event=<optimized out>, now=<optimized out>, udpconn=<optimized out>) at dns_server.c:5441
#10 _dns_server_process_udp (event=<optimized out>, now=<optimized out>, udpconn=<optimized out>) at dns_server.c:5448
#11 _dns_server_process (now=0x1504f191, event=0x7fffffff28f0, conn=<optimized out>) at dns_server.c:6056
#12 dns_server_run () at dns_server.c:6429
#13 0x000055555555d837 in _smartdns_run () at smartdns.c:536
#14 main (argc=<optimized out>, argv=<optimized out>) at smartdns.c:776
Proactive assessment using tactics, techniques, and procedures of actual attackers to identify security flaws, incorrect configurations, and vulnerabilities.
Comprehensive application protection, ensuring robust security throughout the entire software development lifecycle.
Simulate and emulate advanced cyber attacks to pinpoint vulnerabilities and test your organization's defense mechanisms, ensuring robust resilience against real-world threats.
Proactive process to identify, prioritize, and address security vulnerabilities in systems and software, enhancing an organization's defense against evolving cyber threats.