Discussion:
[Dnsmasq-discuss] Dnsmasq 2.75 on Ubuntu 16.04 crashes reproducibly
Alexander E. Patrakov
2016-04-18 12:52:43 UTC
Hi.

The company I work for has a server with Ubuntu 16.04 installed on it
(yes, I know, not officially out yet, but the server is not in
production either). Dnsmasq (version 2.75) is there because it is the
simplest option to provide DHCP and DNS to LXC containers.

While playing with this setup, I found a reproducible crasher. I have
set up a domain name, broken-record.chickenkiller.com, that can be used
to expose this crash.

To reproduce the crasher, please create a VM with Ubuntu 16.04, on a
network that has both IPv4 and IPv6, with static addresses.

In /etc/hostname, put this line:

broken-record

In /etc/hosts, put these lines:

127.0.0.1 localhost.localdomain localhost
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

<ipv4-address> broken-record.chickenkiller.com broken-record
<ipv6-address> broken-record.chickenkiller.com broken-record

Ubuntu runs dnsmasq as follows:

/usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -r /var/run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5

There is already a record in DNS that maps
crashme.broken-record.chickenkiller.com. as a CNAME to
broken-record.chickenkiller.com. Also, there is an A record for
broken-record.chickenkiller.com, but there is no AAAA record.

Again, it is important to name the VM as
"broken-record.chickenkiller.com", because the crash happens only if a
CNAME points to a record that exists in /etc/hosts as an IPv6 address.

So - this query reliably crashes dnsmasq:

dig @127.0.0.1 crashme.broken-record.chickenkiller.com. AAAA

The crash is in cache_insert(), which is called from extract_addresses().
--
Alexander E. Patrakov
Simon Kelley
2016-05-03 15:37:59 UTC
I'm pretty sure that this is fixed in the current code.

From the CHANGELOG:

Fix crash when an A or AAAA record is defined locally,
in a hosts file, and an upstream server sends a reply
that the same name is empty. Thanks to Edwin Török for
the patch.


Cheers,

Simon.
Post by Alexander E. Patrakov
Hi.
The company I work for has a server with Ubuntu 16.04 installed on it
(yes, I know, not officially out yet, but the server is not in
production either). Dnsmasq (version 2.75) is there because it is the
simplest option to provide DHCP and DNS to LXC containers.
While playing with this setup, I found a reproducible crasher. I have
set up a domain name, broken-record.chickenkiller.com, that can be used
to expose this crash.
To reproduce the crasher, please create a VM with Ubuntu 16.04, on a
network that has both IPv4 and IPv6, with static addresses.
broken-record
127.0.0.1 localhost.localdomain localhost
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
<ipv4-address> broken-record.chickenkiller.com broken-record
<ipv6-address> broken-record.chickenkiller.com broken-record
/usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -r /var/run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
There is already a record in DNS that maps
crashme.broken-record.chickenkiller.com. as a CNAME to
broken-record.chickenkiller.com. Also, there is an A record for
broken-record.chickenkiller.com, but there is no AAAA record.
Again, it is important to name the VM as
"broken-record.chickenkiller.com", because the crash happens only if a
CNAME points to a record that exists in /etc/hosts as an IPv6 address.
The crash is in cache_insert(), which is called from extract_addresses().
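The CHANGELOG entry Simon quotes describes the condition (a locally defined A or AAAA record plus an empty upstream answer for the same name) but not the mechanism. The following is an added model, written for this thread and not dnsmasq's own code: it assumes, as an illustration, that the failure is a missing null check when an empty answer (carried as a NULL address pointer) meets an immortal hosts-file entry for the same name, and it shows the guarded insert path that keeps the local record and drops the upstream answer instead of dereferencing the pointer. All names (cache_insert, add_hosts_entry, the F_* flags, the scenario functions) and the sample entries are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flags modelled after the bookkeeping a resolver cache keeps (constructed). */
#define F_IPV4     0x01u  /* entry is an A record */
#define F_IPV6     0x02u  /* entry is an AAAA record */
#define F_FORWARD  0x04u  /* name -> address direction */
#define F_IMMORTAL 0x08u  /* came from /etc/hosts: never expires, never replaced */
#define F_NEG      0x10u  /* negative entry: upstream said "no record of this type" */

struct addr { uint8_t bytes[16]; };          /* IPv4 uses the first 4 bytes */

struct crec {
    char name[64];
    unsigned flags;
    struct addr addr;
};

enum insert_result { INSERT_OK, INSERT_DUPLICATE, INSERT_DROPPED, INSERT_FULL };

#define CACHE_SIZE 16
static struct crec cache[CACHE_SIZE];
static int cache_used;

void cache_reset(void) { cache_used = 0; }

/* Return the live entry for name in the given address family, or NULL. */
static struct crec *cache_find(const char *name, unsigned family)
{
    for (int i = 0; i < cache_used; i++)
        if ((cache[i].flags & family) && strcmp(cache[i].name, name) == 0)
            return &cache[i];
    return NULL;
}

/* Insert an answer for name. addr is NULL when the upstream reply was empty
 * (NODATA): the name exists, but has no record of the requested type. */
enum insert_result cache_insert(const char *name, const struct addr *addr, unsigned flags)
{
    struct crec *existing = cache_find(name, flags & (F_IPV4 | F_IPV6));

    if (existing && (existing->flags & F_IMMORTAL)) {
        /* A hosts-file entry is never overwritten. If the upstream answer
         * carries the very same address, the insert is a harmless duplicate.
         * The "addr &&" guard is the point of the example (assumed mechanism):
         * an empty upstream answer arrives with addr == NULL, and comparing
         * addr->bytes without the guard would dereference a null pointer. */
        if ((flags & F_FORWARD) && addr &&
            memcmp(existing->addr.bytes, addr->bytes, sizeof addr->bytes) == 0)
            return INSERT_DUPLICATE;
        return INSERT_DROPPED;   /* keep the local record, ignore upstream */
    }

    if (cache_used == CACHE_SIZE)
        return INSERT_FULL;

    struct crec *c = &cache[cache_used++];
    snprintf(c->name, sizeof c->name, "%s", name);
    c->flags = flags;
    if (addr) {
        c->addr = *addr;
    } else {
        memset(&c->addr, 0, sizeof c->addr);
        c->flags |= F_NEG;       /* remember the empty answer as a negative entry */
    }
    return INSERT_OK;
}

/* Load one /etc/hosts line's worth of state: immortal, forward, one family. */
void add_hosts_entry(const char *name, const struct addr *addr, unsigned family)
{
    cache_insert(name, addr, family | F_FORWARD | F_IMMORTAL);
}

/* Scenario from the thread: ::1 localhost.localdomain is in /etc/hosts, a
 * CNAME resolves to it, and the upstream AAAA answer for it is empty. */
int scenario_empty_aaaa_over_hosts(void)
{
    struct addr loopback6 = {{0}};
    loopback6.bytes[15] = 1;                 /* ::1 */
    cache_reset();
    add_hosts_entry("localhost.localdomain", &loopback6, F_IPV6);
    return cache_insert("localhost.localdomain", NULL, F_IPV6 | F_FORWARD);
}

/* Control: upstream returns the same address the hosts file already has. */
int scenario_same_address_over_hosts(void)
{
    struct addr v4 = {{127, 0, 0, 1}};
    cache_reset();
    add_hosts_entry("localhost", &v4, F_IPV4);
    return cache_insert("localhost", &v4, F_IPV4 | F_FORWARD);
}

/* Control: an empty answer for a name with no local record is cached as negative. */
int scenario_empty_answer_no_local(void)
{
    cache_reset();
    enum insert_result r = cache_insert("example.invalid", NULL, F_IPV6 | F_FORWARD);
    return (r == INSERT_OK && (cache[0].flags & F_NEG)) ? 1 : 0;
}

int main(void)
{
    printf("empty AAAA over hosts entry: %d (expect %d = dropped)\n",
           scenario_empty_aaaa_over_hosts(), INSERT_DROPPED);
    printf("same address over hosts entry: %d (expect %d = duplicate)\n",
           scenario_same_address_over_hosts(), INSERT_DUPLICATE);
    printf("empty answer, no local record, cached negative: %d (expect 1)\n",
           scenario_empty_answer_no_local());
    return 0;
}
```

The defensive point the model makes is that the collision case (local immortal record versus empty upstream answer) must be handled explicitly as "keep local, drop upstream"; any path that assumes an answer always carries an address is a crash waiting for a CNAME to point at a hosts-file name, which is exactly the denial-of-service shape the later posts in this thread argue about.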
Alexander E. Patrakov
2016-05-03 16:45:00 UTC
Post by Simon Kelley
I'm pretty sure that this is fixed in the current code.
It is indeed fixed in git! But distributions (including Ubuntu and
Arch) are still distributing a vulnerable version and are probably
unaware of it. Could you please apply for a CVE ID (if it doesn't
already exist) so that they fix their packages?
Post by Simon Kelley
Fix crash when an A or AAAA record is defined locally,
in a hosts file, and an upstream server sends a reply
that the same name is empty. Thanks to Edwin Török for
the patch.
Post by Alexander E. Patrakov
The crash is in cache_insert(), which is called from extract_addresses().
--
Alexander E. Patrakov
Albert ARIBAUD
2016-05-03 17:28:53 UTC
Hi Alexander,

On Tue, 3 May 2016 21:45:00 +0500
Post by Alexander E. Patrakov
Post by Simon Kelley
I'm pretty sure that this is fixed in the current code.
It is indeed fixed in git! But distributions (including Ubuntu and
Arch) are still distributing a vulnerable version and are probably
unaware of it. Could you please apply for a CVE ID (if it doesn't
already exist) so that they fix their packages?
A CVE ID? For a crash caused by a specific local name record which
clashes with the public one? What's the vulnerability or exposure here?

Besides, one cannot burden the author of some software with the
task of making sure it is up to date in distros -- unless of course he
happens to also be the package manager for some given distro, in
which case he could be held responsible for keeping that distro up to
date.

In the general case, some user (you for instance) should open a bug
report (not a CVE) to get the package updated.

Kind regards,
--
Albert.
Alexander E. Patrakov
2016-05-03 17:56:45 UTC
Post by Albert ARIBAUD
Hi Alexander,
On Tue, 3 May 2016 21:45:00 +0500
Post by Alexander E. Patrakov
Post by Simon Kelley
I'm pretty sure that this is fixed in the current code.
It is indeed fixed in git! But distributions (including Ubuntu and
Arch) are still distributing a vulnerable version and are probably
unaware of it. Could you please apply for a CVE ID (if it doesn't
already exist) so that they fix their packages?
A CVE ID? For a crash caused by a specific local name record which
clashes with the public one? What's the vulnerability or exposure here?
This is actually crashable by querying any CNAME that points to
localhost.localdomain, given that upstream is 8.8.8.8, because
localhost.localdomain nearly universally exists in /etc/hosts as ::1,
and 8.8.8.8 doesn't have an AAAA entry for it. So this is a security issue.
--
Alexander E. Patrakov
Albert ARIBAUD
2016-05-03 19:02:44 UTC
Hi Alexander,

On Tue, 3 May 2016 22:56:45 +0500
Post by Alexander E. Patrakov
Post by Albert ARIBAUD
Hi Alexander,
On Tue, 3 May 2016 21:45:00 +0500
Post by Alexander E. Patrakov
Post by Simon Kelley
I'm pretty sure that this is fixed in the current code.
It is indeed fixed in git! But distributions (including Ubuntu and
Arch) are still distributing a vulnerable version and are probably
unaware of it. Could you please apply for a CVE ID (if it doesn't
already exist) so that they fix their packages?
A CVE ID? For a crash caused by a specific local name record which
clashes with the public one? What's the vulnerability or exposure here?
This is actually crashable by querying any CNAME that points to
localhost.localdomain, given that upstream is 8.8.8.8, because
localhost.localdomain nearly universally exists in /etc/hosts as ::1,
and 8.8.8.8 doesn't have an AAAA entry for it. So this is a security issue.
I am still not seeing what the *security* issue is. How can this problem
be *exploited* in order to cause a DoS or compromise a host for
instance?

Kind regards,
--
Albert.
Alexander E. Patrakov
2016-05-03 20:20:14 UTC
Post by Albert ARIBAUD
Hi Alexander,
On Tue, 3 May 2016 22:56:45 +0500
Post by Alexander E. Patrakov
Post by Albert ARIBAUD
Hi Alexander,
On Tue, 3 May 2016 21:45:00 +0500
Post by Alexander E. Patrakov
Post by Simon Kelley
I'm pretty sure that this is fixed in the current code.
It is indeed fixed in git! But distributions (including Ubuntu and
Arch) are still distributing a vulnerable version and are probably
unaware of it. Could you please apply for a CVE ID (if it doesn't
already exist) so that they fix their packages?
A CVE ID? For a crash caused by a specific local name record which
clashes with the public one? What's the vulnerability or exposure here?
This is actually crashable by querying any CNAME that points to
localhost.localdomain, given that upstream is 8.8.8.8, because
localhost.localdomain nearly universally exists in /etc/hosts as ::1,
and 8.8.8.8 doesn't have an AAAA entry for it. So this is a security issue.
I am still not seeing what the *security* issue is. How can this problem
be *exploited* in order to cause a DoS or compromise a host for
instance?
The only security issue here is a DoS.

There are systems like antispam filters that resolve e.g. domains found
in email messages. Also there are browsers that resolve names in order
to e.g. display iframes for ads. So it is possible for a third party
("hacker"), by sending an email to an email server or showing a bad ad
to the user, to cause his antispam client or browser to try to resolve a
domain of hacker's choice for an AAAA record. If this name happens to be
a CNAME that points to localhost.localdomain., then dnsmasq (which was
supposed to give the DNS answer to the antispam or the browser) gets
crashed.

Or just consider a dnsmasq shared between several users. One of them
tries to resolve an AAAA record for some name (which is actually a CNAME
pointing to localhost.localdomain.), and crashes dnsmasq, thus causing
irritation to other users until the admin restarts dnsmasq.
--
Alexander E. Patrakov