Slovejoy/dnsmasq-pre2.76
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
master
Could not load branches
Nothing to show
Could not load tags
Nothing to show
{{ refName }}
default
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code
-
Clone
Use Git or checkout with SVN using the web URL.
Work fast with our official CLI. Learn more about the CLI.
- Open with GitHub Desktop
- Download ZIP
Sign In Required
Please sign in to use Codespaces.
Launching GitHub Desktop
If nothing happens, download GitHub Desktop and try again.
Launching GitHub Desktop
If nothing happens, download GitHub Desktop and try again.
Launching Xcode
If nothing happens, download Xcode and try again.
Launching Visual Studio Code
Your codespace will open once ready.
There was a problem preparing your codespace, please try again.
Latest commit
Git stats
Files
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
While attempting to use Google Security Team's CVE-2017-14491 in dnsmasq versions <2.78, I found a new exploit present
in dnsmasq <2.76. In this case, an attacker controlled dns server to could send a response greater than 4096 bytes.
Since this response is truncated at 4096 bytes, part of the packet is left off, a "tail." When examing the source code,
I found that dnsmasq in do_doctor() in rfc1035.c iterates through each answer record. In this function, the pointer to
the packet read is incremented by 4 bytes to bypass the time to live section of the answer. Since a large packet is
truncated at 4096 bytes, this pointer can read further beyond the memory allocated to it on the heap, potentially
causing a bad read leading to a crash and denial of service.
The proof-of-concept (poc) provided are heavily based off of the research done by Google's security team in 2017.
Copyright 2017 Google Inc
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Authors:
Fermin J. Serna <fjserna@google.com>
Felix Wilhelm <fwilhelm@google.com>
Gabriel Campana <gbrl@google.com>
Kevin Hamacher <hamacher@google.com>
Gynvael Coldwind <gynvael@google.com>
Ron Bowes - Xoogler :/
See their blogpost here: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
See their github here: https://github.com/google/security-research-pocs/tree/master/vulnerabilities/dnsmasq
For more information on dnsmasq see: https://github.com/imp/dnsmasq
Dnsmasq is a project from Simon Kelley, and can be seen here: http://thekelleys.org.uk/dnsmasq/doc.html
The git commit affected is this one and before: 15379ea1f252d1f53c5d93ae970b22dedb233642
About
vulnerability assessment for early versions of dnsmasq
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published