DoS in POC #1

My CVE-2015-7547 POC

The cause of this crash is a missing bounds check on the received data: the code assumes that at least four bytes of data are sent in the DNS request. This causes a DoS condition in the POC, potentially stopping users from using the POC in hostile environments.

```
sh-4.2$ sudo python CVE-2015-7547-poc.py &
[1] 32066
sh-4.2$ nc -v localhost 53
Connected with 127.0.0.1:37640
Connection to localhost 53 port [tcp/domain] succeeded!
j
[TCP] Total Data len recv 2
[TCP] Request1 len recv 27146
Traceback (most recent call last):
  File "CVE-2015-7547-poc.py", line 176, in <module>
    tcp_thread()
  File "CVE-2015-7547-poc.py", line 116, in tcp_thread
    id1 = struct.unpack('>H', data1[0:2])[0]
struct.error: unpack requires a string argument of length 2
[1]+  Done(1)                 sudo python CVE-2015-7547-poc.py
```

hdm commented Feb 16, 2016

@secretsquirrel Have you requested a CVE? This looks serious! 😆

@hdm Just doing my part. 👅

In fact, dnsmasq can send the TCP request in multiple segments, resulting in a single read of length 1 and then another read of the rest of the data. One cheesy way to work around this (which still allows the proof of concept to work against glibc) is to time.sleep( 5 ) before calling conn.recv(), to allow the data to coalesce in the socket buffer before you try to read it.
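Both the crash in the PR description (a short `recv()` followed by an unconditional `struct.unpack`) and the segmentation behaviour described in the comment above come down to the same thing: a single `recv()` on a TCP socket is not guaranteed to return a whole DNS message. The following is an added example, not code from the CVE-2015-7547 PoC or from any of the participants; it shows a reader for the RFC 1035 TCP framing (2-byte big-endian length, then the message) that loops until exactly the requested number of bytes has arrived and raises a clean exception on EOF instead of sleeping. `SegmentedSocket`, `build_query`, `frame_message` and `TruncatedMessage` are names chosen here for illustration, and the sample query and the split into segments are constructed inputs.

```python
import struct


class TruncatedMessage(Exception):
    """Peer closed the connection before a complete DNS-over-TCP message arrived."""


def recv_exact(sock, n):
    """Read exactly n bytes from sock, looping over short reads.

    A TCP recv() may return fewer bytes than asked for (for example when the
    client sends the 2-byte length prefix and the query in separate segments),
    so callers must never unpack the result of a single recv() directly.
    Raises TruncatedMessage on EOF so a short buffer is never unpacked.
    """
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise TruncatedMessage(
                "got %d of %d bytes before EOF" % (len(buf), n))
        buf.extend(chunk)
    return bytes(buf)


def read_tcp_dns_message(sock):
    """Read one RFC 1035 section 4.2.2 framed message and return (txid, payload).

    The declared length must cover at least the 12-byte DNS header; otherwise
    unpacking the transaction id would be reading outside the message.
    """
    (length,) = struct.unpack('>H', recv_exact(sock, 2))
    if length < 12:
        raise ValueError(
            "declared length %d is shorter than a DNS header" % length)
    payload = recv_exact(sock, length)
    (txid,) = struct.unpack('>H', payload[:2])
    return txid, payload


def frame_message(payload):
    """Prefix a DNS message with its 2-byte big-endian length (TCP framing)."""
    return struct.pack('>H', len(payload)) + payload


def build_query(txid, qname=b'example.com'):
    """Build a minimal A query for qname (constructed sample input, not captured)."""
    header = struct.pack('>HHHHHH', txid, 0x0100, 1, 0, 0, 0)
    labels = b''.join(bytes([len(l)]) + l for l in qname.split(b'.')) + b'\x00'
    return header + labels + struct.pack('>HH', 1, 1)


class SegmentedSocket:
    """Stand-in for a connected TCP socket (assumed interface: recv(n) only).

    Hands back data in the pre-defined segments it was given, so the reader
    can be exercised against split writes and against early EOF offline.
    """

    def __init__(self, segments):
        self._segments = [bytes(s) for s in segments if s]

    def recv(self, n):
        if not self._segments:
            return b''                      # EOF: peer closed the connection
        chunk, rest = self._segments[0][:n], self._segments[0][n:]
        if rest:
            self._segments[0] = rest
        else:
            self._segments.pop(0)
        return chunk


if __name__ == '__main__':
    framed = frame_message(build_query(0x1234))
    # dnsmasq-style delivery: a 1-byte first read, then the rest of the data.
    print(read_tcp_dns_message(SegmentedSocket([framed[:1], framed[1:]]))[0])
    # The report's trigger: "j\n" from nc is taken as length 0x6a0a, then EOF.
    try:
        read_tcp_dns_message(SegmentedSocket([b'j\n']))
    except TruncatedMessage as e:
        print("rejected cleanly:", e)
```

With a real socket the only change is passing the `socket.socket` object instead of `SegmentedSocket`; the `recv_exact` loop is what replaces the `time.sleep(5)` workaround, because it waits for the bytes that are actually needed rather than for a fixed interval.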
