Nmap Development mailing list archives
Stack overflow in dns-zone-transfer.nse
From: David Fifield <david () bamsoftware com>
Date: Fri, 6 Feb 2009 12:36:37 -0700
On Fri, Feb 06, 2009 at 12:23:05PM -0700, David Fifield wrote:
DNS zone transfers happen over TCP. When DNS goes over TCP, multiple discrete messages can appear in one TCP stream. Each message is prefixed by a two-byte length field so you can separate them (RFC 1035 section 4.2.2). Another part of DNS is message compression (section 4.1.4), which allows a domain name to point back to a different name to complete it. For example, a DNS message might have a record for insecure.org at index 12 and one for svn.insecure.org at some later index. The record for svn.insecure.org might be just "svn." with a pointer back to index 12 to finish it.
Incidentally, the DNS parser in dns-zone-transfer.nse is vulnerable to the same infinite recursion bug that affected dns.lua (http://seclists.org/nmap-dev/2008/q4/0526.html). The problem happens when an index pointer directly or indirectly points to itself, creating a loop.

You can easily verify the bug by setting up Ncat as a DNS server. The attached file dns_tcp_bytes contains a crafted DNS message with a parsing loop. Run

    ncat -l 53 --sh-exec "cat dns_tcp_bytes"

to set up your DNS server and then run

    nmap -d --script=dns-zone-transfer -p 53 localhost

You will see

    Running 1 script threads:
    NSE (0.375s): Starting /usr/share/nmap/scripts/dns-zone-transfer.nse against 127.0.0.1:53.
    NSE (0.626s): /usr/share/nmap/scripts/dns-zone-transfer.nse against 127.0.0.1:53 ended with error: /usr/share/nmap/nselib/strbuf.lua:136: stack overflow
    Completed NSE at 12:30, 0.26s elapsed

We have a perfectly good DNS parser in dns.lua, so there's no reason to have a duplicate in dns-zone-transfer.nse. Does anyone want to try to fix this? The only tricky part is that the script's parser is set up to deal with the two-byte length prefix mentioned in http://seclists.org/nmap-dev/2009/q1/0316.html and dns.lua's is not. So the first step is to change responses_iter in dns-zone-transfer.nse to strip the length prefixes. After that it should be possible to drop in the dns.lua replacement.

David Fifield
Attachment: dns_tcp_bytes
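A defensive version of the two pieces the post describes, the RFC 1035 4.1.4 name decoder with compression pointers and the 4.2.2 two-byte TCP length framing, written as an added example in Python rather than the script's Lua; it is not code from dns.lua or dns-zone-transfer.nse. The sample messages are constructed here: GOOD holds the insecure.org / svn.insecure.org compression case from the post, and LOOP is a self-pointing pointer in the spirit of the attached dns_tcp_bytes, not its actual contents.

```python
import struct

class DnsParseError(ValueError):
    """Raised for malformed names instead of recursing until the stack overflows."""

def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a name at `offset` (RFC 1035 4.1.4) and return (name, next_offset).
    Pointers are followed iteratively; a forward pointer or a revisited offset
    (the direct or indirect self-reference from the post) raises instead."""
    labels, visited, end, pos = [], set(), None, offset
    while True:
        if pos >= len(msg):
            raise DnsParseError("name runs past end of message")
        length = msg[pos]
        if (length & 0xC0) == 0xC0:                   # 11xxxxxx: compression pointer
            if pos + 1 >= len(msg):
                raise DnsParseError("truncated compression pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if end is None:                           # caller resumes after the first pointer
                end = pos + 2
            if target >= pos or target in visited:    # loop guard: only backward, never twice
                raise DnsParseError(f"compression pointer loop at offset {pos}")
            visited.add(target)
            pos = target
        elif length & 0xC0:
            raise DnsParseError("reserved label type")
        elif length == 0:                             # root label ends the name
            return ".".join(labels) or ".", (pos + 1 if end is None else end)
        else:
            labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
            pos += 1 + length

def split_tcp_messages(stream: bytes) -> list[bytes]:
    """Split a DNS-over-TCP stream on its two-byte length prefixes (RFC 1035 4.2.2)."""
    out, pos = [], 0
    while pos + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + n > len(stream):
            raise DnsParseError("truncated TCP-framed message")
        out.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return out

# Constructed samples: a zeroed 12-byte header, then name data starting at offset 12.
HEADER = b"\x00" * 12
GOOD = HEADER + b"\x08insecure\x03org\x00" + b"\x03svn\xc0\x0c"  # "svn" + pointer to offset 12
LOOP = HEADER + b"\xc0\x0c"                                     # pointer to its own offset
STREAM = struct.pack("!H", len(GOOD)) + GOOD + struct.pack("!H", len(LOOP)) + LOOP
```

Feeding LOOP to read_name raises DnsParseError immediately, which is the behaviour the stack-overflowing parser lacks.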