Nmap Development mailing list archives

Stack overflow in dns-zone-transfer.nse


From: David Fifield <david () bamsoftware com>
Date: Fri, 6 Feb 2009 12:36:37 -0700

On Fri, Feb 06, 2009 at 12:23:05PM -0700, David Fifield wrote:
DNS zone transfers happen over TCP. When DNS goes over TCP, multiple
discrete messages can appear in one TCP stream. Each message is prefixed
by a two-byte length field so you can separate them (RFC 1035 section
4.2.2). Another part of DNS is message compression (section 4.1.4),
which allows a domain name to point back to a different name to complete
it. For example, a DNS message might have a record for insecure.org at
index 12 and one for svn.insecure.org at some later index. The record
for svn.insecure.org might be just "svn." with a pointer back to index
12 to finish it.

Incidentally, the DNS parser in dns-zone-transfer.nse is vulnerable to
the same infinite recursion bug that affected dns.lua
(http://seclists.org/nmap-dev/2008/q4/0526.html). The problem happens
when an index pointer directly or indirectly points to itself, creating
a loop.

You can easily verify the bug by setting up Ncat as a DNS server. The
attached file dns_tcp_bytes contains a crafted DNS message with a
parsing loop. Run
        ncat -l 53 --sh-exec "cat dns_tcp_bytes"
to set up your DNS server and then run
        nmap -d --script=dns-zone-transfer -p 53 localhost

You will see

Running 1 script threads:
NSE (0.375s): Starting /usr/share/nmap/scripts/dns-zone-transfer.nse against 127.0.0.1:53.
NSE (0.626s): /usr/share/nmap/scripts/dns-zone-transfer.nse against 127.0.0.1:53 ended with error: 
/usr/share/nmap/nselib/strbuf.lua:136: stack overflow
Completed NSE at 12:30, 0.26s elapsed

We have a perfectly good DNS parser in dns.lua, so there's no reason to
have a duplicate in dns-zone-transfer.nse. Does anyone want to try to
fix this? The only tricky part is that the script's parser is set up to
deal with the two-byte length prefix mentioned in
http://seclists.org/nmap-dev/2009/q1/0316.html and dns.lua's is not. So
the first step is to change responses_iter in dns-zone-transfer.nse to
strip the length prefixes. After that it should be possible to drop in
the dns.lua replacement.

David Fifield

Attachment: dns_tcp_bytes
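A hardened version of the two parsing steps the post describes, as an added example in Python (it is not the nmap script's own Lua code): splitting a TCP DNS stream on its two-byte length prefixes, and decoding compressed names with a visited-offset check that reports a pointer loop as an error instead of recursing until the stack overflows. The sample messages (HEADER, GOOD_MSG, LOOP_MSG, TCP_STREAM) are constructed inline and are not the attached dns_tcp_bytes file.

```python
import struct

# Constructed sample (not a real zone transfer): a 12-byte header, then the
# name "insecure.org" at offset 12, then "svn" plus a pointer back to 12.
HEADER = b"\x00\x01\x84\x00" + b"\x00\x00" * 4
GOOD_MSG = HEADER + b"\x08insecure\x03org\x00" + b"\x03svn\xc0\x0c"
# Constructed: a compression pointer at offset 12 that points to itself.
LOOP_MSG = HEADER + b"\xc0\x0c"
# Both messages in one TCP stream, each with its two-byte length prefix.
TCP_STREAM = (struct.pack("!H", len(GOOD_MSG)) + GOOD_MSG
              + struct.pack("!H", len(LOOP_MSG)) + LOOP_MSG)

def split_tcp_dns_messages(stream):
    """Strip the two-byte length prefixes (RFC 1035 4.2.2) and return the
    discrete messages carried in a TCP DNS stream."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        body = stream[pos + 2:pos + 2 + length]
        if len(body) < length:
            raise ValueError("truncated DNS message in TCP stream")
        msgs.append(body)
        pos += 2 + length
    return msgs

def decode_name(msg, offset):
    """Decode a possibly compressed name (RFC 1035 4.1.4) at offset and
    return (name, offset just past the name as written in the record).
    A pointer to an offset already visited is an error, not a recursion."""
    labels, seen, end = [], set(), None
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # two-byte compression pointer
            if offset in seen or offset + 2 > len(msg):
                raise ValueError("bad or looping pointer at offset %d" % offset)
            seen.add(offset)
            if end is None:
                end = offset + 2                   # record resumes after pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:                            # root label ends the name
            return ".".join(labels), (end if end is not None else offset + 1)
        if length & 0xC0 or offset + 1 + length > len(msg):
            raise ValueError("bad label at offset %d" % offset)
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
```

Running decode_name over LOOP_MSG raises ValueError on the second visit to offset 12, which is the condition that makes the script's recursive parser overflow its stack.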
