oss-sec mailing list archives
Re: CVE request for dnsmasq DoS
From: Jamie Strandboge <jamie () canonical com>
Date: Sat, 12 Jul 2008 08:28:07 -0400
On Thu, 03 Jul 2008, Jamie Strandboge wrote:
> On Tue, 01 Jul 2008, Steven M. Christey wrote:
> > I'm not sure I fully understand Thierry Carrez' comment about the
> > security implications of this issue. It seems like an exploit would
> > require a malicious DHCP server, in which case isn't DHCP service
> > already compromised? If so, then a crash of dnsmasq (null
> > dereference?) doesn't seem to be any worse than the loss of DHCP
> > itself.
>
> I haven't had time to develop a PoC, but from the dnsmasq 2.26 announce
> page at [1], a client need only send a crafted renewal request to crash
> the server. Thierry's comments were only for trying to reproduce the
> problem and test the patch.

(resending as the first one didn't make it to the list)

I finally had time to develop a PoC and confirm this on my own. A client need only send a DHCPREQUEST for an IP address not on the same network as dnsmasq. Eg:

1. dnsmasq listening on and giving IP addresses for 192.168.122.0/24
2. client requests IP address on another network, such as 192.168.0.1
3. dnsmasq 2.25 (and presumably earlier) crashes

This can happen in normal operation with roaming users, but can also happen with a malicious request.

Attached is a script to easily test for this (requires python scapy).

Jamie

--
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/
Attachment: dhcp_request.py
Attachment: signature.asc (Digital signature)