|
Message-ID: <CAPcZBq7YrwpZDJNZ58yQjcYHTZ43qoQWCoUAet9Eb7Dn2sruBQ@mail.gmail.com> Date: Mon, 13 Apr 2015 13:44:04 +0800 From: 罗大龙 <luodalongde@...il.com> To: oss-security@...ts.openwall.com Subject: net-snmp snmp_pdu_parse() function incompletely initializaition vulnerability HI there, Greeting! This is Qinghao Tang from QIHU 360 company, China. I am a security researcher there. I'm writing to apply for a CVE ID, for a 0day vulnerability in net-snmp. Please refer to below report. [requester info] name: Qinghao Tang company: QIHU 360 company, China email: tangqinghao@....cn [vendor info] name: net-snmp email: net-snmp-users@...ts.sourceforge.net website: http://www.net-snmp.org/ [vulnerable net-snmp version] All version [vulnerability Description] Incompletely initialized vulnerability exists in the function ‘snmp_pdu_parse()’ of ‘snmp_api.c', and remote attackers can cause memory leak, DOS and possible command executions by sending malicious packets. Since the vulnerability occurs when parsing the packets, it could have broader impacts. Currently we have find 12 remote DOS methods in the latest version of net-snmp client software. I think this vulnerability could cause even more severe risks. [vulnerability resaon] In the function ‘snmp_pdu_parse()’ of ‘snmp_api.c', the structure of ‘netsnmp_variable_list is initialized incompletely, thus the malicious packets can cause ‘snmp_parse_var_op()’ returning ERROR. When using the uninitialized data(type,val,name_loc,buf) in structure ‘ netsnmp_variable_list’, it will cause memory leak, DOS and possible command executions. int snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length) { …. netsnmp_variable_list *vptemp; vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp)); if (NULL == vptemp) { return -1; } if (NULL == vp) { pdu->variables = vptemp; } else { vp->next_variable = vptemp; } vp = vptemp; vp->next_variable = NULL; vp->val.string = NULL; vp->name_length = MAX_OID_LEN; vp->name = NULL; vp->index = 0; vp->data = NULL; vp->dataFreeHook = NULL; DEBUGDUMPSECTION("recv", "VarBind"); data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type, &vp->val_len, &var_val, length); if (data == NULL) return -1; …… } typedef struct variable_list netsnmp_variable_list; struct variable_list { /** NULL for last variable */ struct variable_list *next_variable; /** Object identifier of variable */ oid *name; /** number of subid's in name */ size_t name_length; /** ASN type of variable */ u_char type; /** value of variable */ netsnmp_vardata val; /** the length of the value to be copied into buf */ size_t val_len; /** 90 percentile < 24. */ oid name_loc[MAX_OID_LEN]; /** 90 percentile < 40. */ u_char buf[40]; /** (Opaque) hook for additional data */ void *data; /** callback to free above */ void (*dataFreeHook)(void *); int index; }; typedef union { long *integer; u_char *string; oid *objid; u_char *bitstring; struct counter64 *counter64; #ifdef OPAQUE_SPECIAL_TYPES float *floatVal; double *doubleVal; /* * t_union *unionVal; */ #endif /* OPAQUE_SPECIAL_TYPES */ } netsnmp_vardata; [crash info from /var/log/messages] sprint_realloc_integer snmpget:0x290a3 overview:Feb 22 11:37:48 localhost kernel: snmpget[24260]: segfault at 0 ip 00007f00cbff20a3 sp 00007fff7bf08620 error 4 in libnetsnmp.so.30.0.3[7f00cbfc9000+ac000] asn_realloc_rbuild_int snmpget:0x4ac0a overview:Feb 22 14:38:10 localhost kernel: snmpget[26825]: segfault at 0 ip 00007f2cbc089c0a sp 00007fff294221f0 error 4 in libnetsnmp.so.30.0.3[7f2cbc03f000+ac000] asn_realloc_rbuild_unsigned_int snmpget:0x4a5e7 overview:Feb 22 18:06:53 localhost kernel: snmpget[29948]: segfault at 0 ip 00007f6bb7a8e5e7 sp 00007fffc6863bc0 error 4 in libnetsnmp.so.30.0.3[7f6bb7a44000+ac000] asn_realloc_rbuild_unsigned_int64 snmpget:0x49832 overview:Feb 22 20:00:22 localhost kernel: snmpget[31802]: segfault at 0 ip 00007f93cb91d832 sp 00007fff7b93f970 error 4 in libnetsnmp.so.30.0.3[7f93cb8d4000+ac000] sprint_realloc_counter snmpget:0x2877b overview:Feb 23 09:31:45 localhost kernel: snmpget[44108]: segfault at 0 ip 00007f1e2fd8477b sp 00007fffe0abf9a0 error 4 in libnetsnmp.so.30.0.3[7f1e2fd5c000+ac000] sprint_realloc_uinteger snmpget:0x28c30 overview:Feb 13 09:54:03 localhost kernel: snmpget[64595]: segfault at 0 ip 00007f29f970dc30 sp 00007fff8c89a0e0 error 4 in libnetsnmp.so.30.0.3[7f29f96e5000+ac000] printI64 snmpget:0x5273e overview:Feb 13 10:52:42 localhost kernel: snmpget[3863]: segfault at 0 ip 00007fe314e4773e sp 00007fff782fcba0 error 4 in libnetsnmp.so.30.0.3[7fe314df5000+ac000] sprint_realloc_gauge snmpget:0x28a73 overview:Feb 13 11:24:17 localhost kernel: snmpget[4879]: segfault at 0 ip 00007fb3f0852a73 sp 00007fffc43f7b10 error 4 in libnetsnmp.so.30.0.3[7fb3f082a000+ac000] sprint_realloc_timeticks snmpget:0x29277 overview:Feb 13 12:10:08 localhost kernel: snmpget[6623]: segfault at 0 ip 00007f171c1ad277 sp 00007fff9fad9720 error 4 in libnetsnmp.so.30.0.3[7f171c184000+ac000] printU64 snmpget:0x52675 overview:Feb 13 13:48:11 localhost kernel: snmpget[9878]: segfault at 0 ip 00007fc3b04ed675 sp 00007fff4d0a3cb0 error 4 in libnetsnmp.so.30.0.3[7fc3b049b000+ac000] sprint_realloc_float snmpget:0x29c57 overview:Feb 18 23:31:41 localhost kernel: snmpget[57217]: segfault at 0 ip 00007f625c50ac57 sp 00007fffe60ebdb0 error 4 in libnetsnmp.so.30.0.3[7f625c4e1000+ac000] asn_realloc_rbuild_signed_int64 snmpget:0x4934d overview:Feb 21 18:21:13 localhost kernel: snmpget[9149]: segfault at 0 ip 00007f431746e34d sp 00007fffbcac3ed0 error 4 in libnetsnmp.so.30.0.3[7f4317425000+ac000] [patch] --- snmp_api.c 2014-12-09 04:23:22.000000000 +0800 +++ snmp_api.c.patch 2015-03-04 10:44:03.896001377 +0800 @@ -4518,6 +4518,9 @@ vp->index = 0; vp->data = NULL; vp->dataFreeHook = NULL; + vp->type = 0; + vp->name_loc = 0; + vp->buf = 0; DEBUGDUMPSECTION("recv", "VarBind"); data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type, &vp->val_len, &var_val, length)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.