NetworkConfiguration / dhcpcd

DHCP / IPv4LL / IPv6RA / DHCPv6 client.
https://roy.marples.name/projects/dhcpcd
BSD 2-Clause "Simplified" License

CVE-2020-7461 #218

Closed pistachio77 closed 1 year ago

pistachio77 commented 1 year ago

I'm currently checking the CVE issue.

Is dhcpcd considered for CVE-2020-7461?

When running the PoC tool, a dhcpcd crash occurs. [PoC Code URL] https://github.com/knqyf263/CVE-2020-7461

igalic commented 1 year ago

what does the crash look like? do you have a core file? can you extract anything useful from it?

rsmarples commented 1 year ago

For clarity, @pistachio77 contacted me off list a few days ago about this and my current view is that the issue described is handled gracefully by dhcpcd.

Based on the linked PoC, I added this to my testing ISC dhcpd server

option break-dns code 119 = string;
option break-dns 02:c0:01:00:01:41:c0:01;

And the dhcpcd master branch emits this:

vtnet0: dhcp_envoption 119: Result too large
vtnet0: dhcp_envoption 119: Result too large
vtnet0: executing: /libexec/dhcpcd-run-hooks BOUND

This means the PoC is doing something else which as yet I haven't had time to look into, because the scapy python plugin which the PoC uses doesn't work on the OSes I am testing with.

pistachio77 commented 1 year ago

@igalic Sorry for the late reply. In my opinion, it seems like there is a crash occurring when trying to use the data from 119. I think the absence of NULL at the end of the FQDN might be the issue.

    from scapy.all import DHCP  # import added; src_addr and subnet_mask are set elsewhere in the PoC

    dhcp = DHCP(
        options=[
            ("message-type", "ack"),
            ("server_id", src_addr),
            ("lease_time", 43200),
            ("subnet_mask", subnet_mask),
            (
                119,
                b"\x02\xc0\x01\x00\x01\x41\xc0\x02\x01",  # crash
                # b"\x02\xc0\x01\x00\x01\x41\xc0\x02\x00",  # not crash (swap with the line above)
            ),
            ("end"),
        ]
    )

dhcpcd log

    wlan0: soliciting a DHCP lease
    wlan0: truncated packet (66) from 127.0.0.1
    wlan0: truncated packet (66) from 127.0.0.1
    wlan0: invalid UDP packet from 0.0.0.0: Numerical result out of range
    wlan0: offered 192.168.0.3 from 192.168.0.18
    wlan0: ignoring offer of 192.168.0.3 from 192.168.0.1
    wlan0: leased 192.168.0.3 for 43200 seconds
    dhcp_bind: Read-only file system
    wlan0: adding route to 192.168.0.0/24
    wlan0: dhcp_envoption 119: Numerical result out of range
    malloc(): invalid size (unsorted)
    Aborted (core dumped)

core dump

#0  0x000000555aa0bf7c in vsyslog (ap=..., fmt=0x555aa37910 "arp_readi 0 ", __pri=6) at /usr/include/bits/syslog.h:47

No locals.

#1  vlogmessage (pri=pri@entry=6, fmt=fmt@entry=0x555aa37910 "arp_readi 0 ", args=...) at logerr.c:215

    ctx = 0x555aa57010 <_logctx>
    len = 13

#2  0x000000555aa0c388 in loginfox (fmt=fmt@entry=0x555aa37910 "arp_readi 0 ") at logerr.c:283

    args = {__stack = 0x7fe54bea50, __gr_top = 0x7fe54bea50, __vr_top = 0x7fe54bea10, __gr_offs = -56, __vr_offs = -128}

#3  0x000000555aa228c0 in arp_read (arg=0x5592b33930) at arp.c:304

    ifp = <optimized out>
    state = <optimized out>
    buf = "p\353K\345\177\000\000\000l\273\240ZU\000\000\000`\245\262\222U\000\000\000\260\212\261\222U\000\000\000\250\355K\345\177\000\000\000\000`\245ZU\000\000\000`\245\262\222U\000\000"
    bytes = <optimized out>
    __func__ = "arp_read"

#4  0x000000555aa0bbc8 in eloop_start (eloop=0x5592b2a560, signals=0x7fe54beda8) at eloop.c:981

    n = <optimized out>
    e = <optimized out>
    t = 0x5592b18ab0
    now = {tv_sec = 3754, tv_nsec = 880300448}
    ts = <optimized out>
    tsp = <optimized out>
    t0 = <optimized out>
    epe = {events = 1, data = {ptr = 0x5592b17570, fd = -1833863824, u32 = 2461103472, u64 = 367533323632}}
    timeout = <optimized out>

#5  0x000000555aa06c94 in main (argc=, argv=0x7fe54bf0a8) at dhcpcd.c:2102

    ctx = {pidfile = "/var/run/dhcpcd-wlan0.pid", '\000' <repeats 17 times>, cffile = 0x7fe54bfe94 "/etc/dhcpcd/dhcpcd.conf", options = 310326614976628744, logfile = 0x0, argc = 5, argv = 0x7fe54bf0a8, ifac = 0, ifav = 0x0, ifdc = 0, ifdv = 0x0, ifc = 1, ifv = 0x7fe54bf0c8, ifcc = 1, ifcv = 0x5592b2a4f0, duid = 0x5592b36d30 "", duid_len = 14, ifaces = 0x5592b2a6d0, routes = {rbt_root = 0x5592b18a28, rbt_ops = 0x555aa559e0 <rt_compare_os_ops>, rbt_minmax = {0x5592b18a28, 0x5592b18a28}}, froutes = {rbt_root = 0x5592b17be8, rbt_ops = 0x555aa55a00 <rt_compare_free_ops>, rbt_minmax = {0x5592b176a8, 0x5592b386b8}}, rt_order = 1, pf_inet_fd = 9, priv = 0x5592b2a600, link_fd = 5, link_rcvbuf = 0, seq = 30, sseq = 0, sigset = {__val = {0 <repeats 16 times>}}, eloop = 0x5592b2a560, script_fp = 0x5592b2e1c0, script_buf = 0x5592b34ce0 "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", script_buflen = 577, script_env = 0x5592b18b70, script_envlen = 22, control_fd = -1, control_unpriv_fd = -1, control_fds = {tqh_first = 0x0, tqh_last = 0x7fe54bee60}, control_sock = '\000' <repeats 40 times>, control_group = 0, vivso = 0x0, vivso_len = 0, randomstate = 0x0, dhcp_opts = 0x5592b275f0, dhcp_opts_len = 124, udp_fd = 13, opt_buffer = 0x0, opt_buffer_len = 0, secret = 0x0, secret_len = 0, nd_fd = -1, ra_routers = 0x5592b34010, dhcp6_fd = -1, nd_opts = 0x5592b298e0, nd_opts_len = 6, dhcp6_opts = 0x5592b31c40, dhcp6_opts_len = 79, dev_load = 0x0, dev_fd = -1, dev = 0x0, dev_handle = 0x0}
    ifaddrs = 0x0
    ifo = 0x0
    ifp = 0x0
    family = <optimized out>
    opt = 1
    oi = 0
    i = 1
    logopts = <optimized out>
    t = <optimized out>
    len = <optimized out>
    pid = <optimized out>
    sig = <optimized out>
    siga = <optimized out>
    __func__ = "main"
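
An added worked example for the option 119 discussion above (my own code, not dhcpcd's and not the PoC's): a defensive decoder for the DHCP Domain Search option (RFC 3397, which reuses RFC 1035 name compression). It makes explicit the checks behind the "Result too large"/ERANGE messages seen in both logs: every label and compression pointer is bounds-checked, pointer loops are cut off with a glibc-style hop budget, a name with no terminating zero label (the missing terminator discussed above) is rejected, label bytes that a hook script could not safely receive are rejected, and a list that does not fit is dropped as a whole rather than partially applied. The sample byte strings are constructed here, except `opt_poc`, which is the "crash" option body from the snippet above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode one compressed name (RFC 1035 4.1.4) starting at *posp; on success
 * *posp is advanced past the name's in-line bytes.  Returns the dotted
 * name's length, or -1 if the name is truncated, out of bounds, looping,
 * carries unsafe bytes, or does not fit in out. */
static int
decode_name(const uint8_t *opt, size_t len, size_t *posp, char *out, size_t outlen)
{
	size_t pos = *posp, end = 0, outpos = 0, hops = 0;
	int jumped = 0;

	if (outlen == 0)
		return -1;
	for (;;) {
		if (pos >= len)
			return -1;		/* no terminating zero label */
		uint8_t l = opt[pos];
		if ((l & 0xC0) == 0xC0) {	/* compression pointer */
			if (pos + 1 >= len)
				return -1;	/* pointer cut in half */
			size_t target = ((size_t)(l & 0x3F) << 8) | opt[pos + 1];
			if (target >= len)
				return -1;	/* points outside the option */
			if (++hops > len)
				return -1;	/* more hops than bytes: a loop */
			if (!jumped) {
				end = pos + 2;
				jumped = 1;
			}
			pos = target;
			continue;
		}
		if (l & 0xC0)
			return -1;		/* 0x40/0x80 label types not valid here */
		if (l == 0) {			/* root label ends the name */
			if (!jumped)
				end = pos + 1;
			break;
		}
		if (pos + 1 + l > len)
			return -1;		/* label body runs past the option */
		if (outpos + l + 2 > outlen)
			return -1;		/* dot + label + NUL would overflow: ERANGE */
		for (size_t i = 0; i < l; i++) {
			uint8_t c = opt[pos + 1 + i];
			if (c <= 0x20 || c >= 0x7F)
				return -1;	/* no NUL, control or whitespace bytes */
		}
		if (outpos > 0)
			out[outpos++] = '.';
		memcpy(out + outpos, opt + pos + 1, l);
		outpos += l;
		pos += 1 + l;
	}
	out[outpos] = '\0';
	*posp = end;
	return (int)outpos;
}

/* Decode a whole option 119 value into a space-separated search list.
 * Returns the number of names, or -1 if any part is malformed, in which
 * case the caller should drop the option instead of applying part of it. */
int
decode_domain_search(const uint8_t *opt, size_t len, char *out, size_t outlen)
{
	size_t pos = 0, outpos = 0;
	int count = 0;
	char name[256];		/* RFC 1035: a name is at most 255 octets */

	if (outlen == 0)
		return -1;
	out[0] = '\0';
	while (pos < len) {
		int n = decode_name(opt, len, &pos, name, sizeof(name));
		if (n <= 0)
			return -1;	/* malformed, or an empty (root) search domain */
		if (outpos + (size_t)n + (count ? 1 : 0) + 1 > outlen)
			return -1;
		if (count)
			out[outpos++] = ' ';
		memcpy(out + outpos, name, (size_t)n + 1);
		outpos += (size_t)n;
		count++;
	}
	return count;
}

/* Constructed samples; only opt_poc is copied from the snippet above. */
static const uint8_t opt_good[] = { 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
	3,'w','w','w', 0xC0, 0x00 };			/* "www" + pointer to offset 0 */
static const uint8_t opt_poc[] = { 0x02,0xc0,0x01,0x00,0x01,0x41,0xc0,0x02,0x01 };
static const uint8_t opt_loop[] = { 1,'a', 0xC0, 0x00 };	/* "a" + pointer to itself */
static const uint8_t opt_cut[] = { 7,'e','x','a','m','p','l','e' };	/* no zero label */

int
main(void)
{
	const uint8_t *in[] = { opt_good, opt_poc, opt_loop, opt_cut };
	size_t inlen[] = { sizeof(opt_good), sizeof(opt_poc), sizeof(opt_loop), sizeof(opt_cut) };
	char buf[512];

	for (size_t i = 0; i < 4; i++) {
		int n = decode_domain_search(in[i], inlen[i], buf, sizeof(buf));
		printf("%zu: %s\n", i, n < 0 ? "rejected" : buf);
	}
	return 0;
}
```

The hop budget is the same idea glibc's name unpacker uses: a well-formed name cannot follow more pointers than the buffer has bytes, so exceeding that bound proves a cycle without needing a visited set. Rejecting the whole option on the first bad name matters because these strings end up in hook-script environment variables; a half-decoded list with an embedded NUL or a stray pointer target is worse than no list.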
rsmarples commented 1 year ago

Based on the coredump, the crash is not related to the DHCP message at all, but looks like an ARP packet was received with a zero length hardware address. I've also improved the DNS validation a little, but that has zero impact on the above as far as I can tell.

@pistachio77 can you test this please?
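
An added example (my own code, not dhcpcd's) of the sanity check the comment above implies: validate an ARP packet's fixed header and its hardware and protocol address lengths against the receiving interface before any of those fields is used to index into the packet or to build a log line. The hardware type (ar_hrd) is left to the caller, which knows the interface type; the packets are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 826 fixed header: hrd(2) pro(2) hln(1) pln(1) op(2), followed by
 * sender hw, sender proto, target hw and target proto addresses. */
#define ARP_FIXED_LEN 8

static uint16_t
be16(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/* Check an ARP packet for an interface whose hardware address is if_hwlen
 * bytes long and which carries IPv4.  Returns the offset of the sender
 * hardware address, or -1 if the packet must be dropped before any length
 * field in it is trusted. */
int
arp_validate(const uint8_t *pkt, size_t len, size_t if_hwlen)
{
	if (len < ARP_FIXED_LEN)
		return -1;			/* fixed header incomplete */
	uint8_t hln = pkt[4], pln = pkt[5];
	uint16_t pro = be16(pkt + 2), op = be16(pkt + 6);

	if (hln == 0 || hln != if_hwlen)
		return -1;			/* zero or foreign hardware address length */
	if (pro != 0x0800 || pln != 4)
		return -1;			/* only IPv4 protocol addresses here */
	if (op != 1 && op != 2)
		return -1;			/* request or reply only */
	if (len < ARP_FIXED_LEN + 2 * ((size_t)hln + pln))
		return -1;			/* address fields run past the packet */
	return ARP_FIXED_LEN;
}

/* Constructed packets: a valid Ethernet/IPv4 reply and the same with hln=0. */
static const uint8_t arp_ok[28] = { 0,1, 8,0, 6,4, 0,2,
	0x02,0,0,0,0,1, 192,168,0,1, 0x02,0,0,0,0,2, 192,168,0,3 };
static const uint8_t arp_zero_hln[28] = { 0,1, 8,0, 0,4, 0,2,
	0x02,0,0,0,0,1, 192,168,0,1, 0x02,0,0,0,0,2, 192,168,0,3 };

int
main(void)
{
	printf("valid reply:   %d\n", arp_validate(arp_ok, sizeof(arp_ok), 6));
	printf("hln = 0:       %d\n", arp_validate(arp_zero_hln, sizeof(arp_zero_hln), 6));
	printf("truncated:     %d\n", arp_validate(arp_ok, 20, 6));
	return 0;
}
```

Checking hln against the interface's own address length, rather than only against zero, also rejects packets whose address fields would be read with the wrong stride; the final length check is what keeps a short packet from being read past its end once the declared lengths are trusted.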

rsmarples commented 1 year ago

I adjusted the prior commit to terminate on overflow with a buffer as well.

rsmarples commented 1 year ago

It would help if I actually pushed the modified patch :)

rsmarples commented 1 year ago

Any feedback on if the patch helps dhcpcd to stop crashing with your ARP issues?

rsmarples commented 1 year ago

Somewhat related to this issue, this fixes privsep builds asserting on script buffer: 13cce2c82e41c28d989d5ce150e0fe837d7254f4