Remote double-free and memory corruption vulnerabilities
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
dhcpcd (Ubuntu) | Fix Released | Undecided | Unassigned | | |
Bug Description
Hey,
I have subjected a crucial part of dhcpcd, the function parse_dhcpmessage() in dhcp.c as well as the functions it invokes, to thorough fuzzing (using AFL) and manual source code inspection. This effort has resulted in the identification of a number of remote memory corruption vulnerabilities.
Please bear in mind that in order to make these routines of dhcpcd fuzzable I needed to modify the main() function such that parse_dhcpmessage() could be directly invoked with input received from the fuzzer. So while the proofs of concept included with this post are tailored to triggering the vulnerabilities in this specific set-up, I have very little doubt that they can be triggered in a scenario in which dhcpcd is employed for its actual purpose. In order to emulate exploitation under authentic use of the program, one would need to write a mock DHCP server which responds to the client's inquiries with one of the malicious payloads. The vulnerabilities contained in the Ubuntu version of dhcpcd (3.2.3) are in fact removed in later versions of the upstream version of the application. Whether due to inadequate diligence on the part of its maintainers to report found security vulnerabilities, or due to serendipitous remediation by virtue of general, pro-active code hardening in the upstream version, I couldn't find any earlier reports (CVEs or otherwise) of these vulnerabilities, which is likely the reason it hasn't been fixed yet in the Ubuntu version.
My proposed patch for the vulnerabilities is basically taken from the way in which later upstream versions deal with the problem. I can guarantee that my set of proof of concept payloads does not trigger memory corruption after the patch has been applied (it doesn't crash nor does ASAN report any corruption). However, you might want to double check my changes, especially to see whether the application as a DHCP client keeps working as expected.
By extension of the above reasoning as to why the vulnerability in the Ubuntu version wasn't uncovered and fixed earlier, you might want to consider upgrading to a later upstream version altogether, because more vulnerabilities and bugs might be present in your (rather old) code.
I am including two files with this message: one is the dhcp.c patch, and the other a modified version of dhcpcd.c and a collection of payloads (generated by AFL) that will trigger corruptions. You can copy dhcpcd.c over the original version and then invoke it as: ./dhcpcd <path_to_payload>. You can copy these .c files over the ones that appear after you do 'apt-get source dhcpcd'.
I believe the patch speaks for itself. However, if you require more commentary on the technical reasons of the crashes, I'll be happy to elaborate on this upon your request.
For what it's worth:
$ lsb_release -rd
Description: Ubuntu 14.04.3 LTS
Release: 14.04
-
Guido Vranken
Changed in dhcpcd (Ubuntu):
status: New → Confirmed
What's the plan? Will this be fixed?
Guido