Description
Summary
The project contains some errors in memory management and access. I have found two types of errors:
- Segmentation fault
- Double free
How I have found these bugs
Running the tool on the files from https://github.com/pevma/mrp, I got these results:
```sh
# run dns_parse on every capture in mrp/, pausing for a keypress after each file
for line in $(ls -1 mrp | grep pcap) ; do dns_parse/bin/dns_parse "mrp/${line}" ; echo "File : $line" ; read -n 1 ; done
```
Here is the output of the tool on the malformed files:
arp-dns-eth-icmp-ip-udp-goodhttp-gooddns.pcapng ✅
```
pcap_dispatch: an interface has a snapshot length 5000 different from the snapshot length of the first interface
```
arp-dns-eth-icmp-ip-udp.pcapng ❌
```
7U\x83Y\xbdH\xc4g[n(\xdf\xcc\x95\xb7\xdc\xc3;\xccg\xd3\xef\x85\xbem\x05(\x99\xf3\xe8\x86\x92\x91\x84\x89\xbc$E\xf7\xf4\xda8\xbbg\x9e\x82\x8b\x06\xae 0 0
Unsupported EtherType: 9b29
Unsupported Transport Protocol(1)
256.000000,208.21.2.184,10.1.1.99,29440,u,q,AA
Unsupported EtherType: 0806
257.000000,208.21.2.184,10.1.1.99,65535,u,r,NA
Unsupported EtherType: f9a9
Unsupported Transport Protocol(1)
257.000000,208.21.2.184,10.1.1.99,5078,u,r,NA
Unsupported EtherType: 0806
Truncated Packet(dns): 0
Segmentation fault: 11
```
arp.pcap ✅
```
Unsupported EtherType: 0806
Unsupported EtherType: 0806
Unsupported EtherType: 0806
Unsupported EtherType: 0806
Unsupported EtherType: 0806
Unsupported EtherType: 0806
Unsupported EtherType: 0806
```
bgp.pcap ✅
No output
bvlc.pcap ❌
```
\xc6Nf\xf3\xbaU|\x1f\x0eupGwA\xbb\xca\xcaDx\xef\xd8,\x03\x91\xd0\x05\x1c\xd2I\xf6\xe2\xab\x1c\x94\x1b\xcf\x1f\xbb\x10\xd5\xe5z\xa2N %\xbd\x82\xd6fd\x1b\xeb\x88\xc2\x1c\x18\xc9\xd2\xcb+\xe7\x9b\xe3\xfd\xacv&\xa4\x05C\x11\xa9\x0f\xaa\x9c\x0f\xdf\xcds\x12\xe8|\xa86\x93\xdbva\xb7\xbf\x9f\xe9\xe3_\x98\x93\x18\xc3\xc4'_J\xc3\x8a\xa9;u\xff\x0f\xff\xee\x8bXX\x13\x96\xe5i]t?A\x8f\x0b.\xcc\x1af4_| 0 0
Truncated Packet(dns): \x81A\xa2\xcf\xa5\xc5\xc1\x05\xade
160.000000,193.255.25.30,193.255.25.255,255,u,r,AA ? (null) 0 0
dns_parse(24842,0x7ff850f3fa00) malloc: Double free of object 0x7f8aa4705f00
dns_parse(24842,0x7ff850f3fa00) malloc: *** set a breakpoint in malloc_error_break to debug
Abort trap: 6
```
dns.pcap ✅
```
\xf8\xeb)\xd5\xbb\xb1\x19\xc6\x17*K\x9d\xfd\xdd\xc6\x88\xb7\x96\x1d\xa9\x83\xcd_\x82\xf5\xadC\xf91-\x90\x958\xe2\x94\xd2\x07~\x82\x80\x1e\xdd\x1eO\xda\xbe\xc1U\x5c\x99\xcf\xa4"D\x17ML\xb3\x93\xfe\x0e\xfe\xf5[\x82\xb6 0 0
998.000000,208.21.2.184,10.1.1.99,65535,u,q,AA
999.000000,208.21.2.184,10.1.1.99,65535,u,q,AA
```
eth.pcap ✅
```
Unsupported EtherType: 98af
Unsupported EtherType: b296
Unsupported EtherType: a34f
Unsupported EtherType: f85a
Unsupported EtherType: 2c18
Unsupported EtherType: 3f2d
Unsupported EtherType: 1821
```
fddi.pcap ✅
```
Unsupported data link layer: 10
```
giop.pcap ✅
No output
icmp.pcap ✅
```
Unsupported Transport Protocol(1)
Unsupported Transport Protocol(1)
Unsupported Transport Protocol(1)
```
ip.pcap ❌
```
Truncated Packet(ipv4)
Segmentation fault: 11
```
llc.pcap ✅
```
Unsupported data link layer: 6
```
m2m.pcap ✅
```
Unsupported EtherType: 08f0
Unsupported EtherType: 08f0
Unsupported EtherType: 08f0
```
megaco.pcap ✅
```
Unsupported Transport Protocol(132)
Unsupported Transport Protocol(132)
Unsupported Transport Protocol(132)
```
nbns.pcap ✅
```
996.000000,208.21.2.184,10.1.1.99,0,u,r,AA
997.000000,208.21.2.184,10.1.1.99,0,u,q,AA
998.000000,208.21.2.184,10.1.1.99,0,u,q,NA
DNS question error
999.000000,208.21.2.184,10.1.1.99,0,u,r,AA ? Bad DNS question: \xce
```
ncp2222.pcap ✅
```
Unsupported data link layer: 6
```
sctp.pcap ✅
```
Unsupported Transport Protocol(132)
Unsupported Transport Protocol(132)
Unsupported Transport Protocol(132)
```
syslog.pcap ✅
```
\x870\xfb`cn\x83\xd2X\xb7\x7f\xf3\xcb-*\x5c\x83\x13\xcd\xe7|\xae\xa5j 0 0
997.000000,208.21.2.184,10.1.1.99,80,u,q,NA
998.000000,208.21.2.184,10.1.1.99,80,u,q,NA
999.000000,208.21.2.184,10.1.1.99,80,u,q,NA
```
tcp.pcap ✅
```
Unsupported data link layer: 6
```
tds.pcap ✅
No output
tr.pcap ✅
```
Unsupported data link layer: 6
```
udp.pcap ❌
```
Truncated Packet(dns):
572.000000,208.21.2.184,10.1.1.99,32866,u,r,AA ? (null) 0 0
dns_parse(25015,0x7ff850f3fa00) malloc: Double free of object 0x7f7ee0804140
dns_parse(25015,0x7ff850f3fa00) malloc: *** set a breakpoint in malloc_error_break to debug
Abort trap: 6
```
usb-linux.pcap ✅
```
Unsupported data link layer: 189
```
Summary
| Error type | File |
|---|---|
| Segmentation fault: 11 | arp-dns-eth-icmp-ip-udp.pcapng |
| Double free | bvlc.pcap |
| Segmentation fault: 11 | ip.pcap |
| Double free | udp.pcap |
So we can guess that there are at least two vulnerabilities, triggered by these malformed packets.
Debugging
When compiling:
```
root@4a9d7ac3330c:~/dns_parse# make
gcc -Wall -O2 -mtune=native -c rtypes.c
gcc -Wall -O2 -mtune=native -c strutils.c
gcc -Wall -O2 -mtune=native -c network.c
gcc -Wall -O2 -mtune=native -c tcp.c
tcp.c: In function 'tcp_assemble':
tcp.c:542:18: warning: 'final_data' may be used uninitialized [-Wmaybe-uninitialized]
  542 |     origin->data = final_data;
      |     ~~~~~~~~~~~~~^~~~~~~~~~~~
tcp.c:373:15: note: 'final_data' was declared here
  373 |     uint8_t * final_data;
      |               ^~~~~~~~~~
tcp.c: In function 'tcp_save_state':
tcp.c:568:9: warning: argument 1 null where non-null expected [-Wnonnull]
  568 |         fclose(outfile);
      |         ^~~~~~~~~~~~~~~
In file included from tcp.c:1:
/usr/include/stdio.h:184:12: note: in a call to function 'fclose' declared 'nonnull'
  184 | extern int fclose (FILE *__stream) __nonnull ((1));
      |            ^~~~~~
mkdir -p bin
gcc -Wall -O2 -mtune=native rtypes.o strutils.o network.o tcp.o -o bin/dns_parse dns_parse.c -lpcap
dns_parse.c: In function 'print_summary':
dns_parse.c:393:36: warning: '%s' directive argument is null [-Wformat-overflow=]
  393 |             printf("%s UNKNOWN(%s,%d)", qnext->name, parser->name, qnext->type);
      |                                    ^~
/usr/bin/ld: tcp.o:(.bss+0x0): multiple definition of `IP_STR_BUFF'; network.o:(.bss+0x0): first defined here
/usr/bin/ld: /tmp/ccA7JsME.o:(.bss+0x0): multiple definition of `default_rr_parser'; rtypes.o:(.data.rel.local+0x260): first defined here
/usr/bin/ld: /tmp/ccA7JsME.o:(.bss+0x40): multiple definition of `IP_STR_BUFF'; network.o:(.bss+0x0): first defined here
collect2: error: ld returned 1 exit status
make: *** [Makefile:29: bin/dns_parse] Error 1
```
I was not able to compile the program for debugging, due to dependency errors.
I debugged on macOS:
```
(lldb) bt 20
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
  * frame #0: 0x00007ff80d82b196 libsystem_kernel.dylib`__pthread_kill + 10
    frame #1: 0x00007ff80d862ee6 libsystem_pthread.dylib`pthread_kill + 263
    frame #2: 0x00007ff80d789b45 libsystem_c.dylib`abort + 123
    frame #3: 0x00007ff80d6a0752 libsystem_malloc.dylib`malloc_vreport + 888
    frame #4: 0x00007ff80d6b5a08 libsystem_malloc.dylib`malloc_zone_error + 183
    frame #5: 0x0000000100005918 dns_parse`print_summary + 504
    frame #6: 0x0000000100004fcd dns_parse`handler + 1293
    frame #7: 0x00007ff8196f7341 libpcap.A.dylib`pcap_offline_read + 200
    frame #8: 0x0000000100004767 dns_parse`main + 1207
    frame #9: 0x00007ff80d508418 dyld`start + 1896
```
From radare2:
```
[0x00000000]> iE~print_summary
37  0x00005720 0x100005720 GLOBAL FUNC 0        _print_summary
[0x00000000]> s 0x100005720 + 504
[0x100005918]> pd 20
0x100005918      498b7e20       mov rdi, qword [r14 + 0x20]
0x10000591c      e88f020000     call sym._dns_rr_free
0x100005921      498b7e30       mov rdi, qword [r14 + 0x30]
0x100005925      e886020000     call sym._dns_rr_free
0x10000592a      498b7e40       mov rdi, qword [r14 + 0x40]
0x10000592e      e87d020000     call sym._dns_rr_free
```
For the segfault:
```
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x1)
    frame #0: 0x0000000100005820 dns_parse`print_summary + 256
dns_parse`print_summary:
->  0x100005820 <+256>: movq   (%r12), %rsi
    0x100005824 <+260>: movzwl 0x8(%r12), %edx
    0x10000582a <+266>: movzwl 0xa(%r12), %ecx
    0x100005830 <+272>: leaq   0x254b(%rip), %rdi        ; "%s %d %d"
Target 0: (dns_parse) stopped.
```
From radare2:
```
[0x1000057fc]> s 0x100005720 + 256
[0x100005820]> pd 10
0x100005820      498b3424       mov rsi, qword [r12]
0x100005824      410fb7542408   movzx edx, word [r12 + 8]
0x10000582a      410fb74c240a   movzx ecx, word [r12 + 0xa]
0x100005830      488d3d4b2500.  lea rdi, str._s__d__d ; 0x100007d82 ; "%s %d %d"
```
Description of the bugs you found
Double free
When initialising the dns_info dns object at line 324, we don't set its fields to 0. When calling free at line 409, some of them may still be uninitialised, causing an error:
```c
dns_question_free(dns->queries);
dns_rr_free(dns->answers);
dns_rr_free(dns->name_servers);
dns_rr_free(dns->additional);
```
Segmentation Fault
When trying to debug, the program prints the contents of the variables of dns->queries. Since they are not initialised, this makes the program crash:
```c
printf("%s %d %d", qnext->name, qnext->type, qnext->cls);
```
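The block below is an added illustration, not code from dns_parse or from the reporter: a minimal C model of the cleanup path described above. It keeps the report's field names (queries, answers, name_servers, additional), but the struct layouts, the 12-byte header check and the packet bytes are assumptions. It models the non-zeroed stack slot by reusing one dns_info object across two packets: the first parses normally and is freed, the second is truncated and the parser returns before assigning any field, so the unconditional cleanup frees the previous packet's four pointers a second time. A tracked allocator counts the double frees instead of aborting, which is what lets the example run to completion; the hardened variant zeroes the struct before each parse and clears the pointers after freeing, so the same cleanup becomes a series of free(NULL) no-ops.

```c
/* Added example, not dns_parse's code: a model of the dns_info cleanup path
 * described in the report. Struct layouts, the 12-byte header check and the
 * packet bytes are assumptions; the field names follow the report. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct dns_rr { struct dns_rr *next; } dns_rr;
typedef struct dns_question { char *name; uint16_t type, cls; struct dns_question *next; } dns_question;
typedef struct { dns_question *queries; dns_rr *answers, *name_servers, *additional; } dns_info;

/* Registry of live allocations, standing in for malloc's own bookkeeping. */
#define MAX_LIVE 64
static void *live[MAX_LIVE];
static int double_free_count;

static void *tracked_alloc(size_t n) {
    void *p = calloc(1, n);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);
    return NULL;
}

/* Like free(), NULL is a no-op. A pointer that is not live is a double free:
 * libmalloc would abort ("Abort trap: 6"); this version only counts it. */
static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_free_count++;
}

/* Parse a constructed packet. Anything shorter than the 12-byte DNS header
 * returns -1 before touching dns at all: the early exit behind the report's
 * "Truncated Packet(dns)" message. Header contents are not modelled. */
static int dns_parse_model(const uint8_t *pkt, size_t len, dns_info *dns) {
    (void)pkt;
    if (len < 12) return -1;
    dns->queries      = tracked_alloc(sizeof(dns_question));
    dns->answers      = tracked_alloc(sizeof(dns_rr));
    dns->name_servers = tracked_alloc(sizeof(dns_rr));
    dns->additional   = tracked_alloc(sizeof(dns_rr));
    return 0;
}

/* Cleanup as the report describes it: every list freed unconditionally. */
static void dns_info_free(dns_info *dns) {
    tracked_free(dns->queries);
    tracked_free(dns->answers);
    tracked_free(dns->name_servers);
    tracked_free(dns->additional);
}

/* Hardened cleanup: free, then clear, so a repeat only passes NULLs. */
static void dns_info_free_hardened(dns_info *dns) {
    dns_info_free(dns);
    memset(dns, 0, sizeof *dns);
}

/* Constructed inputs: a full header, and one cut off after 5 bytes. */
static const uint8_t GOOD_PKT[12] = { 0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0 };
static const uint8_t SHORT_PKT[5] = { 0x12, 0x34, 0x81, 0x80, 0 };

/* Vulnerable flow: one struct reused for two packets, as the stack slot of a
 * non-zeroed local is reused across handler calls. Returns the double-free
 * count: one per list pointer. */
int run_vulnerable(void) {
    dns_info dns;
    memset(&dns, 0, sizeof dns);            /* the slot is clean on the very first call */
    double_free_count = 0;
    dns_parse_model(GOOD_PKT, sizeof GOOD_PKT, &dns);
    dns_info_free(&dns);                    /* freed, but the pointers stay stored */
    dns_parse_model(SHORT_PKT, sizeof SHORT_PKT, &dns);  /* early return, nothing assigned */
    dns_info_free(&dns);                    /* frees the same four pointers again */
    return double_free_count;               /* 4 */
}

/* Hardened flow: zero before each parse, clear after each free. */
int run_hardened(void) {
    dns_info dns;
    double_free_count = 0;
    memset(&dns, 0, sizeof dns);
    dns_parse_model(GOOD_PKT, sizeof GOOD_PKT, &dns);
    dns_info_free_hardened(&dns);
    memset(&dns, 0, sizeof dns);
    if (dns_parse_model(SHORT_PKT, sizeof SHORT_PKT, &dns) < 0)
        puts("Truncated Packet(dns)");
    dns_info_free_hardened(&dns);           /* every field is NULL: nothing is freed */
    return double_free_count;               /* 0 */
}

int main(void) {
    printf("vulnerable cleanup: %d double frees\n", run_vulnerable());
    printf("hardened cleanup:   %d double frees\n", run_hardened());
    return 0;
}
```

The same stale `queries` pointer is what the `printf("%s %d %d", qnext->name, ...)` loop dereferences, so zero-initialising the struct at its declaration (for example `dns_info dns = {0};`) addresses both the segfault and the double free; clearing the pointers after freeing them is a second layer, so that a later cleanup of the same object stays harmless.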