11686 – (CVE-2016-0771) [SECURITY] CVE-2016-0771: Read of uninitialized memory DNS TXT handling

Bug 11686 (CVE-2016-0771) - [SECURITY] CVE-2016-0771: Read of uninitialized memory DNS TXT handling

Summary: [SECURITY] CVE-2016-0771: Read of uninitialized memory DNS TXT handling

Status:	RESOLVED FIXED

Alias:	CVE-2016-0771

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	DNS server (internal) (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Garming Sam
QA Contact:	Samba QA Contact

URL:	https://bugzilla.samba.org/show_bug.c...
Keywords:

Depends on:
Blocks:	11630
	Show dependency tree / graph

Reported:	2016-01-22 08:21 UTC by Stefan Metzmacher
Modified:	2021-08-31 04:04 UTC (History)
CC List:	10 users (show)

See Also:

Attachments
Patches with tests (95.69 KB, patch) 2016-01-29 05:17 UTC, Garming Sam	no flags	Details
Patches for master (95.14 KB, patch) 2016-02-10 04:07 UTC, Garming Sam	abartlet: review+	Details
Patches for 4.1 (84.36 KB, patch) 2016-02-10 04:11 UTC, Garming Sam	abartlet: review+	Details
Patches for 4.2 (91.00 KB, patch) 2016-02-10 04:12 UTC, Garming Sam	no flags	Details
Patches for 4.3 (94.10 KB, patch) 2016-02-10 04:14 UTC, Garming Sam	abartlet: review+	Details
Updated patches for 4.2 (91.06 KB, patch) 2016-02-10 07:45 UTC, Garming Sam	abartlet: review+	Details
CVE Description (1.72 KB, text/plain) 2016-02-10 09:28 UTC, Garming Sam	abartlet: review+	Details
CVE-2016-0771-description.txt (1.94 KB, text/plain) 2016-02-22 17:32 UTC, Stefan Metzmacher	metze: review? (abartlet) garming: review+	Details
CVE-2016-0771-master.patches.txt (96.53 KB, patch) 2016-02-22 17:34 UTC, Stefan Metzmacher	metze: review? (abartlet) garming: review+	Details
CVE-2016-0771-v4-4.patches.txt (96.53 KB, patch) 2016-02-22 17:35 UTC, Stefan Metzmacher	metze: review? (abartlet) garming: review+	Details
CVE-2016-0771-v4-3.patches.txt (95.49 KB, patch) 2016-02-22 17:36 UTC, Stefan Metzmacher	metze: review? (abartlet) garming: review+	Details
CVE-2016-0771-v4-2.patches.txt (92.43 KB, patch) 2016-02-22 17:37 UTC, Stefan Metzmacher	metze: review? (abartlet) garming: review+	Details
CVE-2016-0771-v4-1.patches.txt (85.64 KB, patch) 2016-02-22 17:37 UTC, Stefan Metzmacher	metze: review? (abartlet) garming: review+	Details
Show Obsolete (7) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Stefan Metzmacher 2016-01-22 08:21:23 UTC

https://bugzilla.samba.org/show_bug.cgi?id=11128 is public,
so we don't add an explicit 'depends on'!

From garming:

Hi,

After looking into the DNS server and TXT records, I found that the
dnsserver would segfault on certain input strings. The issues in parsing
are well known (https://bugzilla.samba.org/show_bug.cgi?id=11128 along
with fixes by metze and ones I concocted myself), but apparently not the
consequences.

Attached is an input case which causes the segfault. The text string
itself in this case does not seem that important, only that it fails to
send anything useful onto the wire TXT={len=0 str=). After storing the
record in the database, a subsequent query will trigger the segfault by
the use of a talloc_asprintf call in dns_query.c. It seems to
dereferences an array of length 0 (not checking the count of 0), using
that pointer as a string to return to the client. If by coincidence it
was valid, the client could possibly get some random string returned in
the query TXT record as long as it ended in NULL.

This is only the first bug I've found in the server, it looks like there
might be another but there's more testing to be made. Our original
intention with this test case was the try to see if it could read up to
255 bytes off the end, but it never actually got passed the client.


Cheers,

Garming

Comment 1 Stefan Metzmacher 2016-01-22 08:27:20 UTC

(In reply to Stefan Metzmacher from comment #0)

Hi Garming,

> After looking into the DNS server and TXT records, I found that the
> dnsserver would segfault on certain input strings. The issues in parsing
> are well known (https://bugzilla.samba.org/show_bug.cgi?id=11128 along
> with fixes by metze and ones I concocted myself), but apparently not the
> consequences.

Do you have the patches ready, so we can get a CVE number and do
security release soon? Are my fixes enough to fix the security part
of the problem?

> Attached is an input case which causes the segfault. The text string
> itself in this case does not seem that important, only that it fails to
> send anything useful onto the wire TXT={len=0 str=). After storing the
> record in the database, a subsequent query will trigger the segfault by
> the use of a talloc_asprintf call in dns_query.c. It seems to
> dereferences an array of length 0 (not checking the count of 0), using
> that pointer as a string to return to the client. If by coincidence it
> was valid, the client could possibly get some random string returned in
> the query TXT record as long as it ended in NULL.
>
> This is only the first bug I've found in the server, it looks like there
> might be another but there's more testing to be made. Our original
> intention with this test case was the try to see if it could read up to
> 255 bytes off the end, but it never actually got passed the client.

It will not happen often, but it certainly possible.
And it's at least always a denial of service attack.

metze

Comment 2 Garming Sam 2016-01-29 05:17:28 UTC

Created attachment 11799 [details]
Patches with tests

These are the patches to modify the IDL as well as the tests. All of them pass Windows, besides two which have been mentioned in the changes. There are probably some more tests that can be added as well as round-tripping via RPC for other record types, but I think most of the basic aspects have been covered.

Comment 3 Stefan Metzmacher 2016-01-29 14:10:56 UTC

I've asked secalert@redhat.com for a CVE number...

Comment 4 Stefan Metzmacher 2016-02-01 12:23:44 UTC

We can use CVE-2016-0771.

Comment 5 Stefan Metzmacher 2016-02-01 20:08:09 UTC

Comment on attachment 11799 [details]
Patches with tests

The patches look good so far, thanks! I'm trying a private autobuild with them
now and they pass

Can you write a CVE text and prepare patches with CVE and BUG markers,
similar to commit bc2d8592f4e22dd91790bcd78e7a1a99b8a83de5?
You can squash the fixme commit and add my review where required.
I think we should also remove unused commits (the last two patches for example
are not really related).

The attachments for version 1 of the patches should be:
CVE-2016-0771-description.garming01.txt
CVE-2016-0771.master.patches.garming01.txt
CVE-2016-0771.v4-3.patches.garming01.txt
CVE-2016-0771.v4-2.patches.garming01.txt
CVE-2016-0771.v4-1.patches.garming01.txt

We'll remove the garming01 part once it's the final version.

Thanks!
metze

Comment 6 Karolin Seeger 2016-02-03 11:14:07 UTC

We need
-the final patchset with complete commit messages incl. bug numbers and CVE number,
-backports for all affected versions,
-reviews and
-the CVE advisory
for this one.

Any volunteers?

Comment 7 Karolin Seeger 2016-02-05 09:06:00 UTC

(In reply to Karolin Seeger from comment #6)
ping

Comment 8 Garming Sam 2016-02-06 12:52:33 UTC

(In reply to Karolin Seeger from comment #7)
Sorry, been travelling. At the very least I should be able to handle the final patches and write something plausible for the CVE text. Hopefully I can get those done soon.

Comment 9 Garming Sam 2016-02-10 04:07:27 UTC

Created attachment 11824 [details]
Patches for master

Comment 10 Garming Sam 2016-02-10 04:11:00 UTC

Created attachment 11825 [details]
Patches for 4.1

Needed to remove all references to settimeout because of the old socket wrapper. Seems to pass all the dns tests. Still need to run a full autobuilds.

Comment 11 Garming Sam 2016-02-10 04:12:00 UTC

Created attachment 11826 [details]
Patches for 4.2

Comment 12 Garming Sam 2016-02-10 04:14:10 UTC

Created attachment 11827 [details]
Patches for 4.3

Comment 13 Garming Sam 2016-02-10 07:45:29 UTC

Created attachment 11828 [details]
Updated patches for 4.2

Comment 14 Garming Sam 2016-02-10 09:28:38 UTC

Created attachment 11829 [details]
CVE Description

Comment 15 Andrew Bartlett 2016-02-16 03:43:08 UTC

Comment on attachment 11824 [details]
Patches for master

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Comment 16 Andrew Bartlett 2016-02-16 03:48:50 UTC

Comment on attachment 11825 [details]
Patches for 4.1

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Comment 17 Andrew Bartlett 2016-02-16 03:58:07 UTC

Comment on attachment 11829 [details]
CVE Description

This is OK, but even better would mention the default of:

 allow dns updates = secure only

(and that nonsecure is a much bigger risk here)

Also, investigate which class of accounts can add a problem record - presumably at least machine accounts.

Comment 18 Stefan Metzmacher 2016-02-22 17:32:29 UTC

Created attachment 11850 [details]
CVE-2016-0771-description.txt

Changed versions to 4.4.0rc4, 4.3.6, 4.2.9 and 4.1.23.

Added:

+By default only authenticated accounts can upload DNS records,
+as "allow dns updates = secure only" is the default.
+Any other value would allow anonymous clients to trigger this
+bug, which is a much higher risk.

Changes links to https://

Comment 19 Stefan Metzmacher 2016-02-22 17:34:52 UTC

Created attachment 11851 [details]
CVE-2016-0771-master.patches.txt

Added review tags based on the old attachment (and my review).

Comment 20 Stefan Metzmacher 2016-02-22 17:35:44 UTC

Created attachment 11852 [details]
CVE-2016-0771-v4-4.patches.txt

Comment 21 Stefan Metzmacher 2016-02-22 17:36:19 UTC

Created attachment 11853 [details]
CVE-2016-0771-v4-3.patches.txt

Comment 22 Stefan Metzmacher 2016-02-22 17:37:02 UTC

Created attachment 11854 [details]
CVE-2016-0771-v4-2.patches.txt

Added review tags based on the old attachment (and my review).

Comment 23 Stefan Metzmacher 2016-02-22 17:37:40 UTC

Created attachment 11855 [details]
CVE-2016-0771-v4-1.patches.txt

Added review tags based on the old attachment (and my review).

Comment 24 Stefan Metzmacher 2016-02-25 09:23:32 UTC

Comment on attachment 11850 [details]
CVE-2016-0771-description.txt

Change name to CVE-2016-0771-description.txt

Comment 25 Stefan Metzmacher 2016-02-25 09:24:07 UTC

Comment on attachment 11851 [details]
CVE-2016-0771-master.patches.txt

Change name to CVE-2016-0771-master.patches.txt

Comment 26 Stefan Metzmacher 2016-02-25 09:24:41 UTC

Comment on attachment 11852 [details]
CVE-2016-0771-v4-4.patches.txt

Change name to CVE-2016-0771-v4-4.patches.txt

Comment 27 Stefan Metzmacher 2016-02-25 09:25:14 UTC

Comment on attachment 11853 [details]
CVE-2016-0771-v4-3.patches.txt

Change name to CVE-2016-0771-v4-3.patches.txt

Comment 28 Stefan Metzmacher 2016-02-25 09:25:50 UTC

Comment on attachment 11854 [details]
CVE-2016-0771-v4-2.patches.txt

Change name to CVE-2016-0771-v4-2.patches.txt

Comment 29 Stefan Metzmacher 2016-02-25 09:26:27 UTC

Comment on attachment 11855 [details]
CVE-2016-0771-v4-1.patches.txt

Change name to CVE-2016-0771-v4-1.patches.txt

Comment 30 Stefan Metzmacher 2016-02-25 09:34:15 UTC

Adding samba-vendor@samba.org alias.

Scheduled public release date is Tuesday March 8th 2016.

The tarballs are available now:
https://20160225:ialeew3aeNge@download.samba.org/security/fd9a7a5c

Comment 31 Stefan Metzmacher 2016-03-08 13:32:25 UTC

This is public now. Pushing patches to master now.

Comment 32 Karolin Seeger 2016-03-11 08:28:36 UTC

(In reply to Stefan Metzmacher from comment #31)
Patches ended up in master and the release branches.
Closing out bug report.

Thanks!

Comment 33 Andrew Bartlett 2021-08-31 04:04:21 UTC

Removing embargo from long-fixed security bug.