Bug 13466 - [SECURITY Hardening] DNS query with escape characters in DNS name makes Samba crash
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.8.2
Hardware: x64 Linux
Importance: P5 major
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on: CVE-2018-1140
Reported: 2018-06-07 12:01 UTC by Laurent Debomy
Modified: 2020-10-05 10:41 UTC (History)
Attachments:
Java code to reproduce the bug (2.03 KB, text/x-java), 2018-06-08 09:50 UTC, Laurent Debomy, no flags
patch for master (7.48 KB, patch), 2018-06-08 19:22 UTC, Kai Blin, no flags
patch for 4.8 (6.80 KB, patch), 2018-06-08 19:23 UTC, Kai Blin, no flags
patch to followup to CVE-2018-1140 to harden the DNS server (50.29 KB, patch), 2018-07-06 03:37 UTC, Andrew Bartlett, no flags
patch to followup to CVE-2018-1140 to harden the DNS server (49.53 KB, patch), 2018-07-06 03:59 UTC, Andrew Bartlett, abartlet: review? (dbagnall)

Description Laurent Debomy 2018-06-07 12:01:54 UTC
Created attachment 14225
Parts of samba log level 10 related to dns query

A Xerox Workcentre 7830 printer sends DNS queries with escape characters in names (see the attached log), which makes both of our Samba DCs crash at the same time.

I don't know why it queries such a name. Normal DNS clients refuse escape codes in DNS names, so I can't reproduce the problem.

However, it may be a security issue if we can reproduce this query using a C program.
Comment 1 Kai Blin 2018-06-07 12:52:29 UTC
Hi Laurent,

Thanks for the report. We'll certainly have to fix the crash, even if regular clients don't let you send these queries.
Comment 2 Kai Blin 2018-06-08 08:46:29 UTC
As a quick update, in my initial tests against the master branch, I can't reproduce the crash; the DNS server returns an NXDOMAIN error code and happily keeps running.
Comment 3 Laurent Debomy 2018-06-08 09:50:29 UTC
Finally, I can reproduce the crash using a Java program that sends the same DNS UDP packet as in the log file.

(Java code from https://stackoverflow.com/questions/36743226/java-send-udp-packet-to-dns-server) 

Added as attachment.
Comment 4 Laurent Debomy 2018-06-08 09:50:57 UTC
Created attachment 14228
Java code to reproduce the bug
Comment 5 Kai Blin 2018-06-08 11:11:08 UTC
Hi Laurent,

thanks for the reproducer. On the first try, this didn't crash for me, but I still need to try with your domain name provisioned.
Comment 6 Kai Blin 2018-06-08 11:15:25 UTC
Ok, I can reproduce the crash now. Thanks again for the reproducer.
Comment 7 Kai Blin 2018-06-08 16:10:13 UTC
I now have a python-based test that reproduces this as well.
Comment 8 Kai Blin 2018-06-08 16:18:35 UTC
This is a bug in LDB, not the DNS server.
Comment 9 Kai Blin 2018-06-08 19:20:02 UTC
I've reproduced the bug in master now.
Comment 10 Kai Blin 2018-06-08 19:22:13 UTC
Created attachment 14229
patch for master
Comment 11 Kai Blin 2018-06-08 19:23:01 UTC
Created attachment 14230
patch for 4.8
Comment 12 Björn Jacke 2018-06-12 12:44:39 UTC
Karo: as mentioned yesterday, this should be addressed in a security update soon. This is a DoS bug that can be triggered by a single UDP packet.
Comment 13 Karolin Seeger 2018-06-14 09:29:16 UTC
(In reply to Björn Jacke from comment #12)
Ok, thanks for the heads-up!
Comment 14 Kai Blin 2018-06-15 10:48:04 UTC
Not sure if I can make time to write a cmocka test for this in the near future.
Comment 15 Karolin Seeger 2018-06-25 09:40:32 UTC
Could someone provide an advisory, please?
Comment 16 Andrew Bartlett 2018-06-25 17:35:09 UTC
This is 'just' another instance of bug #13374, but with broader consequences.

*** This bug has been marked as a duplicate of bug 13374 ***
Comment 17 Andrew Bartlett 2018-07-03 03:40:05 UTC
I'm re-opening this for the subtle distinction that while LDB should not crash, neither did the DNS server do strict input validation on the DN being constructed. 

The fix is still tagged for the CVE-2018-1140 but this bug number covers preventative input validation that can be done.
Comment 18 Andrew Bartlett 2018-07-06 03:37:44 UTC
Created attachment 14288
patch to followup to CVE-2018-1140 to harden the DNS server

This needs to be applied to master after CVE-2018-1140 is published, but is NOT considered a security bug itself.
Comment 19 Andrew Bartlett 2018-07-06 03:59:08 UTC
Created attachment 14294
patch to followup to CVE-2018-1140 to harden the DNS server

This patch uses a new API in LDB ldb_dn_add_child_val() to harden the DNS server by avoiding printf format strings.
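The two points raised in comments 17 and 19, strict validation of the DNS label before a DN is built from it and adding the label as an escaped value instead of pasting it into a printf-style "DC=%s,..." string, can be shown with a small stand-alone model. The following is an added example, not Samba or LDB code and not the attached patches: the DN layout `DC=<label>,<base>`, the RFC 4514-style escaper and parser, the label policy in `is_valid_label()` and the sample labels are all assumptions constructed for illustration. It shows that a label containing a stray backslash yields a DN string the parser cannot parse at all when it is formatted in raw, while the same label is rejected up front by validation, and that a label containing `,` changes the DN's structure unless it is escaped as a value.

```python
"""DN construction from an untrusted DNS label: raw formatting vs. validated, escaped value.

Added example (not Samba/LDB code). The DN layout, helper names, label policy and
sample labels are assumptions constructed for this illustration.
"""
import re

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 section 2.4).
_MUST_ESCAPE = set('"+,;<>\\')
# Characters a parser accepts after a backslash as a literal escape.
_ESCAPABLE = _MUST_ESCAPE | set(' #=')
# Assumed label policy: letters, digits, hyphen, underscore, 1..63 characters.
_LABEL_RE = re.compile(r'^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$')


def is_valid_label(label: str) -> bool:
    """Strict input validation: accept only plain hostname-style label text."""
    return bool(_LABEL_RE.match(label))


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it embeds in a DN string unambiguously."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _MUST_ESCAPE:
            out.append('\\' + ch)
        elif (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)            # leading '#' and edge spaces are special
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append('\\%02X' % ord(ch))   # control bytes become hex pairs
        else:
            out.append(ch)
    return ''.join(out)


def build_dn_naive(label: str, base_dn: str) -> str:
    """The hazardous pattern: the raw label pasted into a 'DC=%s,...' format string."""
    return 'DC=%s,%s' % (label, base_dn)


def build_dn_safe(label: str, base_dn: str) -> str:
    """Validate first, then add the label as an escaped value rather than as DN text."""
    if not is_valid_label(label):
        raise ValueError('rejected DNS label: %r' % label)
    return 'DC=%s,%s' % (escape_rdn_value(label), base_dn)


def parse_dn(dn: str) -> list:
    """Parse 'attr=value,attr=value' into [(attr, value)]; raise on malformed escapes."""
    rdns = []
    i, n = 0, len(dn)
    while i < n:
        eq = dn.find('=', i)
        if eq <= i:
            raise ValueError('missing attribute type at offset %d' % i)
        attr = dn[i:eq]
        i = eq + 1
        value = []
        while i < n and dn[i] != ',':
            ch = dn[i]
            if ch == '\\':
                if i + 1 < n and dn[i + 1] in _ESCAPABLE:
                    value.append(dn[i + 1])
                    i += 2
                    continue
                hexpair = dn[i + 1:i + 3]
                if len(hexpair) == 2 and all(c in '0123456789abcdefABCDEF' for c in hexpair):
                    value.append(chr(int(hexpair, 16)))
                    i += 3
                    continue
                raise ValueError('malformed escape at offset %d' % i)
            value.append(ch)
            i += 1
        rdns.append((attr, ''.join(value)))
        i += 1  # step over the separating comma
    return rdns


if __name__ == '__main__':
    base = 'DC=example,DC=com'   # constructed base DN
    for label in ('printer1', 'bad\\q', 'a,DC=evil'):
        naive = build_dn_naive(label, base)
        try:
            print('naive  %-32s -> %r' % (naive, parse_dn(naive)))
        except ValueError as exc:
            print('naive  %-32s -> parse error: %s' % (naive, exc))
        try:
            print('safe   %-32s' % build_dn_safe(label, base))
        except ValueError as exc:
            print('safe   %s' % exc)
```

Running it prints the `bad\q` case as a parse error for the naive DN and a rejected label for the safe path, and the `a,DC=evil` case as four RDNs for the naive DN versus a validation rejection. The escaper on its own (`escape_rdn_value('a,DC=evil')`) keeps that label as a single RDN value when parsed back, which is the defence-in-depth layer that a value-based DN API supplies even when the upstream validation is missed.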
Comment 20 Andrew Bartlett 2018-08-14 22:26:05 UTC
Now that CVE-2018-1140 is out, open up the bug with the hardening ideas.