13466 – [SECURITY Hardening] DNS query with escapes characters in dns name makes samba crashing

Bug 13466 - [SECURITY Hardening] DNS query with escapes characters in dns name makes samba crashing

Summary: [SECURITY Hardening] DNS query with escapes characters in dns name makes samb...

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.8.2
Hardware:	x64 Linux

Importance:	P5 major (vote)
Target Milestone:	---
Assignee:	Andrew Bartlett
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:	CVE-2018-1140
Blocks:
	Show dependency tree / graph

Reported:	2018-06-07 12:01 UTC by Laurent Debomy
Modified:	2021-02-11 21:38 UTC (History)
CC List:	7 users (show)

See Also:

Attachments
Java code to reproduce the bug (2.03 KB, text/x-java) 2018-06-08 09:50 UTC, Laurent Debomy	no flags	Details
patch for master (7.48 KB, patch) 2018-06-08 19:22 UTC, Kai Blin	no flags	Details
patch for 4.8 (6.80 KB, patch) 2018-06-08 19:23 UTC, Kai Blin	no flags	Details
patch to followup to CVE-2018-1140 to harden the DNS server (50.29 KB, patch) 2018-07-06 03:37 UTC, Andrew Bartlett	no flags	Details
patch to followup to CVE-2018-1140 to harden the DNS server (49.53 KB, patch) 2018-07-06 03:59 UTC, Andrew Bartlett	no flags	Details
Show Obsolete (3) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Laurent Debomy 2018-06-07 12:01:54 UTC

Created attachment 14225 [details]
Parts of samba log level 10 related to dns query

Xerox Workcentre 7830 printer sends DNS query with escapes characters in names (see log attached) which makes both of our samba dc crash at the same time. 

I don't know why it queries such a name. Normals DNS clients refused escape codes in DNS names, so I can't reproduce the problem. 

However, it may be security issue if we can reproduced this query using a C program.

Comment 1 Kai Blin 2018-06-07 12:52:29 UTC

Hi Laurent,

Thanks for the report. We'll certainly have to fix the crash, even if regular clients don't let you send these queries.

Comment 2 Kai Blin 2018-06-08 08:46:29 UTC

As a quick update, in my initial tests against the master branch, I can't reproduce the crash, the DNS server returns an NXDOMAIN error code and happily keeps running.

Comment 3 Laurent Debomy 2018-06-08 09:50:29 UTC

Finally I can reproduce the crash using a java program that sends the same dns udp packet as in log file. 

(Java code from https://stackoverflow.com/questions/36743226/java-send-udp-packet-to-dns-server) 

Added as attachment.

Comment 4 Laurent Debomy 2018-06-08 09:50:57 UTC

Created attachment 14228 [details]
Java code to reproduce the bug

Comment 5 Kai Blin 2018-06-08 11:11:08 UTC

Hi Laurent,

thanks for the reproducer. On the first try, this didn't crash for me, but I still need to try with your domain name provisioned.

Comment 6 Kai Blin 2018-06-08 11:15:25 UTC

Ok, I can reproduce the crash now. Thanks again for the reproducer.

Comment 7 Kai Blin 2018-06-08 16:10:13 UTC

I now have a python-based test that reproduces this as well.

Comment 8 Kai Blin 2018-06-08 16:18:35 UTC

This is a bug in LDB, not the DNS server.

Comment 9 Kai Blin 2018-06-08 19:20:02 UTC

I've reproduced the bug in master now.

Comment 10 Kai Blin 2018-06-08 19:22:13 UTC

Created attachment 14229 [details]
patch for master

Comment 11 Kai Blin 2018-06-08 19:23:01 UTC

Created attachment 14230 [details]
patch for 4.8

Comment 12 Björn Jacke 2018-06-12 12:44:39 UTC

Karo: as mentioned yesterday, this should be address in a security update soon. This is a DOS bug that can be triggered by a single UDP packet.

Comment 13 Karolin Seeger 2018-06-14 09:29:16 UTC

(In reply to Björn Jacke from comment #12)
Ok, thanks for the heads-up!

Comment 14 Kai Blin 2018-06-15 10:48:04 UTC

Not sure if I can make time to write a cmocka test for this in the near future.

Comment 15 Karolin Seeger 2018-06-25 09:40:32 UTC

Could someone provide an advisory, please?

Comment 16 Andrew Bartlett 2018-06-25 17:35:09 UTC

This is 'just' another instance of bug #13374 but just with broader consequences.

*** This bug has been marked as a duplicate of bug 13374 ***

Comment 17 Andrew Bartlett 2018-07-03 03:40:05 UTC

I'm re-opening this for the subtle distinction that while LDB should not crash, neither did the DNS server do strict input validation on the DN being constructed. 

The fix is still tagged for the CVE-2018-1140 but this bug number covers preventative input validation that can be done.

Comment 18 Andrew Bartlett 2018-07-06 03:37:44 UTC

Created attachment 14288 [details]
patch to followup to CVE-2018-1140 to harden the DNS server

This needs to be applied to master after CVE-2018-1140 is published, but is NOT considered a security bug itself.

Comment 19 Andrew Bartlett 2018-07-06 03:59:08 UTC

Created attachment 14294 [details]
patch to followup to CVE-2018-1140 to harden the DNS server

This patch uses a new API in LDB ldb_dn_add_child_val() to harden the DNS server by avoiding printf format strings.

Comment 20 Andrew Bartlett 2018-08-14 22:26:05 UTC

Now that CVE-2018-1140 is out, open up the bug with the hardening ideas.

Comment 21 Björn Jacke 2021-02-11 21:38:36 UTC

a fixed crash bug being open is confising. Additiona enhancement request should go into a new enhancement bug report.