Hi there,
Greetings! This is Qinghao Tang from QIHU 360 company, China. I am a security researcher there.
I'm writing to apply for a CVE ID for a 0day vulnerability in net-snmp. Please refer to the report below.
[requester info]
name: Qinghao Tang
company: QIHU 360 company, China
email: tangqinghao@360.cn
[vendor info]
name: net-snmp
email: net-snmp-users@lists.sourceforge.net
website: http://www.net-snmp.org/
[vulnerable net-snmp version]
All versions
[vulnerability Description]
An incomplete-initialization vulnerability exists in the function 'snmp_pdu_parse()' of 'snmp_api.c', and remote attackers can cause memory leaks, DoS and possibly command execution by sending malicious packets.
Since the vulnerability occurs when parsing the packets, it could have broader impacts. Currently we have found 12 remote DoS methods in the latest version of the net-snmp client software. I think this vulnerability could cause even more severe risks.
[vulnerability reason]
In the function 'snmp_pdu_parse()' of 'snmp_api.c', the structure 'netsnmp_variable_list' is initialized incompletely, so malicious packets can cause 'snmp_parse_var_op()' to return an error. When the uninitialized data (type, val, name_loc, buf) in the structure 'netsnmp_variable_list' is then used, it causes memory leaks, DoS and possibly command execution.
int
snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
{
    ….
    netsnmp_variable_list *vptemp;

    vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp));
    if (NULL == vptemp) {
        return -1;
    }
    if (NULL == vp) {
        pdu->variables = vptemp;
    } else {
        vp->next_variable = vptemp;
    }
    vp = vptemp;

    vp->next_variable = NULL;
    vp->val.string = NULL;
    vp->name_length = MAX_OID_LEN;
    vp->name = NULL;
    vp->index = 0;
    vp->data = NULL;
    vp->dataFreeHook = NULL;
    DEBUGDUMPSECTION("recv", "VarBind");
    data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type,
                             &vp->val_len, &var_val, length);
    if (data == NULL)
        return -1;
    ……
}

typedef struct variable_list netsnmp_variable_list;

struct variable_list {
    /** NULL for last variable */
    struct variable_list *next_variable;
    /** Object identifier of variable */
    oid            *name;
    /** number of subid's in name */
    size_t          name_length;
    /** ASN type of variable */
    u_char          type;
    /** value of variable */
    netsnmp_vardata val;
    /** the length of the value to be copied into buf */
    size_t          val_len;
    /** 90 percentile < 24. */
    oid             name_loc[MAX_OID_LEN];
    /** 90 percentile < 40. */
    u_char          buf[40];
    /** (Opaque) hook for additional data */
    void           *data;
    /** callback to free above */
    void            (*dataFreeHook)(void *);
    int             index;
};

typedef union {
    long             *integer;
    u_char           *string;
    oid              *objid;
    u_char           *bitstring;
    struct counter64 *counter64;
#ifdef OPAQUE_SPECIAL_TYPES
    float            *floatVal;
    double           *doubleVal;
    /*
     * t_union *unionVal;
     */
#endif /* OPAQUE_SPECIAL_TYPES */
} netsnmp_vardata;
[crash info from /var/log/messages]
sprint_realloc_integer
snmpget:0x290a3
overview:Feb 22 11:37:48 localhost kernel: snmpget[24260]: segfault at 0 ip 00007f00cbff20a3 sp 00007fff7bf08620 error 4 in libnetsnmp.so.30.0.3[7f00cbfc9000+ac000]
asn_realloc_rbuild_int
snmpget:0x4ac0a
overview:Feb 22 14:38:10 localhost kernel: snmpget[26825]: segfault at 0 ip 00007f2cbc089c0a sp 00007fff294221f0 error 4 in libnetsnmp.so.30.0.3[7f2cbc03f000+ac000]
asn_realloc_rbuild_unsigned_int
snmpget:0x4a5e7
overview:Feb 22 18:06:53 localhost kernel: snmpget[29948]: segfault at 0 ip 00007f6bb7a8e5e7 sp 00007fffc6863bc0 error 4 in libnetsnmp.so.30.0.3[7f6bb7a44000+ac000]
asn_realloc_rbuild_unsigned_int64
snmpget:0x49832
overview:Feb 22 20:00:22 localhost kernel: snmpget[31802]: segfault at 0 ip 00007f93cb91d832 sp 00007fff7b93f970 error 4 in libnetsnmp.so.30.0.3[7f93cb8d4000+ac000]
sprint_realloc_counter
snmpget:0x2877b
overview:Feb 23 09:31:45 localhost kernel: snmpget[44108]: segfault at 0 ip 00007f1e2fd8477b sp 00007fffe0abf9a0 error 4 in libnetsnmp.so.30.0.3[7f1e2fd5c000+ac000]
sprint_realloc_uinteger
snmpget:0x28c30
overview:Feb 13 09:54:03 localhost kernel: snmpget[64595]: segfault at 0 ip 00007f29f970dc30 sp 00007fff8c89a0e0 error 4 in libnetsnmp.so.30.0.3[7f29f96e5000+ac000]
printI64
snmpget:0x5273e
overview:Feb 13 10:52:42 localhost kernel: snmpget[3863]: segfault at 0 ip 00007fe314e4773e sp 00007fff782fcba0 error 4 in libnetsnmp.so.30.0.3[7fe314df5000+ac000]
sprint_realloc_gauge
snmpget:0x28a73
overview:Feb 13 11:24:17 localhost kernel: snmpget[4879]: segfault at 0 ip 00007fb3f0852a73 sp 00007fffc43f7b10 error 4 in libnetsnmp.so.30.0.3[7fb3f082a000+ac000]
sprint_realloc_timeticks
snmpget:0x29277
overview:Feb 13 12:10:08 localhost kernel: snmpget[6623]: segfault at 0 ip 00007f171c1ad277 sp 00007fff9fad9720 error 4 in libnetsnmp.so.30.0.3[7f171c184000+ac000]
printU64
snmpget:0x52675
overview:Feb 13 13:48:11 localhost kernel: snmpget[9878]: segfault at 0 ip 00007fc3b04ed675 sp 00007fff4d0a3cb0 error 4 in libnetsnmp.so.30.0.3[7fc3b049b000+ac000]
sprint_realloc_float
snmpget:0x29c57
overview:Feb 18 23:31:41 localhost kernel: snmpget[57217]: segfault at 0 ip 00007f625c50ac57 sp 00007fffe60ebdb0 error 4 in libnetsnmp.so.30.0.3[7f625c4e1000+ac000]
asn_realloc_rbuild_signed_int64
snmpget:0x4934d
overview:Feb 21 18:21:13 localhost kernel: snmpget[9149]: segfault at 0 ip 00007f431746e34d sp 00007fffbcac3ed0 error 4 in libnetsnmp.so.30.0.3[7f4317425000+ac000]
[patch]
--- snmp_api.c 2014-12-09 04:23:22.000000000 +0800 +++ snmp_api.c.patch 2015-03-04 10:44:03.896001377 +0800 @@ -4518,6 +4518,9 @@ vp->index = 0; vp->data = NULL; vp->dataFreeHook = NULL; + vp->type = 0; + vp->name_loc = 0; + vp->buf = 0; DEBUGDUMPSECTION("recv", "VarBind"); data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type, &vp->val_len, &var_val, length);
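Review bot: `vp->name_loc = 0;` and `vp->buf = 0;` assign an integer to array members (`oid name_loc[MAX_OID_LEN]` and `u_char buf[40]` in the struct quoted above), which is a compile error rather than an initialisation; use `memset(vp->name_loc, 0, sizeof(vp->name_loc))` and `memset(vp->buf, 0, sizeof(vp->buf))`, or allocate `vptemp` with `calloc()` so the whole struct starts zeroed. Clearing `vp->type` also does not remove the underlying hazard: `vptemp` is still linked into `pdu->variables` before `snmp_parse_var_op()` runs, so a failed parse leaves a node with `name == NULL` and `val.string == NULL` in the list for later code to walk; link `vptemp` only after the parse succeeds and free it on failure.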
----------------------------------poc-----------------------------------
[Environmental Information]
os version:centos 6.2 x64
net-snmp version: 5.7.3
net-snmp url : http://jaist.dl.sourceforge.net/project/net-snmp/net-snmp/5.7.3/net-snmp-5.7.3.tar.gz
snmpget command: snmpget -v 3 -u user2 -l authNoPriv -A "012345678" 10.18.25.51 1.3.6.1.2.1.1.1.0
[crash info from /var/log/messages]
sprint_realloc_integer
snmpget:0x290a3
overview:Feb 22 11:37:48 localhost kernel: snmpget[24260]: segfault at 0 ip 00007f00cbff20a3 sp 00007fff7bf08620 error 4 in libnetsnmp.so.30.0.3[7f00cbfc9000+ac000]
[pcap]
Please find attached pcap documents for 0x290a3.
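The bug pattern described in this report, as an added example that is not part of the original message and is not net-snmp code: a toy varbind struct, a toy [type][len][value] wire format, and two parsers. `pdu_parse_vulnerable` mirrors the shape of the quoted `snmp_pdu_parse()` (node linked into the PDU before parsing, `type` never initialised); `pdu_parse_hardened` zeroes the node and links it only after a successful parse. `dirty_alloc`, the packets and the consumer `count_dangling` are constructed for illustration; `dirty_alloc` stands in for malloc() returning stale heap data in which `type` happens to read as a valid ASN type.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the bug pattern, not net-snmp code: the varbind struct,
 * the [type][len][value] wire format and both parsers are toys. */
#define ASN_INTEGER   0x02
#define ASN_OCTET_STR 0x04

typedef struct varbind {
    struct varbind *next;
    unsigned char   type;     /* the vulnerable parser never sets this */
    unsigned char  *val;      /* NULL until a value has been parsed */
    size_t          val_len;
} varbind;
typedef struct { varbind *variables; } pdu;

/* Simulates malloc() returning a chunk that still holds stale heap data: every
 * byte is 0x02, so an unset `type` happens to read as the valid ASN_INTEGER. */
static void *dirty_alloc(size_t n) {
    void *p = malloc(n);
    if (p) memset(p, ASN_INTEGER, n);
    return p;
}

/* Parses one [type][len][value] varbind. Returns a pointer past it, or NULL for
 * a malformed entry (unknown type, truncated value) without writing anything
 * into the caller's varbind, as snmp_parse_var_op() does on error. */
static const unsigned char *parse_var_op(const unsigned char *data, size_t *remaining,
        unsigned char *type, unsigned char **val, size_t *val_len) {
    if (*remaining < 2) return NULL;
    unsigned char t = data[0], len = data[1];
    if ((t != ASN_INTEGER && t != ASN_OCTET_STR) || (size_t)len + 2 > *remaining) return NULL;
    unsigned char *copy = malloc(len ? len : 1);
    if (!copy) return NULL;
    memcpy(copy, data + 2, len);
    *type = t; *val = copy; *val_len = len;
    *remaining -= (size_t)len + 2;
    return data + 2 + len;
}

/* Vulnerable shape: the node is linked into the PDU before it is parsed and
 * `type` is never initialised, so a failed parse leaves a varbind in the list
 * whose type looks valid but whose val is NULL. */
static int pdu_parse_vulnerable(pdu *p, const unsigned char *data, size_t len) {
    varbind *vp = NULL;
    while (len > 0) {
        varbind *vptemp = dirty_alloc(sizeof(*vptemp));
        if (!vptemp) return -1;
        if (!vp) p->variables = vptemp; else vp->next = vptemp;
        vp = vptemp;
        vp->next = NULL;
        vp->val = NULL;                 /* cleared; vp->type is not: the bug */
        data = parse_var_op(data, &len, &vp->type, &vp->val, &vp->val_len);
        if (!data) return -1;           /* half-built node stays linked */
    }
    return 0;
}

/* Hardened shape, following the maintainers' description of their fix: zero the
 * node, parse into it, and link it only once the parse has succeeded. */
static int pdu_parse_hardened(pdu *p, const unsigned char *data, size_t len) {
    varbind *vp = NULL;
    while (len > 0) {
        varbind *vptemp = calloc(1, sizeof(*vptemp));
        if (!vptemp) return -1;
        data = parse_var_op(data, &len, &vptemp->type, &vptemp->val, &vptemp->val_len);
        if (!data) { free(vptemp); return -1; }
        if (!vp) p->variables = vptemp; else vp->next = vptemp;
        vp = vptemp;
    }
    return 0;
}

/* Stand-in for the print/free code that crashed in the report: a varbind whose
 * type promises a value but whose val is NULL would be dereferenced there; here
 * such entries are counted instead of dereferenced. */
static int count_dangling(const pdu *p) {
    int n = 0;
    for (const varbind *v = p->variables; v; v = v->next)
        if ((v->type == ASN_INTEGER || v->type == ASN_OCTET_STR) && !v->val) n++;
    return n;
}

static void pdu_free(pdu *p) {
    for (varbind *v = p->variables, *nx; v; v = nx) { nx = v->next; free(v->val); free(v); }
    p->variables = NULL;
}

/* Constructed packets: GOOD_PKT holds an INTEGER and an OCTET STRING; BAD_PKT
 * follows a valid INTEGER with the unknown type byte 0x7f so parsing fails. */
static const unsigned char GOOD_PKT[] = { 0x02, 0x01, 0x05, 0x04, 0x02, 'h', 'i' };
static const unsigned char BAD_PKT[]  = { 0x02, 0x01, 0x05, 0x7f, 0x01, 0x00 };

enum { RC, NVARS, DANGLING };

/* Runs the chosen parser over a packet and reports one property of the result. */
static int observe(int hardened, const unsigned char *pkt, size_t len, int what) {
    pdu p = { NULL };
    int rc = hardened ? pdu_parse_hardened(&p, pkt, len) : pdu_parse_vulnerable(&p, pkt, len);
    int n = 0;
    for (const varbind *v = p.variables; v; v = v->next) n++;
    int out = (what == RC) ? rc : (what == NVARS) ? n : count_dangling(&p);
    pdu_free(&p);
    return out;
}

int main(void) {
    for (int h = 0; h < 2; h++)
        printf("%s parser on BAD_PKT: rc=%d varbinds=%d dangling=%d\n", h ? "hardened" : "vulnerable",
               observe(h, BAD_PKT, sizeof BAD_PKT, RC), observe(h, BAD_PKT, sizeof BAD_PKT, NVARS),
               observe(h, BAD_PKT, sizeof BAD_PKT, DANGLING));
    return 0;
}
```

On BAD_PKT both parsers return -1, but only the vulnerable one leaves a second varbind in the PDU whose type reads as ASN_INTEGER while val is NULL, which is the state the crash list above (sprint_realloc_integer and friends on a NULL pointer) corresponds to. The hardened parser frees the failed node before it is ever reachable from the PDU, so the list holds only the one fully parsed varbind.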
Hi Qinghao Tang,

Thank you for your report. I am curious about your patch. Since the type of name_loc is oid[], and of buf is u_char[], how do you assign 0 to them? When I try your patch, gcc tells me:

From the bits of crash info that you provided, and my reading of the code, it looks like the problem is that after snmp_pdu_parse has returned an error, the varbind list could have a varbind entry in it that contains a valid type (because malloc returned memory that happens to have a valid value in vp->type) but NULL name and/or data.

The packet captures don't make it easy to replicate the crashes; can you say more about the server against which you were running these test cases? Did it just return random packet contents?
Can you replicate these crashes with more information - e.g.,
1) using -DALL on the snmpget command line
2) under gdb, and get a full stack trace of the snmpget process when it crashes?
Can you crash a running snmpd by sending it this type of packet, or is it only the client applications that are vulnerable against a malicious server?
Do you have any evidence that network-provided data can make it into the data structure (making remote code execution much more plausible), or are all the crashes due to NULL pointer dereference?
The net-snmp project is not a CVE numbering authority, so I suggest contacting cve-assign@mitre.org directly. See https://cve.mitre.org/cve/request_id.html .
According to the SNMP v3 protocol, the packet captures cannot simply be reused without modification.
This vulnerability will cause many types of crashes; I highlighted the crashed functions in my last email.
I think this vulnerability may cause a net-snmp server DoS under certain circumstances, but it does not occur when I use the default configuration.
More gdb info :
Sent from my iPhone
Related Bugs: #2615

We've analysed the problem a bit further and have an alternate patch that we think will likely fix the problem. Thank you for reporting the issue, as we do take DOS attacks seriously. In your original text you said you thought it might have broader impacts than a DOS attack, but we don't see that as a possibility based on our analysis. Do you have evidence that a more significant threat actually exists?
I think this patch will fix the vulnerability.
Sent from my iPhone
Our patch has been applied to all branches. The patch
- clears allocated memory before use
- only adds varbinds to the pdu if the parse succeeds
Please let us know if this doesn't address all of your concerns.