Remote double-free and memory corruption vulnerabilities

Bug #1517226 reported by Guido on 2015-11-17
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
dhcpcd (Ubuntu)
Undecided
Unassigned

Bug Description

Hey,

I have subjected a crucial part of dhcpcd, the function parse_dhcpmessage() in dhcp.c as well as the functions it invokes, to thorough fuzzing (using AFL) and manual source code inspection. This effort has resulted in the identification of a number of remote memory corruption vulnerabilities.

Please bear in mind that in order to make these routines of dhcpcd fuzzable I needed to modify the main() function such that parse_dhcpmessage() could be directly invoked with input received from the fuzzer. So while the proof of concepts included with this post are tailored to triggering the vulnerabilities this specific set-up, I have very little doubt that they can be triggered in a scenario in which dhcpcd is employed for its actual purpose. In order to emulate exploitation under authentic use of the program, one would need to write a mock DHCP server which responds to the client's inquiries with one of the malicious payloads. The vulnerabilities contained in the Ubuntu version of dhcpcd (3.2.3) are in fact removed in later versions of the upstream version of the application. Whether due to inadequate diligence on the part of its maintainers to report found security vulnerabilities, or due to serendipitous remediation by the virtue of general, pro-active code hardening in the upstream version, I couldn't find any earlier reports (CVE's or otherwise) of these vulnerabilities, which is likely the reason it hasn't been fixed yet in the Ubuntu version.

My proposed patch for the vulnerabilities is basically taken from the way in which later upstream versions deal with the problem. I can guarantee that my set of proof of concept payloads does not trigger memory corruption after the patch has been applied (it doesn't crash nor does ASAN report any corruption). However, you might to double check my changes, especially to see whether the application as a DHCP client keeps working as expected.

By extension of the above reasoning as to why the vulnerability in the Ubuntu version wasn't uncovered and fixed earlier, you might want to consider upgrading to a later upstream version altogether, because more vulnerabilities and bugs might be present in your (rather old) code.

I am including two files with this message: one is the dhcp.c patch, and the other a modified version of dhcpcd.c and a collection of payloads (generated by AFL) that will trigger corruptions. You can copy dhcpcd.c over the original version and then invoke it as: ./dhcpcd <path_to_payload>. You can copy these .c files over the ones that appear after you do 'apt-get source dhcpcd'.

I believe the patch speaks for itself. However, if you require more commentary on the technical reasons of the crashes, I'll be happy to elaborate on this upon your request.

For what it's worth:

$ lsb_release -rd
Description: Ubuntu 14.04.3 LTS
Release: 14.04

-
Guido Vranken

Guido (guidovranken) wrote :
Guido (guidovranken) wrote :

What's the plan? Will this be fixed?

Guido

Seth Arnold (seth-arnold) wrote :

Guido, some of the other distributions asked for more time to investigate; I've asked them to report back on their progress.

Thanks

Seth Arnold (seth-arnold) wrote :

Guido's patch from the tarball

information type: Private Security → Public Security

The attachment "dhcp.c.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Seth Arnold (seth-arnold) wrote :

MITRE assigned CVEs: http://www.openwall.com/lists/oss-security/2015/12/03/1

Quoting MITRE:

Use CVE-2012-6698 for the vulnerability in which the possibility of
"out == start" wasn't considered, leading to an out-of-bounds write.

Use CVE-2012-6699 for this loop error that results in an out-of-bounds read.

Use CVE-2012-6700 for the presence of the free call in an incorrect place.

Seth Arnold (seth-arnold) wrote :

Guido, are you in a position to prepare updates for sponsoring? There's information on how to prepare updates at https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Thanks

Changed in dhcpcd (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dhcpcd - 1:3.2.3-11+deb7u1build0.14.04.1

---------------
dhcpcd (1:3.2.3-11+deb7u1build0.14.04.1) trusty-security; urgency=medium

  * fake sync from Debian (LP: #1517226)

dhcpcd (1:3.2.3-11+deb7u1) oldstable-security; urgency=high

  * Fix CVE-2012-6698, CVE-2012-6699, CVE-2012-6700,
    out-of-bound reads/writes and use-after-free issues with specially
    crafted DHCP messages.
    This is a forward port of the patch applied to squeeze-lts since
    wheezy uses the same upstream version. (LP: #1517226)

 -- Tyler Hicks <email address hidden> Wed, 30 Mar 2016 17:40:57 -0500

Changed in dhcpcd (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers