nstxd Null Pointer Dereference Flaw Lets Remote Users Crash the Process

SecurityTracker Alert ID: 1009567
CVE Reference: GENERIC-MAP-NOMATCH
Updated: Mar 27 2004
Original Entry Date: Mar 27 2004
Impact: Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.1-beta3 and prior versions

Description: A vulnerability was reported in nstxd. A remote user can cause the daemon to crash.
Laurent Oudot of Rstack Team reported that a remote user can send specially crafted input to the target system on UDP port 53 to trigger a null pointer dereference.
Sending 500 'A' characters to the target nstxd service can cause the crash, the report said.

Impact: A remote user can cause the daemon to crash.

Solution: The vendor has issued a fixed version (nstx-1.1-beta4), available at:
http://nstx.dereference.de/nstx/
http://nstx.dereference.de/nstx/nstx-1.1-beta4.tgz

Vendor URL: nstx.dereference.de/nstx/

Cause: Boundary error, State error

Underlying OS: Linux (Any), UNIX (Any)

Reported By: laurent oudot <oudot@rstack.org>

Message History:
None.

Source Message Contents

Date: 26 Mar 2004 22:27:37 -0000
From: laurent oudot <oudot@rstack.org>
Subject: Nstxd vulnerability
----------------------------------------------------------------------
Rstack Team (Rstack.org) --- Security Advisory
Advisory Number: RSTACK-20040325
Subject: Nstxd remote DoS-Bug (NULL-pointer-dereference)
Author: Laurent Oudot <oudot@rstack.org>
Discovered: ...
Published: March 25, 2004
----------------------------------------------------------------------
Problem description
===================
Nstxd is the server from the Nstx project. Nstx can be used to create
IP traffic over DNS (can be used by blackhats for special Wifi networks
with DNS open for everybody).
Unexpected input may crash the server called nstxd which will at least
result in a DOS due to a NULL-pointer-dereference.
The service nstxd runs as root to bind the UDP port 53.

Vulnerable versions
===================
Tests were done with the latest version: nstx-1.1-beta3
http://debmail.dereference.de/nstx/nstx-1.1-beta3.tgz

Vendor status
=============
The Nstx team quickly solved this bug.
A new release is available: nstx-1.1-beta4.
From the ChangeLog:
1.1-beta4: sky
2004/03/26
* Fixed a remote DoS-Bug (NULL-pointer-dereference)

Solutions
=========
* Upgrade your Nstx version at:
http://debmail.dereference.de/nstx/nstx-1.1-beta4.tgz
* Workaround: Containment (chroot, jail...) and low level security
solutions (grsecurity, systrace...) should be used to improve
the security of such a server.

Example
=======
** On the server (assume the IP is 192.168.1.34 for this example):
nstx-1.1-beta3# ./nstxd tun.mydomain.com
** On a remote "evil" client:
remote-hacker$ perl -e '{ print "A" x 500 }' | nc -u 192.168.1.34 53
This will segfault the server.
It might be dangerous as nstxd needs root privileges (bind port 53).
No exploit to get a remote shell has been reported (just a DOS).
----------------------------------------------------------------------
Copyright (c) Rstack Team
This document is copyrighted. It can't be edited nor republished
without explicit consent of Rstack Team.
For more information, feel free to contact us.
http://www.rstack.org/
----------------------------------------------------------------------
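
The following C sketch is an added example, not code from the advisory or from the nstx project, and the advisory does not say where in nstxd the dereference occurs. It shows the defensive pattern for a daemon reading raw datagrams on UDP port 53: a parser that returns NULL for anything that is not a well-formed single-question DNS query, and a caller that tests that result before using it. The function names, the sample query and the one-question policy are assumptions.

```c
/* Added example, not nstx code. Names and policy are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns a pointer just past QNAME, or NULL for a malformed query. */
static const uint8_t *dns_skip_qname(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 13)            /* 12-byte header + 1 name byte */
        return NULL;
    if ((pkt[2] & 0x80) || ((pkt[4] << 8) | pkt[5]) != 1)
        return NULL;                        /* response, or QDCOUNT != 1 (0x4141 for all-'A') */
    for (size_t off = 12; off < len; ) {
        uint8_t l = pkt[off++];
        if (l == 0)                         /* root label ends the name */
            return (off - 12 <= 255) ? pkt + off : NULL;
        if (l > 63 || off + l > len)        /* 0x41, pointers, or truncation */
            return NULL;
        off += l;
    }
    return NULL;                            /* ran off the datagram */
}

/* Caller pattern: test the parser result before dereferencing it. */
static int handle_datagram(const uint8_t *pkt, size_t len)
{
    const uint8_t *q = dns_skip_qname(pkt, len);
    if (q == NULL || (size_t)(q - pkt) + 4 > len)
        return -1;                          /* drop the datagram */
    return (q[0] << 8) | q[1];              /* QTYPE */
}

/* Constructed inputs: a valid TXT query and the advisory's 500 x 'A'. */
static const uint8_t good_query[] = {
    0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,0,
    3,'t','u','n', 8,'m','y','d','o','m','a','i','n', 3,'c','o','m', 0, 0,16, 0,1 };
static int all_a_result(void)
{
    uint8_t b[500];
    memset(b, 'A', sizeof b);
    return handle_datagram(b, sizeof b);
}

int main(void)
{
    printf("good=%d all-A=%d\n", handle_datagram(good_query, sizeof good_query), all_a_result());
    return 0;
}
```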