============================================================================= FreeBSD-SA-02:28.resolv Security Advisory The FreeBSD Project Topic: buffer overflow in resolver Category: core Module: libc Announced: 2002-06-26 Credits: Joost Pol Affects: All releases prior to and including 4.6-RELEASE Corrected: 2002-06-26 06:34:18 UTC (RELENG_4) 2002-06-26 08:44:24 UTC (RELENG_4_6) 2002-06-26 18:53:20 UTC (RELENG_4_5) 2002-06-26 21:43:44 UTC (RELENG_4_4) FreeBSD only: NO 0. Revision History v1.0 2002-06-26 Initial release v1.1 2002-06-XX Add RELENG_4_4 update and workaround I. Background The resolver implements functions for making, sending and interpreting query and reply messages with Internet domain name servers. Hostnames, IP addresses, and other information are queried using the resolver. II. Problem Description DNS messages have specific byte alignment requirements, resulting in padding in messages. In a few instances in the resolver code, this padding is not taken into account when computing available buffer space. As a result, the parsing of a DNS message may result in a buffer overrun of up to a few bytes for each record included in the message. III. Impact An attacker (either a malicious domain name server or an agent that can spoof DNS messages) may produce a specially crafted DNS message that will exploit this bug when parsed by an application using the resolver. It may be possible for such an exploit to result in the execution of arbitrary code with the privileges of the resolver-using application. Though no exploits are known to exist today, since practically all Internet applications utilize the resolver, the severity of this issue is high. IV. Workaround By using a local caching nameserver that reconstructs all DNS responses, such as BIND 9, any badly formed DNS responses may be `filtered out', including malicious ones. Note that the name server must be run locally on the same host as the resolver-using application, or other measures must be taken to ensure the integrity of communications between the name server and the application. Failure to do so may allow the possibility of spoofed DNS responses which bypass the name server. V. Solution Do one of the following: 1) Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6, RELENG_4_5, or RELENG_4_4 security branch dated after the correction date (4.6-RELEASE-p1, 4.5-RELEASE-p7, or 4.4-RELEASE-p14). 2) To patch your present system: The following patch has been verified to apply to FreeBSD 4.5, FreeBSD 4.4, and FreeBSD 4.6 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating systems as described in . Note that any statically linked applications that are not part of the base system (i.e. from the Ports Collection or other 3rd-party sources) must be recompiled. All affected applications must be restarted for them to use the corrected library. Though not required, rebooting may be the easiest way to accomplish this. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Path Revision Branch - ------------------------------------------------------------------------- src/lib/libc/net/gethostbydns.c RELENG_4 1.27.2.2 RELENG_4_6 1.27.10.1 RELENG_4_5 1.27.8.1 RELENG_4_4 1.27.6.1 src/lib/libc/net/getnetbydns.c RELENG_4 1.13.2.2 RELENG_4_6 1.13.2.1.8.1 RELENG_4_5 1.13.2.1.6.1 RELENG_4_4 1.13.2.1.4.1 src/lib/libc/net/name6.c RELENG_4 1.6.2.6 RELENG_4_6 1.6.2.5.8.1 RELENG_4_5 1.6.2.5.6.1 RELENG_4_4 1.6.2.5.4.1 src/sys/conf/newvers.sh RELENG_4_6 1.44.2.23.2.2 RELENG_4_5 1.44.2.20.2.8 RELENG_4_4 1.44.2.17.2.13 - ------------------------------------------------------------------------- VII. References