seek YYY below for comments
On Thu, Aug 10, 2023 at 08:31:55PM +0200, p...@delphinusdns.org wrote:
> >Synopsis: no termination on buffer
> >Category: library
> >Environment:
> System : OpenBSD 7.3
> Details : OpenBSD 7.3 (GENERIC.MP) #2080: Sat Mar 25 14:20:25 MDT
> 2023
>
> dera...@arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC.MP
>
> Architecture: OpenBSD.arm64
> Machine : arm64
> >Description:
>
> This is all just theory as I'm code reading. Let's start in
> setup_query() in /usr/src/lib/libc/asr/res_send_async.c ,...
<some cut>
YYY
OK I did the PoC or GTFO and well it's not exploitable (though the buffer is
able to be non-terminated) it doesn't help because it is checked before the
strdup. I want to share my findings so someone doesn't have to look at this:
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
void writesomejunkonstack(void);
int
main(void)
{
int result;
char hostbuf[1026];
struct rrsetinfo *fingerprints = NULL;
char *hostname =
"123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.AAAAAAA.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxyy";
strlcpy(hostbuf, hostname, sizeof(hostbuf));
//hostbuf[strlen(hostbuf) - 2] = '\0';
printf("%s %lu\n", hostbuf, strlen(hostbuf));
writesomejunkonstack();
result = getrrsetbyname(hostbuf, 1, 1, 0, &fingerprints);
if (result) {
return -1;
}
freerrset(fingerprints);
printf("hit control-c\n");
for (;;)
sleep (10);
}
void
writesomejunkonstack(void)
{
char junk[10240 * 3];
memset(&junk, 0x31, sizeof(junk));
return;
}
pjp@polarstern$ gdb ./testdns
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "amd64-unknown-openbsd7.3"...
(gdb) break _res_query_async_ctx
Function "_res_query_async_ctx" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (_res_query_async_ctx) pending.
(gdb) run
Starting program: /home/pjp/testdns
Error while reading shared library symbols:
Dwarf Error: wrong version in compilation unit header (is 4, should be 2) [in
module /usr/libexec/ld.so]
Breakpoint 2 at 0x24222c573a9: file /usr/src/lib/libc/asr/res_send_async.c,
line 128.
Pending breakpoint "_res_query_async_ctx" resolved
123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.AAAAAAA.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxyy
1024
Breakpoint 2, _res_query_async_ctx (
name=0x242afa31000
"123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789."...,
class=1,
type=1, a_ctx=0x242afa4fc00) at /usr/src/lib/libc/asr/res_send_async.c:128
128 if ((as = _asr_async_new(a_ctx, ASR_SEND)) == NULL)
Current language: auto; currently minimal
(gdb) list
123 {
...
(gdb)
343 static int
344 setup_query(struct asr_query *as, const char *name, const char *dom,
345 int class, int type)
...
(gdb)
363
364 if (_asr_dname_from_fqdn(fqdn, dname, sizeof(dname)) == -1) {
365 errno = EINVAL;
366 DPRINT("asr_dname_from_fqdn: invalid\n");
367 return (-1);
368 }
369
370 if (as->as.dns.obuf == NULL) {
371 as->as.dns.obufsize = PACKETSZ;
372 as->as.dns.obuf = malloc(as->as.dns.obufsize);
(gdb) break _asr_dname_from_fqdn
Breakpoint 3 at 0x24222c0ed41: file /usr/src/lib/libc/asr/asr_utils.c, line 71.
(gdb) c
Continuing.
Breakpoint 3, _asr_dname_from_fqdn (
str=0x756bb5abc9d0
"123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789.123456789."...,
dst=0x756bb5abcde0 '1' <repeats 200 times>..., max=1025)
at /usr/src/lib/libc/asr/asr_utils.c:71
71 if (str[0] == '.') {
(gdb) list
...
105 if (dst)
(gdb)
106 *dst++ = '\0';
107
108 return (res + 1);
109 }
...
(gdb) break 107
Breakpoint 4 at 0x24222c0ee4b: file /usr/src/lib/libc/asr/asr_utils.c, line 107.
(gdb) c
Continuing.
Breakpoint 4, _asr_dname_from_fqdn (str=Variable "str" is not available.
)
at /usr/src/lib/libc/asr/asr_utils.c:109
109 }
(gdb) x 0x756bb5abcde0/1040b
Invalid number "1040b".
(gdb) x/1040b 0x756bb5abcde0
0x756bb5abcde0: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x756bb5abcde8: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
0x756bb5abcdf0: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
0x756bb5abcdf8: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
0x756bb5abce00: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
0x756bb5abce08: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x756bb5abce10: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
0x756bb5abce18: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
0x756bb5abce20: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
0x756bb5abce28: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
0x756bb5abce30: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x756bb5abce38: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
0x756bb5abce40: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
0x756bb5abce48: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
0x756bb5abce50: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
0x756bb5abce58: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x756bb5abce60: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
0x756bb5abce68: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
0x756bb5abce70: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
0x756bb5abce78: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
0x756bb5abce80: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x756bb5abce88: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
---Type <return> to continue, or q <return> to quit---
0x756bb5abce90: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
0x756bb5abce98: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
0x756bb5abcea0: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
0x756bb5abcea8: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x756bb5abceb0: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
0x756bb5abceb8: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
0x756bb5abcec0: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
0x756bb5abcec8: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
0x756bb5abced0: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x756bb5abced8: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
0x756bb5abcee0: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
0x756bb5abcee8: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
0x756bb5abcef0: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
0x756bb5abcef8: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x756bb5abcf00: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
0x756bb5abcf08: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
0x756bb5abcf10: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
0x756bb5abcf18: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
0x756bb5abcf20: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x756bb5abcf28: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
0x756bb5abcf30: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
0x756bb5abcf38: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
---Type <return> to continue, or q <return> to quit---
0x756bb5abcf40: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
0x756bb5abcf48: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x756bb5abcf50: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
0x756bb5abcf58: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
0x756bb5abcf60: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
0x756bb5abcf68: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
0x756bb5abcf70: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x756bb5abcf78: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
0x756bb5abcf80: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
0x756bb5abcf88: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
0x756bb5abcf90: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
0x756bb5abcf98: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x756bb5abcfa0: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
0x756bb5abcfa8: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
0x756bb5abcfb0: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
0x756bb5abcfb8: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
0x756bb5abcfc0: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x756bb5abcfc8: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
0x756bb5abcfd0: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
0x756bb5abcfd8: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
0x756bb5abcfe0: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
0x756bb5abcfe8: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
---Type <return> to continue, or q <return> to quit---
0x756bb5abcff0: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
0x756bb5abcff8: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
0x756bb5abd000: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
0x756bb5abd008: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
0x756bb5abd010: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x756bb5abd018: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
0x756bb5abd020: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
0x756bb5abd028: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
0x756bb5abd030: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
0x756bb5abd038: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x756bb5abd040: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
0x756bb5abd048: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
0x756bb5abd050: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
0x756bb5abd058: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
0x756bb5abd060: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x756bb5abd068: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
0x756bb5abd070: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
0x756bb5abd078: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
0x756bb5abd080: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
0x756bb5abd088: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x756bb5abd090: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
0x756bb5abd098: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
---Type <return> to continue, or q <return> to quit---
0x756bb5abd0a0: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
0x756bb5abd0a8: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
0x756bb5abd0b0: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x756bb5abd0b8: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
0x756bb5abd0c0: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
0x756bb5abd0c8: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
0x756bb5abd0d0: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
0x756bb5abd0d8: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x756bb5abd0e0: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
0x756bb5abd0e8: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
0x756bb5abd0f0: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
0x756bb5abd0f8: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
0x756bb5abd100: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x756bb5abd108: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
0x756bb5abd110: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
0x756bb5abd118: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
0x756bb5abd120: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
0x756bb5abd128: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x756bb5abd130: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
0x756bb5abd138: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
0x756bb5abd140: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
0x756bb5abd148: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
---Type <return> to continue, or q <return> to quit---
0x756bb5abd150: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x756bb5abd158: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
0x756bb5abd160: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
0x756bb5abd168: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
0x756bb5abd170: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
0x756bb5abd178: 0x09 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x756bb5abd180: 0x38 0x39 0x09 0x31 0x32 0x33 0x34 0x35
0x756bb5abd188: 0x36 0x37 0x38 0x39 0x09 0x31 0x32 0x33
0x756bb5abd190: 0x34 0x35 0x36 0x37 0x38 0x39 0x09 0x31
0x756bb5abd198: 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39
0x756bb5abd1a0: 0x07 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0x756bb5abd1a8: 0x31 0x31 0x31 0x31 0x31 0x31 0x31 0x31
0x756bb5abd1b0: 0x31 0x31 0x31 0x31 0x31 0x31 0x31 0x31
0x756bb5abd1b8: 0x31 0x31 0x31 0x31 0x31 0x31 0x31 0x31
0x756bb5abd1c0: 0x31 0x31 0x31 0x31 0x31 0x31 0x31 0x31
0x756bb5abd1c8: 0x31 0x31 0x31 0x31 0x31 0x31 0x31 0x31
0x756bb5abd1d0: 0x31 0x31 0x31 0x31 0x31 0x31 0x31 0x31
0x756bb5abd1d8: 0x31 0x31 0x31 0x31 0x31 0x31 0x31 0x31
0x756bb5abd1e0: 0x31 0x31 0x31 0x31 0x31 0x31 0x31 0x31
0x756bb5abd1e8: 0x31 0x31 0x31 0x31 0x31 0x31 0x31 0x31
(gdb)
--
Over thirty years experience on Unix-like Operating Systems starting with QNX.
