Vigil@nce: ldns, buffer overflow
May 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can create a malicious DNS packet in order to create a
denial of service or to execute code in applications linked to the
ldns library.
Severity: 2/4
Consequences: user access/rights, denial of service
Provenance: internet client
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 07/05/2009
IMPACTED PRODUCTS
– Debian Linux
– Novell Linux Desktop
– Novell Open Enterprise Server
– OpenSUSE
– SUSE Linux Enterprise Server
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The ldns library is used to implement DNS clients or servers.
A DNS record contains:
– a name
– a type (A, PTR, etc.)
– a TTL
– a class ("IN" in most cases)
– a value
The ldns_rr_new_frm_str_internal() function of ldns allocates 11
bytes to store the class, but the ldns_bget_token() function which
fills in this field uses a 16-byte limit (LDNS_SYNTAX_DATALEN).
A heap overflow of up to 5 bytes thus occurs when the class token is
longer than the allocated buffer.
An attacker can therefore create a malicious DNS packet in order
to create a denial of service or to execute code in applications
linked to the ldns library.
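The defect described above is a size mismatch between the buffer a caller allocates and the limit the token reader enforces. The following C program is an added illustration written for this page; it is not ldns's code, and the function names (read_token_unbounded, read_token_bounded, parse_class_field) and the sample record text are assumptions. Only the two constants (11 and 16) mirror the figures in the advisory. The unbounded reader is exercised against a deliberately oversized scratch buffer so the byte count it produces can be measured without corrupting memory; the bounded reader shows the fix of making the destination size the binding limit and rejecting tokens that do not fit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constants mirroring the mismatch in the advisory (assumed names):
 * the generic token limit is 16 bytes, the class field got 11. */
#define SYNTAX_DATALEN 16
#define CLASS_BUF_LEN  11

/* Vulnerable pattern (illustrative, not ldns's code): copy one
 * whitespace-delimited token into `out`, stopping only at the generic
 * syntax limit. The caller's real buffer size is never consulted, so a
 * buffer smaller than `limit` bytes is overrun by a long token.
 * Returns the number of bytes written, including the terminating NUL. */
size_t read_token_unbounded(const char *in, char *out, size_t limit) {
    size_t n = 0;
    while (in[n] != '\0' && in[n] != ' ' && in[n] != '\t' && n < limit - 1) {
        out[n] = in[n];
        n++;
    }
    out[n] = '\0';
    return n + 1;
}

/* Hardened pattern: the destination size is passed explicitly and is the
 * binding limit. A token that would not fit is rejected (-1) rather than
 * silently truncated or written past the buffer. On success returns the
 * token length (without NUL). */
int read_token_bounded(const char *in, char *out, size_t outlen, size_t limit) {
    size_t cap = outlen < limit ? outlen : limit;
    size_t n = 0;
    if (cap == 0) return -1;
    while (in[n] != '\0' && in[n] != ' ' && in[n] != '\t') {
        if (n + 1 >= cap) {      /* no room for this byte plus the NUL */
            out[0] = '\0';
            return -1;
        }
        out[n] = in[n];
        n++;
    }
    out[n] = '\0';
    return (int)n;
}

/* Caller-level fix (assumed helper): the class field keeps its 11-byte
 * buffer, but sizeof(buf) is handed to the reader, so the 16-byte syntax
 * limit can no longer exceed the storage. Returns 0 on success, -1 if the
 * class token is too long. */
int parse_class_field(const char *class_text, char *class_out, size_t class_out_len) {
    char buf[CLASS_BUF_LEN];
    int len = read_token_bounded(class_text, buf, sizeof buf, SYNTAX_DATALEN);
    if (len < 0) return -1;
    if ((size_t)len + 1 > class_out_len) return -1;
    memcpy(class_out, buf, (size_t)len + 1);
    return 0;
}

int main(void) {
    /* Constructed sample: a 20-character class token, far longer than
     * any legitimate class such as "IN" or "CH". */
    const char *long_class = "ABCDEFGHIJKLMNOPQRST";
    char scratch[64];  /* deliberately larger than CLASS_BUF_LEN */
    size_t written = read_token_unbounded(long_class, scratch, SYNTAX_DATALEN);
    printf("unbounded reader wrote %zu bytes into an %d-byte field: overflow of %zu\n",
           written, CLASS_BUF_LEN, written - CLASS_BUF_LEN);

    char cls[CLASS_BUF_LEN];
    printf("bounded reader on \"IN\": %d\n", parse_class_field("IN 300 A 192.0.2.1", cls, sizeof cls));
    printf("bounded reader on long token: %d\n", parse_class_field(long_class, cls, sizeof cls));
    return 0;
}
```

The measurement in main shows why the advisory speaks of a 5-byte overflow: with a 16-byte limit the unbounded reader emits 15 characters plus a NUL, 5 bytes more than the 11-byte field holds. Note that the bounded reader rejects rather than truncates; silent truncation would turn a memory-safety bug into a parsing bug where "INXXXXXXXXX" is accepted as class "INXXXXXXXX".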
CHARACTERISTICS
Identifiers: CVE-2009-1086, DSA 1795-1, SUSE-SR:2009:010,
VIGILANCE-VUL-8695