Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[Full-disclosure] dproxy - arbitrary code execution through stack buffer overflow vulnerability

From: Alexander Klink (a.klinkcynops.de)
Date: Fri Mar 23 2007 - 08:43:31 CDT

Hash: SHA1

||| Security Advisory AKLINK-SA-2007-001 |||
||| CVE-2007-1465 (CVE candidate) |||

dproxy - remotely exploitable buffer overflow

Date released: 20.03.2007
Date reported: 11.03.2007
$Revision: 1.1 $

by Alexander Klink
   Cynops GmbH
   (S/MIME signed: https://www.cynops.de/advisories/CVE-2007-1465-signed.txt)

Vendor: Matthew Pratt (Open Source)
Product: dproxy - a small caching DNS server
Website: http://dproxy.sourceforge.net
Vulnerability: buffer overflow
Class: remote
Status: unpatched (author is unresponsive)
Severity: high (arbitrary command execution as root)
Releases known to be affected: 0.1, 0.2, 0.3, 0.4, 0.5
Releases known NOT to be affected: dproxy-nexgen


dproxy suffers from a typical buffer overflow condition, which allows
an attacker to overwrite the stack.

Technical details:

In dproxy.c, the UDP packet buffer, which can be up to 4096 bytes long
is copied into a variable called query_string, which is at most 2048
bytes. As this is done using strcpy, the stack can be overwritten
which leads to arbitrary command execution.

Note that one can easily find out whether dproxy is running
using the fpdns tool (see http://www.rfc.se/fpdns/). dproxy also
seems to be used in a number of WLAN access points / routers, but
the version used there (at least in the Linksys WRT54AG, the Asus
WL500g and the Netgear DG834G) seems to be dproxy-nexgen, which is not
vulnerable to this attack.

Thanks to Dan Kaminsky, who provided me with the interesting statistics
that apparently only 20 out of about 2.000.000 DNS servers he scanned
are using dproxy. So this does not look like a major attack vector.


A MetaSploit Framework 2.7 exploit module is available from

It has been tested successfully with both a Debian stable and an
Ubuntu system (with randomize_va_space=0).


Drop packets to the destination UDP port 53 which are larger than
2048 bytes (which is a pretty large DNS query packet anyway).


* 13.03.2007: Author updated on vulnerable versions
* 11.03.2007: First problem report to author


Patch dproxy.c:

- --- dproxy-0.5/dproxy.c 2000-02-03 04:15:35.000000000 +0100
+++ dproxy-0.5.patched/dproxy.c 2007-03-13 13:07:53.000000000 +0100
-105,7 +105,7
   /* child process only here */
   signal(SIGCHLD, SIG_IGN);
- - strcpy( query_string, pkt.buf );
+ strncpy( query_string, pkt.buf, sizeof(query_string) );
   decode_domain_name( query_string );
   debug("query: %s\n", query_string );


Alexander Klink, Cynops GmbH (discovery and exploit development, patch)
Version: GnuPG v1.2.5 (GNU/Linux)


Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klinkcynops.de
 mobile: +49 (0)178 2121703 | Cynops GmbH | http://www.cynops.de
      HRB 7833, Amtsgericht | USt-Id: DE 213094986 | Geschäftsführer:
     Bad Homburg v. d. Höhe | | Martin Bartosch

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/