CVE-2017-14491 is a DNS-based vulnerability that affects both directly exposed and internal network setups. Although the latest git version only allows a 2-byte overflow, this could be exploited based on previous research. Before version 2.76 and this commit the overflow is unrestricted.
==1159==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62200001dd0b at pc 0x0000005105e7 bp 0x7fff6165b9b0 sp0x7fff6165b9a8
WRITE of size 1 at 0x62200001dd0b thread T0
#0 0x5105e6 in add_resource_record
/test/dnsmasq/src/rfc1035.c:1141:7
#1 0x5127c8 in answer_request /test/dnsmasq/src/rfc1035.c:1428:11
#2 0x534578 in receive_query /test/dnsmasq/src/forward.c:1439:11
#3 0x548486 in check_dns_listeners
/test/dnsmasq/src/dnsmasq.c:1565:2
#4 0x5448b6 in main /test/dnsmasq/src/dnsmasq.c:1044:7
#5 0x7fdf4b3972b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#6 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)
CVE-2017-14493 is a trivial-to-exploit DHCP-based, stack-based buffer overflow vulnerability. In combination with CVE-2017-14494 acting as an info leak, an attacker could bypass ASLR and gain remote code execution.
dnsmasq[15714]: segfault at 1337deadbeef ip 00001337deadbeef sp 00007fff1b66fd10 error 14 in libnss_files-2.24.so[7f7cfbacb000+a000]
Android is affected by CVE-2017-14496 when the attacker is local or tethered directly to the device—the service itself is sandboxed so the risk is reduced. Android partners received patches on 5 September 2017 and devices with a 2017-10-01 security patch level or later address this issue.
Proofs of concept are provided so you can check if you are affected by these issues, and verify any mitigations you may deploy.
We would like to thank the following people for discovering, investigating impact/exploitability and developing PoCs: Felix Wilhelm, Fermin J. Serna, Gabriel Campana, Kevin Hamacher, Ron Bowes and Gynvael Coldwind of the Google Security Team.
Follow