Package: pdns-server
Version: 2.9.20-7
Severity: serious
Tags: security

(serious because what I see looks like a buffer overflow; however, I
didn't look into the code yet, so I make no claims as to whether this is
exploitable)

Having a TXT record in a bind-backend zone file that contains a
parenthesis "(" character causes all kinds of weird things.

Firstly, the zone fails to serve. Syslog says:
Jan 11 11:40:47 foo pdns[29515]: Zone 'a-eskwadraat.nl' 
(/etc/powerdns/zonefiles/db.nl.a-eskwadraat) reloaded

but all queries including zone transfers result in servfail:
Jan 11 11:40:47 foo pdns[29515]: Not authoritative for 'foo.a-eskwadraat.nl', 
sending servfail to 127.0.0.1 (recursion was desired)

After replacing

foo TXT "("

with

foo TXT "paren-open"

and reloading, I get the following:

| foo:/etc/powerdns# dig  foo.a-eskwadraat.nl TXT @localhost
| 
| ; <<>> DiG 9.3.3 <<>> foo.a-eskwadraat.nl TXT @localhost
| ; (1 server found)
| ;; global options:  printcmd
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8804
| ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
| 
| ;; QUESTION SECTION:
| ;foo.a-eskwadraat.nl.           IN      TXT
| 
| ;; ANSWER SECTION:
| foo.a-eskwadraat.nl.    3600    IN      TXT     "paren-open"
| foo.a-eskwadraat.nl.    3600    IN      TXT     "foo a 1.2.3.4\010@ ns
| ns1.xel.nl. ns ns3.xel.nl.\010$ttl 1d@ in soa ns.a-eskwadraat.nl.
| sysop.a-eskwadraat.nl. ( 2006110910 6h 30m 4w 1d"

This is interesting, because the data listed here comes from the *old*
zonefile (afaics). Also, of course the TXT record shouldn't suddenly
contain literal zonefile data like this.

Powerdns should really treat such TXT record strings as opaque strings,
and not treat characters in them specially.

--Jeroen

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
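As an added illustration (my own code, not PowerDNS's bind backend), a minimal RFC 1035 master-file tokenizer of the kind the report asks for: "(" and ")" open and close a multi-line group, and ";" starts a comment, only outside quoted strings, so a record like `foo TXT "("` yields the opaque string `(` and cannot swallow the following lines. The sample zone text is constructed for this example.

```python
# Added example: a zone-file tokenizer that treats characters inside
# "..." as literal data. Not PowerDNS code; sample zone is constructed.

def tokenize_zone(text: str) -> list[list[str]]:
    """Return one token list per record (quotes are stripped from tokens)."""
    records, tokens, buf = [], [], []
    in_quotes = False
    depth = 0          # "(" nesting outside quotes; >0 makes newline whitespace
    i, n = 0, len(text)

    def end_word():
        if buf:
            tokens.append("".join(buf)); buf.clear()

    def end_record():
        end_word()
        if tokens:
            records.append(list(tokens)); tokens.clear()

    while i < n:
        ch = text[i]; i += 1
        if in_quotes:
            if ch == "\\" and i < n:
                buf.append(text[i]); i += 1          # escaped char is literal
            elif ch == '"':
                tokens.append("".join(buf)); buf.clear(); in_quotes = False
            else:
                buf.append(ch)                       # "(" ")" ";" are data here
        elif ch == '"':
            end_word(); in_quotes = True
        elif ch == ";":
            end_word()
            while i < n and text[i] != "\n":         # comment to end of line
                i += 1
        elif ch == "(":
            end_word(); depth += 1
        elif ch == ")":
            end_word(); depth = max(depth - 1, 0)
        elif ch == "\n":
            end_record() if depth == 0 else end_word()
        elif ch in " \t\r":
            end_word()
        else:
            buf.append(ch)
    if in_quotes:
        raise ValueError("unterminated quoted string")
    end_record()
    return records

# Constructed sample: a multi-line SOA (parens outside quotes) followed by
# the TXT record from the report. The "(" inside quotes must stay literal.
SAMPLE_ZONE = (
    "$TTL 1d\n"
    "@ IN SOA ns.example.net. sysop.example.net. ( 2006110910 6h 30m\n"
    "    4w 1d )  ; group closed, comment ignored\n"
    'foo TXT "("\n'
    'foo TXT "paren-open"\n'
)
```

Running `tokenize_zone(SAMPLE_ZONE)` gives four records; the third is `['foo', 'TXT', '(']` and the fourth is `['foo', 'TXT', 'paren-open']`, i.e. the SOA and both TXT records parse independently.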

