A flaw was reported in the robdns repository, specifically in commit d76d2e6, and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2024-24195. robdns is a lightweight DNS server written in C by Robert Graham that developers and administrators use in a range of projects.

The issue is a misaligned address in the /src/zonefile-insertion.c file: a pointer (or a multi-byte load or store through one) that does not satisfy the alignment its target type requires. That is undefined behaviour in C and can surface as a crash, a sanitizer abort, or silently wrong data. In this long-read post we discuss the implications, show how the issue arises, and describe how to resolve it.

Exploit Details

Code review of commit d76d2e6 of robdns shows that in /src/zonefile-insertion.c an address is misaligned: a pointer is used at an address that is not a multiple of the alignment its target type requires. The issue is traced to the constructor function for the zonefile_entry structure, which stores the pointer in the structure's address member:

typedef struct zonefile_entry{
  char*    filepath;    // heap copy of the zone file path
  uint32_t file_hash;
  uint16_t port;
  void*    address;     // the pointer whose alignment is at issue
  // ... other members elided ...
} zonefile_entry;

A misaligned access is undefined behaviour in C. In practice it shows up as a report from UBSan's alignment checker ("load of misaligned address ... which requires N byte alignment"), as a SIGBUS on hardware that traps unaligned access (SPARC, and ARM or MIPS cores configured for strict alignment), or as silently wrong values when the compiler assumes alignment and emits instructions that require it. Whether an attacker can turn that into more than a crash depends on what the misaligned pointer is used for; nothing in the report demonstrates arbitrary code execution, so the concrete impact to plan for is a crash of the server, i.e. denial of service.

To view the original file containing the vulnerability, please visit the robdns repository:

- GitHub repository: https://github.com/robertdavidgraham/robdns
- Commit d76d2e6: https://github.com/robertdavidgraham/robdns/commit/d76d2e6
- Affected file: /src/zonefile-insertion.c

Below is an excerpt of the code from the constructor function in /src/zonefile-insertion.c

#include <stdint.h>
#include <stdlib.h>
#include <string.h>

zonefile_entry* new_zonefile_entry(const char* filepath, uint32_t file_hash, uint16_t port){
  zonefile_entry* new_entry = malloc(sizeof(zonefile_entry));
  if (new_entry == NULL)
    return NULL;

  // Copy the path, including its terminating NUL
  size_t path_size = strlen(filepath) + 1;
  new_entry->filepath = malloc(path_size);
  if (new_entry->filepath == NULL) {
    free(new_entry);
    return NULL;
  }
  memcpy(new_entry->filepath, filepath, path_size);

  new_entry->file_hash = file_hash;
  new_entry->port = port;

  // Misaligned address issue: the pointer is stored as-is, with no check that
  // it meets the alignment the data behind it requires. Note also that
  // `address` is never given a value in this excerpt.
  void* address;
  new_entry->address = address;

  return new_entry;
}

Solution

To resolve this issue, the address must be aligned before being stored in the zonefile_entry structure. The helper below rounds an address up to the next multiple of the requested alignment. Two caveats apply. First, rounding a pointer up moves it, so the caller must know that the bytes between the original and the rounded-up position, and the object placed after it, still lie inside the same allocation; memory returned by malloc is already aligned for every standard type, so rounding a fresh allocation is a no-op and rounding a pointer near the end of a buffer walks off it. Second, if the misaligned access is really a multi-byte load from a byte buffer (the usual way a sanitizer produces this report), moving the pointer changes which bytes are read; the correct fix in that case is to copy the bytes out with memcpy or to assemble the value byte by byte.

#include <stddef.h>
#include <stdint.h>

// Round `address` up to the next multiple of `alignment` (any non-zero value).
// The result is only usable if it still lies inside the same allocation.
void* align_address(void* address, size_t alignment){
  uintptr_t unaligned_address = (uintptr_t)address;
  uintptr_t remainder = unaligned_address % alignment;   // alignment must be non-zero
  uintptr_t padding_needed = remainder == 0 ? 0 : alignment - remainder;
  uintptr_t aligned_address = unaligned_address + padding_needed;
  return (void*)aligned_address;
}

To fix the vulnerability, the modified /src/zonefile-insertion.c will now contain:

...
// Store an aligned pointer: align_address rounds `address` up to the next
// multiple of sizeof(void*), so `address` must already point into a buffer
// with room past the rounded-up position.
void* address;   // must be set to the pointer being inserted before the call below
new_entry->address = align_address(address, sizeof(void*));
...

This solution aims to mitigate the risks and consequences associated with CVE-2024-24195 by addressing the root cause of the problem, the misaligned address. We encourage developers and administrators to apply this solution promptly to safeguard their implementations against potential threats.
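The following C program is an added example, not code from robdns or from the CVE report; the record layout, offsets and function names are constructed for illustration. It shows the two halves of the discussion above: the access pattern a sanitizer reports as a misaligned address (a uint32_t read at an odd offset of a byte buffer, which is what happens when a record field is read straight out of a zone or wire buffer), the memcpy and byte-assembly reads that avoid it, and an align-up helper that, unlike the one above, refuses to hand back a pointer that would leave the buffer it was given.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: one A record in DNS wire layout. Placing it in a union
 * with a uint64_t makes the buffer 8-byte aligned, so the 32-bit TTL at
 * offset 9 is guaranteed NOT to be 4-byte aligned. */
static const union {
    uint64_t      force_align;
    unsigned char bytes[19];
} sample_rr = { .bytes = {
    0x03, 'w', 'w', 'w', 0x00,   /* name: "www."  */
    0x00, 0x01,                  /* TYPE  A       */
    0x00, 0x01,                  /* CLASS IN      */
    0x00, 0x00, 0x0e, 0x10,      /* TTL 3600 (big-endian), offset 9 */
    0x00, 0x04,                  /* RDLENGTH 4    */
    0xc0, 0xa8, 0x00, 0x01       /* 192.168.0.1, offset 15 */
} };
#define TTL_OFFSET   9
#define RDATA_OFFSET 15

/* True when p satisfies `alignment`, which must be a power of two. */
int is_aligned(const void *p, size_t alignment)
{
    return ((uintptr_t)p & (alignment - 1)) == 0;
}

/* The shape a sanitizer reports as "load of misaligned address ... for type
 * 'uint32_t', which requires 4 byte alignment": a byte pointer cast to a
 * wider type and dereferenced. Undefined behaviour whenever p is not 4-byte
 * aligned. Kept only as the pattern to grep for; it is never called here.
 * Build with -fsanitize=undefined and call it on sample_rr.bytes + TTL_OFFSET
 * to see the report. */
uint32_t read_u32_unaligned_UB(const unsigned char *p)
{
    return *(const uint32_t *)p;
}

/* Safe read of a host-order value: memcpy has no alignment requirement and
 * compilers turn it into a single load where that is legal. */
uint32_t read_u32_host(const unsigned char *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Safe read of a wire (big-endian) value such as a DNS TTL: assembling the
 * bytes fixes both the alignment and the byte order. */
uint32_t read_u32_be(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

uint32_t sample_ttl(void)          { return read_u32_be(sample_rr.bytes + TTL_OFFSET); }
uint32_t sample_rdata(void)        { return read_u32_be(sample_rr.bytes + RDATA_OFFSET); }
int      sample_ttl_is_aligned(void) { return is_aligned(sample_rr.bytes + TTL_OFFSET, 4); }

/* Round `base` up to the next multiple of `alignment`, but only if an object
 * of `need` bytes still fits inside the `len` bytes that start at base.
 * Returns NULL instead of a pointer past the allocation. */
void *align_up_within(void *base, size_t len, size_t alignment, size_t need)
{
    uintptr_t start = (uintptr_t)base;
    uintptr_t mask, aligned;

    if (alignment == 0 || (alignment & (alignment - 1)) != 0)
        return NULL;                              /* not a power of two */
    mask    = (uintptr_t)alignment - 1;
    aligned = (start + mask) & ~mask;
    if (aligned < start)
        return NULL;                              /* address wrapped around */
    if (aligned - start > len || len - (aligned - start) < need)
        return NULL;                              /* no room for the object */
    return (void *)aligned;
}

/* 8-byte-aligned scratch buffer for demonstrating align_up_within. */
static union { uint64_t force_align; unsigned char buf[32]; } scratch;

/* Align inside scratch.buf[start_off .. start_off+len) and report the result
 * as an offset from the start of scratch.buf, or -1 when the helper refuses. */
long align_demo_offset(size_t start_off, size_t len, size_t alignment, size_t need)
{
    unsigned char *p = align_up_within(scratch.buf + start_off, len, alignment, need);
    return p ? (long)(p - scratch.buf) : -1L;
}

int main(void)
{
    printf("TTL at offset %d is 4-byte aligned: %s\n", TTL_OFFSET,
           sample_ttl_is_aligned() ? "yes" : "no");
    printf("TTL read safely: %u\n", (unsigned)sample_ttl());
    printf("align offset 1 up to 4 within 31 bytes  -> %ld\n", align_demo_offset(1, 31, 4, 4));
    printf("align offset 30 up to 4 with 2 bytes left -> %ld (refused)\n",
           align_demo_offset(30, 2, 4, 4));
    return 0;
}
```

The refusal case is the one the one-argument-style rounding above cannot express: at offset 30 the next 4-byte boundary is offset 32, which is the end of the buffer, so any object placed there would be out of bounds.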

Conclusion

CVE-2024-24195 describes a misaligned address in the robdns repository, specifically in commit d76d2e6. Because a misaligned access is undefined behaviour, it is a memory-safety risk for projects that rely on this DNS server, with a crash of the server as the demonstrable outcome. By understanding the details presented in this post and applying the fix, with attention to the caveats about rounding pointers, developers and administrators can reduce the exposure associated with this vulnerability.

Timeline

Published on: 06/06/2024 22:15:10 UTC
Last modified on: 06/07/2024 14:56:05 UTC