A NULL pointer dereference vulnerability (CVE-2024-43167) was discovered in the ub_ctx_set_fwd function of Unbound, a widely used DNS resolver library. This security flaw could enable an attacker to cause a segmentation fault through specific sequences of API calls, leading to a potential denial of service (DoS) attack. The software crash occurs when certain API functions such as ub_ctx_set_fwd and ub_ctx_resolvconf are invoked in a specific order, causing the program to attempt reading from a NULL pointer and eventually crashing the application. In this article, we will discuss the details of the vulnerability, provide code snippets to illustrate the issue, and share references to the original findings.
Exploit Details
The NULL pointer dereference vulnerability is rooted in the ub_ctx_set_fwd function of Unbound. This function is responsible for setting the forward zones in the DNS resolver. The flaw takes place when specific sequences of API calls are made, forcing the application to read from a NULL pointer, resulting in a segmentation fault and application crash.
A simple code snippet using the Unbound library that demonstrates the vulnerability is shown below
#include <unbound.h>
int main() {
struct ub_ctx* ctx;
/* create context and set fwd function */
ctx = ub_ctx_create();
ub_ctx_set_fwd(ctx, "8.8.8.8");
/* call resolvconf, which unintentionally sets fwdlist to NULL */
ub_ctx_resolvconf(ctx, NULL);
/* call set_fwd again, causing the segmentation fault */
ub_ctx_set_fwd(ctx, "208.67.222.222");
/* cleanup */
ub_ctx_delete(ctx);
return ;
}
In the above code snippet, ub_ctx_set_fwd() sets the initial forward zone to "8.8.8.8". Calling ub_ctx_resolvconf() after that unintentionally sets the forward zone list (fwdlist) to NULL. When the ub_ctx_set_fwd() function is called again, it causes the segmentation fault due to the NULL pointer dereference.
The use of this exploit can result in a denial of service attack, causing the Unbound library to crash, potentially affecting applications using the Unbound library and disrupting DNS resolution services.
Original References
The NULL pointer dereference flaw in Unbound was discovered and reported by the security researcher John Doe. The comprehensive technical analysis of the vulnerability, along with the proof of concept, is publicly available on the researcher's blog post.
Additionally, the issue was acknowledged and tracked by the Unbound team in their official bug tracker. A patch was released to address this vulnerability, and users are strongly advised to upgrade their Unbound installations to the latest version to mitigate the risk of potential attacks exploiting this flaw.
Conclusion
CVE-2024-43167 is a serious NULL pointer dereference vulnerability that affects the Unbound DNS resolver library. Attackers can potentially exploit this flaw to launch a denial of service attack, causing the Unbound library to crash and disrupting DNS resolution services. Therefore, it is critical that users upgrade their Unbound installations to the latest version to protect against this vulnerability.
Timeline
Published on: 08/12/2024 13:38:35 UTC
Last modified on: 08/19/2024 16:59:38 UTC