[CVE-2021-25216] ZDI-CAN-13347: A second vulnerability in BIND's GSSAPI security policy negotiation can be targeted by a buffer overflow attack
CVE-specific actions

- Assign a CVE identifier
- Determine CVSS score
- Determine the range of BIND versions affected (including the Subscription Edition)
- Determine whether workarounds for the problem exist
- Prepare a detailed description of the problem which should include the following by default:
  - instructions for reproducing the problem (a system test is good enough)
  - explanation of the code flow which triggers the problem (a system test is not good enough)
- Prepare a private merge request containing the following items in separate commits:
  - a test for the issue (may be moved to a separate merge request for deferred merging)
  - a fix for the issue
  - documentation updates (`CHANGES`, release notes, anything else applicable)
- Ensure the merge request from the previous step is reviewed by SWENG staff and has no outstanding discussions
- Ensure the documentation changes introduced by the merge request addressing the problem are reviewed by Support and Marketing staff
- Prepare backports of the merge request addressing the problem for all affected (and still maintained) BIND branches (backporting might affect the issue's scope and/or description)
- Prepare a standalone patch for the last stable release of each affected (and still maintained) BIND branch
Release-specific actions

- Create/update the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
- Reserve a block of `CHANGES` placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined
- Ensure the merge requests containing CVE fixes are merged into `security-*` branches in CVE identifier order
CVSS: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
ABSTRACT
Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products: ISC - BIND
VULNERABILITY DETAILS
- Version tested: 9.16.13
- Installer file: https://downloads.isc.org/isc/bind9/9.16.13/bind-9.16.13.tar.xz
- Platform tested: debian-10.8.0-i386-netinst
Analysis
An integer overflow exists in der_get_oid() and leads to a wild copy (heap buffer overflow). It affects 32-bit builds only.
lib/dns/spnego.c (excerpt of the affected function; the body after the allocation is elided in the report):

```c
static int
der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
	int n;
	size_t oldlen = len;

	data->components = NULL;
	data->length = 0;
	if (len < 1U) {
		return (ASN1_OVERRUN);
	}
	/* [1] (len + 1) * sizeof(*data->components) is computed in size_t;
	 * on a 32-bit build a large len wraps the product, so the buffer
	 * allocated here is much smaller than the decoding loop assumes. */
	data->components = malloc((len + 1) * sizeof(*data->components));
	...
}
```
On 32-bit platforms `len` is a 32-bit unsigned integer (`size_t`). At line [1] the multiplication overflows if `len` is set to 0x40000000, so only a small buffer (4 bytes, as the ASAN report below confirms) is allocated. That buffer is later overwritten by the OID decoding loop.
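The following is an added illustration, not BIND's code or ISC's fix: it models the 32-bit `size_t` arithmetic of the affected build with `uint32_t`, shows the wrapped allocation size for `len == 0x40000000`, and places beside it the two checks a DER decoder needs before calling `malloc()`. The `ASN1_OVERRUN` value, the `size32_t` type and the function names are constructed for the example; the 4-byte component size is taken from the `shl eax,0x2` in the debug log.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed error code; the name mirrors the one used in lib/dns/spnego.c. */
#define ASN1_OVERRUN 1

/* Model of the 32-bit size_t on the affected i386 build, so the wrap can be
 * observed on any host. This is an illustrative model, not BIND's own code. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* sizeof(*data->components) on the tested build: gdb shows "shl eax,0x2". */
#define COMPONENT_SIZE 4u

/* Vulnerable computation from line [1]: (len + 1) * 4 in 32-bit arithmetic.
 * For len == 0x40000000 the product 0x100000004 wraps to 4. */
size32_t oid_alloc_bytes_unchecked(size32_t len)
{
	return (len + 1) * COMPONENT_SIZE;
}

/* Hardened computation: reject any len for which (len + 1) * 4 is not
 * representable, before malloc() is ever called. Returns 0 and sets *out on
 * success, ASN1_OVERRUN otherwise. */
int oid_alloc_bytes_checked(size32_t len, size32_t *out)
{
	if (len < 1u || len > SIZE32_MAX / COMPONENT_SIZE - 1) {
		return ASN1_OVERRUN;
	}
	*out = (len + 1) * COMPONENT_SIZE;
	return 0;
}

/* Independent bound: the OID length taken from the DER length octets may
 * never exceed the bytes left in the received token; a DNS-sized TKEY query
 * cannot carry 0x40000000 bytes, so this check would reject the input too. */
int oid_length_fits_token(size32_t len, size32_t remaining)
{
	return len <= remaining;
}

int main(void)
{
	size32_t bytes = 0;
	printf("unchecked: %u bytes\n", oid_alloc_bytes_unchecked(0x40000000u));
	printf("checked: rc=%d\n", oid_alloc_bytes_checked(0x40000000u, &bytes));
	printf("fits token: %d\n", oid_length_fits_token(0x40000000u, 512u));
	return 0;
}
```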
debug log

```
Thread 2 "isc-net-0000" hit Breakpoint 2, 0x00d4dc9e in der_get_oid ()
1: x/i $pc
=> 0xd4dc9e <der_get_oid+171>: add eax,0x1
(gdb) i r $eax
eax 0x40000000 1073741824
(gdb) si
0x00d4dca1 in der_get_oid ()
1: x/i $pc
=> 0xd4dca1 <der_get_oid+174>: shl eax,0x2
(gdb) si
0x00d4dca4 in der_get_oid ()
1: x/i $pc
=> 0xd4dca4 <der_get_oid+177>: sub esp,0xc
(gdb) si
0x00d4dca7 in der_get_oid ()
1: x/i $pc
=> 0xd4dca7 <der_get_oid+180>: push eax
(gdb) si
0x00d4dca8 in der_get_oid ()
1: x/i $pc
=> 0xd4dca8 <der_get_oid+181>: call 0x5aa260 <malloc@plt>
(gdb) i r $eax
eax 0x4 4 // integer overflowed
(gdb) bt
#0 0x00d4dca8 in der_get_oid ()
#1 0x00d4f03a in decode_oid ()
#2 0x00d45878 in decode_MechType ()
#3 0x00d46108 in decode_MechTypeList ()
#4 0x00d478c0 in decode_NegTokenInit ()
#5 0x00d4c117 in gss_accept_sec_context_spnego ()
#6 0x00d0530a in dst_gssapi_acceptctx ()
#7 0x00b89bc8 in process_gsstkey ()
#8 0x00b8c332 in dns_tkey_processquery ()
#9 0x00712d33 in ns_query_start ()
#10 0x006998ed in ns__client_request ()
#11 0x00e17092 in isc__nm_async_readcb ()
#12 0x00e166c2 in isc__nm_readcb ()
#13 0x00e4266e in processbuffer ()
#14 0x00e4a2f5 in process_sock_buffer ()
#15 0x00e43038 in read_cb ()
#16 0xb740a727 in ?? () from /lib/i386-linux-gnu/libuv.so.1
#17 0xb740b2b7 in ?? () from /lib/i386-linux-gnu/libuv.so.1
#18 0xb7410468 in uv__io_poll () from /lib/i386-linux-gnu/libuv.so.1
#19 0xb7401146 in uv_run () from /lib/i386-linux-gnu/libuv.so.1
#20 0x00e068e7 in nm_thread ()
#21 0x00e9c1e0 in isc__trampoline_run ()
#22 0xb793d321 in ?? () from /lib/i386-linux-gnu/libasan.so.5
#23 0xb73cdfd2 in start_thread (arg=<optimized out>) at pthread_create.c:486
#24 0xb72b96d6 in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:108
```
ASAN report

```
=================================================================
==6064==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4a23154 at pc 0x00d4de48 bp 0xb26f8a38 sp 0xb26f8a2c
WRITE of size 4 at 0xb4a23154 thread T1
#0 0xd4de47 in der_get_oid (/var/bind/sbin/named+0x868e47)
#1 0xd4f039 in decode_oid (/var/bind/sbin/named+0x86a039)
#2 0xd45877 in decode_MechType (/var/bind/sbin/named+0x860877)
#3 0xd46107 in decode_MechTypeList (/var/bind/sbin/named+0x861107)
#4 0xd478bf in decode_NegTokenInit (/var/bind/sbin/named+0x8628bf)
#5 0xd4c116 in gss_accept_sec_context_spnego (/var/bind/sbin/named+0x867116)
#6 0xd05309 in dst_gssapi_acceptctx (/var/bind/sbin/named+0x820309)
#7 0xb89bc7 in process_gsstkey (/var/bind/sbin/named+0x6a4bc7)
#8 0xb8c331 in dns_tkey_processquery (/var/bind/sbin/named+0x6a7331)
#9 0x712d32 in ns_query_start (/var/bind/sbin/named+0x22dd32)
#10 0x6998ec in ns__client_request (/var/bind/sbin/named+0x1b48ec)
#11 0xe17091 in isc__nm_async_readcb (/var/bind/sbin/named+0x932091)
#12 0xe166c1 in isc__nm_readcb (/var/bind/sbin/named+0x9316c1)
#13 0xe4266d in processbuffer (/var/bind/sbin/named+0x95d66d)
#14 0xe4a2f4 in process_sock_buffer (/var/bind/sbin/named+0x9652f4)
#15 0xe43037 in read_cb (/var/bind/sbin/named+0x95e037)
#16 0xb740a726 (/lib/i386-linux-gnu/libuv.so.1+0x17726)
#17 0xb740b2b6 (/lib/i386-linux-gnu/libuv.so.1+0x182b6)
#18 0xb7410467 in uv__io_poll (/lib/i386-linux-gnu/libuv.so.1+0x1d467)
#19 0xb7401145 in uv_run (/lib/i386-linux-gnu/libuv.so.1+0xe145)
#20 0xe068e6 in nm_thread (/var/bind/sbin/named+0x9218e6)
#21 0xe9c1df in isc__trampoline_run (/var/bind/sbin/named+0x9b71df)
#22 0xb793d320 (/lib/i386-linux-gnu/libasan.so.5+0x4a320)
#23 0xb73cdfd1 in start_thread /build/glibc-Stc26X/glibc-2.28/nptl/pthread_create.c:486
#24 0xb72b96d5 in __clone (/lib/i386-linux-gnu/libc.so.6+0xfa6d5)
0xb4a23154 is located 0 bytes to the right of 4-byte region [0xb4a23150,0xb4a23154)
allocated by thread T1 here:
#0 0xb79de5d4 in __interceptor_malloc (/lib/i386-linux-gnu/libasan.so.5+0xeb5d4)
#1 0xd4dcac in der_get_oid (/var/bind/sbin/named+0x868cac)
#2 0xd4f039 in decode_oid (/var/bind/sbin/named+0x86a039)
#3 0xd45877 in decode_MechType (/var/bind/sbin/named+0x860877)
#4 0xd46107 in decode_MechTypeList (/var/bind/sbin/named+0x861107)
#5 0xd478bf in decode_NegTokenInit (/var/bind/sbin/named+0x8628bf)
#6 0xd4c116 in gss_accept_sec_context_spnego (/var/bind/sbin/named+0x867116)
#7 0xd05309 in dst_gssapi_acceptctx (/var/bind/sbin/named+0x820309)
#8 0xb89bc7 in process_gsstkey (/var/bind/sbin/named+0x6a4bc7)
#9 0xb8c331 in dns_tkey_processquery (/var/bind/sbin/named+0x6a7331)
#10 0x712d32 in ns_query_start (/var/bind/sbin/named+0x22dd32)
#11 0x6998ec in ns__client_request (/var/bind/sbin/named+0x1b48ec)
#12 0xe17091 in isc__nm_async_readcb (/var/bind/sbin/named+0x932091)
#13 0xe166c1 in isc__nm_readcb (/var/bind/sbin/named+0x9316c1)
#14 0xe4266d in processbuffer (/var/bind/sbin/named+0x95d66d)
#15 0xe4a2f4 in process_sock_buffer (/var/bind/sbin/named+0x9652f4)
#16 0xe43037 in read_cb (/var/bind/sbin/named+0x95e037)
#17 0xb740a726 (/lib/i386-linux-gnu/libuv.so.1+0x17726)
Thread T1 created by T0 here:
#0 0xb79c6b50 in pthread_create (/lib/i386-linux-gnu/libasan.so.5+0xd3b50)
#1 0xed85a5 in isc_thread_create (/var/bind/sbin/named+0x9f35a5)
#2 0xe03a94 in isc_nm_start (/var/bind/sbin/named+0x91ea94)
#3 0x5cc8f5 in create_managers (/var/bind/sbin/named+0xe78f5)
#4 0x5cd5ea in setup (/var/bind/sbin/named+0xe85ea)
#5 0x5cdc89 in main (/var/bind/sbin/named+0xe8c89)
#6 0xb71d9b40 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow (/var/bind/sbin/named+0x868e47) in der_get_oid
```
```
==6064==ABORTING
```
CREDIT
This vulnerability was discovered by: Anonymous working with Trend Micro Zero Day Initiative
FURTHER DETAILS
If supporting files were contained with this report they are provided within a password protected ZIP file. The password is the ZDI candidate number in the form: ZDI-CAN-XXXX where XXXX is the ID number.
Please confirm receipt of this report. We expect all vendors to remediate ZDI vulnerabilities within 120 days of the reported date. If you are ready to release a patch at any point leading up to the deadline, please coordinate with us so that we may release our advisory detailing the issue. If the 120-day deadline is reached and no patch has been made available we will release a limited public advisory with our own mitigations, so that the public can protect themselves in the absence of a patch. Please keep us updated regarding the status of this issue and feel free to contact us at any time:
Zero Day Initiative zdi-disclosures@trendmicro.com
The PGP key used for all ZDI vendor communications is available from:
http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc
INFORMATION ABOUT THE ZDI
Established by TippingPoint and acquired by Trend Micro, the Zero Day Initiative (ZDI) neither re-sells vulnerability details nor exploit code. Instead, upon notifying the affected product vendor, the ZDI provides its Trend Micro TippingPoint customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available.
Please contact us for further details or refer to:
http://www.zerodayinitiative.com
DISCLOSURE POLICY
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
ATTACHMENTS
[redacted]