Samba DLZ: Assertion in bind 9.14.7 with authenticated updates
As reported to ISC Security Officer - copying here verbatim:
I'm honestly not sure if this is or isn't a security finding, but I'm thinking it better to err on the side of caution since it has a 100% reproduction rate and results in bind immediately crashing. My testing here has only found it in authenticated (TKEY GSSAPI) updates.
When an nsupdate request using GSSAPI authentication requests a 'DELETE PTR ANY' for a valid PTR address, as in the following example, 9.14.7 crashes with an assertion in dns_name_equal(). This becomes inconsistent when debugging is increased, resulting in either a SIGABRT or SIGSEGV but without named logging any messages. I believe the problem may be in bin/named/server.c and the "7.1.10.10.in-addr.arpa. 0 ANY PTR" update is failing to match "7.1.10.10.in-addr.arpa. 3600 IN PTR Galaxy-Note9.dragonnorth.pvt." resulting in the assertion.
Because it only appears to impact authenticated updates, I am unsure whether or not this would warrant classification as a vulnerability. If this is not a security sensitive issue, please advise and I'll open a normal bug on the GitLab. If it is a security sensitive issue, please let me know what other information (e.g. truss, ktrace, etc) would be helpful and the best means to provide it to you.
Thanks!
-Phillip R. Jaenke
--- begin nsupdate log ---
[root@stormcaller ~]# cat /tmp/42102.del.ptr
server 127.0.0.1
realm DRAGONNORTH.PVT
update delete 7.1.10.10.in-addr.arpa 3600 PTR
send
[root@stormcaller ~]# /usr/local/bin/nsupdate -g -v -D -L 10 /tmp/42102.del.ptr
setup_system()
10-Nov-2019 14:26:52.510 dns_requestmgr_create
10-Nov-2019 14:26:52.511 dns_requestmgr_create: 0x8012e8480
reset_system()
user_interaction()
do_next_command()
do_next_command()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
start_update()
10-Nov-2019 14:26:52.511 dns_request_createvia
10-Nov-2019 14:26:52.512 request_render
10-Nov-2019 14:26:52.512 requestmgr_attach: 0x8012e8480: eref 1 iref 1
10-Nov-2019 14:26:52.512 mgr_gethash
10-Nov-2019 14:26:52.512 req_send: request 0x8012f4480
10-Nov-2019 14:26:52.513 dns_request_createvia: request 0x8012f4480
10-Nov-2019 14:26:52.513 req_senddone: request 0x8012f4480
10-Nov-2019 14:26:52.513 req_response: request 0x8012f4480: success
10-Nov-2019 14:26:52.513 req_cancel: request 0x8012f4480
10-Nov-2019 14:26:52.513 req_sendevent: request 0x8012f4480
recvsoa()
About to create rcvmsg
10-Nov-2019 14:26:52.513 dns_request_getresponse: request 0x8012f4480
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49148
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;7.1.10.10.in-addr.arpa. IN SOA
;; AUTHORITY SECTION:
1.10.10.in-addr.arpa. 3600 IN SOA stormcaller.dragonnorth.pvt. hostmaster.dragonnorth.pvt. 8 900 600 86400 3600
Found zone name: 1.10.10.in-addr.arpa
The master is: stormcaller.dragonnorth.pvt
start_gssrequest
send_gssrequest
10-Nov-2019 14:26:52.515 dns_request_createvia
10-Nov-2019 14:26:52.515 request_render
10-Nov-2019 14:26:52.515 requestmgr_attach: 0x8012e8480: eref 1 iref 2
10-Nov-2019 14:26:52.515 mgr_gethash
10-Nov-2019 14:26:52.515 dns_request_createvia: request 0x8012f4600
show_message()
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37826
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;1661385871.sig-stormcaller.dragonnorth.pvt. ANY TKEY
;; ADDITIONAL SECTION:
1661385871.sig-stormcaller.dragonnorth.pvt. 0 ANY TKEY gss-tsig. 1573414012 1573414012 3 NOERROR 1504 <REDACTED>
10-Nov-2019 14:26:52.516 dns_request_destroy: request 0x8012f4480
10-Nov-2019 14:26:52.516 req_destroy: request 0x8012f4480
10-Nov-2019 14:26:52.516 requestmgr_detach: 0x8012e8480: eref 1 iref 1
Out of recvsoa
10-Nov-2019 14:26:52.516 req_connected: request 0x8012f4600
10-Nov-2019 14:26:52.516 req_send: request 0x8012f4600
10-Nov-2019 14:26:52.517 req_senddone: request 0x8012f4600
10-Nov-2019 14:26:52.517 req_response: request 0x8012f4600: success
10-Nov-2019 14:26:52.517 req_cancel: request 0x8012f4600
10-Nov-2019 14:26:52.517 req_sendevent: request 0x8012f4600
recvgss()
recvgss creating rcvmsg
10-Nov-2019 14:26:52.517 dns_request_getresponse: request 0x8012f4600
show_message()
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37826
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;1661385871.sig-stormcaller.dragonnorth.pvt. ANY TKEY
;; ANSWER SECTION:
1661385871.sig-stormcaller.dragonnorth.pvt. 0 ANY TKEY gss-tsig. 1573414012 1573417612 3 NOERROR 182 <REDACTED>
;; TSIG PSEUDOSECTION:
1661385871.sig-stormcaller.dragonnorth.pvt. 0 ANY TSIG gss-tsig. 1573414012 300 28 <REDACTED> 37826 NOERROR 0
send_update()
Sending update to 127.0.0.1#53
10-Nov-2019 14:26:52.517 dns_request_createvia
10-Nov-2019 14:26:52.517 request_render
10-Nov-2019 14:26:52.517 requestmgr_attach: 0x8012e8480: eref 1 iref 2
10-Nov-2019 14:26:52.517 mgr_gethash
10-Nov-2019 14:26:52.517 dns_request_createvia: request 0x8012f4480
show_message()
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 25003
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
7.1.10.10.in-addr.arpa. 0 ANY PTR
;; TSIG PSEUDOSECTION:
1661385871.sig-stormcaller.dragonnorth.pvt. 0 ANY TSIG gss-tsig. 1573414012 300 28 <REDACTED> 25003 NOERROR 0
10-Nov-2019 14:26:52.518 dns_request_destroy: request 0x8012f4600
10-Nov-2019 14:26:52.518 req_destroy: request 0x8012f4600
10-Nov-2019 14:26:52.518 requestmgr_detach: 0x8012e8480: eref 1 iref 1
Out of recvgss
10-Nov-2019 14:26:52.518 req_connected: request 0x8012f4480
10-Nov-2019 14:26:52.518 req_send: request 0x8012f4480
10-Nov-2019 14:26:52.527 req_senddone: request 0x8012f4480
10-Nov-2019 14:26:52.527 dispatch 0x801334800 response 0x8012f7308 127.0.0.1#53: cancel: failsafe event 0x8012e6cf0 -> task 0x8012e1480
10-Nov-2019 14:26:52.527 req_response: request 0x8012f4480: unexpected error
10-Nov-2019 14:26:52.527 req_cancel: request 0x8012f4480
10-Nov-2019 14:26:52.527 req_sendevent: request 0x8012f4480
update_completed()
; Communication with 127.0.0.1#53 failed: unexpected error
10-Nov-2019 14:26:52.527 dns_request_destroy: request 0x8012f4480
10-Nov-2019 14:26:52.527 req_destroy: request 0x8012f4480
10-Nov-2019 14:26:52.527 requestmgr_detach: 0x8012e8480: eref 1 iref 0
done_update()
reset_system()
user_interaction()
cleanup()
Shutting down task manager
shutdown_program()
Shutting down request manager
10-Nov-2019 14:26:52.527 dns_requestmgr_shutdown: 0x8012e8480
10-Nov-2019 14:26:52.527 send_shutdown_events: 0x8012e8480
Destroy DST lib
Destroying request manager
10-Nov-2019 14:26:52.528 dns_requestmgr_detach: 0x8012e8480: eref 0 iref 0
10-Nov-2019 14:26:52.528 mgr_destroy
Freeing the dispatchers
Shutting down dispatch manager
Destroying event
Shutting down socket manager
Shutting down timer manager
Destroying name state
Removing log context
Destroying memory context
--- end nsupdate log ---
--- begin named log ---
10-Nov-2019 14:25:45.373 samba_dlz: starting transaction on zone 1.10.10.in-addr.arpa
10-Nov-2019 14:25:45.374 samba_dlz: allowing update of signer=dns-STORMCALLER\@DRAGONNORTH.PVT name=7.1.10.10.in-addr.arpa tcpaddr=127.0.0.1 type=PTR key=1022678316.sig-stormcaller.dragonnorth.pvt/160/0
10-Nov-2019 14:25:45.374 client @0x8021b1600 127.0.0.1#47385/key dns-STORMCALLER\@DRAGONNORTH.PVT: view interior: updating zone '1.10.10.in-addr.arpa/NONE': deleting rrset at '7.1.10.10.in-addr.arpa' PTR
10-Nov-2019 14:25:45.375 name.c:661: REQUIRE((__builtin_expect(!!((name1) != ((void *)0)), 1) && __builtin_expect(!!(((const isc__magic_t *)(name1))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n')))), 1))) failed, back trace
10-Nov-2019 14:25:45.376 #0 0x2f5df9 in assertion_failed()+0x59
10-Nov-2019 14:25:45.376 #1 0x66ead8 in isc_assertion_failed()+0x38
10-Nov-2019 14:25:45.376 #2 0x4572c1 in dns_name_equal()+0x91
10-Nov-2019 14:25:45.376 #3 0x803f8d02a in _fini()+0x8038c431e
10-Nov-2019 14:25:45.376 #4 0x803f8d298 in _fini()+0x8038c458c
10-Nov-2019 14:25:45.376 #5 0x359ba4 in dlopen_dlz_subrdataset()+0xf4
10-Nov-2019 14:25:45.376 #6 0x57cdaf in modrdataset()+0x34f
10-Nov-2019 14:25:45.376 #7 0x57a520 in subtractrdataset()+0xd0
10-Nov-2019 14:25:45.376 #8 0x3dfbaa in dns_db_subtractrdataset()+0x31a
10-Nov-2019 14:25:45.376 #9 0x3e40b8 in diff_apply()+0x758
10-Nov-2019 14:25:45.376 #10 0x3e395a in dns_diff_apply()+0x2a
10-Nov-2019 14:25:45.376 #11 0x3a389d in do_one_tuple()+0xfd
10-Nov-2019 14:25:45.376 #12 0x39e0e9 in update_one_rr()+0x89
10-Nov-2019 14:25:45.376 #13 0x3a3bb6 in delete_if_action()+0x86
10-Nov-2019 14:25:45.376 #14 0x39da54 in foreach_rr()+0x394
10-Nov-2019 14:25:45.376 #15 0x39e1dc in delete_if()+0xbc
10-Nov-2019 14:25:45.376 #16 0x39b29b in update_action()+0x30bb
10-Nov-2019 14:25:45.376 #17 0x6a7c77 in dispatch()+0xb67
10-Nov-2019 14:25:45.376 #18 0x6a3c81 in run()+0x41
10-Nov-2019 14:25:45.376 #19 0x8009b4736 in _fini()+0x8002eba2a
10-Nov-2019 14:25:45.376 exiting (due to assertion failure)
--- end named log ---
tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
tkey-domain "DRAGONNORTH.PVT";
minimal-responses yes;
[root@stormcaller ~]# named -V
BIND 9.14.7 (Stable Release) <id:d410de0>
running on FreeBSD amd64 12.1-RELEASE FreeBSD 12.1-RELEASE r354233 GENERIC
built by make with '--localstatedir=/var' '--disable-linux-caps'
'--with-libxml2=/usr/local' '--with-readline=-L/usr/local/lib -ledit'
'--with-dlopen=yes' '--with-openssl=/usr'
'--sysconfdir=/usr/local/etc/namedb' '--with-dlz-filesystem=yes'
'--with-dlz-postgres=yes' '--with-dlz-stub=yes' '--enable-dnstap'
'--disable-fixed-rrset' '--without-geoip2' '--with-gssapi=/usr/local'
'KRB5CONFIG=/usr/local/bin/krb5-config' '--with-libidn2=/usr/local'
'--with-libjson=/usr/local' '--disable-largefile'
'--with-lmdb=/usr/local' '--disable-native-pkcs11' '--without-python'
'--disable-querytrace' 'STD_CDEFINES=-DDIG_SIGCHASE=1'
'--enable-tcp-fastopen' '--with-tuning=default' '--enable-symtable'
'--enable-developer' '--prefix=/usr/local' '--mandir=/usr/local/man'
'--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.1'
'build_alias=amd64-portbld-freebsd12.1' 'CC=cc' 'CFLAGS=-pipe
-DLIBICONV_PLUG -g -fstack-protector-strong -isystem /usr/local/include
-fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib
-Wl,-rpath,/usr/local/lib/heimdal:/usr/lib -fstack-protector-strong '
'LIBS=-L/usr/local/lib' 'CPPFLAGS=-I/usr/local/include -DLIBICONV_PLUG
-isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
compiled by CLANG 4.2.1 Compatible FreeBSD Clang 8.0.1
(tags/RELEASE_801/final 366581)
compiled with OpenSSL version: OpenSSL 1.1.1d-freebsd 10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d-freebsd 10 Sep 2019
compiled with libxml2 version: 2.9.9
linked to libxml2 version: 20909
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
default paths:
named configuration: /usr/local/etc/namedb/named.conf
rndc configuration: /usr/local/etc/namedb/rndc.conf
DNSSEC root key: /usr/local/etc/namedb/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/pid
named lock file: /var/run/named/named.lock
[root@stormcaller ~]# samba -V
Version 4.10.10
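
The following is an added example, not part of the original report and not ISC or Samba code: a log triage sketch that ties a named assertion exit to the last update the Samba DLZ module allowed, so an operator can see which authenticated signer and record preceded the crash. It assumes one log entry per line (the e-mail wrapping undone); the function name `triage` and the sample, built from the named log above with only two back trace frames kept, are constructed for illustration.

```python
import re

# Constructed sample: entries taken from the named log in the report, with the
# e-mail line wrapping undone and only two of the back trace frames kept.
SAMPLE_LOG = r"""10-Nov-2019 14:25:45.373 samba_dlz: starting transaction on zone 1.10.10.in-addr.arpa
10-Nov-2019 14:25:45.374 samba_dlz: allowing update of signer=dns-STORMCALLER\@DRAGONNORTH.PVT name=7.1.10.10.in-addr.arpa tcpaddr=127.0.0.1 type=PTR key=1022678316.sig-stormcaller.dragonnorth.pvt/160/0
10-Nov-2019 14:25:45.375 name.c:661: REQUIRE((__builtin_expect(!!((name1) != ((void *)0)), 1) && __builtin_expect(!!(((const isc__magic_t *)(name1))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n')))), 1))) failed, back trace
10-Nov-2019 14:25:45.376 #2 0x4572c1 in dns_name_equal()+0x91
10-Nov-2019 14:25:45.376 #5 0x359ba4 in dlopen_dlz_subrdataset()+0xf4
10-Nov-2019 14:25:45.376 exiting (due to assertion failure)
"""

TS = r"(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
ALLOW = re.compile(TS + r"samba_dlz: allowing update of signer=(?P<signer>\S+) "
                   r"name=(?P<name>\S+) tcpaddr=(?P<tcpaddr>\S*) type=(?P<type>\S+)")
# The page shows REQUIRE; any upper-case macro name in the same shape is accepted.
ASSERT = re.compile(TS + r"(?P<where>\S+:\d+): (?P<kind>[A-Z]+)\(.*failed")
FRAME = re.compile(TS + r"#\d+ 0x[0-9a-f]+ in (?P<func>\w+)\(\)")
EXIT = re.compile(TS + r"exiting \(due to assertion failure\)")


def triage(log_text):
    """Return one record per assertion exit, tied to the last allowed update."""
    crashes, last_update, current = [], None, None
    for line in log_text.splitlines():
        if m := ALLOW.match(line):
            last_update = m.groupdict()
        elif m := ASSERT.match(line):
            current = {"assert_at": m["where"], "kind": m["kind"],
                       "frames": [], "update": last_update}
        elif current is not None and (m := FRAME.match(line)):
            current["frames"].append(m["func"])
        elif current is not None and (m := EXIT.match(line)):
            current["exit_ts"] = m["ts"]
            # dlopen_dlz_* frames mean the call went through named's dlopen DLZ driver.
            current["via_dlz"] = any(f.startswith("dlopen_dlz_")
                                     for f in current["frames"])
            crashes.append(current)
            current = None
    return crashes


if __name__ == "__main__":
    for crash in triage(SAMPLE_LOG):
        u = crash["update"] or {}
        print(crash["exit_ts"], crash["kind"], crash["assert_at"],
              "signer=" + u.get("signer", "?"), "name=" + u.get("name", "?"),
              "via_dlz=" + str(crash["via_dlz"]))
```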