CVE-2022-4904: Uncovering a Flaw in the c-ares Package that Leads to a Stack Overflow Vulnerability

In the c-ares package, a vulnerability was identified involving the ares_set_sortlist function. Due to missing checks on the validity of the input string, this flaw can potentially result in a stack overflow of arbitrary length. The implications of this flaw include denial of service and limited impact on confidentiality and integrity. In this post, we will discuss the details of the exploit, provide code snippets, and offer links to the original references.

Introduction

c-ares (https://c-ares.haxx.se/) is an asynchronous resolver library, providing efficient DNS lookups in a non-blocking way. It is widely utilized in various applications and tools, including the popular curl library. The vulnerability stems from the ares_set_sortlist function, which is responsible for setting sortlist information to a channel.

Vulnerability Details

A flaw was found in the c-ares package in the ares_set_sortlist function. This function is missing necessary checks on the validity of the input string, which leaves room for a potential stack overflow of arbitrary length. This can result in a denial of service or limited impact on confidentiality and integrity.

The issue originates from the following piece of code in the c-ares source file

int ares_set_sortlist(ares_channel channel, const char *sort_list)
{
  struct apattern *sortitems;
  char p[32];
  const char *q;

  ...

  for (numpats = ; (q = strpbrk(sort_list, ",/")) != NULL; numpats++)
  {
    strncpy(p, sort_list, q - sort_list);
    p[q - sort_list] = '\';
    sort_list = q + 1;
    ...
  }

  ...
}

The problem arises when the function copies a substring of the input sort_list into a buffer p without any verification of its length. Since p has a fixed size of 32 characters, a malicious input with a length greater than 32 characters can cause a stack buffer overflow.

Exploit Scenario

In a scenario where an attacker can control the input string to the ares_set_sortlist function, they can exploit this vulnerability to crash the application or potentially execute arbitrary code. By providing an input string with a length greater than 32 characters, the attacker can trigger a buffer overflow that could overwrite the memory and lead to a denial of service or compromise system confidentiality and integrity, depending on the context and use of c-ares in the target application.

Mitigation

The simplest fix for this vulnerability is to add a check on the size of the input string in the ares_set_sortlist function before copying the substring into the p buffer. It could be achieved by altering the code snippet mentioned above to:

for (numpats = ; (q = strpbrk(sort_list, ",/")) != NULL; numpats++)
{
  if (q - sort_list > sizeof(p) - 1) // Check if input string length exceeds buffer size
    return ARES_EBADSTR;

  strncpy(p, sort_list, q - sort_list);
  p[q - sort_list] = '\';
  sort_list = q + 1;
  ...
}

This fix ensures that the ares_set_sortlist function will not overflow the p buffer and eliminates the risk of arbitrary length stack overflow.

Original References

The original CVE report can be found at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4904.

The c-ares project website is located at https://c-ares.haxx.se/.

Curl, one of the popular libraries utilizing c-ares, has information available at https://curl.se/.

Conclusion

In summary, a stack overflow vulnerability was discovered in the c-ares package due to missing checks on the validity of the input string in the ares_set_sortlist function. By addressing this issue and implementing the necessary checks, developers can mitigate the risk of denial of service or limited impact on confidentiality and integrity in applications that utilize the c-ares library.

Timeline

Published on: 03/06/2023 23:15:00 UTC
Last modified on: 03/14/2023 14:03:00 UTC