Introduction
A recent security vulnerability, CVE-2024-24194, was discovered in robdns, an open-source DNS server. The flaw affects commit d76d2e6 and is a NULL pointer dereference in the server's configuration parser, specifically in the item->tokens component at /src/conf-parse.c. This post explains how it happens, who is impacted, and how to protect your systems. We'll break down the issue in simple terms, offer example code, and link to important references.
What is robdns?
robdns is a lightweight, high-speed DNS server written in C. It's often used by admins who need a simple yet fast DNS solution but, like all software, it can have vulnerabilities—especially in parts that handle external input, like configuration files.
What is CVE-2024-24194?
This CVE describes a NULL pointer dereference bug. That's when the software tries to use memory at address NULL (or zero), which almost always leads to a crash. An attacker with access to robdns configuration files can exploit this flaw to cause a denial-of-service (DoS): basically, making the DNS server go down or restart repeatedly.
Vulnerable Code Context
The buggy code lies in the function for parsing configuration items. Here’s a simplified snippet from /src/conf-parse.c (see original commit):
```c
void parse_config_item(item_t *item) {
    // ...
    for (int i = 0; i < item->num_tokens; ++i) {
        // item->tokens is indexed here without a NULL check
        printf("Token: %s\n", item->tokens[i]);
        // ...
    }
}
```
If item->tokens hasn't been initialized (is NULL), dereferencing it like item->tokens[i] will crash the program.
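One way to guard the loop above, written as an added example and not taken from robdns or its fix. `item_t` here is a hypothetical stand-in with only the two fields the post names, and `parse_config_item_checked` and `parse_line_checked` are illustrative names; the inputs in `main` are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the parser's item type: only the two fields
 * named in the post (tokens, num_tokens) are modelled. */
typedef struct { char **tokens; int num_tokens; } item_t;

/* Hardened loop: validate the item before any item->tokens[i] access. */
int parse_config_item_checked(const item_t *item) {
    if (item == NULL || item->num_tokens < 0)
        return -1;
    if (item->num_tokens > 0 && item->tokens == NULL)
        return -1;                 /* the state that crashes the unchecked loop */
    for (int i = 0; i < item->num_tokens; ++i) {
        if (item->tokens[i] == NULL)
            return -1;             /* hole inside the token array */
        printf("Token: %s\n", item->tokens[i]);
    }
    return item->num_tokens;
}

/* Constructed tokenizer (not robdns code): splits a line on whitespace, then
 * runs the checked loop. A line with no tokens leaves tokens == NULL. */
int parse_line_checked(const char *line) {
    item_t item = { NULL, 0 };
    char *copy = malloc(strlen(line) + 1);
    if (copy == NULL)
        return -1;
    strcpy(copy, line);
    for (char *t = strtok(copy, " \t\n"); t != NULL; t = strtok(NULL, " \t\n")) {
        char **grown = realloc(item.tokens, (size_t)(item.num_tokens + 1) * sizeof(char *));
        if (grown == NULL) { free(item.tokens); free(copy); return -1; }
        item.tokens = grown;
        item.tokens[item.num_tokens++] = t;
    }
    int rc = parse_config_item_checked(&item);
    free(item.tokens);
    free(copy);
    return rc;
}

int main(void) {
    item_t broken = { NULL, 2 };   /* constructed: count set, array never allocated */
    printf("well-formed: %d\n", parse_line_checked("zone example.com {"));
    printf("empty line:  %d\n", parse_line_checked(""));
    printf("broken item: %d\n", parse_config_item_checked(&broken));
    return 0;
}
```

The checked function returns the token count on success and -1 for any inconsistent item, so the caller can reject the configuration file with an error instead of crashing.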
How is it Exploited?
An attacker can create a malformed configuration file that, when loaded by robdns, causes item->tokens to stay as NULL. When the parser tries to iterate over the tokens, it crashes.
Suppose robdns expects config items like:
```
zone example.com {
    file "db.example.com";
}
```
But an attacker provides an empty or malformed block:
```
zone {}
```
If the parser doesn't create tokens for this input, then item->tokens remains NULL.
```sh
git clone https://github.com/robdns/robdns
```
```sh
./robdns -c bad.conf
```
Main CVE Entry:
Original Commit:
File with Vulnerability:
Conclusion
CVE-2024-24194 is a classic but serious bug: a NULL pointer dereference in the robdns config parser. It can take your DNS server offline with just a single bad config line. Always keep your servers updated, review configs for errors, and follow secure coding practices!
If you use robdns, check your version and apply patches as soon as possible.
Timeline
Published on: 06/06/2024 22:15:10 UTC
Last modified on: 08/23/2024 19:35:08 UTC