On February 2024, a security flaw designated CVE-2024-24199 was publicly disclosed in smartdns, an open source local DNS server that helps speed up domain resolution and block ads. The security issue was traced back to commit 54b4dc, specifically in the file smartdns/src/dns.c. This vulnerability exposes systems running affected versions of smartdns to potential denial of service (DoS) and possibly remote code execution through a misaligned address dereference.

What Is a Misaligned Address Vulnerability?

In simple terms, a misaligned address vulnerability happens when the program accesses memory that isn’t properly aligned for the type of data being read or written. For example, a 4-byte integer should be read from an address divisible by 4. If not, this can cause crashes, unpredictable behavior, or even security holes—especially on architectures that strictly enforce alignment.

How Was It Found?

During routine security research, a contributor found that certain DNS packet parsing paths in dns.c didn't properly align their access to memory, leading to misaligned pointer dereferences. Specifically, inputs crafted to manipulate DNS packets could cause reads or writes at non-aligned addresses.

Let’s look at a simplified model based on the vulnerable commit

// Vulnerable function from dns.c (snippet, simplified for clarity)
uint16_t parse_response(uint8_t *packet, size_t length) {
    // Packet offset is incremented manually, risking misalignment
    uint16_t answer_count = *(uint16_t*)(packet + 6); // 6 is not necessarily aligned
    // ... rest of parsing logic ...
}

Above, the code directly casts an offset in the DNS packet (packet + 6) to a uint16_t* without checking if (packet + 6) is properly aligned in memory. On some hardware, this risks a crash or, worse, undefined behaviors.

Here's how an attacker might exploit the problem

1. Craft a Malicious DNS Packet: The attacker sends a specially crafted DNS packet that causes the vulnerable code to access misaligned memory.
2. Trigger the Vulnerable Parse: When smartdns processes the packet, it executes the parse with unaligned access.
3. Cause Crash or Code Execution: Depending on the CPU architecture, this can crash smartdns (DoS), or potentially open up memory corruption that can be exploited for arbitrary code execution.

Minimal Exploit Example

The risk is highest on ARM and MIPS devices, which are popular in routers using smartdns. To replicate a crash, send a DNS response designed with the right payload:

# Exploit using Scapy (Python)
from scapy.all import *

# Build a packet with a 6-byte header so answer_count access is misaligned
pkt = IP(dst="smartdns-server-ip")/UDP(sport=53, dport=smartdns_port)/Raw(load=b"\x00"*6 + b"\xff\xff")
send(pkt)

This will send a DNS packet with data such that packet + 6 is not even 2-byte aligned, triggering the vulnerability.

Mitigations

1. Upgrade smartdns: If you use smartdns, update to a version after commit 54b4dc where the vulnerability is patched.
2. Apply Official Patch: See this pull request for the patch. The main fix is using memcpy for unaligned reads:

This reads the bytes safely, avoiding misaligned pointer dereference.

3. Filter DNS Input: If immediate upgrade isn’t possible, filter out incoming DNS packets from untrusted sources at the firewall or network level.

References

- CVE Detail Page
- Original Commit 54b4dc
- Project smartdns
- Smartdns Security Issue Discussion
- Common C alignment problems

Conclusion

CVE-2024-24199 demonstrates how even small mistakes in pointer arithmetic can have significant impacts, especially on devices where every bit of performance matters. If you rely on smartdns—either on your home network or embedded device—make sure to update immediately, and keep an eye out for security advisories. Staying up to date is your best defense.

Got questions or found another bug? Join the smartdns GitHub discussions and help make open source safer for everyone.

Timeline

Published on: 06/06/2024 22:15:10 UTC
Last modified on: 10/29/2024 19:26:03 UTC