dnsmasq Out-of-Bounds Write Vulnerability in BOOTREPLY Processing Leading to Denial-of-Service

Vulnerability

An out-of-bounds write vulnerability has been identified in dnsmasq versions prior to 2.92. When the server is started with the '--dhcp-split-relay' option, a remote attacker can send a specially crafted BOOTREPLY packet that triggers the flaw. The defect lies in DHCP relay processing, where dnsmasq mishandles the OPTION_AGENT_ID option and writes past the end of its receive buffer, corrupting memory. The corruption causes the dnsmasq daemon to crash, creating a denial-of-service condition.

Impact

Exploitation of this vulnerability causes the dnsmasq daemon to crash, leading to a denial-of-service condition where DHCP and DNS services provided by dnsmasq are interrupted.

Reproduction

The vulnerability can be reproduced by sending a BOOTREPLY packet that includes the OPTION_AGENT_ID option, positioned so as to trigger the buffer handling flaw. This can be done with a tool that allows the crafting of DHCP packets, such as Scapy or a similar network packet manipulation tool. The packet should be crafted so that OPTION_AGENT_ID sits at the end of a 552-byte BOOTREPLY, causing one byte to be written past the end of the receive buffer. The result can be verified by observing the AddressSanitizer report indicating a memory corruption error.

Remediation

To address this vulnerability, remove the '--dhcp-split-relay' option from the dnsmasq configuration. After making this change, restart the dnsmasq service to apply the new configuration. Be aware that this may temporarily disrupt DHCP and DNS services.
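The following exposure check is an added example, not part of this advisory or of the dnsmasq project: it combines the two facts the advisory states (affected versions are older than 2.92, and the bug is reachable only when '--dhcp-split-relay' is enabled) into a single audit. It assumes the caller supplies the output of `dnsmasq --version`, the concatenated text of the configuration files (the advisory does not say whether the option takes a value, so both bare and `=value` forms are accepted), and optionally the daemon's command-line arguments.

```python
import re

# Version in which the advisory says the flaw is fixed.
FIXED_VERSION = (2, 92)

# Constructed sample inputs (not taken from a real host).
SAMPLE_VERSION_BANNER = "Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley"
SAMPLE_CONFIG = """# dnsmasq.conf (constructed sample)
port=53
interface=eth0
dhcp-range=192.0.2.10,192.0.2.100,12h
dhcp-split-relay   # the option the advisory warns about
"""


def parse_version(version_output: str):
    """Return (major, minor) from a 'Dnsmasq version X.Y ...' banner."""
    m = re.search(r"[Dd]nsmasq version (\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("unrecognised dnsmasq version banner")
    return int(m.group(1)), int(m.group(2))


def version_is_affected(version_output: str) -> bool:
    """True for any release older than 2.92."""
    return parse_version(version_output) < FIXED_VERSION


def split_relay_in_config(config_text: str) -> bool:
    """True if an uncommented config line enables dhcp-split-relay.

    dnsmasq.conf uses option names without the leading '--'; comments start
    with '#'. Both 'dhcp-split-relay' and 'dhcp-split-relay=...' are matched
    because the advisory does not state whether the option takes a value.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if re.fullmatch(r"dhcp-split-relay(=.*)?", line):
            return True
    return False


def split_relay_on_cmdline(argv) -> bool:
    """True if the daemon was started with --dhcp-split-relay (bare or with a value)."""
    return any(a == "--dhcp-split-relay" or a.startswith("--dhcp-split-relay=") for a in argv)


def is_exposed(version_output: str, config_text: str, argv=()) -> bool:
    """Exposed only when BOTH conditions hold: affected version AND option enabled."""
    enabled = split_relay_in_config(config_text) or split_relay_on_cmdline(argv)
    return version_is_affected(version_output) and enabled


if __name__ == "__main__":
    print("exposed:", is_exposed(SAMPLE_VERSION_BANNER, SAMPLE_CONFIG))
```

A host that is not exposed by this check may still run an affected release; removing the option only closes the reachable path the advisory describes.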

Added: Apr 17, 2026, 1:25 PM
Updated: Apr 17, 2026, 1:25 PM

Vulnerability Rating

Custom Algorithm

  spread          8.1
  impact          3.1
  exploitability  9.1
  remediation     7.9
  relevance       6.1
  threat          6.4
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.