Vulnerability Patterns - Emptiness

January 31st, 2007 by kowsik

As in Nada, Nothing. When I wrote the title, it sounded silly that something as simple as this would be a pattern, but the number of NULL-pointer DoS bugs it produces is pretty amazing. It's a very effective pattern: remove the mandatory elements/fields from a protocol message and send them off to /dev/null.

The CUPS Empty UDP Datagram DoS Vulnerability is one example of this pattern. The last time it happened to me was when I was using a non-blocking UDP socket and tried reading a packet using recvfrom with MSG_PEEK. recvfrom returns zero if someone sends an empty UDP packet, which is exactly what happened. An nmap with -sU would put this program into an infinite loop.

The Cyrus SASL advisory that we released last year is another example of the Emptiness pattern. While authenticating with an LDAP server using DIGEST-MD5 authentication, there are a bunch of name=value pairs that are exchanged. The server sends the realm, the nonce and a bunch of other things. The client then has to copy some of these things back in its response along with the credentials. Well, we have a mutated object called Name Value pair that does all kinds of crazy things to the <name> <delimiter> <value> structure without regard to which protocol it's being used in. One of the mutations (as simple and harmless as it sounds) removes the name completely, so that instead of sending realm=fubar we end up sending =fubar. This triggered the NULL-pointer DoS. Given the nature of LDAP (especially now that it's being used all the more in the NAC context) and the fact that the SASL library is used in other places, the severity was critical enough that it made it interesting to release the advisory.
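The name=value case above, as an added example that is not the SASL library's code: a parser that rejects an empty name or value (so `=fubar` never reaches lookup code that assumes the name is present), and a lookup whose NULL result the caller must check. The challenge layout and field names (realm, nonce) are assumed from the description in this post.

```c
#include <stdio.h>
#include <string.h>

/* One name=value pair from a DIGEST-MD5 style challenge/response.
   Both pointers refer into the caller's buffer (no copies). */
struct nv_pair {
    const char *name;  size_t name_len;
    const char *value; size_t value_len;
};

/* Parse "name=value". Returns 1 on success, 0 when the delimiter is
   missing or either side is empty, so "=fubar" and "realm=" are rejected
   instead of yielding an empty name that later code does not expect. */
int parse_pair(const char *text, struct nv_pair *out)
{
    const char *eq = text ? strchr(text, '=') : NULL;
    if (eq == NULL)
        return 0;
    size_t nlen = (size_t)(eq - text);
    size_t vlen = strlen(eq + 1);
    if (nlen == 0 || vlen == 0)
        return 0;
    out->name = text;     out->name_len = nlen;
    out->value = eq + 1;  out->value_len = vlen;
    return 1;
}

/* Find a field by name among parsed pairs. Returns NULL when absent;
   the caller must treat that as a protocol error, not dereference it. */
const char *lookup(const struct nv_pair *pairs, size_t n, const char *name)
{
    size_t want = strlen(name);
    for (size_t i = 0; i < n; i++)
        if (pairs[i].name_len == want && memcmp(pairs[i].name, name, want) == 0)
            return pairs[i].value;
    return NULL;
}

/* Split a comma-separated challenge (constructed format, modified in
   place) into pairs. Returns the number parsed, or 0 if any pair is
   malformed, so the whole message is rejected rather than half-used. */
size_t parse_challenge(char *buf, struct nv_pair *pairs, size_t max)
{
    size_t n = 0;
    for (char *tok = strtok(buf, ","); tok && n < max; tok = strtok(NULL, ",")) {
        if (!parse_pair(tok, &pairs[n]))
            return 0;
        n++;
    }
    return n;
}
```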

The third example of the Emptiness pattern was when we were attacking a firewall using SNMP/ASN.1 mutations. One of the suites that we were using kept running till the end and the firewall seemed to be holding up. And then there was a reload. The UDP packet that caused the reboot contained the following bytes: 0x30 0x00. For those that don't grok ASN.1, 0x30 is an ASN.1 Sequence and the 0x00 is the length of what follows, which, well, is nothing.
