被运行 Linux、FreeBSD、OpenBSD、NetBSD 和 macOS 的设备广泛使用的软件包 Dnsmasq 发现了 7 个新漏洞，其中三个允许黑客远程代码执行漏洞，编号为 CVE-2017-14493 的漏洞允许攻击者绕过防御在设备上执行任意代码。Dnsmasq 提供了代码简化了联网设备使用 DNS 和动态主机配置协议通信，它包含在 Android 和大多数 Linux 发行版中，以及其它操作系统和路由器固件中。Dnsmasq 开发者已经释出了 v2.78 修复了这些漏洞。Android 只受到其中一个不严重的 bug 的影响，补丁已经随 10 月份的安全更新释出。开源固件项目 DD-WRT 也已经释出补丁修复了相关漏洞。

Our team has previously posted about DNS vulnerabilities and exploits. Lately, we’ve been busy reviewing the security of another DNS software package: Dnsmasq. We are writing this to disclose the issues we found and to publicize the patches in an effort to increase their uptake.[出自:jiwo.org]

Dnsmasq provides functionality for serving DNS, DHCP, router advertisements and network boot. This software is commonly installed in systems as varied as desktop Linux distributions (like Ubuntu), home routers, and IoT devices. Dnsmasq is widely used both on the open internet and internally in private networks.

We discovered seven distinct issues (listed below) over the course of our regular internal security assessments. Once we determined the severity of these issues, we worked to investigate their impact and exploitability and then produced internal proofs of concept for each of them. We also worked with the maintainer of Dnsmasq, Simon Kelley, to produce appropriate patches and mitigate the issue.

These patches have been upstreamed and are now committed to the project’s git repository. In addition to these patches we have also submitted another patch which will run Dnsmasq under seccomp-bpf to allow for additional sandboxing. This patch has been submitted to the DNSmasq project for review and we have also made it available here for those who wish to integrate it into an existing install (after testing, of course!). We believe the adoption of this patch will increase the security of DNSMasq installations.

We would like to thank Simon Kelley for his help in patching these bugs in the core Dnsmasq codebase. Users who have deployed the latest version of Dnsmasq (2.78) will be protected from the attacks discovered here. Android partners have received this patch as well and it will be included in Android's monthly security update for October. Kubernetes versions 1.5.8, 1.6.11, 1.7.7, and 1.8.0 have been released with a patched DNS pod. Other affected Google services have been updated.

During our review, the team found three potential remote code executions, one information leak, and three denial of service vulnerabilities affecting the latest version at the project git server as of September 5th 2017.

CVE	Impact	Vector	Notes	PoC
CVE-2017-14491	RCE	DNS	Heap based overflow (2 bytes). Before 2.76 and this commit overflow was unrestricted.	PoC, instructions and ASAN report
CVE-2017-14492	RCE	DHCP	Heap based overflow.	PoC, instructions and ASAN report
CVE-2017-14493	RCE	DHCP	Stack Based overflow.	PoC, instructions and ASAN report
CVE-2017-14494	Information Leak	DHCP	Can help bypass ASLR.	PoC and Instructions
CVE-2017-14495	OOM/DoS	DNS	Lack of free() here.	PoC and  instructions
CVE-2017-14496	DoS	DNS	Invalid boundary checks here. Integer underflow leading to a huge memcpy.	PoC, instructions and ASAN report
CVE-2017-13704	DoS	DNS	Bug collision with CVE-2017-13704

It is worth expanding on some of these:

• CVE-2017-14491 is a DNS-based vulnerability that affects both directly exposed and internal network setups. Although the latest git version only allows a 2-byte overflow, this could be exploited based on previous research. Before version 2.76 and this commit the overflow is unrestricted.