Dual DHCP DNS Server 7.01 remote DoS

# Date: 29.04.2013
# Author: otr
# Software Link: http://sourceforge.net/projects/dhcp-dns-server/
# Version: 7.01
# Tested on: Windows
# CVE: To be assigned
# CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:U/RC:C/CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
# CVSS-B: 7.8
# CVSS-T: 7.8

# Type: DoS
# Vendor: achaldhir

# STATUS: final

Timeline:

2013-04-19 Flaw Discovered
2013-04-20 Vendor contacted

Summary:

A buffer overflow in Dual DHCP DNS Server 7.01 allows remote attackers to cause
a denial of service (application crash) via the DNS query name field.

The vulnerable code is located in the scanloc() function:

    MYWORD scanloc(data5 *req)
    {
        if (!req->query[0])
            return 0;

        /* no length check: req->query is copied into the fixed-size
           cname and mapname fields whatever its length */
        strcpy(req->cname, req->query);
        strcpy(req->mapname, req->query);
        /* ... */

as well as in the procTCP() function:

    void procTCP(data5 *req)
    /*...*/
        /* same unchecked copies as in scanloc() */
        strcpy(req->cname, req->query);
        strcpy(req->mapname, req->query);

Also, the "fQu(char *query, dnsPacket *mess, char *raw)" function does not
check the absolute (total) length of the hostname.

A DNS query name that uses multiple "." separators to circumvent the input
filtering lets an attacker overflow the global req->cname variable, which in
turn overwrites the req->query variable. In particular, the overwrite of
req->query removes the '\0' terminator from the source string of the strcpy()
call. The copy then cycles over the source buffer until a write to the next
read-only memory page causes an access violation.

Fix:

Validate the length of the query input string in order to avoid an overflow.
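Added example, not the vendor's code: a length check of the kind the fix calls for, written in C. The data5 layout, the 256-byte field sizes and the names dns_name_length_ok(), set_query(), try_query() and try_long_query() are assumptions; the advisory gives none of them.

```c
#include <string.h>

/* Assumed layout: the advisory names req->query, req->cname and
 * req->mapname but gives no sizes, so these are placeholders. */
#define NAME_SIZE 256
typedef struct { char query[NAME_SIZE]; char cname[NAME_SIZE]; char mapname[NAME_SIZE]; } data5;

/* Presentation-form DNS name bound (RFC 1035): labels of at most 63 characters,
 * whole name at most 253 characters (255 octets on the wire). 1 = ok, 0 = reject. */
int dns_name_length_ok(const char *name)
{
    size_t total = strnlen(name, NAME_SIZE), label = 0;
    if (total == 0 || total > 253)
        return 0;
    for (const char *p = name; *p; p++) {
        if (*p != '.') { label++; continue; }
        if (label == 0 || label > 63)   /* empty or oversized label */
            return 0;
        label = 0;
    }
    return label <= 63;                 /* last label (empty for an FQDN) */
}

/* Hardened replacement for the strcpy() pairs quoted above: check the length
 * once, then copy a bounded number of bytes and terminate explicitly, so
 * cname can never run into query.  Returns 0 on success, -1 on a rejected name. */
int set_query(data5 *req, const char *name)
{
    if (!dns_name_length_ok(name))
        return -1;
    size_t len = strlen(name);          /* bounded by the check above */
    memcpy(req->query, name, len);   req->query[len] = '\0';
    memcpy(req->cname, name, len);   req->cname[len] = '\0';
    memcpy(req->mapname, name, len); req->mapname[len] = '\0';
    return 0;
}

/* Helpers: run a name, or a constructed name of n characters made of
 * 60-character labels, through set_query(). */
int try_query(const char *name) { data5 req; return set_query(&req, name); }
int try_long_query(size_t n)
{
    char buf[1024];
    if (n >= sizeof buf) return -1;
    for (size_t i = 0; i < n; i++)
        buf[i] = (i % 61 == 60) ? '.' : 'a';
    buf[n] = '\0';
    return try_query(buf);
}
```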