The DNS implementation of DNRD before 2.10 allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop.
DNRD versions prior to 2.10 are vulnerable to a denial-of-service (DoS) attack. An attacker can send a crafted DNS packet containing a compressed label whose pointer offset is invalid, triggering an infinite loop in the DNS server and making it unavailable to legitimate users.
Step 1: Malicious Packet Creation: An attacker crafts a DNS packet containing a compressed DNS label. In DNS compression, a label length byte whose top two bits are set acts as a pointer, and its remaining bits (together with the next byte) give an offset into the packet. Here the offset points to an invalid or out-of-bounds location within the packet, designed to trigger an infinite loop.
Step 2: Packet Transmission: The attacker sends the crafted DNS packet to a vulnerable DNRD server.
Step 3: Packet Reception and Parsing: The DNRD server receives the malicious DNS packet and begins to parse it.
Step 4: Label Decompression and Infinite Loop: When the server encounters the compressed label, it attempts to decompress it by following the provided offset. Because the offset is never validated, the decompression routine enters an infinite loop, repeatedly attempting to read from the incorrect location.
Step 5: Resource Exhaustion and DoS: The infinite loop consumes CPU resources, preventing the server from processing legitimate DNS requests. This leads to a denial-of-service condition, making the DNS server unavailable.
The vulnerability lies within DNRD's DNS packet parsing logic, specifically in how it handles compressed DNS labels. The code fails to validate the offset carried by a compression pointer. A malicious actor can craft a DNS packet containing a compressed label whose offset points to an invalid or out-of-bounds location within the packet. When the server attempts to resolve the label, it enters an infinite loop as it repeatedly follows the invalid offset, consuming CPU and causing a DoS condition. The root cause is a lack of bounds checking on the offset used during label decompression, which results in an uncontrolled read.
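A defender-side illustration of the missing checks, added here and not taken from DNRD's code: a DNS name decompressor that keeps every read inside the packet, requires compression pointers to point backward, and caps the number of pointer hops, so a self-referential or cyclic pointer is rejected instead of looping. The packets and the hop limit of 32 are constructed assumptions for the example.

```python
"""Bounds- and loop-checked DNS name decompression (RFC 1035 section 4.1.4).
Constructed example for this page, not DNRD's code."""

class MalformedName(ValueError):
    """Raised instead of looping when a name cannot be decoded safely."""

def read_name(pkt: bytes, offset: int, max_hops: int = 32):
    """Return (dotted_name, offset_after_name) or raise MalformedName."""
    labels, hops, pos, end = [], 0, offset, None
    while True:
        if pos >= len(pkt):
            raise MalformedName(f"length byte at {pos} is past the end of the packet")
        length = pkt[pos]
        if length & 0xC0 == 0xC0:                 # 11xxxxxx: two-byte compression pointer
            if pos + 1 >= len(pkt):
                raise MalformedName("truncated compression pointer")
            target = ((length & 0x3F) << 8) | pkt[pos + 1]
            end = end if end is not None else pos + 2   # the name ends after its first pointer
            # A pointer must refer to an earlier byte: a self or forward pointer never terminates.
            # Backward-only is not enough (a target can lead back here), so the hop cap bounds the loop.
            if target >= pos:
                raise MalformedName(f"pointer at {pos} does not point backward (target {target})")
            hops += 1
            if hops > max_hops:
                raise MalformedName("too many compression pointers (pointer cycle?)")
            pos = target
            continue
        if length & 0xC0:                         # 01/10 prefixes are reserved label types
            raise MalformedName(f"reserved label type 0x{length:02x}")
        if length == 0:                           # root label terminates the name
            return ".".join(labels), (end if end is not None else pos + 1)
        if pos + 1 + length > len(pkt):
            raise MalformedName("label runs past the end of the packet")
        labels.append(pkt[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length

def check(pkt: bytes, offset: int):
    """Return (True, name) or (False, reason) so a server can drop the packet instead of hanging."""
    try:
        return True, read_name(pkt, offset)[0]
    except MalformedName as exc:
        return False, str(exc)

HDR = bytes(12)                                    # constructed 12-byte DNS header (all zero)
GOOD = HDR + b"\x07example\x03com\x00\xc0\x0c"     # name at offset 12, pointer to it at 25
SELF = HDR + b"\xc0\x0c"                           # pointer at 12 that points to itself
CYCLE = HDR + b"\x01a\xc0\x0c"                     # label "a" at 12, then a pointer back to 12
TRUNC = HDR + b"\x05abc"                           # length byte claims 5 octets, only 3 present
```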