Changes

94 bytes added, 16:35, 28 October 2023
Add DNSpresso write-up link
Line 163: Line 163:  
| IOS-NET uses a modified version of NicheStack which is affected by [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25928 CVE-2020-25928]. Unlike described by the CVE, the IOS-NET implementation has an additional check for DNS PTR answers, which ensures the data isn't copied past the end of the buffer.
 
| IOS-NET uses a modified version of NicheStack which is affected by [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25928 CVE-2020-25928]. Unlike described by the CVE, the IOS-NET implementation has an additional check for DNS PTR answers, which ensures the data isn't copied past the end of the buffer.
 
For additional PTR records pointing at the first answer name <code>dnc_set_answer</code> is still called without checking the response data length field though.  
 
For additional PTR records pointing at the first answer name <code>dnc_set_answer</code> is still called without checking the response data length field though.  
| Out-of-bounds heap write. Might be possible to exploit.
+
| Out-of-bounds heap write. Can lead to ROP, see [https://garyodernichts.blogspot.com/2023/10/exploiting-dns-response-parsing-on-wii-u.html this post].
 
| None
 
| None
 
| [[User:GaryOderNichts|GaryOderNichts]]
 
| [[User:GaryOderNichts|GaryOderNichts]]
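
Review bot: In the changed impact cell, the link text "this post" says nothing about the target, and the claim "Can lead to ROP" rests entirely on an external blog URL that may move. Suggest naming the write-up in the link text (the edit summary calls it DNSpresso). The cell could also briefly restate the condition from the unchanged description cell, namely that additional PTR records pointing at the first answer name reach dnc_set_answer without a check on the response data length field. That way the row still explains the out-of-bounds heap write if the link goes stale.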
