raphting.dev

Fuzzing with a finding

I found a vulnerability in a popular DNS package for Go. The package offers a function to parse a DNS zone file, and public endpoints may use this function to parse user-supplied zone files.

Because I use this function in a project, I wanted to make sure that malformed zone files are handled correctly. I used Go's built-in fuzzer to automate this testing. The fuzz target below found the string that crashes the parser. The real zone file I used as the seed corpus is shortened here.

package zonefuzz

import (
	"bytes"
	"testing"

	"github.com/miekg/dns" // import path of the DNS package (assumed; the post does not name it)
)

func FuzzZoneParser(f *testing.F) {
	// Seed corpus: a real zone file, shortened here.
	f.Add(`
$TTL 300
<--- SNIP --->
`)

	f.Fuzz(func(t *testing.T, zone string) {
		res := dns.NewZoneParser(bytes.NewReader([]byte(zone)), "", "")
		res.SetDefaultTTL(300)
		for {
			// Drain the parser. A parse error or the end of the input ends the
			// iteration normally; a panic inside Next is reported as a crash.
			_, hasNext := res.Next()

			if res.Err() != nil {
				return
			}

			if !hasNext {
				return
			}
		}
	})
}

After a short time, the fuzzer found a panic: when the string "NSID :" appears in the zone file, the parser panics.

I consider this security-critical because a malicious user could crash server software at will.

After finding this bug, I got in touch with the maintainer and confirmed that we did not need to follow a private disclosure process. I opened a PR that fixes the panic; it has already been merged.

By Raphael Sprenger