How I almost saved the Internet by fuzzing dnsmasq with afl-fuzz

ID MYHACK58:62201569089
Type myhack58
Reporter xiaix
Modified 2015-11-17T00:00:00


If you know me, you know that I like DNS. I'm not entirely sure how that came about, but I suspect Ed Skoudis is to blame. Anyway, a project came up to evaluate dnsmasq, and since dnsmasq is a critical piece of Internet infrastructure, it was an interesting target. Using a fairly new approach to fuzzing, I found a vulnerability that is very nearly exploitable. I started writing an exploit but never finished it. I do think the bug is exploitable, and if you have the time and want to know how it could be exploited, it's worth reading on. This link lists the dnsmasq versions affected; I'll talk about my own work later. You can also download my branch of the project, which is a vulnerable version I forked from the official tree; the only differences are that it contains some fuzzing code and debug output.

dnsmasq

For those who don't know dnsmasq, it's a service designed to run several different network protocols at once (DNS, DHCP, DHCPv6, TFTP and others). Here we only look at DNS, because I tested the other protocols and found nothing; but, as always with fuzzing, absence of evidence is not evidence of absence. dnsmasq is written almost entirely by a single author, Simon Kelley, and before this hardly any vulnerabilities had been found in it. That may be a good thing (the author writes excellent code) or a bad thing (nobody was looking) :) Whatever the theory, the author was impressive. Here is the timeline I put together:

2015.5.12 vulnerability found
2015.5.14 bug reported to the author
2015.5.14 author submits a candidate patch
2015.5.15 patch committed

The fix came far faster than I imagined.
DNS primer

The vulnerability is in the DNS name-parsing code, so it's worth spending some time explaining the DNS protocol carefully. Of course, if you already know the DNS packet structure and how domain names are parsed, you can skip this chapter. Note that I'll only explain the parts of DNS that relate to this vulnerability, not the whole protocol. For the complete protocol, see the RFCs (RFC 1035) or Wikipedia. I recommend everyone learn to hand-craft a DNS request and send it to a DNS server; it's a worthwhile skill, and you only need to remember 16 bits. :)

At its core, DNS is very simple. A client wants to look up a hostname, so it sends the server a query packet containing a DNS request, usually on UDP port 53 (TCP is possible too). Then the magic happens: the server, from its cache or by recursive queries, returns a response packet containing zero or more DNS results.

DNS packet structure

A DNS packet is made up as follows:

(int16) ID number (trn_id)
(int16) flags (includes QR [query/response], Opcode, RD [recursion desired], RA [recursion available], and some others I forget)
(int16) question count (qdcount)
(int16) answer count (ancount)
(int16) authority count (nscount)
(int16) additional count (arcount)
(variable) questions
(variable) answers
(variable) authorities
(variable) additionals

(Translator's note: a diagram of the packet layout appeared here.)

The last four sections (questions, answers, authorities and additionals) are collectively referred to as "resource records".
Different record types have different fields, but we don't need to get tangled up in that; the general format of a record is:

(variable) name (the most important part)
(int16) type (A/AAAA/CNAME, etc.)
(int16) class (always 0x0001 for public Internet addresses)

DNS names

Questions and answers generally contain a domain name. A domain name usually looks like this: this.is.a.name.skullseclabs.org. But inside a resource record in the packet, each label is preceded by its length, and a zero byte marks the end:

\x04this\x02is\x01a\x04name\x0cskullseclabs\x03org\x00

Each label is at most 63 (0x3f) bytes long. If the length byte is 0x40, 0x80, 0xc0 or certain other values, it has a special meaning (we'll get to that).

Questions and answers

When we send a DNS query to a DNS server, the query packet generally looks like this:

(header) question count = 1
question 1: ANY record for ""?

And the response usually looks like this:

(header) question count = 1, answer count = 11
question 1: ANY record for ""?
answer 1: "" has a TXT record of "oh hai NSA"
answer 2: "" has an MX record for ""
answer 3: "" has an A record for ""
...

(The above is from a real capture.)

If you do the math, "" takes up 18 bytes, and we got back 11 answers, which means we wasted 18*11, nearly 200 bytes. Back in the day, 200 bytes was not a small number, and even now, when handling tens of thousands of queries, 200 bytes per response still adds up.

Record pointers

Remember I said that each label of a DNS name is at most 63 (0x3f) bytes, and that other values are special? Let's look at the value 0xc0.
0xc0 means "the next byte is a pointer: an offset, relative to the start of the packet, at which a name exists". You'll usually see something like this:

12-byte header (trn_id + flags + counts)
question 1: ANY record for ""
answer 1: \xc0\x0c has a TXT record of "oh hai NSA"
answer 2: \xc0\x0c ...

"\xc0" indicates that what follows is a pointer, and "\x0c" is the offset: 0x0c (12) bytes from the start of the packet. Note that the offset is counted from the start of the header. Likewise, a pointer can be used as part of a domain name: your response might contain "\x03www\xc0\x0c", which becomes "www." followed by whatever name starts at offset 12 (assuming a name does start at byte 12). A very common DNS parsing problem, on both the client and the server side, is how to handle an infinite loop attack. A typical attack packet looks like this:

12-byte header
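As an added example (not dnsmasq's code or the author's), here is a name parser that handles the label and 0xc0 pointer encoding described above and refuses to loop: a pointer is only followed when it lands strictly before the segment of the name currently being read. The packets at the bottom are constructed for this example, using the skullseclabs.org name and the 12-byte header layout from the text.

```c
#include <stdint.h>
#include <string.h>

/* Read the DNS name at byte 'off' of 'pkt' (length 'len') into 'out' as
 * dotted text. Returns the bytes the name occupies in its own record (a
 * pointer counts as 2), or -1 if it is malformed, runs past the end of the
 * packet, or contains a pointer that would make the parser loop. */
int dns_read_name(const uint8_t *pkt, size_t len, size_t off,
                  char *out, size_t outlen)
{
    size_t pos = off, seg = off, used = 0, consumed = 0;
    int jumped = 0;
    for (;;) {
        if (pos >= len) return -1;                 /* ran off the packet */
        uint8_t c = pkt[pos];
        if ((c & 0xc0) == 0xc0) {                  /* 0xc0: compression pointer */
            if (pos + 1 >= len) return -1;
            size_t target = ((size_t)(c & 0x3f) << 8) | pkt[pos + 1];
            /* Only follow pointers that land strictly before the segment we
             * are in; a self or forward pointer is how a looping name is built. */
            if (target >= seg) return -1;
            if (!jumped) { consumed += 2; jumped = 1; }
            pos = seg = target;
            continue;
        }
        if (c & 0xc0) return -1;                   /* 0x40 / 0x80 are reserved */
        if (!jumped) consumed += c + 1;            /* length byte plus label */
        pos++;
        if (c == 0) break;                         /* root label ends the name */
        if (pos + c > len) return -1;              /* label runs past the packet */
        if (used + c + 1 >= outlen) return -1;     /* no room for '.', label, NUL */
        if (used) out[used++] = '.';
        memcpy(out + used, pkt + pos, c);
        used += c;
        pos += c;
    }
    out[used] = '\0';
    return (int)consumed;
}

/* Constructed packet: 12-byte header, question "skullseclabs.org" ANY/IN at
 * offset 12, then an answer name "www" + pointer to offset 12 at offset 34. */
static const uint8_t sample_pkt[] =
    "\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    "\x0cskullseclabs\x03org\x00" "\x00\xff\x00\x01" "\x03www\xc0\x0c";
/* Constructed packet: at offset 12, "www" followed by a pointer back to 12. */
static const uint8_t loop_pkt[] =
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x03www\xc0\x0c";
```

Parsing `sample_pkt` at offset 34 yields "www.skullseclabs.org" and reports 6 bytes consumed, while `loop_pkt` is rejected instead of being followed forever.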
