lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 14 Oct 2014 14:04:03 +0200
From: Florian Weimer <>
To: Dirk-Willem van Gulik <>
Subject: Re: [FD] CVE-2014-3671: DNS Reverse Lookup as a vector for the Bash
	vulnerability (CVE-2014-6271

* Dirk-Willem van Gulik:

> Most other OS-es (e.g. RHEL6, Centos, FreeBSD 7 and up, seem 
> unaffected in their stock install as libc/libresolver and DNS use 
> different escaping mechanisms (octal v.s. decimal).

More precisely, anything based on the historic BIND stub resolver code
(which is a lot) will escape certain characters while converting from
wire format to the textual representation, including "(", *and* also
has a check (res_hnok) which refuses PTR records which do not follow
the rather strict syntactic requirements for host names.

Lack of quoting in a DNS API at this point means that essentially
arbitrary garbage can leak into many other places, so this could well
expose vulnerabilities on such systems which are not present

> A simple zone file; such as:
>      $TTL 10;
>      $ORIGIN
>      @     IN SOA (
>                     666        ; serial
>                     360 180 3600 1800 ; very short lifespan.
>                     )
>      IN          NS
>      *           PTR      "() { :;}; echo CVE-2014-6271, CVE-201407169, RDNS" 

I'm surprised DNS servers grok this, should be

* IN PTR \(\)\032\{\032:\;\}\;\032echo\032CVE-2014-6271\,\032CVE-201407169\,\032RDNS.

Or something similar.

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists