Full Disclosure mailing list archives
Re: CVE-2014-3671: DNS Reverse Lookup as a vector for the Bash vulnerability (CVE-2014-6271 et.al.)
From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 14 Oct 2014 14:04:03 +0200
* Dirk-Willem van Gulik:
Most other OS-es (e.g. RHEL6, Centos, FreeBSD 7 and up, seem unaffected in their stock install as libc/libresolver and DNS use different escaping mechanisms (octal v.s. decimal).
More precisely, anything based on the historic BIND stub resolver code (which is a lot) will escape certain characters while converting from wire format to the textual representation, including "(", *and* also has a check (res_hnok) which refuses PTR records which do not follow the rather strict syntactic requirements for host names. Lack of quoting in a DNS API at this point means that essentially arbitrary garbage can leak into many other places, so this could well expose vulnerabilities on such systems which are not present elsewhere.
A simple zone file; such as: $TTL 10; $ORIGIN in-addr.arpa. @ IN SOA ns.boem.wleiden.net dirkx.webweaving.org ( 666 ; serial 360 180 3600 1800 ; very short lifespan. ) IN NS 127.0.0.1 * PTR "() { :;}; echo CVE-2014-6271, CVE-201407169, RDNS"
I'm surprised DNS servers grok this, should be * IN PTR \(\)\032\{\032:\;\}\;\032echo\032CVE-2014-6271\,\032CVE-201407169\,\032RDNS. Or something similar. _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- CVE-2014-3671: DNS Reverse Lookup as a vector for the Bash vulnerability (CVE-2014-6271 et.al.) Dirk-Willem van Gulik (Oct 13)
- <Possible follow-ups>
- Re: CVE-2014-3671: DNS Reverse Lookup as a vector for the Bash vulnerability (CVE-2014-6271 et.al.) Florian Weimer (Oct 14)
- Re: CVE-2014-3671: DNS Reverse Lookup as a vector for the Bash vulnerability (CVE-2014-6271 et.al.) Dirk-Willem van Gulik (Oct 14)