Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <4c698fc4-3a1f-e42a-9147-9948cbc247f4@sit.fraunhofer.de>
Date: Sat, 13 Aug 2022 16:58:57 -0700
From: "Philipp Jeitner (SIT)" <philipp.jeitner@....fraunhofer.de>
To: <oss-security@...ts.openwall.com>
Subject: Multiple DNS Cache poisoning vulnerabilities in dnrd DNS forwarder
 (CVE-2022-33993, CVE-2022-33992)

We hereby disclose the discovery of multiple DNS Cache poisoning 
vulnerabilities in the dnrd DNS forwarder. dnrd is a caching DNS 
forwarder/proxy which is unmaintained since about 2007, yet it is still 
used in some residential router firmwares. Because the project is 
unmaintained, there are no patches available for the described issues.

Our findings are published in our 2022 paper "XDRI Attacks - and - How 
to Enhance Resilience of Residential Routers" in August 2022.

Discovery/Credits
-----------------

Philipp Jeitner, Lucas Teichmann and Haya Shulman
Fraunhofer SIT

References
----------

  - dnrd: http://dnrd.sourceforge.net/
  - paper website: https://xdi-attack.net/
  - paper presentation: 
https://www.usenix.org/conference/usenixsecurity22/presentation/jeitner



CVE-2022-33993: Misinterpretation of special characters in domain names 
leading to cache-poisoning
--------------------------------------------------------------------------------------------------

Misinterpretation of special domain name characters in dnrd leads to 
cache-poisoning as domain names and their associated IP addresses are 
cached in their misinterpreted form.

## Summary

Attacker can poison the DNS cache of the vulnerable router/forwarder by 
triggering queries to attacker controlled domain names whose queries 
and/or answers contain special characters (zero-byte or period sign). 
These characters are misinterpreted by the vulnerable router/forwarder 
so that the attacker can provide addresses for domain names he does not own.

## Impact

Attackers who control a script or web-site which is loaded on a client 
of the vulnerable router/forwarder can hijack connections by poisoning 
the DNS cache.

## Steps to reproduce

To reproduce, connect a computer to the router and follow the Steps at 
https://xdi-attack.net/manual.html or use our downloadable test-tool at 
https://xdi-attack.net/test.html (NOT the online test).

## Detailed description and publication timeline

A detailed description of this attack is included in our 2021 USENIX 
security paper "Injection Attacks Reloaded: Tunnelling Malicious 
Payloads over DNS", see Section 3.2. We conducted further research and 
found that these attacks apply to various router models.



CVE-2022-33992: Disabling of DNSSEC protection provided by upstream 
resolvers
-----------------------------------------------------------------------------

dnrd forwards and caches DNS queries with checking disabled (CD) bit set 
to 1 which leads to disabling of DNSSEC protection provided by upstream 
resolvers.

## Summary

The router/forwarder forwards DNS queries with the checking disabled 
(CD) bit set to 1 to upstream resolvers and caches the responses 
provided by the upstream resolver. The cached answers are then sent to 
other clients even when they do set the checking disabled (CD) bit to 0.

## Impact

Attackers which can send DNS queries directly to the vulnerable 
router/forwarder can disable DNSSEC protection on the upstream resolver 
by sending queries with the checking disabled (CD) bit set to 1. When 
the attacker is able to inject DNS responses via another method (e.g. 
MitM attacks, BGP hijacking), this allows attacker to hijack connections 
from clients of the vulnerable router/forwarder, as DNSSEC protection is 
not guaranteed anymore.

## Steps to reproduce

Connect a computer to the vulnerable router/forwarder and trigger the 
following DNS queries via `dig`:

     $ dig sigfail.verteiltesysteme.net +cdflag @router/forwarder-ip
     (should always return 134.91.78.139)

     $ dig sigfail.verteiltesysteme.net +short @router/forwarder-ip
     (returns 134.91.78.139 if vulnerable, should return nothing)

Note: you can replace `sigfail.verteiltesysteme.net` with any other 
domain with broken DNSSEC, such as `www.dnssec-failed.org`, only the 
addresses will be different.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.