| commit | 2eb03bb7464940dd8bf26e4e3aa21b21feb897fb | |
| author | David Fifield <david@bamsoftware.com> | |
| Thu, 12 Aug 2021 19:02:31 +0000 (12 13:02 -0600) | ||
| committer | David Fifield <david@bamsoftware.com> | |
| Thu, 12 Aug 2021 19:20:41 +0000 (12 13:20 -0600) | ||
| tree | d33f1bd7758a202b45a376fcc8ff36bdc13fc375 | treesnapshot (tar.gz zip) |
| parent | 46acde28bc49acd68f700ace67f713fc514bbfcb | commitdiff |
Escape DNS names that appear in logs.
The dnstt-server log line "NXDOMAIN: not authoritative for %s" copied
bytes directly from an attacker-controlled DNS name to the log. Because
DNS labels may contain any byte values, this made possible various
injection attacks, for example:
* A label containing a newline byte could break the format of a log
file, or be used to inject false log lines.
* If the log output were going to a terminal (as it does by default), a
DNS name could affect the terminal by including escape sequences.
* A DNS label containing the dot character (\x2e) could give a
misleading impression of the contents of a query; for example the
names ["a" "example" "com"] and ["a\x2eexample" "com"] would both be
logged as "a.example.com".
The former ambiguity with the dot character might have confused the name
compressor in messageBuilder.WriteName, but I do not think any of
dnstt's uses of messageBuilder could have been affected.
The Name.String method now does backslash hex escaping of unusual bytes
in labels.
This vulnerability was called to mind by "Injection Attacks Reloaded:
Tunnelling Malicious Payloads over DNS" by Jeitner and Shulman. See
particularly Section 3.2 for \x2e injection.
https://www.usenix.org/conference/usenixsecurity21/presentation/jeitner
The dnstt-server log line "NXDOMAIN: not authoritative for %s" copied
bytes directly from an attacker-controlled DNS name to the log. Because
DNS labels may contain any byte values, this made possible various
injection attacks, for example:
* A label containing a newline byte could break the format of a log
file, or be used to inject false log lines.
* If the log output were going to a terminal (as it does by default), a
DNS name could affect the terminal by including escape sequences.
* A DNS label containing the dot character (\x2e) could give a
misleading impression of the contents of a query; for example the
names ["a" "example" "com"] and ["a\x2eexample" "com"] would both be
logged as "a.example.com".
The former ambiguity with the dot character might have confused the name
compressor in messageBuilder.WriteName, but I do not think any of
dnstt's uses of messageBuilder could have been affected.
The Name.String method now does backslash hex escaping of unusual bytes
in labels.
This vulnerability was called to mind by "Injection Attacks Reloaded:
Tunnelling Malicious Payloads over DNS" by Jeitner and Shulman. See
particularly Section 3.2 for \x2e injection.
https://www.usenix.org/conference/usenixsecurity21/presentation/jeitner
| dns/dns.go | diffblobblamehistory | |
| dns/dns_test.go | diffblobblamehistory | |
| dnstt-server/main.go | diffblobblamehistory |