Cross-domain injections

The traditional design principle for Internet protocols indicates: "Be strict when sending and tolerant when receiving" [RFC1958], and DNS is no exception to this. The transparency of DNS in handling the DNS records, also standardised specifically for DNS [RFC3597], is one of the key features that made it such a popular platform facilitating a constantly increasing number of new applications. An application simply creates a new DNS record and can instantly start distributing it over DNS without requiring any changes to the DNS servers and platforms. Our Internet wide study confirms that more than 1.3M (96% of tested) open DNS resolvers are standard compliant and treat DNS records transparently.

In this work we show that this `transparency' introduces a severe vulnerability in the Internet: we demonstrate a new method to launch string injection attacks by encoding malicious payloads into DNS records. We show how to weaponise such DNS records to attack popular applications. For instance, we apply string injection to launch a new type of DNS cache poisoning attack, which we evaluated against a population of open resolvers and found 105K to be vulnerable. Such cache poisoning cannot be prevented with common setups of DNSSEC. Our attacks apply to internal as well as to public services, for instance, we reveal that all eduroam services are vulnerable to our injection attacks, allowing us to launch exploits ranging from unauthorised access to eduroam networks to resource starvation. Depending on the application, our attacks cause system crashes, data corruption and leakage, degradation of security, and can introduce remote code execution and arbitrary errors.

To find out the vulnerable implementations causing the cache-poisoning vulnerabilities in DNS resolvers, we explore the security of residential routers and find a range of critical vulnerabilities. Our evaluations show that 10 out of 35 popular routers are vulnerable to injections of fake records via misinterpretation of special characters. We also find that in 15 of the 35 routers the mechanisms, that are meant to prevent cache poisoning attacks, can be circumvented.

In our Internet-wide study with an advertisement network, we identified and analyzed 976 residential routers used by web clients, out of which more than 95% were found vulnerable to our attacks. Overall, vulnerable routers are prevalent and are distributed among 177 countries and 4830 networks.

To understand the core factors causing the vulnerabilities we perform black- and white-box analyses of the routers. We find that many problems can be attributed to incorrect assumptions on the protocols' behaviour and the Internet, misunderstanding of the standard recommendations, bugs, and simplified DNS software implementations.

We also set up a tool to enable everyone to evaluate the security of their routers here.

Publications

Philipp Jeitner and Haya Shulman

Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS [usenix.org] [arXiv.org]

30th USENIX Security Symposium (USENIX Security 21)

@inproceedings {272204,
    author = {Philipp Jeitner and Haya Shulman},
    title = {Injection Attacks Reloaded: Tunnelling Malicious Payloads over {DNS}},
    booktitle = {30th {USENIX} Security Symposium ({USENIX} Security 21)},
    year = {2021},
    isbn = {978-1-939133-24-3},
    pages = {3165--3182},
    url = {https://www.usenix.org/conference/usenixsecurity21/presentation/jeitner},
    publisher = {{USENIX} Association},
    month = aug,
}

Philipp Jeitner, Haya Shulman, Lucas Teichmann and Michael Waidner

XDRI Attacks - and - How to Enhance Resilience of Residential Routers [usenix.org] [arXiv.org]

31th USENIX Security Symposium (USENIX Security 22)

@inproceedings {97239,
    author = {Philipp Jeitner, Haya Shulman, Lucas Teichmann and Michael Waidner},
    title = {{XDRI} Attacks - and - How to Enhance Resilience of Residential Routers},
    booktitle = {31th {USENIX} Security Symposium ({USENIX} Security 22)},
    year = {2022}, 
    url = {https://www.usenix.org/conference/usenixsecurity22/presentation/jeitner},
    publisher = {{USENIX} Association},
    month = aug,
}
                    

Articles and Talks

  • Philipp Jeitner: Resurrection of injection attacks. APNIC blog. Feb 2022. [blog.apnic.net]
  • Philipp Jeitner: Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS. NANOG'83. Nov 2021. [youtube.com]

Vulnerabilities and patches

2021

2022

Additonal CVEs and patches will be listed here once they are published by the developer.