Cross-domain injections

The traditional design principle for Internet protocols states: "Be strict when sending and tolerant when receiving" [RFC1958], and DNS is no exception. The transparency of DNS in handling DNS records, standardised specifically for DNS in [RFC3597], is one of the key features that made it such a popular platform for a constantly increasing number of new applications. An application simply defines a new DNS record type and can instantly start distributing it over DNS without requiring any changes to DNS servers and platforms. Our Internet-wide study confirms that more than 1.3M (96% of tested) open DNS resolvers are standard-compliant and treat DNS records transparently.

In this work we show that this "transparency" introduces a severe vulnerability in the Internet: we demonstrate a new method to launch string injection attacks by encoding malicious payloads into DNS records. We show how to weaponise such DNS records to attack popular applications. For instance, we apply string injection to launch a new type of DNS cache poisoning attack, which we evaluated against a population of open resolvers and found 105K to be vulnerable. Such cache poisoning cannot be prevented with common setups of DNSSEC. Our attacks apply to internal as well as to public services; for instance, we reveal that all eduroam services are vulnerable to our injection attacks, allowing us to launch exploits ranging from unauthorised access to eduroam networks to resource starvation. Depending on the application, our attacks cause system crashes, data corruption and leakage, and degradation of security, and can introduce remote code execution and arbitrary errors.

To identify the vulnerable implementations behind the cache-poisoning vulnerabilities in DNS resolvers, we explore the security of residential routers and find a range of critical vulnerabilities. Our evaluations show that 10 out of 35 popular routers are vulnerable to injections of fake records via misinterpretation of special characters. We also find that in 15 of the 35 routers the mechanisms that are meant to prevent cache poisoning attacks can be circumvented.
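The transparency described above means a resolver can carry any octet inside a DNS label, including a literal "." or NUL; a router that converts the wire format to text by naively joining labels with "." then produces a name that splits back into different labels than it was sent. The following is an added example (not code from the paper or the project) contrasting that naive conversion with RFC 1035 presentation-format escaping, plus a check that flags records whose naive text form does not preserve the label boundaries; the wire-format name is constructed inline.

```python
from typing import List

def parse_labels(wire: bytes) -> List[bytes]:
    """Split an uncompressed wire-format DNS name into its raw labels."""
    labels, pos = [], 0
    while True:
        length = wire[pos]
        if length == 0:
            return labels
        if length > 63:  # compression pointers / extended labels are out of scope here
            raise ValueError("unsupported label type")
        pos += 1
        labels.append(wire[pos:pos + length])
        pos += length

def name_to_text_naive(wire: bytes) -> str:
    """Join labels with '.', as a simplistic implementation might (lossy)."""
    return ".".join(lbl.decode("latin-1") for lbl in parse_labels(wire))

def escape_label(label: bytes) -> str:
    """Escape one label following RFC 1035 section 5.1 presentation format."""
    out = []
    for b in label:
        if b < 0x21 or b > 0x7E:          # non-printable or space: \DDD decimal escape
            out.append(f"\\{b:03d}")
        elif b in b'."\\$();@':           # characters with special meaning in zone/config syntax
            out.append("\\" + chr(b))
        else:
            out.append(chr(b))
    return "".join(out)

def name_to_text_safe(wire: bytes) -> str:
    """Unambiguous text form: every label escaped, so '.' only separates labels."""
    return ".".join(escape_label(lbl) for lbl in parse_labels(wire))

def labels_preserved(wire: bytes) -> bool:
    """Detection check: does the naive text form split back into the original labels?"""
    original = [lbl.decode("latin-1") for lbl in parse_labels(wire)]
    return name_to_text_naive(wire).split(".") == original

def wire_name(*labels: bytes) -> bytes:
    """Build an uncompressed wire-format name from raw labels (helper for the sample)."""
    return b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"

# Constructed sample: the first label itself contains a '.' and a NUL octet.
SPECIAL = wire_name(b"mail.example\x00", b"example", b"net")
PLAIN = wire_name(b"www", b"example", b"com")
```

Running `name_to_text_naive(SPECIAL)` yields a name that reads as four labels, while `name_to_text_safe(SPECIAL)` keeps the three original labels visible as `mail\.example\000.example.net`.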

In our Internet-wide study with an advertisement network, we identified and analyzed 976 residential routers used by web clients, out of which more than 95% were found vulnerable to our attacks. Overall, vulnerable routers are prevalent and are distributed among 177 countries and 4830 networks.

To understand the core factors causing the vulnerabilities we perform black- and white-box analyses of the routers. We find that many problems can be attributed to incorrect assumptions on the protocols' behaviour and the Internet, misunderstanding of the standard recommendations, bugs, and simplified DNS software implementations.

We also set up a tool to enable everyone to evaluate the security of their routers here.

Publications

Philipp Jeitner and Haya Shulman

Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS [usenix.org] [arXiv.org]

30th USENIX Security Symposium (USENIX Security 21)

@inproceedings {272204,
    author = {Philipp Jeitner and Haya Shulman},
    title = {Injection Attacks Reloaded: Tunnelling Malicious Payloads over {DNS}},
    booktitle = {30th {USENIX} Security Symposium ({USENIX} Security 21)},
    year = {2021},
    isbn = {978-1-939133-24-3},
    pages = {3165--3182},
    url = {https://www.usenix.org/conference/usenixsecurity21/presentation/jeitner},
    publisher = {{USENIX} Association},
    month = aug,
}

Philipp Jeitner, Haya Shulman, Lucas Teichmann and Michael Waidner

XDRI Attacks - and - How to Enhance Resilience of Residential Routers [usenix.org] [arXiv.org]

31st USENIX Security Symposium (USENIX Security 22)

@inproceedings {97239,
    author = {Philipp Jeitner and Haya Shulman and Lucas Teichmann and Michael Waidner},
    title = {{XDRI} Attacks - and - How to Enhance Resilience of Residential Routers},
    booktitle = {31st {USENIX} Security Symposium ({USENIX} Security 22)},
    year = {2022},
    url = {https://www.usenix.org/conference/usenixsecurity22/presentation/jeitner},
    publisher = {{USENIX} Association},
    month = aug,
}

Articles and Talks

  • Philipp Jeitner: Resurrection of injection attacks. APNIC blog. Feb 2022. [blog.apnic.net]
  • Philipp Jeitner: Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS. NANOG'83. Nov 2021. [youtube.com]

Vulnerabilities and patches

2021

2022

¹: Unverified information provided by the vendor; may include future firmware releases not yet publicly available.

Additional CVEs and patches will be listed here once they are published by the developer.