DNSSECImpl.verifySignature
compares strings incorrectly, allowing malicious zones to forge DNSSEC trust chain
#207
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
old-submission-method
Lines of code
https://github.com/code-423n4/2022-07-ens/blob/main/contracts/dnssec-oracle/DNSSECImpl.sol#L186-L190
Vulnerability details
Impact
DNSSEC allows parent zones to sign for its child zones. To check validity of a signature, RFC4034 3.1.7 requires the
Signer's Name
in any RRSIG RDATA to contain the zone of covered RRset. This requirement is reasonable since any child zone should be covered by its parent zone.ENS tries to implement the concept of name coverage in
DNSSECImpl.verifySignature
, but unfortuantely does it wrong, resulting in possibiliy of coverage between two unrelated domains. In the worst case, an attacker can utilize this bug to forge malicious trust chains and authenticate invalid domains.Proof of Concept
In
DNSSECImpl.verifySignature
, ENS tries to verify the name of RRSet zone (name
) is contained by Signer's Name (rrset.signerName
).In DNS, for a parent zone to contain another child zone, we generally require the child zone to be a subdomain of the parent. For instance,
example.eth.
in considered to coversub.example.eth.
, whilexample.eth.
should not be coverexample.eth.
.Unfortunately in the implementation shown above, both cases will path the check, and
ample.eth.
will be considered appropriate to sign forexample.eth.
. This is against the original design of DNS, and would result in breach of zone hierarchy.In practice, the requirement to exploit this is a bit more complex. Since names are stored as a sequence of packed labels,
example.eth.
should be stored as\x06example\x03eth\x00
, whilexample.eth.
is stored as\x05xample\x03eth\x00
. Thus to successfully pull off the attack ,we have to make sure that the packed signer's name is actually a substring of child zone.A simple (yet unrealistic) example can be like this
xample.eth.
can sign fore\x05xample.eth.
, since packed format of those two names are\x05xample\x03eth\x00
and\x07e\x05ample\x03eth\x00
.In general, it would require some effort for an attacker to find attackable zones, nevertheless, this should still be considered as a potential threat to the integrity of ENS.
Tools Used
None
Recommended Mitigation Steps
Check label by label instead of comparing the entire name.
To actually meet all requirements specified in RFC4034 and RFC4035, there are still a lot to do, but we will discuss that in a seperate issue for clarity.
The text was updated successfully, but these errors were encountered: