Commit
CVE-2017-12995/Check for DNS compression pointers that don't point backwards.

This is what BIND 9.11.0-P2 does; it not only detects pointers that loop, as "point backwards" means "point before anything we've processed so far, including what we're processing right now", so the pointer can't point to itself (as that's what we're processing right now). This fixes an infinite loop discovered by Forcepoint's security researchers Otto Airamo & Antti Levomäki. Add a test using the capture file supplied by the reporter(s). Also, add some infinite-pointer-loop captures. More checks should be done. We might, for example, want to make sure the upper 2 bits of the label length/pointer byte are 00 or 11, and that if we encounter a pointer and jump backwards to what we think is a label the label ends before the beginning of the last label we processed, to make sure the pointer doesn't point backwards into the *middle* of a label, and also make sure the entire name is <= 255 bytes long.
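The backwards-pointer rule from the commit message, worked as an added C example (not tcpdump's print-domain.c): a name decoder that rejects any compression pointer not pointing strictly before the start of the name being parsed, and goes beyond the commit by also applying the follow-up checks the message lists (upper two bits 00 or 11, labels at most 63 octets, whole name at most 255 octets) plus the header-offset point raised in the comment below. The message layouts and names are constructed; the mid-label check the message mentions is left out, as it is in the commit.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode the compressed name at msg[off] into out (dotted form). Returns bytes
 * consumed in place (through the first pointer or the root label), -1 if bad. */
int dns_name_decode(const uint8_t *msg, size_t len, size_t off,
                    char *out, size_t outlen)
{
    size_t lowest = off, pos = off, o = 0, total = 0;
    int consumed = -1;

    for (;;) {
        if (pos >= len) return -1;
        uint8_t c = msg[pos];
        if ((c & 0xC0) == 0xC0) {                /* compression pointer */
            if (pos + 1 >= len) return -1;
            size_t target = ((c & 0x3F) << 8) | msg[pos + 1];
            if (consumed < 0) consumed = (int)(pos + 2 - off);
            /* CVE-2017-12995 check: target must lie strictly before everything handled
             * so far (no self-reference or forward jump) and not inside the 12-byte header. */
            if (target >= lowest || target < 12) return -1;
            lowest = pos = target;
            continue;
        }
        if (c & 0xC0) return -1;                 /* 01/10 prefixes are reserved */
        total += c + 1;
        if (c > 63 || total > 255) return -1;    /* RFC 1035 label/name limits */
        if (c == 0) {                            /* root label ends the name */
            if (consumed < 0) consumed = (int)(pos + 1 - off);
            if (o == 0) { if (outlen < 2) return -1; out[o++] = '.'; }
            out[o] = '\0';
            return consumed;
        }
        if (pos + 1 + c > len || o + c + 1 >= outlen) return -1;
        memcpy(out + o, msg + pos + 1, c);
        o += c; out[o++] = '.'; pos += 1 + c;
    }
}

/* Constructed messages: 12 zero header bytes, then name data from offset 12. */
static const uint8_t msg_ok[] = {0,0,0,0,0,0,0,0,0,0,0,0, 3,'w','w','w', 7,'e','x',
    'a','m','p','l','e', 3,'c','o','m', 0, 4,'m','a','i','l', 0xC0,16}; /* -> 16 */
static const uint8_t msg_self[]    = {0,0,0,0,0,0,0,0,0,0,0,0, 0xC0,12}; /* itself */
static const uint8_t msg_forward[] = {0,0,0,0,0,0,0,0,0,0,0,0, 0xC0,14, 0xC0,12};
static const uint8_t msg_header[]  = {0,0,0,0,0,0,0,0,0,0,0,0, 0xC0,5}; /* header */
static char name_buf[256];
/* Decoded name, or NULL when the decoder rejects the message. */
const char *decode_or_null(const uint8_t *msg, size_t len, size_t off)
{ return dns_name_decode(msg, len, off, name_buf, sizeof name_buf) < 0 ? NULL : name_buf; }
```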
1 parent 866c602, commit 3a76fd7
Showing 10 changed files with 33 additions and 18 deletions.
@@ -0,0 +1 @@ | ||
IP 10.0.0.1.1024 > 146.84.28.88.53: 60777 Type49159 (Class 49168)? <BAD PTR>[|domain] |
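Review bot: The expected output here is only `<BAD PTR>[|domain]` with no label printed before it, so this capture's QNAME must begin with a rejected pointer, but nothing in the .out says whether that pointer references itself or jumps forward, the two cases the commit message distinguishes. Since the .pcap is binary and cannot be read in review, consider recording which case this capture covers in the test's name or its entry in the test list.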
Binary file not shown.
@@ -0,0 +1 @@ | ||
IP 10.0.0.1.1024 > 146.84.28.88.53: 18992 Type49164 (Class 49168)? <BAD PTR>[|domain] |
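Review bot: Apart from the id (18992 vs 60777) and the type (49164 vs 49159), this output is identical to the previous capture's, so from the .out files alone the two tests appear to exercise the same condition; if one is the self-referencing pointer and the other the forward pointer, a note to that effect would justify keeping both.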
Binary file not shown.
@@ -0,0 +1 @@ | ||
IP 10.0.0.1.1024 > 146.84.28.88.53: 65483 Type49164 (Class 49164)? thisleetostringwillcrashyourlittlenameserverforsurehahahahahah.<BAD PTR>[|domain] |
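Review bot: This output shows a 62-octet first label printed in full before `<BAD PTR>`, so here the check fires after a valid label has been consumed, which complements the first two captures where the pointer is the first thing in the name. None of the four outputs, however, covers the case the commit message itself calls out as still unchecked (a backwards pointer landing in the middle of a label), so that follow-up should be tracked separately rather than assumed covered by these tests.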
Binary file not shown.
@@ -0,0 +1,2 @@ | ||
be:af:ca:ce:ff:ff > de:ad:be:ef:00:01, ethertype IPv4 (0x0800), length 63207: (tos 0x0, ttl 128, id 36039, offset 0, flags [none], proto UDP (17), length 63193) | ||
156.118.17.235.53 > 156.118.27.229.500: [udp sum ok] 51584 zoneRef NoChange*|$ [64259q] q: Type507 (Class 769)? M-{.^AM-{^C.M-{.^AM-{^C.M-{.^AM-{^C.M-{.^AM-{^C.M-{.^AM-{ .M-{^C^A.<BAD PTR>[|domain] |
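Review bot: This expected output includes a link-layer line (`be:af:ca:ce:ff:ff > de:ad:be:ef:00:01, ethertype IPv4`) and IP header details (tos, ttl, id) that the other three .out files lack, so this test must run with different tcpdump options than the others; the test list entry is not part of this diff, so please confirm the options recorded there produce exactly this output, otherwise the comparison fails for reasons unrelated to the pointer check. The `[64259q]` question count and the 63193-byte UDP length show the printer walking a large fuzzed payload before reaching `<BAD PTR>`, which makes this a worthwhile regression case to keep.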
Binary file not shown.
RFC 1035 has an implicit requirement for "backwards pointers" in §4.1.4 (my emphasis)
Arguably, a compression pointer also cannot contain a value of less than 12, since that then points into the message header and not to a "name".