04.05.2016 00:02, Albert ARIBAUD writes:
Hi Alexander,

On Tue, 3 May 2016 22:56:45 +0500
"Alexander E. Patrakov" <patra...@gmail.com> wrote:

03.05.2016 22:28, Albert ARIBAUD wrote:
Hi Alexander,

On Tue, 3 May 2016 21:45:00 +0500
"Alexander E. Patrakov" <patra...@gmail.com> wrote:

2016-05-03 20:37 GMT+05:00 Simon Kelley <si...@thekelleys.org.uk>:
I'm pretty sure that this is fixed in the current code.

It is indeed fixed in git! But distributions (including Ubuntu and
Arch) are still distributing a vulnerable version and are probably
unaware of it. Could you please apply for a CVE ID (if it doesn't
already exist) so that they fix their packages?

A CVE ID? For a crash caused by a specific local name record which
clashes with the public one? What's the vulnerability or exposure
here?

This is actually crashable by querying any CNAME that points to
localhost.localdomain, given that upstream is 8.8.8.8, because
localhost.localdomain nearly universally exists in /etc/hosts as ::1,
and 8.8.8.8 doesn't have an AAAA entry for it. So this is a security
issue.

I am still not seeing what the *security* issue is. How can this problem
be *exploited* in order to cause a DoS or compromise a host for
instance?

The only security issue here is a DoS.

There are systems like antispam filters that resolve e.g. domains found in email messages. Also there are browsers that resolve names in order to e.g. display iframes for ads. So it is possible for a third party ("hacker"), by sending an email to an email server or showing a bad ad to the user, to cause his antispam client or browser to try to resolve a domain of the hacker's choice for an AAAA record. If this name happens to be a CNAME that points to localhost.localdomain., then dnsmasq (which was supposed to give the DNS answer to the antispam or the browser) crashes.

Or just consider a dnsmasq shared between several users. One of them tries to resolve an AAAA record for some name (which is actually a CNAME pointing to localhost.localdomain.), and crashes dnsmasq, thus causing irritation to other users until the admin restarts dnsmasq.

--
Alexander E. Patrakov

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
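The crash condition described in this thread has a local precondition: a name that exists in /etc/hosts with a ::1 entry, so that dnsmasq answers an AAAA query for it from the hosts file while the upstream has no AAAA record. The following audit helper is an added example, not code from the thread or from the dnsmasq project; it parses text in /etc/hosts format (the sample input is constructed) and lists the names that carry a ::1 entry, so an administrator of a still-unpatched dnsmasq can see which local names a public CNAME could collide with. Whether a public CNAME actually points at one of these names cannot be checked offline and is out of scope here.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in /etc/hosts format (not taken from the mailing-list thread).
SAMPLE_HOSTS = """\
# constructed example /etc/hosts
127.0.0.1   localhost localhost.localdomain
::1         localhost localhost.localdomain ip6-localhost   # IPv6 loopback
192.0.2.10  intranet.example.test intranet
fe80::1%lo0 ip6-localhost  # trailing comment and a zone index
this is not a valid line
"""


def parse_hosts(text):
    """Parse /etc/hosts text into {hostname: {"ipv4": set, "ipv6": set}}.

    Handles comments, blank lines, tab/space separation, multiple aliases per
    line and IPv6 zone indices; malformed lines are skipped, not fatal.
    """
    table = defaultdict(lambda: {"ipv4": set(), "ipv6": set()})
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        addr_text, names = fields[0], fields[1:]
        try:
            # Strip a zone index such as %lo0 before parsing the address.
            addr = ipaddress.ip_address(addr_text.split("%", 1)[0])
        except ValueError:
            continue  # first field is not an address: skip the line
        family = "ipv6" if addr.version == 6 else "ipv4"
        for name in names:
            table[name.lower()][family].add(str(addr))
    return dict(table)


def names_with_loopback_aaaa(text):
    """Names the thread's crash condition applies to: those that /etc/hosts maps
    to ::1, so a local AAAA answer exists for them."""
    table = parse_hosts(text)
    return sorted(name for name, addrs in table.items() if "::1" in addrs["ipv6"])


if __name__ == "__main__":
    for name in names_with_loopback_aaaa(SAMPLE_HOSTS):
        print(name)
```

To run it against a real system, read /etc/hosts into a string and pass it to `names_with_loopback_aaaa`; the default loopback names (localhost, localhost.localdomain and distribution-specific aliases) are expected in the output, and any additional local names listed are the ones worth knowing about while the fixed dnsmasq package is not yet deployed.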
