View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0005968 | unreal | ircd | public | 2021-08-10 16:42 | 2021-10-03 10:56 |
Reporter | syzop | Assigned To | syzop | ||
Priority | normal | Severity | minor | Reproducibility | N/A |
Status | resolved | Resolution | fixed | ||
Product Version | 5.2.1.1 | ||||
Fixed in Version | 5.2.2 | ||||
Summary | 0005968: new c-ares version | ||||
Description | c-ares has released 1.17.2 due to a security advisory https://c-ares.haxx.se/adv_20210810.html | ||||
Additional Information | An example domain which has a cname including a zero byte:

```
$ adig cnamezero.test2.xdi-attack.net
Answers:
        cnamezero.test2.xdi-attack.net. 0 CNAME victim.test2.xdi-attack.net\000.test2.xdi-attack.net.
        victim.test2.xdi-attack.net\000.test2.xdi-attack.net. 0 A 141.12.174.88
```

When resolved via a vulnerable implementation, the CNAME alias and name of the A record will seem to be victim.test2.xdi-attack.net instead of victim.test2.xdi-attack.net\000.test2.xdi-attack.net, a totally different domain. This is a clear error in zero-byte handling and can potentially lead to DNS-cache injections in case an application implements a cache based on the library.
Tags | No tags attached. | ||||
3rd party modules | |||||
|
I have tried to reproduce this issue in UnrealIRCd with spoofing with \000 both in PTR and in CNAME records. With spoofing in PTR, e.g. test.microsoft.com\000cnamezero2.testnet. then it behaves just like PTR to test.microsoft.com and thus the reverse DNS will fail to resolve to the IP (test.microsoft.com obviously does not point to me). No risk. With spoofing in CNAME, so PTR somevalidname and then somevalidname CNAME test.microsoft.com\000dev2.testnet. test.microsoft.com^@cnamezero2.testnet A 192.168.etc.. Then it will "succeed" but the displayed host is taken from the first query (PTR) so the hostname on IRC ends up being "somevalidname". I remember fixing something like that ages ago, and making it use the first name instead of the second ;) So no risk either. So seemingly just a regular c-ares update for us with no security fixes / hurry for us. Oh yeah, it does fix some OpenBSD issue and I think I saw someone complain about failing to compile on OpenBSD before, could be fixed now... |
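The zero-byte truncation described in the issue's Additional Information, shown as an added example that is not part of the issue and is not c-ares or UnrealIRCd code. `decode_name`, `has_embedded_nul` and the `WIRE` bytes are hypothetical names and constructed data: a minimal decoder for an uncompressed wire-format name, once copying label bytes raw and once escaping them, plus a length check that detects the mismatch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: wire-format name whose 4th label is "net\0",
 * matching the CNAME target in the adig output above. */
static const unsigned char WIRE[] =
    "\006victim\005test2\012xdi-attack\004net\000"
    "\005test2\012xdi-attack\003net"; /* literal's own NUL = root label */

/* Decode an uncompressed wire-format name into out (hypothetical helper).
 * escape=0 copies label bytes raw; escape=1 writes bytes outside
 * printable ASCII, '.' and '\' as \DDD. Returns decoded length or -1. */
int decode_name(const unsigned char *w, size_t wlen,
                char *out, size_t cap, int escape)
{
    size_t i = 0, o = 0;
    while (i < wlen && w[i] != 0) {
        size_t n = w[i++];
        /* n > 63 also rejects compression pointers (not handled here) */
        if (n > 63 || i + n > wlen || o + 4 * n + 2 > cap) return -1;
        if (o) out[o++] = '.';
        for (size_t k = 0; k < n; k++) {
            unsigned char c = w[i + k];
            if (!escape || (c > 0x20 && c < 0x7f && c != '.' && c != '\\'))
                out[o++] = (char)c;
            else
                o += (size_t)sprintf(out + o, "\\%03u", (unsigned)c);
        }
        i += n;
    }
    if (i >= wlen) return -1;          /* no terminating root label */
    out[o] = '\0';
    return (int)o;
}

/* A raw-decoded name is only usable as a C string if strlen() agrees
 * with the decoder's length, i.e. no label contained a zero byte. */
int has_embedded_nul(const char *name, int len)
{
    return len < 0 || strlen(name) != (size_t)len;
}

int main(void)
{
    char raw[256], esc[256];
    int rl = decode_name(WIRE, sizeof WIRE, raw, sizeof raw, 0);
    int el = decode_name(WIRE, sizeof WIRE, esc, sizeof esc, 1);
    printf("raw: \"%s\" strlen=%zu decoded=%d reject=%d\n",
           raw, strlen(raw), rl, has_embedded_nul(raw, rl));
    printf("escaped: \"%s\" (%d)\n", esc, el);
    return 0;
}
```

The raw copy reads back as the shorter name through any `str*` function, while the escaped form keeps the two names distinct for comparison or cache keys.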
Date Modified | Username | Field | Change |
---|---|---|---|
2021-08-10 16:42 | syzop | New Issue | |
2021-08-10 16:45 | syzop | Note Added: 0022107 | |
2021-08-10 16:45 | syzop | Status | new => acknowledged |
2021-08-10 16:46 | syzop | Note Edited: 0022107 | |
2021-10-03 10:56 | syzop | Assigned To | => syzop |
2021-10-03 10:56 | syzop | Status | acknowledged => resolved |
2021-10-03 10:56 | syzop | Resolution | open => fixed |
2021-10-03 10:56 | syzop | Fixed in Version | => 5.2.2 |
2021-10-03 10:56 | syzop | View Status | private => public |