#BHUSA BlackHatEvents

[Slide 1] TuDoor Attack: Systematically Exploring and Exploiting Logic Vulnerabilities in DNS Response Pre-processing with Malformed Packets
Speaker: Qi Wang, Tsinghua University
Contributors: Xiang Li, Nankai University & Chuhan Wang, Tsinghua University

[Slide 2] Attack Impact
Poisoning vulnerable resolvers' cache within just one second. Our TuDoor attack could poison arbitrary domains, e.g., .com.

[Slide 3] Domain Name System (DNS)
DNS Overview
- Translating domain names to IP addresses
- Entry point of many Internet activities
- Domain names are widely used
[Figure: a name resolving to 93.184.216.34 underpins Web, CDN, Email and Certificate services. Cited from an external source (attribution not recovered).]

[Slide 4] Domain Name System (DNS)
Hierarchical Name Space
- Authoritative zones: root, TLD, SLD; DNS records
- Domain delegation; domain registration
Multiple Resolver Roles
- Client, forwarder, recursive, authoritative
- Caching
Iterative Resolution Process
- Client-server style
[Figure: namespace root (.) delegating to the TLDs net and com, which delegate to the SLD example. Resolution path: DNS client -> forwarder -> recursive resolver -> authoritative servers (root, TLD, SLD). Steps: (1) client query to the forwarder, (2) forwarder query to the recursive, (3) query to the root, (4) referral to the TLD NS, (5) query to the TLD, (6) referral to the SLD NS, (7) query to the SLD, (8) authoritative answer, (9)-(10) response relayed back to the client.]

[Slide 5] Domain Name System (DNS)
DNS Resolution Process
- Primarily over UDP
- Iterative and recursive
- Caching
[Figure: the same resolution path with the two packets shown. Query: SP=50000, DP=53, TXID=1001, QD section holding an A query (owner name not recovered), AN/AU/AR sections empty. Response: SP=53, DP=50000, TXID=1001, AN section holding an A record 1.1.1.1. Source port and TXID each range over 65536 values, a 32-bit space in total.]

[Slide 6] Takeaway
Since DNS is the cornerstone of the Internet, enabling multiple critical services and applications, attackers have long been trying to manipulate its responses for hijacking via cache poisoning attacks.

[Slide 7] Question
What is DNS cache poisoning? Since DNS is primarily over UDP, attackers want to inject forged answers into resolvers' cache.

[Slide 8] DNS Cache Poisoning
Target
- Injecting forged answers into resolvers' cache
Taxonomy
- On-path, off-path
Technique
- Cat-and-mouse game
[Timeline: 1997 Kashpureff Attack; 2002 Birthday Attack; 2008 Kaminsky Attack; 2013 Fragmentation Attack; 2020 Attack on Forwarders; 2020 SADDNS Attack; 2021 Attack via Escaped Chars; 2021 SADDNS v2; 2022 Attack via Escaped Chars v2; 2023 MaginotDNS Attack. Figure: the Web/CDN/Email/Certificate services behind 93.184.216.34, now marked "Hacked".]

[Slide 9] DNS Cache Poisoning (1/5)
Kashpureff Attack (on-path, 1997)
- Method: returning forged responses from the authoritative
- Result: resolver accepting all records in the response
- Cause: lacking data verification (bailiwick rules)
[Figure: evil client, authoritative server, ISP resolver with its cache, unsuspecting server. Step 1: recursive query; Step 2: iterative query; Step 3: response including an extra RR (name not recovered); Step 4: recursive query; Step 5: bogus response.]

[Slide 10] DNS Bailiwick Rules
Mitigating the Kashpureff Attack
- The credibility checking when storing cache entries
- Checking for "in bailiwick" in response data: answer records must be from the same domain as the requested name
Example dig output (owner names did not survive extraction):
    $ dig (query name not recovered)
    ;; ANSWER SECTION:      86400 IN A  93.184.216.34
    ;; AUTHORITY SECTION:   86400 IN NS (name not recovered)
    ;; ADDITIONAL SECTION:  86400 IN A  1.2.3.4
The slide marks each record as either in-bailiwick (can be trusted) or out-of-bailiwick (should be removed).

[Slide 11] Takeaway
After the Kashpureff attack, bailiwick checking is integrated into resolver implementations; DNS cache poisoning on recursives from the on-path seems impossible to conduct from 1997 on.

[Slide 12] DNS Cache Poisoning (2/5)
Kaminsky Attack (off-path, 2008)
- Method: injecting forged responses with the "birthday paradox"
- Result: resolver accepting glue records in the response
- Cause: lacking source port randomization (TXID only 16 bits)
[Figure: evil client, authoritative server, ISP resolver with its cache, unsuspecting server. Step 1: recursive query; Step 2: iterative query with TXID=1001; Step 3: genuine response, TXID=1001, carrying an NS record and an A record 1.1.1.1; Step 4: flood of forged responses with guessed TXID=XXXX, carrying an NS record and an A record 6.6.6.6 (owner names not recovered). If the TXID matches, success; if not, start the attack again with another (name elided on the slide).]

[Slide 13] DNS Source Port/TXID Randomization
Mitigating the Kaminsky Attack
- Increasing the query guessing entropy
- 16-bit source port x 16-bit TXID = 32-bit space
- Hard to brute-force
[Figure: source port (65536 values) x TXID (65536 values).]

[Slide 14] Takeaway
After the Kaminsky attack, source port randomization is integrated into resolver implementations; DNS cache poisoning on resolvers from the off-path became difficult to conduct from 2008 on.
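The bailiwick rule from slide 10, as an added example that is not part of the original slides: a small Python filter that keeps only records whose owner name lies within the zone the queried server is authoritative for. The record set, the `example.com` zone, the 192.0.2.53 glue and the `www.victim-bank.test` name are constructed; the 93.184.216.34 and 1.2.3.4 addresses are the slide's.

```python
# Added example, not from the slides: filtering a response by bailiwick.
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str       # owner name, e.g. "www.example.com."
    rtype: str      # "A", "NS", ...
    rdata: str
    section: str    # "answer", "authority" or "additional"

def canon(name: str) -> str:
    """Lower-case and add the trailing dot so that comparisons are label-safe."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner equals zone or lies below it; a label boundary is required,
    so "notexample.com." is NOT inside "example.com."."""
    owner, zone = canon(owner), canon(zone)
    return zone == "." or owner == zone or owner.endswith("." + zone)

def filter_response(query_name: str, server_zone: str, records: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split a response into (trusted, dropped). server_zone is the zone the
    queried server was delegated for; if the requested name itself is outside
    it, nothing from the response is trusted."""
    if not in_bailiwick(query_name, server_zone):
        return [], list(records)
    kept, dropped = [], []
    for rr in records:
        (kept if in_bailiwick(rr.name, server_zone) else dropped).append(rr)
    return kept, dropped

# Constructed response in the Kashpureff pattern: genuine data for the
# requested name plus an additional record for an unrelated domain.
SAMPLE = [
    RR("www.example.com.", "A", "93.184.216.34", "answer"),
    RR("example.com.", "NS", "ns1.example.com.", "authority"),
    RR("ns1.example.com.", "A", "192.0.2.53", "additional"),
    RR("www.victim-bank.test.", "A", "1.2.3.4", "additional"),  # out of bailiwick
]

def demo() -> tuple[list[RR], list[RR]]:
    return filter_response("www.example.com", "example.com", SAMPLE)

if __name__ == "__main__":
    kept, dropped = demo()
    for rr in kept:
        print("trust:", rr)
    for rr in dropped:
        print("drop :", rr)
```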
[Slide 15] DNS Cache Poisoning (3/5)
Fragmentation-based Attack (off-path, 2013)
- Method: injecting forged responses by exploiting the 2nd fragment, which is not checked
- Result: resolver accepting records in the reassembled response
- Cause: accepting small-sized packets & predictable IPID (16 bits)
[Figure: fragment 1 carries the validation fields (source port, TXID); fragment 2 carries no validation fields. The IPID needs to be the same for f1 & f2.]

[Slide 16] DNS Cache Poisoning (3/5)
Fragmentation-based Attack (off-path, 2013), continued; same bullets as slide 15
[Figure: attacker, recursive resolver, authoritative server. Step 0: a spoofed 2nd fragment (no UDP and DNS headers) is sent to the recursive resolver and held in its reassembly cache; Step 1: DNS query to the recursive resolver; Step 2: DNS query from the recursive to the authoritative server; Step 3: fragmented response (forced fragmentation). The genuine 1st fragment is defragmented with the spoofed 2nd fragment, and the rogue response is cached by the recursive resolver.]

[Slide 17] IPID Randomization! Restricting Frag.?
Mitigating the Fragmentation-based Attack
- IPID randomization
  - The fragmentation-based attack needs to guess the IPID
  - A randomized IPID could prevent the 2nd fragment from being accepted
- Restricting fragmentation
  - The root cause is fragmentation; no fragmentation, or restricting it, could be one mitigation
  - For example, reducing the packet size, falling back to TCP, restricting the frag_number/timeout
- Other methods
  - Adding new validation fields, such as applying 0x20 encoding to each RR

[Slide 18] Takeaway
After the fragmentation-based attack, IPID randomization and fragmentation restriction are widely applied in the OS kernel; DNS cache poisoning exploiting fragmentation became difficult to conduct from 2013 on.

[Slide 19] DNS Cache Poisoning (3/5)
Fragmentation-based Attack on Forwarders (off-path, 2020)
- From our NISL lab, published at USENIX Security 2020
- New method: although it is not easy to trigger fragmentation for a normal response, we can increase the packet size with our own controlled domain
[Figure: increasing the packet size with a CNAME chain.]

[Slide 20] DNS Cache Poisoning (4/5)
SADDNS Attack (off-path, 2020)
- Method: inferring the source port using the Linux kernel's side-channel
- Result: guessing the source port in a short time, resolver accepting fake records
- Cause: the Linux kernel's global ICMP rate-limit leaking the port in use
[Figure: attacker, recursive resolver, authoritative server. (1) The resolver's A query leaves with sp=x, dp=53, id=0; (2) the attacker mutes the authoritative server; (3) port scan: probes from a.t.k.r with sp=53, dp=0,1,2,...,x and id=0,1,2,...; the ICMP rate-limit counter ("no counter left" vs. "one counter left") reveals the open port: found; (4) forged answer A a.t.k.r. Legend: sp = source port, dp = dest port, v.c.t.m = legal IP, a.t.k.r = malicious IP.]

[Slide 21] Patching the Linux Kernel
Mitigating the SADDNS Attack
- ICMP global rate-limit counter randomization
  - Implemented by the Linux kernel (git.kernel.org)
- Reducing the domain resolution timeout
  - SADDNS needs a long timeout to infer the source port
  - Prevents the authoritative server from being muted easily
- General methods
  - 0x20, DNSSEC

[Slide 22] Question
26 years later, does bailiwick checking work as desired after fixing the Kashpureff attack? No. MaginotDNS breaks this guarantee with a new, powerful cache poisoning vulnerability.

[Slide 23] DNS Cache Poisoning (5/5)
MaginotDNS Attack (on-/off-path, 2023)
- From our NISL lab, published at USENIX Security 2023
- New attack surface: exploiting the bailiwick checking vulnerability to inject a fake response into the forwarder's cache, which is shared with the recursive (victim)
[Figure: a conditional DNS server (CDNS) serves forwarding zones ZF and recursive zones ZR from one global DNS cache. (1) The attacker's DNS client sends query Q for domain d_attack; (2) Qfd is forwarded to the attacker's server, which provides data for d_attack, while Qfu is forwarded to the upstream DNS server; (3) a forged response R_attack that matches Qfd or Qfu exploits the bailiwick vulnerability, e.g. "com. NS ns1.rogue-tld-ns.org", pointing at the rogue authoritative server NS_attack (ns1.rogue-tld-ns.org); (4)-(6) ordinary DNS clients querying domains in ZR match the poisoned entry, and all future queries are hijacked.]
[Slide 24] Patching the Resolver Implementation
Mitigating the MaginotDNS Attack
- Aligning the bailiwick checking logic between forwarders & recursors
  - The forwarders' logic implementation is flawed
  - Adding bailiwick checking for the forwarder
Patched software: BIND, Knot, PowerDNS, Unbound

[Slide 25] Real-world Impact
Industry
- Presented at Black Hat USA 2023
Government/University
- An Austrian government CERT daily report
- A Swedish government CERT weekly news item
- A Bournemouth University (BU) CERT news item
60+ News Coverage
- E.g., BleepingComputer, APNIC Blog, a public lecture in the 數字寰宇大家講堂 (Digital Universe Lecture Hall) series

[Slide 26] Question
Why is a new DNS cache poisoning attack still possible after researchers and vendors did lots of work? We found that the DNS response processing logic has never been studied thoroughly.

[Slide 27] Takeaway
What we did in this paper: it is necessary to provide a systematic analysis of the DNS response processing logic and expose all potential threats. And we found:

[Slide 28] History Not Over Yet
[Timeline: 1997 Kashpureff Attack; 2002 Birthday Attack; 2008 Kaminsky Attack; 2013 Fragmentation Attack; 2020 Attack on Forwarders; 2020 SADDNS Attack; 2021 Attack via Escaped Chars; 2021 SADDNS v2 Attack; 2022 Attack via Escaped Chars v2; 2023 MaginotDNS Attack; 2024 TuDoor Attack (fastest).]

[Slide 29] TuDoor Attack
What is the TuDoor attack
- Proposed by our NISL lab, published at IEEE S&P 2024
- A new set of powerful DNS-related attacks
  - DNS cache poisoning, DoS, and resource consuming
- Among them, TuDoor can poison vulnerable resolvers within 1s
Name
- Exploiting vulnerabilities of the DNS response processing logic
- A very covert response door, like a 突門 (tu men, a concealed sally port) in the Great Wall
- Called the TuDoor attack

[Slide 30] TuDoor Attack
TuDoor in the DNS Wall
Vulnerabilities in DNS Response Processing Logic
- Covert side-channel exploited by attackers
[Figure: normal DNS resolution between a recursive resolver and an authoritative server. Before: attackers need to attempt many times with a low success rate. TuDoor: attackers just need to attack once, with a success rate of 100%, using side-channels.]
[Slide 31] Attack Overview of TuDoor
Attack Target
- Resolvers, including stub resolvers, DNS forwarders, and recursive resolvers
Threat Model
- Identifying the target resolver
- Triggering different vulnerabilities
- Conducting the attack
[Figure: application -> stub resolver -> DNS forwarder -> recursive resolver -> authoritative nameserver; each of the three target resolvers keeps a cache. Normal resolution: initiating DNS queries, queries passed upstream, responses returned. Attack procedure: the attacker injects malformed packets earlier than the legal responses (from off-/on-path), triggering vulnerabilities.]

[Slide 32] Analysis of DNS Response Processing
Systematic Analysis
- 28 DNS software
  - 8 recursive resolvers, 10 DNS forwarders, 6 stub resolvers, 4 DNS programming libraries
- Constructing processing states
[State diagram of response pre-processing. States: Sending Queries; Receiving Responses; Checking Four-tuple; Processing ICMP Packet; Checking UDP/TCP Layer; Checking DNS Header; Parsing QD Section; Parsing AN, NS, AR Sections; Processing Parsed Data; Checking TXID; Checking Query Limit; Terminating Resolution. Transition conditions: unmatched four-tuple; other responses (ICMP); null UDP/TCP payload vs. UDP/TCP payload; QR=0 (query) or other DNS header errors; QD section format error; AN/NS/AR section format error; unmatched TXID; reaching / not reaching the query limit; receiving timeout; receiving closed. Legend: green arrows = safe state transitions; red arrows = vulnerable state transitions; dark arrows = normal operations; blue marks = crucial states.]
41、matched TXIDCheckingFour-tupleProcessingICMP PacketCheckingDNS LayerCheckingDNS HeaderParsingQD SectionParsing AN,NS,AR SectionCheckingTXIDCheckingQuery LimitGreen Arrows:Safe State TransitionsRed Arrows:Vul.State TransitionsDark Arrows:Normal OperationsBlue Marks:Crucial States#BHUSA BlackHatEvents
42、Vulnerable State Transitions33DNS Response Pre-processing Implementationsq Part softwareq Red lineso Vulnerable#BHUSA BlackHatEventsVulnerable State Transitions34DNS Response Pre-processing ImplementationsMicrosoft DNS(MS DNS)q If receiving new DNS query packets(QR=0)when waiting for responsesq MS D
43、NS will accept this new query and start new resolution for any domains5DNSHeaderQR=0Query12SendingQueriesProcessingHeader#BHUSA BlackHatEventsVulnerable DNS Software3524/28 Softwareq Vulnerable to cache poisoning,DoS,resource consumingRoleSoftwareCacheDoSResourcePoisoningConsumingRecur-siveBINDNoVul
44、VulUnboundNoNoVulKnotNoNoVulPowerDNSNoVulNoMicrosoftVulNoNoSimple DNS+NoVulNoTechnitiumVulVulNoForw-arderCoreDNSVulVulNopdnsdNoVulNoAcrylic DNSVulVulNoAdGuardVulVulNoDNS SafetyVulVulNoRoleSoftwareCacheDoSResourcePoisoningConsumingForw-arderDual DHCPVulNoNoNxFilterVulVulNoYogaDNSVulVulNoStubLinuxNoVu
45、lNoWindowsNoVulNoMacOSNoVulNoIOSNoVulNoChromeOSNoVulNoLibraryPythonNoVulNoGolangNoVulNoJavaScriptNoVulNoJavaNoVulNo#BHUSA BlackHatEventsVulnerable Public DNS Services361/42 Public Resolverq Vulnerable to cache poisoning17/42 Public Resolverq Vulnerable to DoS114DNSBaidu DNSDNSlify DNSOpenNIC DNSQuad
46、101Strongarm DNS#BHUSA BlackHatEventsAttack Steps of TuDoor37Three Attacksq Cache Poisoningq DoSq Resource ConsumingAttack stepsq Example:cache poisoningq One new side-channel vulnerabilityq Exposing the source porto Attackers just need to send 65,535 pktsq Attack time:avg.425mso 200 1,000 times fas
47、ter than prior attacksGuessing TXID(!#$!-!#$!#)Probing source port(%&(!-%&(!#)(!)#!: A$%&?TargetRecursive Resolver(!$)1(!%)#$&: A./!0$&?2NS of cached4(&: A./!0$&7 AuthoritativeNameserver(!()#$,:123$& A$%-?4!#$!$Sending source port 123$&5%&(!$4$: A$%&8!#$!$Attackstarted#BHUSA BlackHatEventsVulnerab
48、le Open Resolvers38Internet Scanningq Designed probing policiesq Using XMap(Open-sourced tool)q 423k(23.1%)out of 1.8M vulnerable TypeResolver number and percentageCollectedAlive on 03/10/20231,837,442(100.0%)Software identifiedMicrosoft DNS205,984(11.2%)BIND54,813(3.0%)Unbound12,765(0.7%)PowerDNS R
49、ecursor12,750(0.7%)Knot Resolver45(0.0%)CoreDNS8(0.0%)TypeResolver number and percentageVulnerableCache poisoning205,984(11.2%)DoS216,317(11.8%)Resource consuming67,623(3.7%)TuDoor423,652(23.1%)#BHUSA BlackHatEventsDiscussion&Mitigation39Vulnerability Disclosureq Confirmed and fixed by all affected
50、software:BIND9,Knot,&Microsoftq 33 CVE-ids published&Bounty awarded by MicrosoftRoot Causeq Poor DNS response pre-processing implementationsq Failing to considering corner casesMitigation Solutionq Resolvers should await a time window for promising normal responseq Ignoring queries sent to non-53 po
51、rtsDetection&Online Tool:#BHUSA BlackHatEventsBlack Hat Sound Bytes40The DNS RFCs and specifications are not clear to provide a deterministic definition for each operation,hence leaving a large attack window for ambiguous implementations.o We should check the RFCs essential specifications.The DNS im
52、plementations are not consistent across software,even for identical client queries.o This inconsistency is likely to conceal possible risks,which should be thoroughly researched and evaluated.The original DNS mechanism is insufficient to defend against several types of attacks.o To improve it,we should propose new patches or redesign some structures.#BHUSA BlackHatEvents41ToolPaperWrap-up41Thanks for listening!Any question?Xiang Li,Nankai University