TuDoor Attack: Systematically Exploring and Exploiting Logic Vulnerabilities in DNS Response Pre-processing with Malformed Packets

Xiang Li, Wei Xu, Baojun Liu, Mingming Zhang, Zhou Li, Jia Zhang, Deliang Chang, Xiaofeng Zheng, Chuhan Wang, Jianjun Chen, Haixin Duan, Qi Li

May, 2024 DNS

Abstract

DNS can be compared to a game of chess in that its rules are simple, yet the possibilities it presents are endless. While the fundamental rules of DNS are straightforward, DNS implementations can be extremely complex. In this study, we intend to explore the complexities and vulnerabilities in DNS response pre-processing by systematically analyzing DNS RFCs and DNS software implementations. We present the discovery of three new types of logic vulnerabilities, leading to the proposal of three novel attacks, namely the TuDoor attack. These attacks involve the use of malformed DNS response packets to carry out DNS cache poisoning, denial-of-service, and resource consuming attacks. By performing comprehensive experiments, we demonstrate the attack’s feasibility and significant real-world impacts of TuDoor. In total, 24 mainstream DNS software, including BIND, PowerDNS, and Microsoft DNS, are affected by TuDoor. Attackers can instigate cache poisoning and denial-of-service attacks against vulnerable resolvers using a handful of crafted packets within 1 second or circumvent the query limit to deplete resolution resources (e.g., CPU). Besides, to determine the vulnerable resolver population in the wild, we collect and evaluate 16 popular Wi-Fi routers, 6 prevalent router OSes, 42 public DNS services, and around 1.8M open DNS resolvers. Our measurement results indicate that TuDoor could exploit 7 routers (OSes), 18 public DNS services, and 424,652 (23.1%) open DNS resolvers. Following the best practice of responsible disclosure, we have reported these vulnerabilities to all affected vendors, and 18 of them, including BIND, Chrome, Cloudflare, and Microsoft, have acknowledged our findings and discussed mitigation solutions with us. Furthermore, 33 CVE IDs are assigned to our discovered vulnerabilities, and we provide an online detection tool as one of the mitigation measures. Our research highlights the urgent need for standardization of DNS response pre-processing logic to enhance the security of DNS.

Type

Conference paper

Publication

In Proceedings of 2024 IEEE Symposium on Security and Privacy. San Francisco, California, May 20–23, 2024. (Acceptance rate: ??%, Acceptance rate in first cycle: ??%, Acceptance rate in second cycle: ??%, Acceptance rate in third cycle: ??%).
* Presented in OARC 42.
* Referenced by RFC 9520: Negative Caching of DNS Resolution Failures

Overview

This paper proposes the TuDoor Attack, by systematically exploring and exploiting logic vulnerabilities in DNS response pre-processing with malformed packets, leading to DNS cache poisoning (1s), denial-of-service, and resource consuming attacks.

TuDoor: https://tudoor.net/

CVE (33)

Microsoft: CVE-2023-32020
Knot: CVE-2023-26249
PowerDNS: CVE-2023-26437
Simple DNS Plus: CVE-2023-28453
Technitium: CVE-2023-28451
CoreDNS: CVE-2023-28452
Python DNS Lib: CVE-2023-29483
Golang DNS Lib: CVE-2023-29481
Node.js DNS Lib: CVE-2023-30578
c-ares: CVE-2023-32067 (CVE-2023-30579)
dnsjava: CVE-2023-29482
pdnsd: CVE-2023-30580
AdGuard Service: CVE-2023-41173
Technitium: CVE-2023-28457
CoreDNS: CVE-2023-30464
Acrylic DNS Proxy: CVE-2023-32771
Acrylic DNS Proxy: CVE-2023-32775
AdGuard Software: CVE-2023-32770
AdGuard Software: CVE-2023-32773
DNS Safety: CVE-2023-32772
DNS Safety: CVE-2023-32776
Dual DHCP DNS: CVE-2023-30632
NxFilter: CVE-2023-32769
NxFilter: CVE-2023-32769
YogaDNS: CVE-2023-32774
YogaDNS: CVE-2023-32777
Tenda AX2PRO: CVE-2023-31053
TOTOLINK: CVE-2023-31049
Nighthawk RAX70: CVE-2023-31055
SKYWORTH-wr9651x: CVE-2023-31052
MERCURY D191G: CVE-2023-31051
XIAOMI AX3000: CVE-2023-31050
ikuai8: CVE-2023-31054

Presentation

Presented in OARC 42
Referenced by RFC 9520: Negative Caching of DNS Resolution Failures

DNS DNS Security DNS Response DNS Cache Poisoning DoS Resource Consuming

Xiang Li

Ph.D. Candidate in Cyberspace Security (Tsinghua University)

Xiang Li is a 5th-year Ph.D. candidate at the Institute of Network Science and Cyberspace, Tsinghua University, advised by Professors Qi Li and Haixin Duan. His research interests include network security, protocol security, IPv6 security, DNS security, Internet measurement, network & protocol fuzzing, network vulnerability discovery & attack, and underground economy with 17 research papers. As the first author, he has published many research papers at all top-tier security conferences, including Oakland S&P, USENIX Security, CCS, NDSS, and Black Hat (Asia, USA, and Europe). He has obtained over 190 CVE/CNVD vulnerability numbers, more than $11,600 rewards, 306+ GitHub stars, multiple CERT reports, 60+ news coverage, and RFC acknowledgement. He got multiple prizes, such as 1st prize of IPv6 Technology Application Innovation Competition, 2nd prize of GeekCon 2023 DAF Contest, National Scholarship, Wang Dazhong Scholarship, and Tsinghua Outstanding Scholarship.