黑帽大会2024(美国)

摘要

DNS can be compared to a game of chess in that its rules are simple, yet the possibilities it presents are endless. While the fundamental rules of DNS are straightforward, DNS implementations can be extremely complex. In this study, we intend to explore the complexities and vulnerabilities in DNS response pre-processing by systematically analyzing DNS RFCs and DNS software implementations. We present the discovery of three new types of logic vulnerabilities, leading to the proposal of three novel attacks, namely the TuDoor attack. These attacks involve the use of malformed DNS response packets to carry out DNS cache poisoning, denial-of-service, and resource consuming attacks. By performing comprehensive experiments, we demonstrate the attack’s feasibility and significant real-world impacts of TuDoor. In total, 24 mainstream DNS software, including BIND, PowerDNS, and Microsoft DNS, are affected by TuDoor. Attackers can instigate cache poisoning and denial-of-service attacks against vulnerable resolvers using a handful of crafted packets within 1 second or circumvent the query limit to deplete resolution resources (e.g., CPU). Besides, to determine the vulnerable resolver population in the wild, we collect and evaluate 16 popular Wi-Fi routers, 6 prevalent router OSes, 42 public DNS services, and around 1.8M open DNS resolvers. Our measurement results indicate that TuDoor could exploit 7 routers (OSes), 18 public DNS services, and 424,652 (23.1%) open DNS resolvers. Following the best practice of responsible disclosure, we have reported these vulnerabilities to all affected vendors, and 18 of them, including BIND, Chrome, Cloudflare, and Microsoft, have acknowledged our findings and discussed mitigation solutions with us. Furthermore, 33 CVE IDs are assigned to our discovered vulnerabilities, and we provide an online detection tool as one of the mitigation measures. Our research highlights the urgent need for standardization of DNS response pre-processing logic to enhance the security of DNS.

日期
8月 7, 2024 12:00 AM — 8月 7, 2023 11:59 PM
位置
MANDALAY BAY CONVENTION CENTER
3950 Las Vegas Blvd. South, Las Vegas, 89119

在黑帽大会2024(美国)上, 汪琦学弟分享了我的研究工作:“TuDoor Attack: Systematically Exploring and Exploiting Logic Vulnerabilities in DNS Response Pre-processing with Malformed Packets”。

李想
李想
南开大学副教授

李想,南开大学副教授,南开大学CTF战队指导老师、ACM会员、CCF会员、中国通讯学会会员、顶会IMC 2025 PC、AsiaCCS 2025 PC。研究方向为网络与协议安全、Web安全、漏洞挖掘等,已发表论文18篇(含一作6篇:在网络安全四大顶会均有发表、通讯1篇、二作3篇),第一发明人授权专利1项及实质审查中5项(共11项),在Black Hat多次分享,获得200+CVE等漏洞编号,370+GitHub stars。研究获得多个政府及大学CERT安全公告、100+媒体报道,并被纳入RFC标准文档。其也获得了多项奖项荣誉,如2024年度ACM SIGSAC中国优博奖、2024年度黑客奥斯卡Pwnie提名奖、IPv6创新大赛一等奖、GeekCon国际安全极客大赛亚军及非凡黑客荣誉称号、王大中奖学金、博士研究生国家奖学金、清华优秀奖学金、优秀博士毕业生等。