upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-10 02:00:00 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Test that unsolicited NS in positive answer cannot overwrite current NS

Browse source 
Before the fixes for CVE-2025-40778, an unsolicited in-bailiwick NS
record was accepted from a (spoofed) answer, enabling a single spoofed A
query/response to redirect traffic for a whole delegation.

In short, the attacker tries to spoof at least one answer that has the
following form:

    rcode NOERROR
    flags QR AA
    ;QUESTION
    trigger$RANDOM.victim. IN TXT
    ;ANSWER
    trigger$RANDOM.victim. 3600 IN TXT "spoofed answer with extra NS"
    ;AUTHORITY
    victim. 3600 IN NS ns.attacker.
    ;ADDITIONAL

This attack was originally reported as "test case 1".

Co-authored-by: Michał Kępień <michal@isc.org>
This commit is contained in:
Petr Špaček 2025-07-23 17:25:18 +02:00 committed by Michał Kępień
parent 26eed16d61
commit 658d2e9f8e
No known key found for this signature in database
2 changed files with 35 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
bin/tests/system/bailiwick/ans2/ans.py
View file

@ -29,6 +29,32 @@ ATTACKER_IP = "10.53.0.3"
TTL = 3600
class UnsolicitedNsSpoofer(ResponseSpoofer, mode="unsolicited-ns"):
qname = "trigger.victim."
async def get_responses(
self, qctx: QueryContext
) -> AsyncGenerator[ResponseAction, None]:
response = qctx.prepare_new_response(with_zone_data=False)
txt_rrset = dns.rrset.from_text(
qctx.qname,
TTL,
qctx.qclass,
dns.rdatatype.TXT,
'"spoofed answer with extra NS"',
)
response.answer.append(txt_rrset)
ns_rrset = dns.rrset.from_text(
"victim.", TTL, qctx.qclass, dns.rdatatype.NS, "ns.attacker."
)
response.authority.append(ns_rrset)
yield DnsResponseSend(response, authoritative=True)
def main() -> None:
spoofing_server().run()

9
bin/tests/system/bailiwick/tests_bailiwick.py
View file

@ -85,3 +85,12 @@ def test_bailiwick_sibling_ns_referral(servers: Dict[str, NamedInstance]) -> Non
ns4 = servers["ns4"]
send_trigger_query(ns4, "trigger.")
check_domain_hijack(ns4)
def test_bailiwick_unsolicited_authority(servers: Dict[str, NamedInstance]) -> None:
set_spoofing_mode(ans1="none", ans2="unsolicited-ns")
ns4 = servers["ns4"]
prime_cache(ns4)
send_trigger_query(ns4, "trigger.victim.")
check_domain_hijack(ns4)