Slide 1

Fuzzing Full-Resolvers
Toshifumi Sakaguchi
2018/08/07

Slide 2

Agenda
• Motivation
• What is Fuzzing
• Fuzzing Tool
• Authoritative Server Implementation
• Fuzzing Tool Implementation
• Fuzzing Targets
• Result
• Conclusion

Slide 3

Who am I?
• Name: Toshifumi Sakaguchi
• Twitter: @siskrn
• GitHub: https://github.com/sischkg/
• Found Issues:
  – PowerDNS Security Advisory 2015-01 (CVE-2015-1868, CVE-2015-5470)
  – A packet with malformed options can trigger an assertion failure in ISC BIND versions released prior to May 2013 and in packages derived from releases prior to that date. (CVE-2016-2848)
  – PowerDNS Security Advisory 2017-08 (CVE-2017-15120)

Slide 4

Motivation
• I write PoC code for published vulnerabilities. To exploit a full-resolver, a malicious authoritative server that replies with crafted DNS messages must be developed.
• If the authoritative server generates crafted DNS reply messages automatically, new vulnerabilities may be found.
• To find new vulnerabilities, I decided to develop an authoritative server for fuzzing.

Slide 5

What is FUZZING?
Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program.
from Wikipedia (https://en.wikipedia.org/wiki/Fuzzing)

Slide 6

Fuzzing Tool Summary
• The fuzzing tool acts as an authoritative server.
• Before sending reply messages to the full-resolver, the fuzzing tool crafts them.
• Finds abnormal termination bugs (assertion failure / segmentation fault).
• Does NOT find other bugs (cache poisoning ...).
[Diagram: full-resolver ⇄ fuzzing tool. The tool generates a legitimate reply message as an auth server, then crafts the message before sending it.]
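The slide defines a finding narrowly: the target must terminate abnormally (assertion failure or segmentation fault); anything else is out of scope. The following Python crash monitor, an added example and not the deck's tool, shows how a harness applies that definition to the process under test. It classifies a child's exit status by the POSIX convention that a negative return code means death by signal; the commands in the usage block are constructed stand-ins for a resolver process, and `classify_exit` / `run_and_classify` are this example's own names.

```python
"""Crash monitor for a resolver under test (added example; not the deck's tool).

The fuzzer in the deck reports only abnormal termination (assertion failure
or segmentation fault).  This helper runs a command, waits for it to exit and
classifies the outcome by that definition: a process killed by SIGABRT or
SIGSEGV is a finding, any other exit (including a hang) is not.
"""
import signal
import subprocess
import sys

# Exit outcomes the deck counts as bugs worth reporting.
CRASH_SIGNALS = {
    signal.SIGABRT: "assertion failure (abort)",
    signal.SIGSEGV: "segmentation fault",
}


def classify_exit(returncode):
    """Map a subprocess return code to (is_finding, description).

    POSIX subprocess semantics: a negative return code -N means the child was
    terminated by signal N; zero or positive is an ordinary exit status.
    """
    if returncode >= 0:
        return False, f"exited with status {returncode}"
    sig = signal.Signals(-returncode)
    if sig in CRASH_SIGNALS:
        return True, CRASH_SIGNALS[sig]
    return False, f"killed by {sig.name}"   # e.g. SIGTERM sent by the harness itself


def run_and_classify(cmd, timeout=30):
    """Run cmd to completion and classify how it ended.

    A timeout is reported separately: a hang is interesting, but it is not the
    abnormal-termination class of bug the fuzzing tool looks for.
    """
    try:
        proc = subprocess.run(cmd, timeout=timeout)
    except subprocess.TimeoutExpired:
        return False, "timeout (hang, not a crash)"
    return classify_exit(proc.returncode)


if __name__ == "__main__":
    # Constructed stand-ins for a resolver process: one clean exit, one abort.
    print(run_and_classify([sys.executable, "-c", "raise SystemExit(0)"]))
    print(run_and_classify([sys.executable, "-c", "import os; os.abort()"]))
```

In a real setup the same monitor wraps the resolver daemon (run in the foreground) and the harness records which crafted reply was in flight when a finding is reported, which is what makes the "find cause" step later in the deck tractable.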

Slide 7

Features
• DNSSEC (sign RR / NSEC(3))
• Not all features are implemented.
  – only one zone
  – the following features are not implemented:
    • domain name compression → implemented
    • wildcard → implemented
    • NSEC3 opt-out
    • TSIG
    • ...

Slide 8

Crafting Replies
Craft replies based on published (BIND etc.) vulnerabilities.
• Add/Modify/Delete RR
  – Add RR
    • CNAME/DNAME
      – CVE-2017-3137 (https://kb.isc.org/article/AA-01466/0/): A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME
    • DNSSEC (DNSKEY/RRSIG/DS/NSEC/NSEC3)
      – Some vulnerabilities affect only DNSSEC-validating resolvers
      – CVE-2017-15908 (https://blog.trendmicro.com/trendlabs-security-intelligence/systemd-vulnerability-leads-to-denial-of-service-on-linux/): "systemd Vulnerability Leads to Denial of Service on Linux"
    • Meta RR (TSIG, TKEY ...)
      – CVE-2016-9131 (https://www.fortinet.com/blog/threat-research/analysis-of-isc-bind-tkey-query-response-handling-dos-cve-2016-9131.html): Analysis of ISC BIND TKEY Query Response Handling DoS (CVE-2016-9131)
    • Domain name: autogenerated from random numbers.

Slide 9

Crafting Replies
  – Modify CLASS of RR
    • IN ⇒ CH/HS/NONE/ANY
      CVE-2015-8000 (https://kb.isc.org/article/AA-01317): Responses with a malformed class attribute can trigger an assertion failure in db.c
  – TTL/TYPE/RDATA: autogenerated from random numbers
  – OPT RR
    • Generate payload size and extended RCODE from random numbers.
      CVE-2016-2848 (https://kb.isc.org/article/AA-01317): A packet with malformed options can trigger an assertion ..
    • NSID, ECS, Cookie, TCP-KEEPALIVE
    • Autogenerated OPTION-CODE, OPTION-DATA

Slide 10

Crafting Replies
• Signing RRSets
  – Append RRSIG
    • Sign RRSets generated by fuzzing
    • Sign meta RRSets (OPT, TSIG, TKEY)
• Shuffle RRs
  – Shuffle RRs in each section
• Modify DNS message (wire format)
  – Add / Replace / Delete data

Slide 11

DNS Client
• Send crafted queries to the full-resolver
  – QNAME: generate QNAME from zone data and random numbers.
  – QTYPE, QCLASS: generate QTYPE and QCLASS from random numbers.
  – OPT: generate payload size from random numbers.
  – Transport: UDP, TCP

Slide 12

Targets: Full-resolvers
• Full-resolver
  – BIND
  – Unbound
  – PowerDNS 3.x, 4.x
  – Knot Resolver
• Proxy, Load Balancer
  – dnsmasq
  – dnsdist
  – coredns

Slide 13

System
[Diagram: fuzz-server on one side and fuzz-client on the other, with the targets between them: BIND, PowerDNS Recursor 4, PowerDNS Recursor 3, Knot Resolver, Unbound (×3), dnsmasq, coredns, dnsdist]

Slide 14

After Discovering Bugs
Find the cause:
• search the captured packets for the packet which crashed the full-resolver
• use a debugger
• explore the source code.
Send PoC code and reproduction steps to the developers.

Slide 15

Results
• PowerDNS Security Advisory 2017-08: Crafted CNAME answer can cause a denial of service
  – https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-08.html
• Knot Resolver: fix CVE-2018-1110: denial of service triggered by malformed DNS messages
  https://lists.nic.cz/pipermail/knot-resolver-announce/2018/000000.html
  – https://gitlab.labs.nic.cz/knot/knot-resolver/issues/334
  – https://gitlab.labs.nic.cz/knot/knot-resolver/issues/335
• Knot Resolver 2.3.0 crashes in module/stats.
  – https://gitlab.labs.nic.cz/knot/knot-dns/raw/v2.6.7/NEWS
  – https://gitlab.labs.nic.cz/knot/knot-resolver/issues/354
• knot-resolver 2.3.0 aborted with "kresd: libknot/packet/pkt.c:84: pkt_wire_alloc: Assertion `len >= KNOT_WIRE_HEADER_SIZE' failed."
  – https://gitlab.labs.nic.cz/knot/knot-resolver/issues/366