
Fuzzing Full-Resolver ( JANOG interim 42.5 )


Toshifumi Sakaguchi

October 19, 2018

1. Who am I ?

Toshifumi Sakaguchi
• Twitter: @siskrn
• GitHub: https://github.com/sischkg/
• Past presentations, lightning talks => https://dnsops.jp/
• Reported security issues.
  – PowerDNS Advisory 2015-1
  – CVE-2016-2848 (A packet with malformed options can trigger an assertion failure in ISC BIND versions released prior to May 2013 and in packages derived from releases prior to that date)
2. Summary

1. What is Fuzzing ?
2. Fuzzer for DNS full-resolver.
3. Fuzzer implementation.
4. Target software.
5. Found Issues.

Update from DNS Summer Day 2018 (2018/06/27)
• Wildcard.
• Cache poisoning.
• knot-resolver (< Ver 2.6.7) issue.
3. What is Fuzzing ?

Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. ...
Wikipedia: https://en.wikipedia.org/wiki/Fuzzing
4. Fuzzing Outline

• The fuzzer generates valid responses as an authoritative server, then modifies them into invalid responses.
• Responses are modified using random numbers.
• Find invalid responses which crash (assertion/segfault) full-resolvers.
• Attempt cache poisoning with invalid RRs.

(Diagram: DNS Client → Target Full-Resolver → Authoritative Server; the authoritative server generates a response, then modifies it before returning it.)
5. Authoritative Server

• DNSSEC (sign RRsets / NSEC / NSEC3)
• Not perfect
  – Only one zone.
  – Does not implement the following features:
    • NSEC3 Opt-out
    • TSIG
    • ...
6. Fuzzing (crafting)

Features based on past (BIND) issues.
• Append RRs
  – CLASS, TYPE, TTL, RDATA are generated randomly.
• Modify CLASS of RRs
  – IN → CH/HS/ANY/NONE
• Delete RR
• OPT RR
  – Version, payload size, options are generated randomly.
• Modify RCODE
• Sign RRsets.
• Shuffle RRs in each section.
• Modify DNS message.
  – Append, replace, delete bytes.
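The outline on slides 4 and 6 (build a valid authoritative answer, then mutate it both at the RR level and at the byte level) as an added, stand-alone example in Python using only the standard library. This is not the deck's fuzzer, whose implementation is not shown here; the zone content, owner names, seed, the operation names and the probabilities in fuzz_case are constructed for illustration. The mutations are kept as separate functions that take the operation explicitly so each one can be exercised and logged on its own.

```python
import random
import struct

# Added example: a small re-creation of the outline on slides 4 and 6 with
# the standard library only. This is NOT the deck's fuzzer; the zone, owner
# names, seed and operation names below are constructed for illustration.

TYPE_A, TYPE_NS, TYPE_OPT = 1, 2, 41
CLASS_IN, CLASS_CH, CLASS_HS, CLASS_NONE, CLASS_ANY = 1, 3, 4, 254, 255


def encode_name(name):
    """Dotted name -> uncompressed wire labels ("www.example.test." -> 03www 07example 04test 00)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

# Constructed zone: (owner, type, class, ttl, rdata)
ZONE = [
    ("www.example.test.", TYPE_A, CLASS_IN, 300, bytes([192, 0, 2, 10])),
    ("www.example.test.", TYPE_A, CLASS_IN, 300, bytes([192, 0, 2, 11])),
    ("example.test.", TYPE_NS, CLASS_IN, 3600, encode_name("ns.example.test.")),
]

def new_rng(seed=None):
    """Seeded generator so a crashing case can be reproduced from its seed."""
    return random.Random(seed)

def rr_to_wire(rr):
    owner, rtype, rclass, ttl, rdata = rr
    return encode_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_response(qname, qtype, answers, additional=(), txid=0x1234, rcode=0):
    """Step 1 of the outline: a valid authoritative response (QR=1, AA=1), no compression."""
    flags = 0x8400 | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, len(additional))
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + b"".join(rr_to_wire(rr) for rr in list(answers) + list(additional))

def random_rr(rng):
    """'Append RRs': CLASS, TYPE, TTL and RDATA drawn at random."""
    owner = rng.choice(["www.example.test.", "example.test.", "x.example.test."])
    rdata = bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 32)))
    return (owner, rng.getrandbits(16), rng.getrandbits(16), rng.getrandbits(32), rdata)

def random_opt_rr(rng):
    """'OPT RR': EDNS version, UDP payload size (the CLASS field) and one option drawn at random.
    The OPT TTL field packs extended RCODE (8 bits), version (8 bits) and flags (16 bits)."""
    ttl = (rng.getrandbits(8) << 24) | (rng.getrandbits(8) << 16) | rng.getrandbits(16)
    data = bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 16)))
    option = struct.pack("!HH", rng.getrandbits(16), len(data)) + data
    return (".", TYPE_OPT, rng.getrandbits(16), ttl, option)

def mutate_rrs(rrs, op, rng):
    """Structured mutations on one section, applied before serialisation."""
    rrs = list(rrs)
    if op == "shuffle":                                   # 'Shuffle RRs in each section'
        rng.shuffle(rrs)
    elif op == "append":
        rrs.append(random_rr(rng))
    elif op in ("class", "delete"):
        if rrs:                                           # nothing to change in an empty section
            i = rng.randrange(len(rrs))
            if op == "delete":
                del rrs[i]
            else:                                         # IN -> CH / HS / ANY / NONE
                owner, rtype, _, ttl, rdata = rrs[i]
                rrs[i] = (owner, rtype, rng.choice([CLASS_CH, CLASS_HS, CLASS_ANY, CLASS_NONE]), ttl, rdata)
    else:
        raise ValueError(f"unknown operation {op!r}")
    return rrs

def mutate_bytes(msg, op, rng):
    """'Modify DNS message': append, replace or delete a single raw byte."""
    buf = bytearray(msg)
    if op == "append":
        buf.insert(rng.randint(0, len(buf)), rng.getrandbits(8))
    elif op in ("replace", "delete"):
        if buf:
            i = rng.randrange(len(buf))
            if op == "delete":
                del buf[i]
            else:
                buf[i] = rng.getrandbits(8)
    else:
        raise ValueError(f"unknown operation {op!r}")
    return bytes(buf)

def fuzz_case(rng, qname="www.example.test.", qtype=TYPE_A):
    """One iteration: the valid answer, then a structured and a byte-level mutation.
    Returns (valid_wire, mutated_wire, description) so a harness can log what it sent."""
    answers = [rr for rr in ZONE if rr[0] == qname and rr[1] == qtype]
    rr_op = rng.choice(["append", "class", "delete", "shuffle"])
    byte_op = rng.choice(["append", "replace", "delete"])
    rcode = rng.randint(1, 15) if rng.random() < 0.2 else 0           # 'Modify RCODE'
    extra = [random_opt_rr(rng)] if rng.random() < 0.5 else []         # 'OPT RR'
    valid = build_response(qname, qtype, answers)
    crafted = build_response(qname, qtype, mutate_rrs(answers, rr_op, rng), extra, rcode=rcode)
    return valid, mutate_bytes(crafted, byte_op, rng), f"rr:{rr_op} bytes:{byte_op} rcode:{rcode} opt:{bool(extra)}"

if __name__ == "__main__":
    rng = new_rng(2018)
    for _ in range(3):
        valid, mutated, desc = fuzz_case(rng)
        print(desc, len(valid), "->", len(mutated), mutated.hex())
```

Keeping the valid wire next to the mutated one is what makes a crash reproducible: the seed, the operation string and the two byte strings together are the whole test case, and the description is what a harness should log when it later checks whether the resolver under test is still alive.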
7. Client

• Generate query.
  – Generate QNAME from zone data.
  – QCLASS, QTYPE are selected randomly.
  – OPT
    • Version, payload size, options are generated randomly.
• Send queries.
  – Send generated queries continually.
• Check full-resolver status.
  – Crash ?
  – Resolves names ?
8. Target Software

• Full-resolvers
  – BIND 9.12.x, 9.7.x (CentOS 6.x RPM)
  – Unbound
  – PowerDNS Recursor 4.1.x
  – Knot Resolver
• Forwarding / load balancing
  – dnsmasq
  – dnsdist
  – coredns
9. Found Issues

• PowerDNS Security Advisory 2017-08: Crafted CNAME answer can cause a denial of service
  – https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-08.html
• Knot Resolver: fix CVE-2018-1110: denial of service triggered by malformed DNS messages (2 issues)
  https://lists.nic.cz/pipermail/knot-resolver-announce/2018/000000.html
  – https://gitlab.labs.nic.cz/knot/knot-resolver/issues/334
  – https://gitlab.labs.nic.cz/knot/knot-resolver/issues/335
• Knot Resolver 2.3.0 crashes in module/stats: libknot (knot-dns < 2.6.7) knot_dname_to_str memory overflow
  – https://gitlab.labs.nic.cz/knot/knot-dns/raw/v2.6.7/NEWS
  – https://gitlab.labs.nic.cz/knot/knot-resolver/issues/354
10. Found New Issues

• knot-resolver 2.3.0 aborted with "kresd: libknot/packet/pkt.c:84: pkt_wire_alloc: Assertion `len >= KNOT_WIRE_HEADER_SIZE' failed."
  – https://gitlab.labs.nic.cz/knot/knot-resolver/issues/366
  – DNSSEC validation enabled.
  – knotd crashes on a small (< DNS header size) response in iterative mode.
  – Fixed in 2.4.0
  – In ChangeLog: "minimal libknot version is now 2.6.7 to pull in latest fixes (#366 (closed))"
    • Included in "knot_dname_to_str memory overflow"
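The failure mode on this slide, a response shorter than the 12-byte DNS header reaching code that only asserts on its length, is the kind of input a resolver's message parser should reject at the boundary, before any field is read. The following added example, which is not code from Knot Resolver, libknot or the deck, shows the pre-parse checks in Python over constructed sample messages: minimum length, QR bit, transaction id, and bounded name decoding that only accepts backward compression pointers so a pointer loop cannot occur. The message bytes and the 0x1234 transaction id are constructed for illustration.

```python
import struct

# Added example, not code from the deck or from Knot Resolver: the boundary
# checks a resolver can apply to an upstream response before any field is
# read. The sample messages below are constructed.

HEADER_SIZE = 12            # a DNS message can never be shorter than its header
MAX_LABEL, MAX_NAME = 63, 255

# Constructed: a well-formed response for www.example.test. A 192.0.2.10,
# with the answer owner name compressed back to the question (pointer 0x0c).
GOOD = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
        + b"\x03www\x07example\x04test\x00\x00\x01\x00\x01"
        + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x0a")
# Constructed: the failure mode on the slide, a 5-byte "response".
SHORT = b"\x12\x34\x81\x80\x00"
# Constructed: a header followed by a compression pointer to itself.
LOOP = GOOD[:12] + b"\xc0\x0c"


def parse_header(msg):
    """Header fields as a dict; rejects anything too short to hold a header."""
    if len(msg) < HEADER_SIZE:
        raise ValueError(f"message of {len(msg)} bytes is shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:HEADER_SIZE])
    return {"id": txid, "qr": (flags >> 15) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def read_name(msg, offset):
    """Decode one possibly-compressed name with bounds checks.
    Returns (dotted name, offset just past the name in the original stream).
    Pointers must point backwards, so every hop strictly decreases the offset
    and a loop is impossible without an explicit hop counter."""
    labels, end, wire_len = [], None, 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                         # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            if target >= offset:
                raise ValueError("forward compression pointer")
            end = offset + 2 if end is None else end      # resume here after the jump
            offset = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        if length > MAX_LABEL:
            raise ValueError("label longer than 63 octets")
        offset += 1
        wire_len += length + 1
        if wire_len > MAX_NAME:
            raise ValueError("name longer than 255 octets")
        if length == 0:
            break
        if offset + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def validate_response(msg, expected_id):
    """Cheap checks before the message is handed to the full parser.
    Returns a list of problems; an empty list means 'plausible so far'."""
    try:
        hdr = parse_header(msg)
    except ValueError as e:
        return [str(e)]
    problems = []
    if hdr["id"] != expected_id:
        problems.append("transaction id mismatch")
    if not hdr["qr"]:
        problems.append("QR bit clear: this is a query, not a response")
    offset = HEADER_SIZE
    try:
        for _ in range(hdr["qdcount"]):                   # walk the question section
            _, offset = read_name(msg, offset)
            if offset + 4 > len(msg):
                raise ValueError("question section truncated")
            offset += 4
    except ValueError as e:
        problems.append(str(e))
    return problems


if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("short", SHORT), ("loop", LOOP)):
        print(label, validate_response(msg, 0x1234) or "ok")
```

Returning a list of problems rather than raising at the first one lets a resolver log why a response was dropped, which is also the signal a fuzzing harness wants when it checks whether its mutated answers are being rejected cleanly or are reaching deeper code.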