[dns-operations] Wormable RCE in MS Windows DNS Server CVE-2020-1350

Paul Vixie paul at redbarn.org
Thu Jul 23 02:35:30 UTC 2020


On Thursday, 23 July 2020 01:21:04 UTC Brian Somers wrote:
> ...
> 
> So, a resolver that drops or decompresses compressed SIG RRs should
> protect windows, assuming windows doesn’t just go ahead and ask the
> authority directly.
> 
> ...
> 
> In short, resolvers should disallow compressed RRSIG signers (and may not),
> should decompress SIG signers before regurgitating them to a client, and
> should probably never actually serve them in the first place unless maybe as
> part of an ANY response (I would argue that a response that contains all
> SIGs for all types for a given name is not useful to anybody).  If the
> uncompressed SIG overflows the response data to more than 64k, SERVFAIL
> should be returned to the client.
> 
> Well, that’s how I see it anyway...

in this case the SIG is not being used for validation by the full resolver, 
and its RDATA should be treated there as opaque. which means the stub should 
see a garbage RDATA (the 0xc0 bits in the signer name should be interpreted as 
ASCII not a label type, or else, interpreted as introducing a 14-bit pointer 
into a message that no longer exists, producing either a range error, or ASCII 
garbage.)

i think we have to be conservative in what we decompress, and correct in what 
we choose (not) to compress. CVE-2020-1350 shows either two or three bugs: one 
in the initiator, one in the forwarder, and possibly one in the authority.

-- 
Paul





More information about the dns-operations mailing list