-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:           ISC BIND Logic Error DNS Rebinding Protection Bypass
Advisory ID:        TKADV2020-001
Revision:           1.0
Release Date:       26-Apr-2020
Last Modified:      26-Apr-2020
Date Reported:      22-Jan-2020
Author:             Tobias Klein (tk at trapkit.de)
Affected Software:  ISC BIND < 9.17.1, ISC BIND < 9.16.2, ISC BIND < 9.14.11, ISC BIND < 9.11.18
Vendor URL:         https://www.isc.org/bind/
Time-to-fix:        85 days
Solution Status:    Fixed (patched releases of ISC BIND are available)
CVE-ID:             Internet Systems Consortium (ISC) chose not to assign a CVE-ID for this issue.

==========================
Vulnerability Description:
==========================

"deny-answer-aliases" is a feature of ISC BIND intended to help server operators protect end users against DNS rebinding attacks, a potential method of circumventing the security model used by client browsers. However, if BIND is configured as a forwarding DNS server, the DNS rebinding protection is ineffective.

===================
Steps to Reproduce:
===================

Operating System: Debian 10.2

1) Download a vulnerable version of BIND

This example uses version 9.14.9 of ISC BIND, available at
https://downloads.isc.org/isc/bind9/9.14.9/bind-9.14.9.tar.gz.

2) Build BIND

$ tar zxvf bind-9.14.9.tar.gz; cd bind-9.14.9; ./configure; make; sudo make install

3) Prepare the configuration file

$ sudo adduser --home /var/cache/bind/ --system --group bind
$ sudo mkdir -m 775 /var/run/named; sudo chgrp bind /var/run/named
$ sudo vim /etc/named.conf

options {
    directory "/var/cache/bind";
    recursion yes;
    querylog yes;
    forwarders { 8.8.8.8; };
    forward only;
    deny-answer-aliases { "test.lan"; };
};

zone "test.lan" {
    type master;
    file "/etc/db.test.lan";
};

4) Prepare the zone file

$ sudo vim /etc/db.test.lan

$TTL 86400
@   IN  SOA test.lan. admin.test.lan. (
        1       ; Serial
        604800  ; Refresh
        86400   ; Retry
        2419200 ; Expire
        86400 ) ; Negative Cache TTL
;
@   IN  NS  localhost.
subdomain   IN  A   192.168.0.1

5) Run the server in the foreground

$ sudo /usr/local/sbin/named -g -u bind -4

6) DNS rebinding

An attacker, in response to a query for a domain name the attacker controls, returns an alias name (CNAME or DNAME) within the victim's own domain. A naive web browser or script could then serve as an unintended proxy, allowing the attacker to get access to an internal node of the local network that couldn't be externally accessed otherwise.

The domain rebind.it hosts a name server for testing software against DNS rebinding vulnerabilities. When the following domain is queried for the first time, the server responds with the IP address 1.1.1.1 and returns the answer with a very low TTL. Subsequent queries for the same domain are then answered with the CNAME record subdomain.test.lan.

Note: The following dig commands query the BIND server (@127.0.0.1) prepared in steps 1 to 5.

First query:

$ dig @127.0.0.1 s-1.1.1.1-subdomain.test.lan-12345678-fs-e.d.rebind.it
..
;; ANSWER SECTION:
s-1.1.1.1-subdomain.test.lan-12345678-fs-e.d.rebind.it. 0 IN A 1.1.1.1
..

Output of BIND:

..
query: s-1.1.1.1-subdomain.test.lan-12345678-fs-e.d.rebind.it IN A +E(0)K (127.0.0.1)

Second query:

$ dig @127.0.0.1 s-1.1.1.1-subdomain.test.lan-12345678-fs-e.d.rebind.it
..
;; ANSWER SECTION:
s-1.1.1.1-subdomain.test.lan-12345678-fs-e.d.rebind.it. 9 IN CNAME subdomain.test.lan.
subdomain.test.lan. 86400 IN A 192.168.0.1
..

Output of BIND:

..
query: s-1.1.1.1-subdomain.test.lan-12345678-fs-e.d.rebind.it IN A +E(0)K (127.0.0.1)

As can be seen from the output above, vulnerable versions of BIND do not filter out the second DNS response from rebind.it, although it contains a CNAME record that matches the namelist given in the "deny-answer-aliases" option set in /etc/named.conf.

Expected correct behavior: The second query should result in a SERVFAIL and the event should be logged as follows:

..
CNAME target subdomain.test.lan denied for s-1.1.1.1-subdomain.test.lan-12345678-fs-e.d.rebind.it/IN

==================
Technical Details:
==================

Before the filters of the "deny-answer-aliases" option are applied, BIND checks whether the target name is a subdomain of the search domain. If so, the answer is allowed (see lines 6990 and 6991 below).

bind-9.14.9/lib/dns/resolver.c:

..
6903 static bool
6904 is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
6905                         dns_rdataset_t *rdataset, bool *chainingp)
6906 {
..
6987         /*
6988          * If the target name is a subdomain of the search domain, allow it.
6989          */
6990         if (dns_name_issubdomain(tname, &fctx->domain))
6991                 return (true);
..

If BIND is configured as a forwarding DNS server (see the forwarders option in /etc/named.conf), the search domain (&fctx->domain; see line 6990) is always the root domain ("."). Every name is a subdomain of the root, so is_answertarget_allowed() always returns true and the filters are never applied.

=========
Solution:
=========

If you are using "deny-answer-aliases", upgrade to the patched release most closely related to your current version of BIND (see also [REF1], [REF2] and [REF3]).

====================
Disclosure Timeline:
====================

22-Jan-2020 - Initial vendor notification
24-Jan-2020 - Initial vendor response
21-Feb-2020 - Status update by ISC
15-Apr-2020 - Patched releases of BIND are available
26-Apr-2020 - Release date of this security advisory

========
Credits:
========

Vulnerability found and advisory written by Tobias Klein.
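The decision order described under Technical Details, as an added example that is not BIND's code: a simplified Python model in which the search-domain shortcut runs before the deny-answer-aliases filter, applied to the two answers from the dig output above. The search domain "rebind.it" used for the non-forwarding case, and the except-from handling, are assumptions of this model.

```python
# Added example (not BIND's code): a simplified model of the decision the advisory
# describes, with the search-domain shortcut applied before the deny-answer-aliases filter.

def _labels(name):
    """Lower-cased labels of a DNS name; the root "." yields an empty list."""
    return [l.lower() for l in name.strip(".").split(".") if l]

def is_subdomain(name, domain):
    """True if name equals domain or lies beneath it (every name is under ".")."""
    n, d = _labels(name), _labels(domain)
    return len(n) >= len(d) and n[len(n) - len(d):] == d

def matches_namelist(name, namelist):
    return any(is_subdomain(name, entry) for entry in namelist)

def is_answertarget_allowed(search_domain, target, deny_aliases, except_from=()):
    """Return (allowed, reason); order mirrors the text: shortcut first, then filters."""
    if is_subdomain(target, search_domain):
        return True, "target is a subdomain of the search domain"
    if matches_namelist(target, except_from):
        return True, "target is on the except-from list"
    if matches_namelist(target, deny_aliases):
        return False, "target matches deny-answer-aliases"
    return True, "no filter matched"

def check_answer(qname, answer, search_domain, deny_aliases, except_from=()):
    """Walk an answer section of (owner, type, rdata) tuples; return (rcode, log lines)."""
    logs = []
    for _owner, rtype, rdata in answer:
        if rtype in ("CNAME", "DNAME"):
            ok, _why = is_answertarget_allowed(search_domain, rdata, deny_aliases, except_from)
            if not ok:
                logs.append(f"{rtype} target {rdata} denied for {qname}/IN")
                return "SERVFAIL", logs
    return "NOERROR", logs

# Constructed from the two dig answers in the advisory (names written without trailing dot).
QNAME = "s-1.1.1.1-subdomain.test.lan-12345678-fs-e.d.rebind.it"
DENY_ALIASES = ["test.lan"]
FIRST_ANSWER = [(QNAME, "A", "1.1.1.1")]
SECOND_ANSWER = [(QNAME, "CNAME", "subdomain.test.lan"), ("subdomain.test.lan", "A", "192.168.0.1")]

def forwarding_result():
    # "forward only": fctx->domain is the root, so the shortcut fires for any target.
    return check_answer(QNAME, SECOND_ANSWER, ".", DENY_ALIASES)

def recursing_result():
    # Iterative resolution: the search domain is the delegation being queried (assumed rebind.it).
    return check_answer(QNAME, SECOND_ANSWER, "rebind.it", DENY_ALIASES)
```

With the root as search domain the CNAME passes untouched; with a real delegation as search domain the model produces the SERVFAIL and the exact log line the advisory expects.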
===========
References:
===========

[REF1] https://downloads.isc.org/isc/bind9/9.17.1/RELEASE-NOTES-bind-9.17.1.html
[REF2] https://downloads.isc.org/isc/bind9/9.16.2/RELEASE-NOTES-bind-9.16.2.html
[REF3] https://downloads.isc.org/isc/bind9/9.11.18/RELEASE-NOTES-bind-9.11.18.html
[REF4] https://gitlab.isc.org/isc-projects/bind9/-/merge_requests?scope=all&utf8=%E2%9C%93&state=all&search=1574

URL for this advisory:
https://www.trapkit.de/advisories/TKADV2020-001.txt

URL for PGP signature key:
https://www.trapkit.de/advisories/tk-advisories-signature-key.asc

=================
Revision History:
=================

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Copyright 2020 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQQf8YTj2CneP4UWV66RfGBwAhuEQQUCXqW0QQAKCRCRfGBwAhuE
QVkbAJsGMFq5QguS8aWQfM2DMiOGDqpO1wCeK1b9WjRnKqWYidmFg1Ie0NGGedg=
=j61J
-----END PGP SIGNATURE-----