Feb 8 – 9, 2024 Workshop
Embassy Suites Charlotte Uptown
US/Eastern timezone

TuDoor Attack: Systematically Exploring and Exploiting Logic Vulnerabilities in DNS Response Pre-processing with Malformed Packets

Feb 9, 2024, 10:05 AM
25m
Salon A/B (Embassy Suites Charlotte Uptown)

Salon A/B

Embassy Suites Charlotte Uptown

401 East Martin Luther King Jr Blvd Charlotte NC 28202 United States
In-Person Standard Presentation OARC 42 Day 2

Speaker

Qifan Zhang (University of California, Irvine)

Description

DNS can be compared to a game of chess in that its rules are simple, yet the possibilities it presents are endless. While the fundamental rules of DNS are straightforward, DNS implementations can be extremely complex. In this study, we intend to explore the complexities and vulnerabilities in DNS response pre-processing by systematically analyzing DNS RFCs and DNS software implementations. We present the discovery of three new types of logic vulnerabilities, leading to the proposal of three novel attacks, namely the TuDoor attack. These attacks involve the use of malformed DNS response packets to carry out DNS cache poisoning, denial-of-service, and resource consuming attacks. By performing comprehensive experiments, we demonstrate the attack’s feasibility and significant real-world impacts of TuDoor. In total, 24 mainstream DNS software, including BIND, PowerDNS, and Microsoft DNS, are affected by TuDoor. Attackers can instigate cache poisoning and denial-of-service attacks against vulnerable resolvers using a handful of crafted packets within 1 second or circumvent the query limit to deplete resolution resources (e.g., CPU). Besides, to determine the vulnerable resolver population in the wild, we collect and evaluate 16 popular Wi-Fi routers, 6 prevalent router OSes, 42 public DNS services, and around 1.8M open DNS resolvers. Our measurement results indicate that TuDoor could exploit 7 routers (OSes), 18 public DNS services, and 424,652 (23.1%) open DNS resolvers. Following the best practice of responsible disclosure, we have reported these vulnerabilities to all affected vendors, and 18 of them, including BIND, Chrome, Cloudflare, and Microsoft, have acknowledged our findings and discussed mitigation solutions with us. Furthermore, 33 CVE IDs are assigned to our discovered vulnerabilities, and we provide an online detection tool as one of the mitigation measures. Our research highlights the urgent need for standardization of DNS response pre-processing logic to enhance the security of DNS.

Primary authors

Xiang Li (Tsinghua University) Mr Wei Xu (Tsinghua University) Prof. Baojun Liu (Tsinghua University) Dr Mingming Zhang (Zhongguancun Laboratory) Prof. Zhou Li (University of California, Irvine) Dr Jia Zhang (Tsinghua University) Dr Deliang Chang (QI-ANXIN Technology Research Institute) Mr Xiaofeng Zheng (Tsinghua University) Mr Chuhan Wang (Tsinghua University) Prof. Jianjun Chen (Tsinghua University) Prof. Haixin Duan (Tsinghua University) Prof. Qi Li (Tsinghua University)

Presentation materials