New SAD DNS attack for inserting bogus data into the DNS cache

A team of researchers from the University of California, Riverside has published a new variant of the SAD DNS attack (CVE-2021-20322) that works despite the protections added last year to block the CVE-2020-25705 vulnerability. The new method is broadly similar to last year's vulnerability and differs only in using a different type of ICMP packet to check for active UDP ports. The proposed attack makes it possible to substitute bogus data into a DNS server's cache, which can be used to replace the IP address of an arbitrary domain in the cache and redirect requests for that domain to the attacker's server.

The proposed method works only against the Linux network stack, because it depends on peculiarities of the ICMP packet processing mechanism in Linux. That mechanism acts as a source of data leakage which simplifies determining the UDP port number the server used to send an outgoing request. Changes that block the information leak were accepted into the Linux kernel at the end of August (the fix was included in kernel 5.15 and in the September updates to the LTS branches of the kernel). The fix comes down to switching the network caches from Jenkins Hash to the SipHash hashing algorithm. The status of the fix in distributions can be tracked on these pages: Debian, RHEL, Fedora, SUSE, Ubuntu.

According to the researchers who identified the problem, about 38% of the open resolvers on the network are vulnerable, including popular DNS services such as OpenDNS and Quad9 (9.9.9.9). As for server software, the attack can be carried out against packages such as BIND, Unbound and dnsmasq running on a Linux server. The problem does not appear on DNS servers running on Windows and BSD systems. To carry out the attack successfully, IP spoofing is required, i.e. the attacker's ISP must not block packets with a forged source IP address.

As a reminder, the SAD DNS attack bypasses the protections added to DNS servers to block the classic DNS cache poisoning method proposed in 2008 by Dan Kaminsky. Kaminsky's method exploits the small size of the DNS query ID field, which is only 16 bits. To guess the correct DNS transaction identifier needed for hostname spoofing, it is enough to send about 7,000 requests and simulate about 140 thousand bogus responses. The attack comes down to sending the DNS resolver a large number of packets with a forged source IP address and different DNS transaction identifiers. To prevent the first response from being cached, each dummy response carries a slightly modified domain name (16.example.com, 7000.example.com, 140.example.com, and so on).

To protect against this type of attack, DNS server developers introduced random distribution of the source network port numbers from which resolution requests are sent, which compensated for the insufficient size of the identifier. Once this protection was in place, sending a bogus response required guessing, in addition to the 16-bit identifier, one of 64 thousand ports, which increased the number of candidates to try to 2^32.

The SAD DNS method greatly simplifies determining the network port number and reduces the attack to the classic Kaminsky method. An attacker can tell unused UDP ports from active ones by taking advantage of information leaked about network port activity when ICMP response packets are processed. The method reduces the number of candidates to search by 4 orders of magnitude: 2^16 + 2^16 instead of 2^32 (131_072 instead of 4_294_967_296). The information leak that makes it possible to identify active UDP ports quickly is caused by a flaw in the code that handles ICMP packets carrying fragmentation requests (the ICMP Fragmentation Needed flag) or redirection (the ICMP Redirect flag). Sending such packets changes the state of a cache in the network stack, which makes it possible to determine, from the server's response, which UDP port is active and which is not.

Attack scenario: when a DNS resolver tries to resolve a domain name, it sends a UDP query to the DNS server that serves the domain. While the resolver is waiting for the response, the attacker can quickly determine the source port number that was used to send the request and send a bogus response to it, impersonating the DNS server that serves the domain by means of IP address spoofing. The DNS resolver caches the data sent in the bogus response and, for some time, returns the IP address substituted by the attacker for all other DNS requests for that domain name.
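
The two phases described above (a burst of ICMP Fragmentation Needed / Redirect messages, then a flood of responses with differing transaction identifiers aimed at one UDP port) leave a recognisable pattern on the resolver side. The following detection sketch is an added example, not code from the original article or from the researchers; the pre-parsed event format, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

FRAG_NEEDED = (3, 4)  # ICMP Destination Unreachable, Fragmentation Needed
REDIRECT = 5          # ICMP Redirect (any code)

def sample_events():
    """Constructed events, not real traffic: (time_s, kind, dst_ip, detail).
    icmp detail: (type, code); dns_resp detail: (dst_port, txid, matched_query)."""
    resolver, workstation = "192.0.2.53", "192.0.2.10"
    events = []
    # Phase 1: burst of Fragmentation Needed / Redirect messages at the resolver.
    for i in range(300):
        events.append((i * 0.01, "icmp", resolver, (3, 4) if i % 2 else (5, 1)))
    # Phase 2: responses to one source port, each with a different TXID that
    # matches no outstanding query.
    for i in range(500):
        events.append((3.0 + i * 0.002, "dns_resp", resolver, (40123, i, False)))
    # Ordinary host: one path-MTU message and one legitimate answer.
    events.append((1.0, "icmp", workstation, (3, 4)))
    events.append((1.2, "dns_resp", workstation, (51000, 7, True)))
    return events

def detect(events, window=10.0, icmp_limit=100, txid_limit=50):
    """Return {resolver_ip: {udp_port, ...}} where both phases were seen.
    The window and limits are illustrative assumptions, to be tuned per site."""
    icmp = defaultdict(int)   # (dst, bucket) -> count of probe-like ICMP
    txids = defaultdict(set)  # (dst, port, bucket) -> unmatched TXIDs seen
    for t, kind, dst, detail in events:
        bucket = int(t // window)
        if kind == "icmp" and (detail == FRAG_NEEDED or detail[0] == REDIRECT):
            icmp[(dst, bucket)] += 1
        elif kind == "dns_resp" and not detail[2]:
            txids[(dst, detail[0], bucket)].add(detail[1])
    probed = {dst for (dst, _), n in icmp.items() if n >= icmp_limit}
    alerts = {}
    for (dst, port, _), ids in txids.items():
        if dst in probed and len(ids) >= txid_limit:
            alerts.setdefault(dst, set()).add(port)
    return alerts

if __name__ == "__main__":
    for ip, ports in detect(sample_events()).items():
        print(f"possible SAD DNS poisoning attempt against {ip}, ports {sorted(ports)}")
```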

Source: opennet.ru
