Profile picture
, 11 tweets, 4 min read
My Authors
Read all threads
So the fine writeup of SIGRed (CVE-2020-1350) includes a brief discussion of a neat technique to make a Microsoft browser perform DNS lookups to arbitrary nameservers, which can then also be infected. /cc @EyalItkin & @omriher 1/9 research.checkpoint.com/2020/resolving…
Normally, you can't really do DNS lookups using the DNS protocol from browsers. Sure, the browser will resolve names for you, but it chooses how to do that. You can't direct the query anywhere, or do non-standard lookups. This is pretty good. 2/9
But what if you really really want to talk to a nameserver, for example to attack it? Browsers do speak HTTP, and do so very well. Some browsers, notably from Microsoft, are even prepared to send HTTP queries to the DNS port (53). 3/9
But, HTTP queries will typically confuse nameservers, as they look nothing like DNS queries. A DNS query over TCP always starts with a two byte length field. We don't really control the beginning of an HTTP request, it starts with GET or POST. Let's assume POST. 4/9
A nameserver will treat the first two bytes 'P' and 'O' as a length field. And this offers us an opening. After the POST come a lot of headers we can't control, but we can guess how long they will be. 'P' and 'O' correspond to a 20559 byte length field. 5/9
This means the nameserver will first read 20559 bytes as a DNS message, fail to parse the DNS message (because it is a bunch of HTTP).. and then read another two-byte length field for the next message. But by now we are in part of the HTTP session we fully control! 6/9
This is how the SIGRed writeup proposes to make browsers scan (local) networks for further nameservers to infect, even if they aren't configured as system resolvers. It is very clever. Most non-Microsoft browsers however are on to this trick and block HTTP attempts to port 53 7/9
But that doesn't matter since this attack is only going to work in enterprise environments that run the Microsoft nameservers. And many of those will also run Microsoft browsers! 8/9
So in this way, the SIGRed vulnerability can not only "worm" itself via the Microsoft DNS server, it can also use Javascript in Microsoft browsers to scan your network for DNS servers you might not even be aware of. SO UPDATE TODAY PLEASE! 9/9
Addendum to tweet 6: because we fully control the contents of the HTTP session from that point, this is where we can insert our special DNS query that will help infect the name server.
Update via @rsedmonds, turns out this "cross-protocol scripting" was well known back in 2001. But it still works today! /cc @SteveBellovin kb.cert.org/vuls/id/476267
Missing some Tweet in this thread? You can try to force a refresh.

Keep Current with Bert Hubert 🇪🇺

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @PowerDNS_Bert see all

Profile picture
Bert Hubert 🇪🇺
@PowerDNS_Bert
Governments are pondering if apps can help them perform contact tracing for COVID-19 infected people. The "why" of this is explained very well here: 1/16
Some countries just track the location of everyone all the time and perform matching on a government server. This is a privacy nightmare. 2/16
www1.cbn.com/cbnnews/israel…
Can we do better? An international team has designed a protocol that allows tracing, while preserving privacy: DP-3T
/cc @marcelsalathe @mikarv 3/16
Read 16 tweets
Profile picture
Bert Hubert 🇪🇺
@PowerDNS_Bert
The discussion on if Huawei should power 5G networks misses the point. Most European service providers have long lost control over their networks. Banning Huawei will do nothing to change that. Instead, providers should focus on regaining technical skills
berthub.eu/articles/posts…
It is remarkable how the current debate would make one think that picking a specific vendor for 5G would suddenly change things. Instead, most service providers have already outsourced their operations to companies far away. /cc @shashj @cryptoron
This articles does not argue for simply picking Huawei for 5G. It does however argue that if we truly care about our privacy, about the availability of our communication systems even in times of conflict, and about our digital autonomy, much much more needs to be done.
Read 4 tweets
Profile picture
Bert Hubert 🇪🇺
@PowerDNS_Bert
Fellow geeks - if after all the Galileo outage stuff you feel the need to go down the wire and receive every GPS/Galileo/GLONASS/Baidu/whatever health message, I can recommend the "NAVILOCK 62524 GPS". It has a stonking chipset (u-blox 8) which delivers the goods. 1/5
There is a huge PDF with full details on how to get the chipset to emit what you need, find it here: u-blox.com/sites/default/… 2/5
To get you going, there is the free u-blox 'u-center' tool which, although Windows only, runs under Wine and it helps to get to know the chipset. The device itself is very Linux friendly. 3/5
Read 5 tweets

Embed code for your website

×
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!