So the fine writeup of SIGRed (CVE-2020-1350) includes a brief discussion of a neat technique to make a Microsoft browser perform DNS lookups to arbitrary nameservers, which can then also be infected. /cc @EyalItkin & @omriher 1/9 research.checkpoint.com/2020/resolving…
Normally, you can't really do DNS lookups using the DNS protocol from browsers. Sure, the browser will resolve names for you, but it chooses how to do that. You can't direct the query anywhere, or do non-standard lookups. This is pretty good. 2/9
But what if you really really want to talk to a nameserver, for example to attack it? Browsers do speak HTTP, and do so very well. Some browsers, notably from Microsoft, are even prepared to send HTTP queries to the DNS port (53). 3/9
But, HTTP queries will typically confuse nameservers, as they look nothing like DNS queries. A DNS query over TCP always starts with a two byte length field. We don't really control the beginning of an HTTP request, it starts with GET or POST. Let's assume POST. 4/9
A nameserver will treat the first two bytes 'P' and 'O' as a length field. And this offers us an opening. After the POST come a lot of headers we can't control, but we can guess how long they will be. 'P' and 'O' correspond to a 20559 byte length field. 5/9
This means the nameserver will first read 20559 bytes as a DNS message, fail to parse the DNS message (because it is a bunch of HTTP), and then read another two-byte length field for the next message. But by now we are in part of the HTTP session we fully control! 6/9
This is how the SIGRed writeup proposes to make browsers scan (local) networks for further nameservers to infect, even if they aren't configured as system resolvers. It is very clever. Most non-Microsoft browsers however are on to this trick and block HTTP attempts to port 53. 7/9
But that doesn't matter since this attack is only going to work in enterprise environments that run the Microsoft nameservers. And many of those will also run Microsoft browsers! 8/9
So in this way, the SIGRed vulnerability can not only "worm" itself via the Microsoft DNS server, it can also use JavaScript in Microsoft browsers to scan your network for DNS servers you might not even be aware of. SO UPDATE TODAY PLEASE! 9/9
Addendum to tweet 6: because we fully control the contents of the HTTP session from that point, this is where we can insert our special DNS query that will help infect the name server.
Update via @rsedmonds, turns out this "cross-protocol scripting" was well known back in 2001. But it still works today! /cc @SteveBellovin kb.cert.org/vuls/id/476267
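The framing confusion described in tweets 4 to 6, worked through as an added example (not part of the thread or of the Check Point writeup): a naive TCP DNS reader decodes the first two bytes of an HTTP request as a message length, and the second length field lands inside the request body. The HTTP request bytes and the DNS query are constructed here for illustration; `looks_like_http` is the server-side check a nameserver could apply to close such connections before parsing anything.

```python
import struct

# Constructed sample, not a capture: the start of an HTTP POST that a browser
# would send if pointed at a nameserver's TCP port 53.
HTTP_ON_PORT_53 = (
    b"POST / HTTP/1.1\r\n"
    b"Host: 192.0.2.53:53\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 20600\r\n"
    b"\r\n"
)

# First four bytes of common HTTP request lines. A real DNS client would only
# produce one of these as its length field plus message ID by accident.
HTTP_REQUEST_PREFIXES = (
    b"GET ", b"POST", b"PUT ", b"HEAD", b"OPTI", b"DELE", b"PATC", b"TRAC", b"CONN",
)


def build_dns_query(name: str, qtype: int = 1, msg_id: int = 0x1234) -> bytes:
    """Build a minimal TCP DNS query: two-byte length, RFC 1035 header, one question."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    msg = header + question
    return struct.pack("!H", len(msg)) + msg


def first_length_field(stream: bytes) -> int:
    """Decode the two-byte big-endian length a naive TCP DNS reader sees first."""
    return struct.unpack("!H", stream[:2])[0]


def second_length_offset(stream: bytes) -> int:
    """Offset at which the reader will parse the *next* length field.

    For a stream starting with b"PO" this is 2 + 0x504F = 20561, so the
    reader resynchronises deep inside the HTTP body rather than in the
    fixed request line or headers. That is the gap the thread describes.
    """
    return 2 + first_length_field(stream)


def looks_like_http(stream: bytes) -> bool:
    """Server-side check: flag TCP connections whose first bytes are an HTTP method."""
    return stream[:4] in HTTP_REQUEST_PREFIXES
```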