From: Petr Špaček Date: Fri, 11 Jul 2025 16:37:57 +0000 (+0200) Subject: Test that positive answer cannot overwrite sibling NS RRs X-Git-Tag: v9.21.17~14^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=26eed16d619f9957d0d252ceda06a2b4ea67b6d4;p=thirdparty%2Fbind9.git Test that positive answer cannot overwrite sibling NS RRs Before the fixes for CVE-2025-40778, a positive answer was allowed to overwrite sibling NS RRs. The answer had to be a positive AA=1 answer with a fake NS along with it. This combination of conditions avoided the code path with "unrelated " detection logic. If it were some other answer, named from the main branch would detect the attempt and log: DNS format error from 10.53.0.1#16386 resolving trigger/A for : unrelated NS victim in trigger authority section In short, the attacker tries to spoof at least one answer that has the following form: opcode QUERY rcode NOERROR flags QR AA ;QUESTION trigger$RANDOM. IN A ;ANSWER trigger$RANDOM. 3600 IN A 10.53.0.3 ;AUTHORITY victim. 3600 IN NS ns.attacker. ;ADDITIONAL ns.attacker. 3600 IN A 10.53.0.3 This attack was originally reported as "test case 1c". Co-authored-by: Michał Kępień --- diff --git a/bin/tests/system/bailiwick/ans1/ans.py b/bin/tests/system/bailiwick/ans1/ans.py index be072a39e16..f0b152ac3d7 100644 --- a/bin/tests/system/bailiwick/ans1/ans.py +++ b/bin/tests/system/bailiwick/ans1/ans.py @@ -29,6 +29,37 @@ ATTACKER_IP = "10.53.0.3" TTL = 3600 +class SiblingNsSpoofer(ResponseSpoofer, mode="sibling-ns"): + + qname = "trigger." + + async def get_responses( + self, qctx: QueryContext + ) -> AsyncGenerator[ResponseAction, None]: + response = qctx.prepare_new_response(with_zone_data=False) + + txt_rrset = dns.rrset.from_text( + qctx.qname, + TTL, + qctx.qclass, + dns.rdatatype.TXT, + '"spoofed answer with extra NS"', + ) + response.answer.append(txt_rrset) + + ns_rrset = dns.rrset.from_text( + "victim.", TTL, qctx.qclass, dns.rdatatype.NS, "ns.attacker." + ) + response.authority.append(ns_rrset) + + a_rrset = dns.rrset.from_text( + "ns.attacker.", TTL, qctx.qclass, dns.rdatatype.A, ATTACKER_IP + ) + response.additional.append(a_rrset) + + yield DnsResponseSend(response, authoritative=True) + + def main() -> None: spoofing_server().run() diff --git a/bin/tests/system/bailiwick/tests_bailiwick.py b/bin/tests/system/bailiwick/tests_bailiwick.py index 79ee8a4364c..b068180265c 100644 --- a/bin/tests/system/bailiwick/tests_bailiwick.py +++ b/bin/tests/system/bailiwick/tests_bailiwick.py @@ -77,3 +77,11 @@ def check_domain_hijack(ns4: NamedInstance) -> None: "TXT", '"correct answer from the domain under attack"', ) + + +def test_bailiwick_sibling_ns_referral(servers: Dict[str, NamedInstance]) -> None: + set_spoofing_mode(ans1="sibling-ns", ans2="none") + + ns4 = servers["ns4"] + send_trigger_query(ns4, "trigger.") + check_domain_hijack(ns4)