dyne / dnscrypt-proxy

DNSCrypt-Proxy repository, frankly maintained for what it does (no new features planned)

Vulnerability in the `ldns_blocking` plugin. #5

Open jedisct1 opened 6 years ago

jedisct1 commented 6 years ago

Bad news, there is a vulnerability in the ldns_blocking plugin.

An IPv4 address present in the set of IPs to be blocked will be blocked for an A query.

However, IPv4 addresses can also be encoded as IPv6 addresses. For example ::ffff:216.58.201.142 is equivalent to 216.58.201.142.

With an AAAA record containing such an IPv4-in-IPv6 address, the ldns_blocking plugin will not spot the IPv4 address and let the query go through.

curl is an example of a client that will connect to the IPv4 address even though it was obtained from an AAAA record, and I guess many HTTP clients and browsers will behave the same way. A malicious website can thus bypass IP-based DNS filters.

jedisct1 commented 6 years ago

A quick and ugly way to address this could just be to skip a ::ffff: prefix from answer_str before calling fpst_str_starts_with_existing_key().

I don't think anything else starting with ::ffff: would be routed, but checking that there is at least a dot somewhere after that prefix cannot hurt.

A cleaner way would be to call ldns_rdf2native_sockaddr_storage() and then IN6_IS_ADDR_V4MAPPED() on an IPv6 result.
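A defender-side illustration of the cleaner fix described in the comment above (inspecting the parsed address with IN6_IS_ADDR_V4MAPPED() instead of string-matching the ::ffff: prefix), written as an added example and not code from dnscrypt-proxy or the ldns_blocking plugin. The blocklist and the normalize_ip()/is_blocked() helpers are constructed for this example, and libc's inet_pton() stands in for ldns_rdf2native_sockaddr_storage().

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Constructed blocklist for this example (the address from the report). */
static const char *const BLOCKED_V4[] = { "216.58.201.142", NULL };

/* Parse an address string; if it is an IPv4-mapped IPv6 address
 * (::ffff:a.b.c.d or ::ffff:xxxx:xxxx), emit the embedded IPv4 address
 * in dotted-quad form so it compares equal to the A-record form.
 * Returns 1 on success, 0 if the string is not a valid address. */
int normalize_ip(const char *in, char *out, size_t outlen)
{
    struct in_addr  a4;
    struct in6_addr a6;

    if (inet_pton(AF_INET, in, &a4) == 1)
        return inet_ntop(AF_INET, &a4, out, outlen) != NULL;
    if (inet_pton(AF_INET6, in, &a6) == 1) {
        if (IN6_IS_ADDR_V4MAPPED(&a6)) {
            /* The last 4 bytes of a v4-mapped address hold the IPv4 address. */
            memcpy(&a4, &a6.s6_addr[12], sizeof a4);
            return inet_ntop(AF_INET, &a4, out, outlen) != NULL;
        }
        return inet_ntop(AF_INET6, &a6, out, outlen) != NULL;
    }
    return 0;
}

/* Return 1 if the answer's address, after normalisation, is blocklisted. */
int is_blocked(const char *answer_str)
{
    char norm[INET6_ADDRSTRLEN];
    if (!normalize_ip(answer_str, norm, sizeof norm))
        return 0;
    for (size_t i = 0; BLOCKED_V4[i] != NULL; i++)
        if (strcmp(norm, BLOCKED_V4[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const char *samples[] = { "216.58.201.142", "::ffff:216.58.201.142",
                              "::ffff:d83a:c98e", "2001:db8::1" };
    for (size_t i = 0; i < 4; i++)
        printf("%-24s blocked=%d\n", samples[i], is_blocked(samples[i]));
    return 0;
}
```

Both textual spellings of the mapped address resolve to the same in6_addr, so the hex form is caught as well as the dotted one the report mentions.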

jaromil commented 6 years ago

Well spotted. This likely also affects our plugin in dowse, or at least it's worth checking.