In my quick look at the Google security blog I wasn't sure whether "remote" meant "from the outside internet" or "from another machine on the local network". For example, the DHCP bugs are surely only going to be exploitable by local machines, right? Do DNS bugs require that the attacker is controlling replies to DNS requests that I make? That would be tricky if my dnsmasq is forwarding to my ISP's DNS, for example.
Dnsmasq and the seven flaws: Patch these nasty remote-control holes
Google security engineers have spotted not one, not two, but seven serious flaws in Dnsmasq, a fairly widely used DNS forwarder and DHCP server. This open-source program is present in a lot of home routers and certain Internet of Things gadgets, and included in desktop Linux distributions such as Ubuntu and Debian. According …
COMMENTS
Monday 2nd October 2017 20:51 GMT Voland's right hand
It can be from the outside Internet
Their POC code requires both a query and a sequence of answers. You can run the POC only from inside. I could not be arsed at this time of the day to decipher the actual hex contents of the query(ies); it may be possible to create them as a side effect of running normal web code, e.g. JavaScript.
The mitigating factors are that you have to guess what it is: Arm (dnsmasq, if memory serves me right, is used in wireless tethering on Android), MIPS32 (most routers), x86 (a few firewalls and an occasional internet device here and there), etc. You get one chance to try, as the result is a crashed dnsmasq.
Personally, I would not risk it. I had only one instance in use outside lab work (my mom's house) and even that just got disabled and replaced by a proper adult bind + isc dhcp server combination running on the razzie which controls the cctv.
Monday 2nd October 2017 22:12 GMT Wensleydale Cheese
Re: It can be from the outside Internet
"Personally, I would not risk it. I had only one instance in use outside lab work (my mom's house) and even that just got disabled and replaced by a proper adult bind + isc dhcp server combination running on the razzie which controls the cctv."
Noted and thanks. I've been trying dnsmasq out on a Raspberry Pi, but find the documentation somewhere between hard work and impenetrable.
I've used bind and isc dhcp server before and will probably be more comfortable with those.
Tuesday 3rd October 2017 06:26 GMT Anonymous Coward
An interesting issue for routers
Since dnsmasq services aren't exposed to the internet, remote exploits to routers (whether commercial or open source) using it aren't a concern. The only way to exploit your router is for an attack to get code to run inside your network - via some type of browser based exploit, perhaps. But to what end? Once your router reboots, the malware will disappear; the malware can't rewrite individual binaries, it would have to upload new firmware with all new binaries if it wanted to become a permanent resident on your router.
Configuring your router to reboot daily might be a good idea, to eliminate the chance of becoming part of some long lived botnet sending out spam or whatever an army of low performance devices is used for by black hats these days.
Tuesday 3rd October 2017 08:36 GMT Outer mongolian custard monster from outer space (honest)
Once someone can get remote code execution on your local devices, it's game over. It's trivial to generate, say, a reverse shell TCP connection as part of that payload, and have it traverse a NAT gateway, even wrap it up to look like normal web traffic or pick a common port (and since this is a DNS attack, I'd be telling it to use 53 outbound, since to forward it has to have that open). If the payload isn't large enough to support a full binary, it's easy to generate a staged payload and bootstrap in a larger component, or instruct the device to download the payload proper via its own means (wget, curl etc. if installed).
A lot of people may say "oh they only have my router/print server/NAS box, it's ok", but no, what they have then is a really good foothold inside your perimeter defences and a great point to further attack/enumerate your privileged LAN.
As for how to make this a full remote exploit, it might take some creativity, because on the surface you only answer queries from the local subnet to start with, but what if someone sends your client machines an email with URLs, or they are redirected to a sequence of domains by an infected page or advert? Will your local subnet dnsmasq server not get asked for those domains to be looked up if they look like domain names?
Patching the stuff I can that's affected as quick as I can here. You pays your money and takes your choice.
Saturday 3rd March 2018 00:48 GMT DMen1k
Hello. I have just run a network scan with Avast, on my Win7 PC. It states my WDMC h/d & BT Smart Hub Router's firmware (it states it was updated 17th of Jan) needs updating & is vulnerable. Could you please point me in the right direction of finding out how to install a patch, to remedy this if possible.
Thanx