rocksolid / Security / remote code exec in dnsmasq

Subject: remote code exec in dnsmasq
From: Anonymous
Newsgroups: rocksolid.shared.security
Organization: def2
Date: Wed, 20 Jan 2021 13:30 UTC
https://www.jsof-tech.com/wp-content/uploads/2021/01/DNSpooq_Technical-Whitepaper.pdf

CVE-2020-25681: Heap-based buffer overflow with arbitrary overwrite

Thank fuck I am on tor and don't rely on DNS.

--
Posted on def2


Subject: Re: remote code exec in dnsmasq
From: Marc SCHAEFER
Newsgroups: rocksolid.shared.security
Organization: Posted through ALPHANET https://news.alphanet.ch/
Date: Wed, 20 Jan 2021 15:00 UTC
References: 1
Anonymous <poster@anon.com> wrote:
> Thank fuck I am on tor and don't rely on DNS.

However, your IP router might well run dnsmasq.


Subject: Re: remote code exec in dnsmasq
From: AnonUser
Newsgroups: rocksolid.shared.security
Organization: RetroBBS
Date: Wed, 20 Jan 2021 18:47 UTC
References: 1
Is there a way to check which dns server software is being used? I mean other than having full login access to whatever it runs.
--
Posted on RetroBBS
retrobbs.i2p



Subject: Re: remote code exec in dnsmasq
From: Guest
Newsgroups: rocksolid.shared.security
Organization: Dancing elephants
Date: Wed, 20 Jan 2021 18:25 UTC
References: 1
> However, your IP router might well run dnsmasq.

Yes, that is true. I consider my router to be compromised anyway, and don't trust it. I don't see though how this would compromise my tor setup. The authority tor nodes are hardcoded into tor (with their ip addresses), and everything after should be safe I think. I could be wrong of course.

There was some way to use dns to deanonymize tor users, but it worked differently (see : https://nakedsecurity.sophos.com/2016/10/05/unmasking-tor-users-with-dns/ )

> Is there a way to check which dns server software is being used? I mean other than having full login access to whatever it runs.

If you can find out the system of your router, it should be easy to verify.

Or you run the attack against your own router (bit more effort).

--
Posted on def3


Subject: Re: remote code exec in dnsmasq
From: Marc SCHAEFER
Newsgroups: rocksolid.shared.security
Organization: Posted through ALPHANET https://news.alphanet.ch/
Date: Thu, 21 Jan 2021 07:38 UTC
References: 1 2
AnonUser <anonuser@rocksolidbbs.com.remove-32i-this> wrote:
> Is there a way to check which dns server software is being used? I mean other than having full login access to whatever it runs.

I would assume that if it has a Linux or BSD OS, and it has a DNS
functionality, it is dnsmasq.
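An added example (mine, not from any poster in this thread) of answering AnonUser's question without logging in to the router: dnsmasq answers CHAOS-class TXT queries for version.bind with a string of the form dnsmasq-<version>, so a single raw query over UDP/53 to the router's LAN address fingerprints it. The script builds the query by hand, parses the reply, and checks the version against 2.83, the release that fixed DNSpooq. The router address, the sample reply bytes and the version string in them are constructed for the example. Vendor firmware often backports fixes without bumping the version string, so a number below 2.83 is a reason to check the vendor's advisory, not proof that the box is exploitable.

```python
import re
import socket
import struct
import sys
from typing import List, Optional, Tuple

QTYPE_TXT = 16
QCLASS_CH = 3          # CHAOS class, used for version.bind / authors.bind
TXID = 0x1234          # fixed transaction id, fine for a one-shot probe
DNSPOOQ_FIXED = (2, 83)  # dnsmasq 2.83 shipped the DNSpooq fixes


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus a root byte."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str = "version.bind", txid: int = TXID) -> bytes:
    """One-question DNS query: header (RD set), question name, TXT, CH."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length


def parse_txt_answers(msg: bytes, txid: int = TXID) -> List[str]:
    """Collect the TXT strings from CH-class answers; [] on error rcode."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0xF != 0:            # non-zero RCODE: server refused or no data
        return []
    off = 12
    for _ in range(qd):             # skip the echoed question section
        off = skip_name(msg, off) + 4
    texts = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            i = 0
            while i < len(rdata):   # TXT rdata is a series of <len><chars>
                n = rdata[i]
                texts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return texts


def dnsmasq_version(texts: List[str]) -> Optional[Tuple[int, int]]:
    """(major, minor) if any TXT string is a dnsmasq version banner, else None."""
    for t in texts:
        m = re.match(r"dnsmasq-(\d+)\.(\d+)", t)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def predates_dnspooq_fix(texts: List[str]) -> bool:
    """True only for a dnsmasq banner older than 2.83 (see backport caveat)."""
    v = dnsmasq_version(texts)
    return v is not None and v < DNSPOOQ_FIXED


def fingerprint(server: str, timeout: float = 2.0) -> List[str]:
    """Send the probe to server:53 over UDP and return the TXT strings."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_txt_answers(data)


# Constructed reply, shaped like a dnsmasq answer: QR|RD|RA flags, the echoed
# question, one CH TXT answer via a compression pointer to the question name.
# The version string is made up for the example.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
    + encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, 13)
    + b"\x0cdnsmasq-2.80"
)

if __name__ == "__main__":
    # usage: python3 probe.py 192.168.1.1   (router address is an assumption)
    banner = fingerprint(sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1")
    print(banner, "pre-2.83 dnsmasq" if predates_dnspooq_fix(banner) else "")
```

The same probe works from a shell as `dig @192.168.1.1 version.bind chaos txt`; the hand-built packet is here so the parsing of the answer can be checked offline against the constructed reply.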


Subject: Re: remote code exec in dnsmasq
From: Marc SCHAEFER
Newsgroups: rocksolid.shared.security
Organization: Posted through ALPHANET https://news.alphanet.ch/
Date: Thu, 21 Jan 2021 07:40 UTC
References: 1 2
Guest <guest@retrobbs.rocksolidbbs.com> wrote:
> Yes, that is true. I consider my router to be compromised anyway, and don't trust it.

If you have a firewall behind your router, protecting the router from
accessing your internal network, then you are presumably safe, if using
tor only.

Else, the router could use vulnerabilities in your OS software
(including any printer, webcam, etc) or in one of your applications or
configuration.

:)
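An added example of the arrangement Marc describes (not from the thread): an nftables ruleset for a Linux box sitting between the ISP router and the LAN, written so that the LAN may open connections outward through the router but the router cannot open anything toward the LAN. Interface names, the router address and the log prefix are assumptions; adjust them to the actual topology.

```nft
# Inner firewall between the untrusted ISP router (wan0) and the LAN (lan0).
# Assumed: wan0 faces the router at 192.168.1.1, lan0 is a separate subnet.
table inet inner_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state invalid drop

        # LAN hosts may initiate anything toward the router / Internet
        iifname "lan0" oifname "wan0" accept

        # only return traffic for connections the LAN opened comes back in
        iifname "wan0" oifname "lan0" ct state established,related accept

        # anything the router side initiates toward the LAN is logged and dropped
        iifname "wan0" oifname "lan0" ct state new log prefix "router->lan " drop
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept

        # the firewall itself is reachable from the LAN only
        iifname "lan0" accept

        # DHCP lease from the router for the firewall's wan0 address, nothing else
        iifname "wan0" udp sport 67 udp dport 68 accept
    }
}
```

Load with `nft -f` and check with `nft list ruleset`. A compromised router then sees a single host (the firewall's wan0 address) and no path to printers, webcams or workstations on lan0; Tor traffic from the LAN still flows outward through it unchanged.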

