kyak changed the topic of #qi-hardware to: Copyleft hardware - http://qi-hardware.com | hardware hackers join here to discuss Ben NanoNote, atben/atusb 802.15.4 wireless, anelok and other community driven hw projects | public logging at http://en.qi-hardware.com/irclogs and http://irclog.whitequark.org/qi-hardware
jwhitmore has quit [Ping timeout: 248 seconds]
archang has joined #qi-hardware
archang has quit [Ping timeout: 265 seconds]
archang has joined #qi-hardware
DocScrutinizer05 has quit [Disconnected by services]
DocScrutinizer05 has joined #qi-hardware
tumdedum has joined #qi-hardware
sandeepkr has quit [Ping timeout: 265 seconds]
zrafa has quit [Ping timeout: 252 seconds]
pcercuei has joined #qi-hardware
sb0 has quit [Quit: Leaving]
pcercuei has quit [Remote host closed the connection]
FDCX has quit [Remote host closed the connection]
jwhitmore has joined #qi-hardware
sb0 has joined #qi-hardware
sandeepkr has joined #qi-hardware
rjeffries has quit [Ping timeout: 248 seconds]
archang has quit [Ping timeout: 250 seconds]
fengling has quit [Ping timeout: 272 seconds]
FDCX has joined #qi-hardware
pcercuei has joined #qi-hardware
jwhitmore has quit [Ping timeout: 272 seconds]
jwhitmore has joined #qi-hardware
<DocScrutinizer05> is this a severe security threat or just a funny sidenote?
<wpwrak> nicely detailed report. sounds as if it might be nasty. i like this section: "Mitigations that don't work" :)
<kyak> disturbing thing is that this flaw has been there since 2008
<kyak> i wonder if the attacked person would know about the attack (for example, his dns lookup utility would segfault or what?)
<kyak> if it's just a nice way to execute code remotely from DNS server, who knows how many times this has already been exploited
pcercuei has quit [Quit: leaving]
<wpwrak> the more eyes of "whitehats" that are looking at things, the more likely the fix will be around by the time the blackhats get wind of their opportunity
<DocScrutinizer05> kyak: (2008) indeed
<kyak> sure, sure, but such reports only make me more suspicious and paranoid :)
<DocScrutinizer05> (who knows how many times) indeed 2
<DocScrutinizer05> anyway pretty 'recent' https://bugzilla.suse.com/show_bug.cgi?id=961721#c16
<DocScrutinizer05> not even on security sites yet
<kyak> people react fast
<DocScrutinizer05> I think it worked the other way round: they went CVE-public after the code got tested and available
<DocScrutinizer05> prior to that it looked like https://www.suse.com/security/cve/CVE-2015-7547.html
<DocScrutinizer05> >> Description ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.<<
<kyak> ah yeah, makes sense
<kyak> btw, the PoC dns server indeed crashes not only the test client, but any other application that attempts dns resolving (it segfaults)
<kyak> where there is a segfault, there is an opportunity for remote code execution, if i understand correctly
<larsc> not always
<larsc> time to reboot all the machines though
<kyak> this is how fast you updated? :)
<larsc> too slow?
<larsc> everything exploited already?
<kyak> you still have a chance, if you reboot now!
<larsc> already rebooted a few hours ago when the announcement came out
<DocScrutinizer05> how does reboot help? you need updates first, no?
sandeepkr has quit [Ping timeout: 264 seconds]
<DocScrutinizer05> kyak: is there a *public* PoC server?
<DocScrutinizer05> kyak: anyway yes, when you suffered an exploit of this vuln, your app prolly would _not_ segfault
pcercuei has joined #qi-hardware
<DocScrutinizer05> as a rule of thumb when it segfaults the process terminates and can't do further malicious stuff, so exploits will try to keep the process alive
<kyak> DocScrutinizer05: don't know if there is a public PoC server, i ran the code from github url above
<DocScrutinizer05> :nod:
<DocScrutinizer05> would be funny to have an IP ready
<DocScrutinizer05> of course you can run a LAN-local rogue server on your company's LAN ;-) BOFH leisure fun
<DocScrutinizer05> kyak: do you still have the thing working? could you test for me how much output a "host -a ct.de" produces before the process segfaults? does it show the DNS server IP before it goes south?
<DocScrutinizer05> would be a lame prank if the user could tell from stdout remnants that there's sth odd with the DNS server IP used
<DocScrutinizer05> sure you could handle this inside routes on router....
<kyak> here is what it says:
<kyak> $ host -a ct.de 192.168.1.2
<kyak> Trying "ct.de"
<kyak> Trying "ct.de"
<kyak> ;; Warning: Message parser reports malformed message packet.
<kyak> ;; Question section mismatch: got ./NS/CLASS25460
<kyak> so it actually doesn't segfault.. However, another application that uses getaddrinfo, segfaults
<DocScrutinizer05> hehe
alexst has joined #qi-hardware
<DocScrutinizer05> now how would we make shodan search for DNS servers that publish rogue packets?
<kyak> when querying the DNS server in TCP mode, funny thing happens
<kyak> it spits out the 2985 bytes packet in terminal
<DocScrutinizer05> wow
<kyak> dig +tcp @89.169.53.112 google.com
<kyak> i exposed the dns server for a while :)
<DocScrutinizer05> that's already sort of an exploit, since you could add esc sequences and other funny stuff
<DocScrutinizer05> :-D
<DocScrutinizer05> LOL
<DocScrutinizer05> many thanks
<kyak> this works for dig and nslookup, but host seems to handle this problem more gracefully
<DocScrutinizer05> yep
<kyak> if you have dig, you can try that
<DocScrutinizer05> did
<DocScrutinizer05> fun
<kyak> i'll shut it down now :)
<DocScrutinizer05> what would actually segfault?
<DocScrutinizer05> oooooo!
<kyak> this is a simple app written in TCL that segfaults
<DocScrutinizer05> I guess it also depends on whether my app actually is supposed to use IPv6 aka AAAA, no?
<kyak> you only need python2 to play around with the PoC dns server, so.. :)
<DocScrutinizer05> I know
<DocScrutinizer05> via internet it feels so much more 'real' ;-)
<kyak> they mentioned in the report that disabling ipv6 won't help
<DocScrutinizer05> ah
alexst has quit [Ping timeout: 252 seconds]
alexst has joined #qi-hardware
<DocScrutinizer05> allegedly a >>apt update && apt upgrade<< is due already
<DocScrutinizer05> I can't comment, RPM here
jwhitmore has quit [Ping timeout: 276 seconds]
larsc has quit [Remote host closed the connection]
lars__ has joined #qi-hardware
lars__ is now known as larsc
Luke-Jr has joined #qi-hardware
sandeepkr has joined #qi-hardware
pcercuei has quit [Quit: dodo]
sandeepkr_ has joined #qi-hardware
sandeepkr has quit [Ping timeout: 265 seconds]
sandeepkr__ has joined #qi-hardware
sandeepkr__ has quit [Remote host closed the connection]
sandeepkr_ has quit [Ping timeout: 260 seconds]
enyc_ has joined #qi-hardware
dos11 has joined #qi-hardware
newcup has quit [*.net *.split]
enyc has quit [*.net *.split]
dos1 has quit [*.net *.split]
alexst has quit [Quit: leaving]