I released v1.20210812.0 of dnstt. This is a security release that fixes an injection vulnerability in the dnstt-server log file.
- dnstt-20210812.zip (sig, key)
The dnstt-server log message "NXDOMAIN: not authoritative for %s" contains a potentially attacker-controlled name. Because DNS labels may contain any byte value, the log message allowed an attacker to write arbitrary bytes to the dnstt-server log, with a variety of possible effects:
- A label containing a newline character (\x0a) could break the format of the log, or inject false log lines.
- Log output to a terminal could contain terminal escape sequences which could, for example, change the color of text, or have even worse effects with older terminal emulators.
- DNS names with a label that contained the dot character (\x2e) would be logged in an ambiguous way, with the intra-label dot appearing as a label separator.
DNS names are now logged using backslash hex escapes for unusual bytes. This vulnerability was called to mind by the USENIX Security 2021 research paper “Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS” by Jeitner and Shulman.
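
The following Go example is added here and is not taken from dnstt. It shows one way to log a DNS name with backslash hex escapes, next to the raw form that caused the problem. It assumes that "unusual bytes" means anything outside printable ASCII, plus space, the dot and the backslash inside a label; the function names escapeLabel, nameForLog and nameRaw are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeLabel returns a log-safe form of a single DNS label. Bytes that are
// not printable ASCII, plus space, '.' and '\', become \xHH (assumed policy).
func escapeLabel(label []byte) string {
	var b strings.Builder
	for _, c := range label {
		if c <= 0x20 || c >= 0x7f || c == '.' || c == '\\' {
			fmt.Fprintf(&b, "\\x%02x", c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// nameForLog escapes each label, then joins with dots, so every dot in the
// output is a real label separator and no raw control byte reaches the log.
func nameForLog(labels [][]byte) string {
	parts := make([]string, len(labels))
	for i, l := range labels {
		parts[i] = escapeLabel(l)
	}
	return strings.Join(parts, ".")
}

// nameRaw is the unsafe form: label bytes are copied into the log unchanged.
func nameRaw(labels [][]byte) string {
	parts := make([]string, len(labels))
	for i, l := range labels {
		parts[i] = string(l)
	}
	return strings.Join(parts, ".")
}

func main() {
	// Constructed sample name covering the three effects listed above:
	// a newline, a terminal escape sequence, and a dot inside a label.
	name := [][]byte{[]byte("a\nfake line"), []byte("\x1b[31mred"), []byte("b.c"), []byte("example")}
	fmt.Printf("NXDOMAIN: not authoritative for %s\n", nameRaw(name))    // unsafe
	fmt.Printf("NXDOMAIN: not authoritative for %s\n", nameForLog(name)) // escaped
}
```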