Dnstt v1.20210812.0 (security)

I released v1.20210812.0 of dnstt. This is a security release that fixes an injection vulnerability in the dnstt-server log file.

The dnstt-server log message “NXDOMAIN: not authoritative for %s” contains a potentially attacker-controlled name. Because DNS labels may contain any byte value, the log message allowed an attacker to write arbitrary bytes to the dnstt-server log, with a variety of possible effects:

  • A label containing a newline character (\x0a) could break the format of the log, or inject false log lines.
  • Log output to a terminal could contain terminal escape sequences which could, for example, change the color of text, or have even worse effects with older terminal emulators.
  • DNS names with a label that contained the dot character (\x2e) would be logged in an ambiguous way, with the intra-label dot appearing as a label separator.

DNS names are now logged using backslash hex escapes for unusual bytes. This vulnerability was called to mind by the USENIX Security 2021 research paper “Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS” by Jeitner and Shulman.
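
The escaping described above, as an added Go example that is not dnstt's own code: it renders an uncompressed wire-format name for logging, passing through only letters, digits and "-" and writing every other byte (including an intra-label dot and the backslash itself) as \xHH. The function name escapeName, the choice of safe bytes and the sample name are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// escapeName converts an uncompressed wire-format DNS name (length-prefixed
// labels ending in a zero byte) into a string that is safe to write to a log.
// Assumed safe set: letters, digits and '-'. Everything else becomes \xHH.
func escapeName(wire []byte) (string, error) {
	var buf strings.Builder
	for i := 0; i < len(wire); {
		n := int(wire[i])
		i++
		if n == 0 { // terminating root label
			if buf.Len() == 0 {
				return ".", nil
			}
			return buf.String(), nil
		}
		if n > 63 || i+n > len(wire) { // pointer bits set, or truncated
			return "", errors.New("bad label length")
		}
		if buf.Len() > 0 {
			buf.WriteByte('.') // a bare '.' only ever separates labels
		}
		for _, b := range wire[i : i+n] {
			if b == '-' || ('0' <= b && b <= '9') || ('A' <= b && b <= 'Z') || ('a' <= b && b <= 'z') {
				buf.WriteByte(b)
			} else {
				fmt.Fprintf(&buf, "\\x%02x", b)
			}
		}
		i += n
	}
	return "", errors.New("name not terminated")
}

func main() {
	// Constructed sample with three labels: "a.b", "x\nFAKE", "example".
	name, err := escapeName([]byte("\x03a.b\x06x\nFAKE\x07example\x00"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("NXDOMAIN: not authoritative for %s\n", name)
}
```

With this rendering the newline and the intra-label dot in the sample stay on one log line as \x0a and \x2e, so the three labels remain distinguishable.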