Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS

by Philipp Jeitner, et al.

The traditional design principle for Internet protocols states: "Be strict when sending and tolerant when receiving" [RFC1958], and DNS is no exception. The transparency of DNS in handling DNS records, also standardised specifically for DNS [RFC3597], is one of the key features that made it such a popular platform facilitating a constantly increasing number of new applications. An application simply creates a new DNS record and can instantly start distributing it over DNS without requiring any changes to the DNS servers and platforms. Our Internet-wide study confirms that more than 1.3M (96% of tested) open DNS resolvers are standards-compliant and treat DNS records transparently. In this work we show that this 'transparency' introduces a severe vulnerability in the Internet: we demonstrate a new method to launch string injection attacks by encoding malicious payloads into DNS records. We show how to weaponise such DNS records to attack popular applications. For instance, we apply string injection to launch a new type of DNS cache poisoning attack, which we evaluated against a population of open resolvers and found 105K to be vulnerable. Such cache poisoning cannot be prevented with common setups of DNSSEC. Our attacks apply to internal as well as to public services; for instance, we reveal that all eduroam services are vulnerable to our injection attacks, allowing us to launch exploits ranging from unauthorised access to eduroam networks to resource starvation. Depending on the application, our attacks cause system crashes, data corruption and leakage, degradation of security, and can introduce remote code execution and arbitrary errors. In our evaluation of the attacks on the Internet we find that all the standards-compliant open DNS resolvers we tested allow our injection attacks against applications and users on their networks.
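The abstract's point is that DNS carries record bytes transparently, so a name or record that arrives from a resolver can contain bytes (newlines, NULs, quotes, separators) that only become dangerous once an application treats them as text. The following Python is an added illustration written for this page, not code from the paper or its authors: it decodes a DNS name from wire format while keeping every byte, renders it with escaping for logs, and admits it as a hostname only if every label is plain letter/digit/hyphen syntax. The sample messages, and the `decode_wire_name`, `present_name` and `safe_hostname` helper names, are constructed for the example.

```python
"""Decode DNS names from wire format without trusting their contents.

Added illustration (not code from the paper): DNS carries label bytes
transparently, so a name returned by a resolver may contain bytes that are
meaningful to the consuming application. The decoder keeps every byte, the
presenter escapes unsafe bytes for display/logging, and the validator admits
only hostname (LDH) syntax before the name reaches other code.
"""
from __future__ import annotations

import re

# One hostname label: letters, digits, hyphen; 1-63 chars; no leading/trailing hyphen.
# fullmatch is used below because `$` alone would accept a trailing newline.
_LDH_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
MAX_NAME_LEN = 253


def decode_wire_name(msg: bytes, offset: int = 0) -> tuple[list[bytes], int]:
    """Parse the DNS name starting at `offset` in `msg`.

    Returns the raw labels (bytes, untouched) and the offset just past the name.
    Follows compression pointers (RFC 1035 section 4.1.4) but rejects pointer
    loops and truncated data.
    """
    labels: list[bytes] = []
    end: int | None = None
    seen_pointers: set[int] = set()
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: 11xxxxxx + one more byte
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            if target in seen_pointers:
                raise ValueError("pointer loop")
            seen_pointers.add(target)
            if end is None:
                end = offset + 2  # the name in the message ends after the first pointer
            offset = target
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        offset += 1
        if length == 0:  # root label terminates the name
            return labels, end if end is not None else offset
        label = msg[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label)  # any byte value is legal here; nothing is filtered
        offset += length


def present_label(label: bytes) -> str:
    """Presentation form of one label with unsafe bytes escaped as \\DDD (RFC 4343 style)."""
    out = []
    for b in label:
        if b < 0x21 or b > 0x7E:          # control bytes, space, DEL, non-ASCII
            out.append(f"\\{b:03d}")
        elif b in (0x2E, 0x5C):           # '.' and '\' are syntactically special
            out.append("\\" + chr(b))
        else:
            out.append(chr(b))
    return "".join(out)


def present_name(labels: list[bytes]) -> str:
    """Dotted presentation form for logs; never contains raw control bytes."""
    return ".".join(present_label(label) for label in labels) or "."


def safe_hostname(labels: list[bytes]) -> str | None:
    """Return the name as a hostname string only if every label is LDH syntax.

    Anything else (empty name, over-long name, label with bytes outside
    letters/digits/hyphen) yields None, so injected content never flows on.
    """
    if not labels:
        return None
    parts = []
    for label in labels:
        try:
            text = label.decode("ascii")
        except UnicodeDecodeError:
            return None
        if not _LDH_LABEL.fullmatch(text):
            return None
        parts.append(text)
    name = ".".join(parts)
    return name if len(name) <= MAX_NAME_LEN else None


# Constructed sample names in wire format (not captured traffic).
ORDINARY = b"\x03www\x07example\x03com\x00"
# A label carrying a newline: legal on the wire, hostile to a line-oriented log or config parser.
INJECTED = b"\x09evil\nroot\x03com\x00"

if __name__ == "__main__":
    for raw in (ORDINARY, INJECTED):
        labels, _ = decode_wire_name(raw)
        print("log form :", present_name(labels))
        print("hostname :", safe_hostname(labels))
```

The split between `present_name` and `safe_hostname` is deliberate: a record should be escaped whenever it is written somewhere a human or a parser reads it, and separately validated against the syntax the consuming code actually expects (a hostname here; a TXT value or an address would need its own check) before it is used in a command, a configuration line or another protocol message.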




