remote code exec in dnsmasq

<opsec.767.1iv4v3@anon.com>

https://news.novabbs.org/computers/article-flat.php?id=193&group=rocksolid.shared.security#193
Path: i2pn2.org!i2pn.org!rocksolid2!.POSTED.novabbs-internal!not-for-mail
From: poster@anon.com (Anonymous)
Newsgroups: rocksolid.shared.security
Subject: remote code exec in dnsmasq
Date: Wed, 20 Jan 2021 05:30:11 -0800
Organization: def2
Message-ID: <opsec.767.1iv4v3@anon.com>
Content-Type: text/plain; charset=UTF-8
Injection-Info: novabbs.org; posting-account="def2"; posting-host="novabbs-internal:10.136.143.187";
logging-data="32622"; mail-complaints-to="usenet@novabbs.org"
 by: Anonymous - Wed, 20 Jan 2021 13:30 UTC

https://www.jsof-tech.com/wp-content/uploads/2021/01/DNSpooq_Technical-Whitepaper.pdf

CVE-2020-25681: Heap-based buffer overflow with arbitrary overwrite

Thank fuck I am on tor and don't rely on DNS.

--
Posted on def2

Re: remote code exec in dnsmasq

<ru9gi5$el1$1@shakotay.alphanet.ch>

https://news.novabbs.org/computers/article-flat.php?id=194&group=rocksolid.shared.security#194
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!3.eu.feeder.erje.net!feeder.erje.net!news.alphanet.ch!alphanet.ch!.POSTED.localhost!news.alphanet.ch!not-for-mail
From: schaefer@alphanet.ch (Marc SCHAEFER)
Newsgroups: rocksolid.shared.security
Subject: Re: remote code exec in dnsmasq
Date: Wed, 20 Jan 2021 16:00:21 +0100 (CET)
Organization: Posted through ALPHANET (https://news.alphanet.ch/)
Lines: 4
Message-ID: <ru9gi5$el1$1@shakotay.alphanet.ch>
References: <opsec.767.1iv4v3@anon.com>
Injection-Info: shakotay.alphanet.ch; posting-host="localhost:127.0.0.1";
logging-data="15010"; mail-complaints-to="usenet@alphanet.ch"
User-Agent: tin/2.4.3-20181224 ("Glen Mhor") (UNIX) (Linux/4.19.0-13-amd64 (x86_64))
 by: Marc SCHAEFER - Wed, 20 Jan 2021 15:00 UTC

Anonymous <poster@anon.com> wrote:
> Thank fuck I am on tor and don't rely on DNS.

However, your IP router might well run dnsmasq.

Re: remote code exec in dnsmasq

<a5c363938980657088f898e6d9482201$1@retrobbs.i2p>

https://news.novabbs.org/computers/article-flat.php?id=195&group=rocksolid.shared.security#195
Path: i2pn2.org!rocksolid3!.POSTED.localhost!not-for-mail
From: anonuser@rocksolidbbs.com.remove-32i-this (AnonUser)
Newsgroups: rocksolid.shared.security
Subject: Re: remote code exec in dnsmasq
Date: Wed, 20 Jan 2021 18:47:38 +0000
Organization: RetroBBS
Message-ID: <a5c363938980657088f898e6d9482201$1@retrobbs.i2p>
References: <ru9gi5$el1$1@shakotay.alphanet.ch>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Info: rocksolidbbs.com; posting-host="localhost:127.0.0.1";
logging-data="28205"; mail-complaints-to="usenet@rocksolidbbs.com"
User-Agent: Rocksolid Light (news.novabbs.com/getrslight)
To: Marc SCHAEFER
X-Comment-To: Marc SCHAEFER
In-Reply-To: <ru9gi5$el1$1@shakotay.alphanet.ch>
X-FTN-PID: Synchronet 3.17a-Linux Dec 29 2018 GCC 6.3.0
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on rocksolidbbs.com
X-Rslight-Site: $2y$10$tWHVdNSWjfmEmMThFnknsOqusFZuzTxR3Zzm5F1bdBUnop3PLcV.W
X-Gateway: rocksolidbbs.com [Synchronet 3.17a-Linux NewsLink 1.110]
 by: AnonUser - Wed, 20 Jan 2021 18:47 UTC

To: Marc SCHAEFER
Is there a way to check which dns server software is being used? I mean other than having full login access to whatever it runs.
--
Posted on RetroBBS
retrobbs.i2p

Re: remote code exec in dnsmasq

<rua126$cic$1@def5.org>

https://news.novabbs.org/computers/article-flat.php?id=196&group=rocksolid.shared.security#196
Path: i2pn2.org!i2pn.org!rocksolid2!def5!.POSTED.bogusentry!not-for-mail
From: guest@retrobbs.rocksolidbbs.com (Guest)
Newsgroups: rocksolid.shared.security
Subject: Re: remote code exec in dnsmasq
Date: Wed, 20 Jan 2021 13:25:22 -0500
Organization: Dancing elephants
Lines: 11
Message-ID: <rua126$cic$1@def5.org>
References: <a5c363938980657088f898e6d9482201$1@retrobbs.i2p>
Reply-To: Guest <guest@retrobbs.rocksolidbbs.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Wed, 20 Jan 2021 19:41:58 -0000 (UTC)
Injection-Info: def5.org; posting-host="bogusentry:192.168.1.189";
logging-data="12876"; mail-complaints-to="usenet@def5.org"
User-Agent: FUDforum 3.0.7
X-FUDforum: 6666cd76f96956469e7be39d750cc7d9 <529338>
 by: Guest - Wed, 20 Jan 2021 18:25 UTC

>However, your IP router might well run dnsmasq.

Yes, that is true. I consider my router to be compromised anyway, and don't trust it.
I don't see though how this would compromise my tor setup. The authority tor nodes are hardcoded into tor (with their ip addresses), and everything after should be safe I think. I could be wrong of course.

There was some way to use dns to deanonymize tor users, but it worked differently (see: https://nakedsecurity.sophos.com/2016/10/05/unmasking-tor-users-with-dns/)

>Is there a way to check which dns server software is being used? I mean other than having full login access to whatever it runs.

If you can find out the system of your router, it should be easy to verify.

Or you run the attack against your own router (bit more effort).

--
Posted on def3

Re: remote code exec in dnsmasq

<rubb1i$vbi$1@shakotay.alphanet.ch>

https://news.novabbs.org/computers/article-flat.php?id=197&group=rocksolid.shared.security#197
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.uzoreto.com!news.alphanet.ch!alphanet.ch!.POSTED.localhost!news.alphanet.ch!not-for-mail
From: schaefer@alphanet.ch (Marc SCHAEFER)
Newsgroups: rocksolid.shared.security
Subject: Re: remote code exec in dnsmasq
Date: Thu, 21 Jan 2021 08:38:26 +0100 (CET)
Organization: Posted through ALPHANET (https://news.alphanet.ch/)
Lines: 5
Message-ID: <rubb1i$vbi$1@shakotay.alphanet.ch>
References: <ru9gi5$el1$1@shakotay.alphanet.ch> <a5c363938980657088f898e6d9482201$1@retrobbs.i2p>
Injection-Info: shakotay.alphanet.ch; posting-host="localhost:127.0.0.1";
logging-data="32115"; mail-complaints-to="usenet@alphanet.ch"
User-Agent: tin/2.4.3-20181224 ("Glen Mhor") (UNIX) (Linux/4.19.0-13-amd64 (x86_64))
 by: Marc SCHAEFER - Thu, 21 Jan 2021 07:38 UTC

AnonUser <anonuser@rocksolidbbs.com.remove-32i-this> wrote:
> Is there a way to check which dns server software is being used? I mean other than having full login access to whatever it runs.

I would assume that if it has a Linux or BSD OS, and it has a DNS
functionality, it is dnsmasq.
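
A check that needs no login on the device, added here as an example and not part of any post in this thread: it assumes the usual dnsmasq behaviour of answering a CHAOS-class TXT query for `version.bind` with a `dnsmasq-<version>` string. All function names are this example's own, and the sample reply with its `dnsmasq-0.00` version is constructed.

```python
import os, socket, struct
TYPE_TXT, CLASS_CH = 16, 3  # TXT record type, CHAOS class

def build_query(txid, name="version.bind"):
    """Wire-format query for <name> CH TXT: header (RD set) plus one question."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    hdr = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    return hdr + qname + struct.pack("!2H", TYPE_TXT, CLASS_CH)

def skip_name(msg, off):
    """Offset just past a (possibly compressed) name; IndexError if truncated."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]               # ordinary label: length byte + label
    return off + (2 if msg[off] else 1)   # 2-byte pointer or 1-byte root label

def parse_banner(msg, txid):
    """First CH TXT string in a response, or None if refused or empty."""
    try:
        rid, flags, qd, an = struct.unpack_from("!4H", msg)
        if rid != txid or not flags & 0x8000:
            raise ValueError("not a response to this query")
        if flags & 0x000F or an == 0:     # RCODE set (e.g. REFUSED) or no answer
            return None
        off = 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4  # name + QTYPE + QCLASS
        for _ in range(an):
            off = skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            (rdata,) = struct.unpack_from(f"!{rdlen}s", msg, off + 10)
            if rtype == TYPE_TXT and rclass == CLASS_CH and rdata:
                return rdata[1:1 + rdata[0]].decode("ascii", "replace")
            off += 10 + rdlen
        return None
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed message") from None

def ask(server, timeout=3.0):
    """Query a resolver you administer over UDP/53 and return its banner."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(txid), (server, 53))
        return parse_banner(s.recv(512), txid)

def constructed_reply(txid, text=b"dnsmasq-0.00"):
    """Constructed sample answer (placeholder version) for offline testing."""
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(text) + 1)
    return (struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0) + build_query(txid)[12:]
            + rr + bytes([len(text)]) + text)
```

`ask()` takes the address of your own router or resolver; a `None` result only means the query was refused or the banner is switched off, not that the device runs something other than dnsmasq. Compare a returned version against the fixed release named in the advisory for your device.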

Re: remote code exec in dnsmasq

<rubb4k$vmp$1@shakotay.alphanet.ch>

https://news.novabbs.org/computers/article-flat.php?id=198&group=rocksolid.shared.security#198
Path: i2pn2.org!i2pn.org!news.samoylyk.net!news.alphanet.ch!alphanet.ch!.POSTED.localhost!news.alphanet.ch!not-for-mail
From: schaefer@alphanet.ch (Marc SCHAEFER)
Newsgroups: rocksolid.shared.security
Subject: Re: remote code exec in dnsmasq
Date: Thu, 21 Jan 2021 08:40:04 +0100 (CET)
Organization: Posted through ALPHANET (https://news.alphanet.ch/)
Lines: 12
Message-ID: <rubb4k$vmp$1@shakotay.alphanet.ch>
References: <a5c363938980657088f898e6d9482201$1@retrobbs.i2p> <rua126$cic$1@def5.org>
Injection-Info: shakotay.alphanet.ch; posting-host="localhost:127.0.0.1";
logging-data="32474"; mail-complaints-to="usenet@alphanet.ch"
User-Agent: tin/2.4.3-20181224 ("Glen Mhor") (UNIX) (Linux/4.19.0-13-amd64 (x86_64))
 by: Marc SCHAEFER - Thu, 21 Jan 2021 07:40 UTC

Guest <guest@retrobbs.rocksolidbbs.com> wrote:
> Yes, that is true. I consider my router to be compromised anyway, and don't trust it.

If you have a firewall behind your router, protecting the router from
accessing your internal network, then you are presumably safe, if using
tor only.

Else, the router could use vulnerabilities in your OS software
(including any printer, webcam, etc) or in one of your applications or
configuration.

:)
