Fuzzing DNS Zone Parsers
8 days ago
- #Fuzzing
- #DNS
- #Security
- Frederic Cambus used AFL to fuzz DNS zone parsers, starting with statzone and then moving to other parsers like validns, BIND, NSD, and Knot.
- Fuzzing validns 0.8 quickly revealed NULL pointer dereferences in the functions name2findable_name() and nsec_validate_pass2().
- NSD's nsd-checkzone was found to have two critical issues: an out-of-bounds read and a stack-based buffer overflow (CVE-2019-13207).
- The NSD fuzzing run lasted over 16 days and produced 167 unique crashes, which were then triaged to separate the genuine issues from duplicates and noise.
- Both identified issues in NSD were fixed and slated for release in NSD 4.2.2.
- Fuzzing ldns with ldns-read-zone for 12 days only produced assertion-triggering crashes, not exploitable vulnerabilities.
- The author highlights the challenges of sorting through crashes to identify valid issues and the educational value of analyzing third-party code.
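The issues summarized above (an out-of-bounds read and a stack-based buffer overflow in a zone-file parser) are the classic failure modes of a tokenizer that copies fields from untrusted input into fixed buffers without checking lengths. The following is an added example, not code from Frederic Cambus's post nor from statzone, validns, BIND, NSD, Knot or ldns: a small bounds-checked parser for one zone-file line in the common `owner TTL IN type rdata` form, with an entry point `parse_zone_line()` that takes an explicit length so an AFL-style harness can feed it arbitrary bytes. The field limits, the `struct zone_record` layout and the sample lines are assumptions made for this illustration.

```c
/* Added example: bounds-checked parsing of one DNS zone-file line.
 * Illustrative code, not taken from any of the parsers named in the post. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>

#define MAX_NAME  255   /* RFC 1035 limit on a presentation-format name */
#define MAX_TYPE  16    /* assumed: enough for any RR type mnemonic */
#define MAX_RDATA 1024  /* assumed cap for rdata in presentation form */

struct zone_record {
    char owner[MAX_NAME + 1];
    unsigned long ttl;
    char type[MAX_TYPE + 1];
    char rdata[MAX_RDATA + 1];
};

/* Copy the next whitespace-delimited token from *p (never reading past end)
 * into dst. Returns the token length, or -1 if the token is empty or would
 * not fit in dst; the caller's buffer is never written beyond cap-1 bytes. */
static int next_token(const char **p, const char *end, char *dst, size_t cap)
{
    while (*p < end && isspace((unsigned char)**p)) (*p)++;
    const char *start = *p;
    while (*p < end && !isspace((unsigned char)**p)) (*p)++;
    size_t len = (size_t)(*p - start);
    if (len == 0 || len >= cap) return -1;
    memcpy(dst, start, len);
    dst[len] = '\0';
    return (int)len;
}

/* Parse one line of the form: owner TTL IN type rdata
 * The input need not be NUL-terminated; len bounds every read.
 * Returns 0 on success, -1 on any malformed, truncated or oversized field. */
int parse_zone_line(const char *line, size_t len, struct zone_record *out)
{
    const char *p = line, *end = line + len;
    char ttl_buf[16], class_buf[8];
    memset(out, 0, sizeof *out);

    if (next_token(&p, end, out->owner, sizeof out->owner) < 0) return -1;
    if (next_token(&p, end, ttl_buf, sizeof ttl_buf) < 0) return -1;
    if (next_token(&p, end, class_buf, sizeof class_buf) < 0) return -1;
    if (next_token(&p, end, out->type, sizeof out->type) < 0) return -1;

    /* TTL must be all digits: strtoul alone would accept "-1" or "12abc". */
    for (const char *q = ttl_buf; *q; q++)
        if (!isdigit((unsigned char)*q)) return -1;
    char *endp;
    out->ttl = strtoul(ttl_buf, &endp, 10);
    if (*endp != '\0') return -1;
    if (strcmp(class_buf, "IN") != 0) return -1;

    /* The remainder of the line is rdata; copy it with an explicit bound
     * instead of a strcpy into a fixed stack buffer. */
    while (p < end && isspace((unsigned char)*p)) p++;
    size_t rlen = (size_t)(end - p);
    while (rlen > 0 && isspace((unsigned char)p[rlen - 1])) rlen--;
    if (rlen == 0 || rlen > MAX_RDATA) return -1;
    memcpy(out->rdata, p, rlen);
    out->rdata[rlen] = '\0';
    return 0;
}

/* Stand-alone driver: parses every line of the file given on the command
 * line, which is the shape of input a file-based fuzzer supplies. */
int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s zonefile\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "r");
    if (!f) { perror("fopen"); return 2; }
    char line[4096];
    struct zone_record rec;
    int bad = 0;
    while (fgets(line, sizeof line, f)) {
        if (parse_zone_line(line, strlen(line), &rec) == 0)
            printf("%s ttl=%lu type=%s rdata=%s\n",
                   rec.owner, rec.ttl, rec.type, rec.rdata);
        else
            bad++;
    }
    fclose(f);
    printf("%d malformed line(s)\n", bad);
    return 0;
}
```

Built with an instrumenting compiler such as `afl-clang-fast` and started with a seed directory of a few valid zone lines (`afl-fuzz -i seeds -o findings -- ./parser @@`), this driver gives a fuzzer the same file-in, verdict-out shape that nsd-checkzone and ldns-read-zone expose; the point of the explicit `len` parameter and the per-field caps is that an oversized owner name or rdata field is reported as malformed rather than written past the end of a fixed buffer, which is exactly the class of crash a fuzzing run like the one described above is designed to surface.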