From: Dave Taht
To: cerowrt-devel@lists.bufferbloat.net
Date: Tue, 18 Sep 2018 10:30:03 -0700
Subject: Re: [Cerowrt-devel] [Dnsmasq-discuss] CERT Vulnerability VU#598349
In-Reply-To: Simon Kelley's message of "Sat, 8 Sep 2018 18:17:51 +0100"

As best as I recall, cerowrt enabled wpad for itself and thus was immune
to this bug. Still... do upgrade off of cerowrt if you haven't already?

Simon Kelley writes:

> https://www.kb.cert.org/vuls/id/598349
>
> The essence of this is that an attacker can get a DHCP lease whilst
> claiming the name "wpad" and thus insert the name wpad.example.com in
> the local DNS pointing at the attacker's machine. The presence of that A
> record allows control of the proxy settings of any browser in the network.
>
> It's already possible to mitigate this: adding
>
> 0.0.0.0 wpad wpad.example.com
> :: wpad.wpad.example.com
>
> to /etc/hosts will generate harmless A and AAAA records which override
> those that may be created by DHCP leases.
>
> The currently unreleased 2.80 version of dnsmasq adds the
> dhcp-name-match option, which allows
>
> dhcp-name-match=set:wpad-ignore,wpad
> dhcp-ignore-names=tag:wpad-ignore
>
> which stops the attack at source.
>
> The question is, should the above configuration be "baked in" to the code?
>
> Cheers,
>
> Simon.
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
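A defender-side check for the lease-name problem Simon describes, added here as an example and not code from this thread or from dnsmasq itself: it scans dnsmasq lease-file lines (constructed sample data) for clients that claimed the "wpad" name, and checks whether a dnsmasq.conf fragment carries the 2.80 dhcp-name-match / dhcp-ignore-names pair wired to the same tag. The lease-file column order and the config regexes are assumptions about dnsmasq's documented formats.

```python
import re

# Constructed sample of dnsmasq's lease file (/var/lib/misc/dnsmasq.leases):
#   <expiry-epoch> <MAC> <IP> <client-hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1537290000 00:11:22:33:44:55 192.168.1.50 laptop 01:00:11:22:33:44:55
1537290100 66:77:88:99:aa:bb 192.168.1.51 wpad 01:66:77:88:99:aa:bb
1537290200 cc:dd:ee:ff:00:11 192.168.1.52 * *
1537290300 22:33:44:55:66:77 192.168.1.53 WPAD.example.com *
"""

# Client-supplied names that must never become local DNS records: a host
# answering as "wpad" can push proxy settings to every browser on the LAN.
SENSITIVE_NAMES = {"wpad"}

def suspicious_leases(leases_text, sensitive=SENSITIVE_NAMES):
    """Return (ip, mac, hostname) for each lease whose claimed name has a
    sensitive first label (case-insensitive, FQDN or bare label)."""
    hits = []
    for line in leases_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue            # malformed line: skip, do not guess
        _expiry, mac, ip, hostname = fields[:4]
        if hostname == "*":
            continue            # client sent no name at all
        if hostname.split(".")[0].lower() in sensitive:
            hits.append((ip, mac, hostname))
    return hits

# Mitigation check on dnsmasq.conf text. dnsmasq only drops a client name when
# dhcp-name-match sets a tag AND dhcp-ignore-names acts on that same tag; a
# bare "dhcp-ignore-names" (no tag, ignores every name) is not handled here.
NAME_MATCH = re.compile(r"^dhcp-name-match=set:([\w-]+),(\S+)", re.M)
IGNORE_NAMES = re.compile(r"^dhcp-ignore-names=tag:([\w-]+)", re.M)

def ignored_client_names(conf_text):
    """Return the client names the config refuses to add to local DNS."""
    ignored_tags = set(IGNORE_NAMES.findall(conf_text))
    return {name.lower() for tag, name in NAME_MATCH.findall(conf_text)
            if tag in ignored_tags}

# Constructed config fragments: the fix from the thread, and a broken half of it.
CONF_FIXED = "dhcp-name-match=set:wpad-ignore,wpad\ndhcp-ignore-names=tag:wpad-ignore\n"
CONF_HALF = "dhcp-name-match=set:wpad-ignore,wpad\n"   # tag set, never acted on

if __name__ == "__main__":
    for ip, mac, name in suspicious_leases(SAMPLE_LEASES):
        print(f"lease {ip} ({mac}) claims sensitive name {name!r}")
    print("wpad ignored by fixed conf:", "wpad" in ignored_client_names(CONF_FIXED))
```

Run it against a copy of the real lease file and config on a dnsmasq router to confirm no client currently holds the name and that the 2.80 mitigation is fully wired, not just half of it.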