Explore a 26-minute Black Hat conference talk that delves into the systematic exploration and exploitation of logic vulnerabilities in DNS response pre-processing. Learn about the TuDoor attack, which reveals three new types of logic vulnerabilities in DNS implementations. The presenters demonstrate how malformed DNS response packets can be used for DNS cache poisoning (completing in less than 1 second), denial-of-service, and resource consumption attacks. The research shows that 24 mainstream DNS software implementations, including BIND, PowerDNS, and Microsoft DNS, are vulnerable to these attacks. The speakers share their findings from testing 16 Wi-Fi routers, 6 router operating systems, 42 public DNS services, and approximately 1.8 million open DNS resolvers, revealing that TuDoor could exploit 7 routers/OSes, 18 public DNS services, and 424,652 open DNS resolvers. The talk covers the responsible disclosure process, resulting in 33 CVE IDs and acknowledgments from major vendors like BIND, Chrome, Cloudflare, and Microsoft. Visit tudoor.net for comprehensive details and the full CVE list. Presented by Qi Wang (PhD Student, Tsinghua University), Xiang Li (Associate Professor, Nankai University), and Chuhan Wang (PhD Candidate, Tsinghua University).
Syllabus
TuDoor Attack: Systematically Exploring and Exploiting Logic Vulnerabilities
Taught by
Black Hat