CVE-2020-25686

LOW

dnsmasq < 2.83 - DNS Cache Poisoning via Birthday Attack

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-25686. PoCs published by knqyf263.

AI-analyzed exploit summary This repository contains a proof-of-concept exploit for DNS cache poisoning in dnsmasq (CVE-2020-25686). The exploit leverages DNS spoofing to poison the cache, redirecting queries for a target domain to an attacker-controlled IP.

Description

A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. This flaw allows an off-path attacker on the network to substantially reduce the number of attempts that it would have to perform to forge a reply and have it accepted by dnsmasq. This issue is mentioned in the "Birthday Attacks" section of RFC5452. If chained with CVE-2020-25684, the attack complexity of a successful attack is reduced. The highest threat from this vulnerability is to data integrity.

Exploits (1)

nomisec WORKING POC 100 stars

by knqyf263 · poc

https://github.com/knqyf263/dnspooq

View Code ZIP pw:eip

This repository contains a proof-of-concept exploit for DNS cache poisoning in dnsmasq (CVE-2020-25686). The exploit leverages DNS spoofing to poison the cache, redirecting queries for a target domain to an attacker-controlled IP.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Moderate

Reliability

Racy

Target: dnsmasq (versions affected by CVE-2020-25686)

No auth needed

Prerequisites: Network access to the target DNS server · Ability to send spoofed DNS responses

MITRE ATT&CK