Cesanta Mongoose
cpe:2.3:a:cesanta:mongoose:*:*:*:*:*:*:*
- <= 7.20
A vulnerability in Cesanta Mongoose versions through 7.20 allows for DNS spoofing attacks by exploiting predictable transaction IDs in the DNS request handling. The issue arises in the 'mg_sendnsreq' function within the 'src/dns.c' file, where transaction IDs are generated using a sequential counter that resets to 1 when the request list is empty. This flaw creates a constant transaction ID of 1 for all non-overlapping DNS queries, enabling attackers to reliably spoof DNS responses without prior traffic observation. The vulnerability can be exploited remotely by sending UDP packets with a spoofed source IP, bypassing DNS authentication and gaining control over hostname resolution. This could lead to man-in-the-middle attacks, credential theft, or redirection to malicious servers.
The vulnerability reduces the effective entropy of DNS transaction IDs from 16 bits to zero, allowing attackers to spoof DNS responses with complete reliability. This manipulation can be used to intercept and redirect traffic intended for legitimate servers, potentially leading to the theft of credentials or sensitive information. In the context of Mongoose's built-in TCP/IP stack, the vulnerability is exacerbated by predictable TCP sequence numbers, further facilitating attacks on established connections.
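The transaction-ID behaviour described above, modelled here as an added example rather than Mongoose's own `src/dns.c` code (the `pending_req` struct, the function names and the injectable RNG are assumptions made for illustration), next to a CSPRNG-based generator with collision retry and the receiver-side match check a resolver should apply to every reply:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One outstanding DNS query as a resolver client tracks it (assumed layout). */
struct pending_req {
  uint16_t txnid;
  char name[64];
  struct pending_req *next;
};

/* Weak scheme modelled on the advisory: continue from the newest outstanding
 * request's ID, or restart at 1 when nothing is pending. Every query sent
 * while the list is empty therefore carries ID 1: zero bits of entropy. */
uint16_t weak_next_txnid(const struct pending_req *head) {
  return head ? (uint16_t) (head->txnid + 1) : 1;
}

/* 16 bits from the OS CSPRNG (POSIX /dev/urandom; aborts if unavailable). */
uint16_t urandom_u16(void) {
  uint16_t v = 0;
  FILE *f = fopen("/dev/urandom", "rb");
  if (f == NULL || fread(&v, sizeof v, 1, f) != 1) {
    if (f != NULL) fclose(f);
    fputs("no entropy source available\n", stderr);
    exit(1);
  }
  fclose(f);
  return v;
}

static int txnid_in_use(const struct pending_req *head, uint16_t id) {
  for (; head != NULL; head = head->next)
    if (head->txnid == id) return 1;
  return 0;
}

/* Hardened scheme: random ID, re-drawn on collision with an in-flight query so
 * that reply matching stays unambiguous. The RNG is injected to keep it testable. */
uint16_t strong_next_txnid(uint16_t (*rng)(void), const struct pending_req *head) {
  uint16_t id;
  do {
    id = rng();
  } while (txnid_in_use(head, id));
  return id;
}

/* Receiver-side check: a reply is accepted only when both its transaction ID
 * and its question name match an outstanding query; returns NULL otherwise. */
struct pending_req *response_matches(struct pending_req *head, uint16_t id,
                                     const char *qname) {
  for (; head != NULL; head = head->next)
    if (head->txnid == id && strcmp(head->name, qname) == 0) return head;
  return NULL;
}

/* Number of distinct values in ids[0..n): 1 means a reply needs no guessing. */
int count_distinct(const uint16_t *ids, int n) {
  int distinct = 0;
  for (int i = 0; i < n; i++) {
    int seen = 0;
    for (int j = 0; j < i; j++) if (ids[j] == ids[i]) { seen = 1; break; }
    if (!seen) distinct++;
  }
  return distinct;
}

/* Constructed, deterministic sequence (5, 5, 9, 42, ...) used only to show the
 * collision retry in strong_next_txnid; it is a test stub, not an RNG. */
static const uint16_t demo_seq[] = {5, 5, 9, 42};
static size_t demo_pos = 0;
uint16_t demo_fixed_rng(void) {
  uint16_t v = demo_seq[demo_pos % 4];
  demo_pos++;
  return v;
}
void demo_fixed_rng_reset(void) { demo_pos = 0; }

int main(void) {
  uint16_t weak[8], strong[8];
  for (int i = 0; i < 8; i++) {  /* non-overlapping queries: list empty each time */
    weak[i] = weak_next_txnid(NULL);
    strong[i] = strong_next_txnid(urandom_u16, NULL);
  }
  printf("weak scheme: %d distinct IDs over 8 queries\n", count_distinct(weak, 8));
  printf("random scheme: %d distinct IDs over 8 queries\n", count_distinct(strong, 8));

  struct pending_req q = {5, "example.test", NULL};
  printf("reply id=5 for example.test accepted: %s\n",
         response_matches(&q, 5, "example.test") ? "yes" : "no");
  printf("reply id=5 for other.test accepted: %s\n",
         response_matches(&q, 5, "other.test") ? "yes" : "no");
  return 0;
}
```

Running `main` shows the weak scheme producing a single distinct ID across all non-overlapping queries, which is the zero-entropy condition the advisory describes, while the CSPRNG scheme spreads IDs over the full 16-bit space. The collision retry matters because a random ID may equal one already in flight; re-drawing keeps each reply attributable to exactly one query. Checking the question name as well as the ID is a cheap receiver-side mitigation that costs nothing even when IDs are already random.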
The vulnerability can be reproduced by sending a spoofed DNS response with a transaction ID of 1 and a malicious IP address to a Mongoose application that is actively resolving DNS queries. This can be done using the provided proof-of-concept scripts, which automate the process of spoofing the DNS response and demonstrating the successful interception of the DNS query.