[CVE-2021-25220] Add tests for forwarder cache poisoning scenarios [v9_16]submit/tizen/20230227.082123

See merge request isc-projects/bind9!6106

https://kb.isc.org/v1/docs/cve-2021-25220

Change-Id: Id7d2ddf2c9a1aed1e78dbbabccf4dec17ffe59c0

8 files changed, 165 insertions, 4 deletions

diff --git a/bin/tests/system/forward/clean.sh b/bin/tests/system/forward/clean.sh
index 46a8a87c..70f9a0e3 100644
--- a/bin/tests/system/forward/clean.sh
+++ b/bin/tests/system/forward/clean.sh
@@ -10,9 +10,11 @@
 #
 # Clean up after forward tests.
 #
+rm -f ./ans11/query.log
 rm -f ./dig.out.*
 rm -f ./*/named.conf
 rm -f ./*/named.memstats
 rm -f ./*/named.run ./*/named.run.prev
+rm -f ./*/named_dump.db
 rm -f ./ns*/named.lock
 rm -f ./ns*/managed-keys.bind*
diff --git a/bin/tests/system/forward/ns1/named.conf.in b/bin/tests/system/forward/ns1/named.conf.in
index 282e76bb..b195ec93 100644
--- a/bin/tests/system/forward/ns1/named.conf.in
+++ b/bin/tests/system/forward/ns1/named.conf.in
@@ -60,3 +60,23 @@ zone "sld.tld" {
 zone "example6" {
 	type forward;
 };
+
+zone "diditwork.net" {
+	type primary;
+	file "diditwork.net.db";
+};
+
+zone "spoofed.net" {
+	type primary;
+	file "spoofed.net.db";
+};
+
+zone "sub.local.net" {
+	type primary;
+	file "sub.local.net.db";
+};
+
+zone "net.example.lll" {
+	type master;
+	file "net.example.lll";
+};
diff --git a/bin/tests/system/forward/ns2/tld.db b/bin/tests/system/forward/ns2/tld.db
index 61b6569b..819210dc 100644
--- a/bin/tests/system/forward/ns2/tld.db
+++ b/bin/tests/system/forward/ns2/tld.db
@@ -10,3 +10,9 @@ $TTL 300	; 5 minutes
 ns			A	10.53.0.2
 sld			NS	ns.sld
 ns.sld			A	10.53.0.1
+local			NS	ns.local
+ns.local		A	10.53.0.9
+sibling			NS	ns.sibling
+ns.sibling		A	10.53.0.4
+sibling			NS	ns.sub.local
+ns.sub.local		A	10.53.0.10
diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in
index fee76b41..92cbd8b3 100644
--- a/bin/tests/system/forward/ns4/named.conf.in
+++ b/bin/tests/system/forward/ns4/named.conf.in
@@ -60,3 +60,8 @@ zone "malicious." {
 	type master;
 	file "malicious.db";
 };
+
+zone "sibling.tld" {
+	type primary;
+	file "sibling.tld.db";
+};
diff --git a/bin/tests/system/forward/ns8/named.conf.in b/bin/tests/system/forward/ns8/named.conf.in
index 531ff59e..f752eae8 100644
--- a/bin/tests/system/forward/ns8/named.conf.in
+++ b/bin/tests/system/forward/ns8/named.conf.in
@@ -26,3 +26,8 @@ zone "." {
 	type hint;
 	file "root.db";
 };
+
+zone "sub.local.tld" {
+	type primary;
+	file "sub.local.tld.db";
+};
diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh
index 285ecc9d..b89cb300 100644
--- a/bin/tests/system/forward/setup.sh
+++ b/bin/tests/system/forward/setup.sh
@@ -20,3 +20,5 @@ copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns7/named.conf.in ns7/named.conf
 copy_setports ns8/named.conf.in ns8/named.conf
+copy_setports ns9/named1.conf.in ns9/named.conf
+copy_setports ns10/named.conf.in ns10/named.conf
diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh
index fc3822cf..4361ab25 100644
--- a/bin/tests/system/forward/tests.sh
+++ b/bin/tests/system/forward/tests.sh
@@ -229,6 +229,127 @@ grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
+#
+# Check various spoofed response scenarios. The same tests will be
+# run twice, with "forward first" and "forward only" configurations.
+#
+run_spooftests () {
+    n=$((n+1))
+    echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
+    ret=0
+    # prime
+    dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
+    # check 'net' is not poisoned.
+    dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
+    grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1
+    # check 'sub.local.net' is not poisoned.
+    dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
+    grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    n=$((n+1))
+    echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
+    ret=0
+    # prime
+    dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
+    # check that net2/DNAME is not cached
+    dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
+    grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1
+    grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
+    n=$((n+1))
+    echo_i "checking spoofed response scenario 3 - extra answer ($n)"
+    ret=0
+    # prime
+    dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1
+    # check extra net3 records are not cached
+    rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i
+    for try in 1 2 3 4 5; do
+        lines=$(grep "net3" ns9/named_dump.db | wc -l)
+        if [ ${lines} -eq 0 ]; then
+                sleep 1
+                continue
+        fi
+        [ ${lines} -eq 1 ] || ret=1
+        grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1
+        grep -q '^local.net3' ns9/named_dump.db && ret=1
+    done
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+}
+
+echo_i "checking spoofed response scenarios with forward first zones"
+run_spooftests
+
+copy_setports ns9/named2.conf.in ns9/named.conf
+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 1
+
+echo_i "rechecking spoofed response scenarios with forward only zones"
+run_spooftests
+
+#
+# This scenario expects the spoofed response to succeed. The tests are
+# similar to the ones above, but not identical.
+#
+echo_i "rechecking spoofed response scenarios with 'forward only' set globally"
+copy_setports ns9/named3.conf.in ns9/named.conf
+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 1
+
+n=$((n+1))
+echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
+ret=0
+# prime
+dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
+# check 'net' is poisoned.
+dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
+grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1
+# check 'sub.local.net' is poisoned.
+dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
+grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
+ret=0
+# prime
+dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
+# check that net2/DNAME is cached
+dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
+grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1
+grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+#
+# This test doesn't use any forwarder clauses but is here because it
+# is similar to forwarders, as the set of servers that can populate
+# the namespace is defined by the zone content.
+#
+echo_i "rechecking spoofed response scenarios glue below local zone"
+copy_setports ns9/named4.conf.in ns9/named.conf
+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 1
+
+n=$((n+1))
+echo_i "checking sibling glue below zone ($n)"
+ret=0
+# prime
+dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1
+# check for glue A record for sub.local.tld is not used
+dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1
+grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1
+grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
 
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh
index 41b0182f..cd6377d7 100755
--- a/bin/tests/system/ifconfig.sh
+++ b/bin/tests/system/ifconfig.sh
@@ -12,10 +12,10 @@
 #
 # Set up interface aliases for bind9 system tests.
 #
-# IPv4: 10.53.0.{1..10}				RFC 1918
+# IPv4: 10.53.0.{1..11}				RFC 1918
 #       10.53.1.{1..2}
 #       10.53.2.{1..2}
-# IPv6: fd92:7065:b8e:ffff::{1..10}		ULA
+# IPv6: fd92:7065:b8e:ffff::{1..11}		ULA
 #       fd92:7065:b8e:99ff::{1..2}
 #       fd92:7065:b8e:ff::{1..2}
 #
@@ -65,7 +65,7 @@ case "$1" in
 		  2) ipv6="00" ;;
 		  *) ipv6="" ;;
 		esac
-		for ns in 1 2 3 4 5 6 7 8 9 10
+		for ns in 1 2 3 4 5 6 7 8 9 10 11
 		do
 			[ $i -gt 0 -a $ns -gt 2 ] && break
 			int=`expr $i \* 10 + $ns`
@@ -165,7 +165,7 @@ case "$1" in
 		  2) ipv6="00" ;;
 		  *) ipv6="" ;;
 		esac
-		for ns in 10 9 8 7 6 5 4 3 2 1
+		for ns in 11 10 9 8 7 6 5 4 3 2 1
 		do
 			[ $i -gt 0 -a $ns -gt 2 ] && continue
 			int=`expr $i \* 10 + $ns - 1`