Nintendo 3DS DNS Client Resolver Predictable TXID

The Nintendo 3DS DNS client resolver library uses a predictable (incremented) TXID allowing for the spoofing of responses.


MD5 | 1a36d85c0eeb7997eb6742ffbdb2d91c

 Nintendo: 3DS DNS Client Resolver Library Uses Predictable TXID 




I bought a New Nintendo 3DS XL (US) with firmware 11.2.0-35U, and I've noticed that that DNS client resolved on the 3DS uses a simple incrementing TXID for lookups. This does not provide enough entropy to prevent remote attackers from spoofing responses. (For example, see MS08-020 when this happened to Microsoft, although theirs was just not very random, yours is just incrementing so it's even worse). Note: this can also work behind NAT, because that just session matches and UDP has no ISN to verify.

<a href="https://blogs.technet.microsoft.com/srd/2008/04/09/ms08-020-how-predictable-is-the-dns-transaction-id/" title="" class="" rel="nofollow">https://blogs.technet.microsoft.com/srd/2008/04/09/ms08-020-how-predictable-is-the-dns-transaction-id/</a>

In general, you need an unpredictable src port (16 bits) and dns txid (16 bits) to prevent a remote attacker from spoofing responses.

An example attack scenario would be someone using the browser to visit attacker.com.

User visits attacker.com
Attacker forces a lookup to asdad839qd.attacker.com via <img src> or whatever.
Now attacker can guess your resolver, etc.
Attacker create an <iframe> to nintendo.com
Attacker spoofs dns responses saying nintendo.com is an address he controls.
Attacker can now send javascript and read document.cookie, etc.
That's just an example, I don't know if you also download any software or anything else without authentication.

If you do, then those can obviously be spoofed and the impact is worse.

Reproduce:

Run tcpdump on some egress point on your network.
Open the browser and lookup blahblahtest1.com, blahblahtest2.com, etc.
Notice the requests are easy to guess.

I had to send this via HackerOne, as Nintendo are not easy to contact.

<a href="https://hackerone.com/nintendo" title="" class="" rel="nofollow">https://hackerone.com/nintendo</a>

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.




Found by: taviso


Related Posts

Comments