Nintendo 3DS DNS Client Resolver Predictable TXID
Posted on 13 April 2017
Nintendo: 3DS DNS Client Resolver Library Uses Predictable TXID I bought a New Nintendo 3DS XL (US) with firmware 11.2.0-35U, and I've noticed that that DNS client resolved on the 3DS uses a simple incrementing TXID for lookups. This does not provide enough entropy to prevent remote attackers from spoofing responses. (For example, see MS08-020 when this happened to Microsoft, although theirs was just not very random, yours is just incrementing so it's even worse). Note: this can also work behind NAT, because that just session matches and UDP has no ISN to verify. <a href="https://blogs.technet.microsoft.com/srd/2008/04/09/ms08-020-how-predictable-is-the-dns-transaction-id/" title="" class="" rel="nofollow">https://blogs.technet.microsoft.com/srd/2008/04/09/ms08-020-how-predictable-is-the-dns-transaction-id/</a> In general, you need an unpredictable src port (16 bits) and dns txid (16 bits) to prevent a remote attacker from spoofing responses. An example attack scenario would be someone using the browser to visit attacker.com. User visits attacker.com Attacker forces a lookup to asdad839qd.attacker.com via <img src> or whatever. Now attacker can guess your resolver, etc. Attacker create an <iframe> to nintendo.com Attacker spoofs dns responses saying nintendo.com is an address he controls. Attacker can now send javascript and read document.cookie, etc. That's just an example, I don't know if you also download any software or anything else without authentication. If you do, then those can obviously be spoofed and the impact is worse. Reproduce: Run tcpdump on some egress point on your network. Open the browser and lookup blahblahtest1.com, blahblahtest2.com, etc. Notice the requests are easy to guess. I had to send this via HackerOne, as Nintendo are not easy to contact. <a href="https://hackerone.com/nintendo" title="" class="" rel="nofollow">https://hackerone.com/nintendo</a> This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public. Found by: taviso
