BIND 9.5.0-P2 - 'Randomized Ports' Remote DNS Cache Poisoning

13 Aug 2008 00:00:00 | Reported by Zbr | Type: exploitdb | Source: www.exploit-db.com

BIND 9.5.0-P2 DNS Cache Poisoning through Randomized Port

Code
Successfully poisoned the latest BIND with fully randomized ports!

The exploit had to send more than 130 thousand requests for fake records like
131737-4795-15081.blah.com in order to match the port and ID and insert a poisoned entry
for poisoned_dns.blah.com.

# dig @localhost www.blah.com +norecurse

; <<>> DiG 9.5.0-P2 <<>> @localhost www.blah.com +norecurse
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6950
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.blah.com.                  IN      A

;; AUTHORITY SECTION:
www.blah.com.           73557   IN      NS      poisoned_dns.blah.com.

;; ADDITIONAL SECTION:
poisoned_dns.blah.com.  73557   IN      A       1.2.3.4

# named -v
BIND 9.5.0-P2

BIND used a fully randomized source port range, i.e. around 64000 ports.
Two attacking servers, connected to the attacked one via a GigE link, were used;
each one attacked 1-2 ports with the full ID range. Usually an attacking server is able
to send about 40-50 thousand fake replies before the remote server returns the
correct one, so if the port was matched, the probability of successful poisoning is more than 60%.

The attack took about half a day, i.e. a bit less than 10 hours.
So, if you have a GigE LAN, any trojaned machine can poison your DNS during one night...
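As an added illustration (not part of the original write-up), the following Python model quantifies what the figures above imply: with about 64000 source ports, a 16-bit transaction ID and 40-50 thousand forged replies per window, it estimates the chance that one bogus query succeeds and the expected forged traffic an attacker must spend, with and without port randomization. The values 45000 replies per window (the midpoint of the text's range) and 3 ports targeted per attempt are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PoisoningModel:
    """Work model for the port+ID guessing attack described in the write-up.

    ports:   size of the resolver's randomized source-port range
    ids:     size of the transaction ID space (16 bits)
    replies: forged replies an attacker lands before the real answer arrives
    """
    ports: int
    ids: int
    replies: int

    def p_id_hit(self) -> float:
        # Each forged reply tries one distinct ID; the chance of covering the
        # real ID is replies/ids, capped at 1 when the whole space is flooded.
        return min(1.0, self.replies / self.ids)

    def p_attempt(self, ports_targeted: int) -> float:
        # One bogus query succeeds only if the resolver's chosen port is among
        # those the forged replies are aimed at AND the ID is covered.
        return min(1.0, ports_targeted / self.ports) * self.p_id_hit()

    def expected_queries(self, ports_targeted: int) -> float:
        # Geometric trials: expected number of bogus queries until success.
        return 1.0 / self.p_attempt(ports_targeted)

    def expected_forged_packets(self, ports_targeted: int) -> float:
        # Every attempt floods `replies` packets at each targeted port, so the
        # total work comes out independent of how many ports are targeted.
        return self.expected_queries(ports_targeted) * ports_targeted * self.replies


# Figures from the write-up: ~64000 ports, 16-bit IDs, 40-50k replies per
# window (45000 used as the midpoint; an assumption).
RANDOMIZED = PoisoningModel(ports=64000, ids=65536, replies=45000)
# The same resolver with a single fixed source port, for comparison.
FIXED_PORT = PoisoningModel(ports=1, ids=65536, replies=45000)


def work_multiplier(ports_targeted: int = 3) -> float:
    """How much more forged traffic port randomization forces, in this model."""
    return (RANDOMIZED.expected_forged_packets(ports_targeted)
            / FIXED_PORT.expected_forged_packets(1))


if __name__ == "__main__":
    print(f"P(ID hit | port matched) = {RANDOMIZED.p_id_hit():.2f}")
    print(f"expected bogus queries (3 ports/attempt) = {RANDOMIZED.expected_queries(3):,.0f}")
    print(f"expected forged packets = {RANDOMIZED.expected_forged_packets(3):,.0f}")
    print(f"port randomization work multiplier = {work_multiplier():,.0f}x")
```

The model shows why the text's "more than 60%" holds once the port is matched, and that randomizing the port multiplies the attacker's expected forged traffic by roughly the size of the port range, which a GigE link can still absorb within hours.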

original source: http://tservice.net.ru/~s0mbre/blog/2008/08/08/

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/6236.tgz (2008-dns-bind.tgz)

# milw0rm.com [2008-08-13]
