myhack58佚名MYHACK58:62201565275
HistoryAug 02, 2015 - 12:00 a.m.

One packet to take down a DNS server: the BIND vulnerability - vulnerability warning - Black Bar Safety Net

2015-08-02 00:00:00
Author: 佚名 (anonymous)
www.myhack58.com

CVSS2: 7.8 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

EPSS: 0.973 High
Percentile: 99.8%

On 28 July 2015, BIND 9, the world's most widely used DNS server, disclosed a serious denial-of-service vulnerability, CVE-2015-5477.

A little background: DNS is the service that maps domain names to IP addresses. When you visit google.com, your computer asks the DNS server of your neighbourhood what the IP address of google.com is. If a neighbour happens to have just visited google.com, that DNS server returns the IP directly from its cache; otherwise it asks Google's official DNS server, obtains the IP address of google.com and returns it to you. The neighbourhood DNS server is called a recursive DNS; if a recursive DNS goes down, the region it serves loses access to the Internet. Google's official DNS server is called an authoritative DNS; if the authoritative DNS goes down, the sites it serves vanish from the face of the earth.

[image: DNS recursive queries ([image source](http://www.technicalinfo.net/papers/Pharming.html))]

How serious is this vulnerability? Sending a single UDP packet is enough to take down a DNS server. Whether it is a recursive DNS or an authoritative DNS, and whatever BIND 9's configuration, as soon as the BIND 9 process receives this packet it throws an exception and the service terminates.

LUG DNS maintainer Roy Zhang learned of this vulnerability from the Debian Security Advisory and quickly applied the patch. I wrote a PoC to test some DNS servers, knocked the school's DNS down, and reported it to james at the network centre, who later sent his thanks. Testing showed that most operators' DNS servers and some of the smaller public DNS servers are also affected by this vulnerability. More than 72 hours have now passed since the vulnerability was disclosed, but this serious vulnerability has still not received enough attention. Now that the PoC (proof-of-concept exploit code) has been released, I also want to share the process of writing it.

Where the vulnerability is

To learn about vulnerabilities in time, subscribe to the security tracker of the distribution you care about. In Debian's advisory for this vulnerability, for example, the Source column links to the vulnerability's CVE entry and to other distributions' security advisories. The description reads:

named in ISC BIND 9.x before 9.9.7-P2 and 9.10.x before 9.10.2-P3 allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via TKEY queries.
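As an added example (not part of the original article), a small inventory check that turns the version ranges quoted in the advisory above into a yes/no verdict from `named -v` output; the host names in the sample inventory are constructed.

```python
import re

# Fixed releases named in the advisory quoted above.
# Affected: "9.x before 9.9.7-P2" and "9.10.x before 9.10.2-P3".
FIXED_9_9 = (9, 9, 7, 2)    # 9.9.7-P2
FIXED_9_10 = (9, 10, 2, 3)  # 9.10.2-P3

# Matches "9.9.7-P2", "9.10.2", ...; the -P suffix is BIND's patch level.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?")


def parse_bind_version(text):
    """Return (major, minor, patch, plevel) from a BIND version string such
    as the output of `named -v` ("BIND 9.9.7-P2"), or None if no version is
    present. A missing -P suffix counts as patch level 0."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(text):
    """True if the version lies in a range the advisory calls vulnerable,
    False if not, None if no version can be parsed.

    Caveat: distributions such as Debian backport the fix without changing
    the upstream version number, so True only means "check the package
    changelog", not proof that the server is still vulnerable."""
    v = parse_bind_version(text)
    if v is None:
        return None
    if v[0] != 9:
        return False                 # the advisory covers 9.x only
    if v[:2] == (9, 10):
        return v < FIXED_9_10        # 9.10.x before 9.10.2-P3
    return v < FIXED_9_9             # any other 9.x before 9.9.7-P2


# Constructed sample inventory (hosts are made up): "host<TAB>named -v output"
SAMPLE_INVENTORY = """ns1\tBIND 9.9.7-P1
ns2\tBIND 9.10.2-P3
ns3\tBIND 9.8.4-P2
ns4\tBIND 9.9.5-3ubuntu0.2-Ubuntu"""


def triage(inventory):
    """Map each host in the inventory to its verdict (True/False/None)."""
    verdicts = {}
    for line in inventory.splitlines():
        host, _, banner = line.partition("\t")
        verdicts[host] = is_affected(banner)
    return verdicts
```

ns4 in the sample is flagged only because its upstream version is old; a distribution build like that needs the package changelog consulted before it is treated as vulnerable.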

The best way to understand the vulnerability further is the source code: what did the BIND 9 code change to fix it, and where was the bug? Google turns up the BIND 9 source tree on Gitweb, and in its commit log this line:

2015-07-14 Mark Andrews add CVE-2015-5477

This is only the changelog entry; the real code change is in the commit before it. Walking back through the commit log finds the actual code modification.

![commit log screenshot](/Article/UploadPic/2015-8/201582165044286.png)

The attentive reader may have noticed that the commit is dated 14 July 2015, half a month earlier! Yes, that is how vulnerability fixing and disclosure works:

  1. Someone reports the vulnerability; at this point only the reporter and the BIND 9 security team know about it.
  2. BIND 9 fixes the vulnerability.
  3. Some "important vendors" are notified, including the major distributions and large partner companies.
  4. The fix is published at the negotiated time.

If you watch the repositories of some open source projects, you will notice security vulnerabilities being fixed while the web turns up almost nothing about them. A few days later the CVE database has an entry, each distribution publishes its security advisory, and media such as Hacker News begin to cover it. In other words, by the time we learn of a vulnerability through the "official channels", it is no longer a 0-day, not even a 1-day.

Disaster from an ASSERTION

Back to business. The fix for this vulnerability is very simple: just add the line name = NULL;. The advisory says that an illegal packet causes an assertion to fail and the daemon to exit.

A DNS query is a UDP packet that asks a question; the DNS server responds with a UDP packet that carries the answer. Query and response share the same packet format, made up of the question, answer, authority and additional sections.

[image: DNS request format (image source not recovered)]

The problematic code block is this one, in the dns_tkey_processquery function:

![dns_tkey_processquery code screenshot](/Article/UploadPic/2015-8/201582165046917.png)

The calling sequence is as follows:

  1. From the QUESTION section of the DNS request, find the query name and store it in qname. For example, when we query google.com, the QUESTION section contains one question whose name is google.com.
  2. From the ADDITIONAL section of the request, find the record whose name matches qname and store it in name. In a legitimate TKEY request this is the transaction key (not important here; interested readers can look at RFC 2930).
  3. If it is not found in the ADDITIONAL section, try the ANSWER section. (Did the Win2000 developers have a brain cramp? This is obviously a problem, but they put the TKEY into the answer section, and so here it is.)
