BIND 9.5.0-P2 (randomized ports) Remote DNS Cache Poisoning Exploit
2008-08-13T00:00:00
ID 1337DAY-ID-9240 Type zdt Reporter Zbr Modified 2008-08-13T00:00:00
Description
Exploit for multiple platforms in category remote exploits
===================================================================
BIND 9.5.0-P2 (randomized ports) Remote DNS Cache Poisoning Exploit
===================================================================
Successfully poisoned the latest BIND with fully randomized ports!
The exploit had to send more than 130 thousand requests for fake records like
131737-4795-15081.blah.com in order to match both the port and the ID and insert a poisoned entry
for poisoned_dns.blah.com.
# dig @localhost www.blah.com +norecurse
; <<>> DiG 9.5.0-P2 <<>> @localhost www.blah.com +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6950
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.blah.com. IN A
;; AUTHORITY SECTION:
www.blah.com. 73557 IN NS poisoned_dns.blah.com.
;; ADDITIONAL SECTION:
poisoned_dns.blah.com. 73557 IN A 1.2.3.4
# named -v
BIND 9.5.0-P2
BIND used a fully randomized source port range, i.e. around 64000 ports.
Two attacking servers, connected to the attacked one via a GigE link, were used;
each one attacked 1-2 ports with the full ID range. Usually an attacking server is able
to send about 40-50 thousand fake replies before the remote server returns the
correct one, so if the port was matched the probability of successful poisoning is more than 60%.
The attack took about half a day, i.e. a bit less than 10 hours.
So, if you have a GigE LAN, any trojaned machine can poison your DNS during one night...
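The attack described above only works because the resolver is driven to issue a very large number of lookups for never-repeating names under one zone (131737-4795-15081.blah.com and the like), which is visible in the resolver's own query log. The check below is an added example, not part of the original post or of BIND; the query-log line shape, the client addresses and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed query-log line shape (constructed to resemble BIND 9 query logging):
# "<date> <time> queries: info: client <ip>#<port>: query: <name> IN <type> + (<server-ip>)"
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")

# A leading label built only from digits and hyphens is treated as "random-looking",
# matching the 131737-4795-15081 style of names quoted in the write-up.
RANDOM_LABEL_RE = re.compile(r"^[0-9]+(-[0-9]+)*$")


def parent_zone(name: str) -> str:
    """Approximate the zone being targeted as the last two labels of the query name."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def random_subdomain_queries(log_lines):
    """Count distinct random-looking hostnames per (client, zone) across the log."""
    names_seen = defaultdict(set)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name")
        labels = name.rstrip(".").split(".")
        if len(labels) < 3 or not RANDOM_LABEL_RE.match(labels[0]):
            continue
        names_seen[(m.group("client"), parent_zone(name))].add(name)
    return {key: len(names) for key, names in names_seen.items()}


def flag_poisoning_attempts(log_lines, threshold=1000):
    """Return (client, zone) pairs whose count of distinct random names reaches threshold."""
    return sorted(k for k, n in random_subdomain_queries(log_lines).items() if n >= threshold)


# Constructed sample log: one client hammering blah.com with unique random names,
# plus two ordinary lookups from another client that must not be flagged.
SAMPLE_LOG = [
    f"13-Aug-2008 10:{i // 60:02d}:{i % 60:02d}.000 queries: info: client 10.0.0.5#{40000 + i % 1000}: "
    f"query: {i}-{i * 7 % 10000}-{i * 13 % 65536}.blah.com IN A + (10.0.0.1)"
    for i in range(1200)
] + [
    "13-Aug-2008 10:20:00.000 queries: info: client 10.0.0.9#51234: query: www.blah.com IN A + (10.0.0.1)",
    "13-Aug-2008 10:20:01.000 queries: info: client 10.0.0.9#51235: query: mail.example.net IN MX + (10.0.0.1)",
]

if __name__ == "__main__":
    print(flag_poisoning_attempts(SAMPLE_LOG))
```

In the real incident the count per zone ran above 130 thousand, so the threshold can be set far higher than normal wildcard or CDN traffic would ever produce from a single client.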
original source: http://tservice.net.ru/~s0mbre/blog/2008/08/08/
http://inj3ct0r.com/sploits/9240.tgz
# 0day.today [2018-04-12] #