BIND 9.5.0-P2 (randomized ports) Remote DNS Cache Poisoning Exploit

ID 1337DAY-ID-9240
Type zdt
Reporter Zbr
Modified 2008-08-13T00:00:00


Exploit for multiple platforms in category remote exploits

Successfully poisoned the latest BIND with fully randomized ports!

The exploit had to send more than 130 thousand requests for fake records to be able to match the port and ID and insert a poisoned entry
for the

# dig @localhost +norecurse

; <<>> DiG 9.5.0-P2 <<>> @localhost +norecurse
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6950
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;                  IN      A

;; AUTHORITY SECTION:           73557   IN      NS

;; ADDITIONAL SECTION:  73557   IN      A

# named -v
BIND 9.5.0-P2

BIND used a fully randomized source port range, i.e. around 64000 ports.
Two attacking servers, connected to the attacked one via a GigE link, were used;
each one attacked 1-2 ports with the full ID range. Usually an attacking server is able
to send about 40-50 thousand fake replies before the remote server returns the
correct one, so if the port was matched, the probability of successful poisoning is more than 60%.

The attack took about half a day, i.e. a bit less than 10 hours.
So, if you have a GigE LAN, any trojaned machine can poison your DNS during one night...
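The traffic pattern behind a port/ID brute force like the one described above is a flood of DNS replies that hit the resolver but match no query it actually sent. The following detector is an added example, not code from the original post or from the BIND project; it assumes a hypothetical resolver-side log format (one line per outgoing query or incoming reply) and uses constructed sample lines with documentation-range addresses. It pairs each reply with an open query by (port, transaction ID, name), counts replies that match nothing per source address, and flags sources whose unsolicited-reply count crosses a threshold.

```python
"""Detect bursts of unsolicited DNS replies (port/ID guessing) in a
constructed resolver log.

Assumed log format (hypothetical, not from the original post):
  outgoing query : "Q <ts> <src_port> <txid> <qname>"
  incoming reply : "R <ts> <dst_port> <txid> <qname> <src_ip>"
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Stats:
    matched: int = 0       # replies that closed an open query
    unsolicited: int = 0   # replies whose (port, txid, qname) matched nothing


def analyze(lines, window=2.0):
    """Return {src_ip: Stats} for every address that sent replies.

    A query opens a pending slot keyed by (port, txid, qname); a reply that
    hits an open slot closes it and counts as matched, anything else counts
    as unsolicited. Slots older than `window` seconds are expired, so a late
    legitimate reply is not mistaken for forgery forever.
    """
    pending = {}                     # (port, txid, qname) -> timestamp
    per_src = defaultdict(Stats)
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        kind, ts = parts[0], float(parts[1])
        for key in [k for k, t in pending.items() if ts - t > window]:
            del pending[key]
        if kind == "Q":
            port, txid, qname = int(parts[2]), int(parts[3]), parts[4]
            pending[(port, txid, qname)] = ts
        elif kind == "R":
            port, txid, qname, src = int(parts[2]), int(parts[3]), parts[4], parts[5]
            key = (port, txid, qname)
            if key in pending:
                del pending[key]
                per_src[src].matched += 1
            else:
                per_src[src].unsolicited += 1
    return dict(per_src)


def alerts(stats, threshold=100):
    """Source addresses whose unsolicited-reply count reaches the threshold."""
    return sorted(src for src, s in stats.items() if s.unsolicited >= threshold)


def build_sample_log():
    """Constructed sample: two legitimate exchanges with the real upstream
    (192.0.2.53) and 300 forged replies from 198.51.100.7 that each guess a
    different (port, txid) while a query for www.example.test. is open.
    """
    lines = [
        "Q 0.000 41234 6950 example.test.",
        "R 0.020 41234 6950 example.test. 192.0.2.53",
        "Q 0.100 52001 1234 www.example.test.",
    ]
    for i in range(300):
        ts = 0.101 + i * 0.0001
        port = 30000 + (i % 2)          # guesses never hit the real port 52001
        txid = (i * 7) % 65536
        lines.append(f"R {ts:.4f} {port} {txid} www.example.test. 198.51.100.7")
    lines.append("R 0.500 52001 1234 www.example.test. 192.0.2.53")
    return lines


if __name__ == "__main__":
    stats = analyze(build_sample_log())
    for src, s in sorted(stats.items()):
        print(f"{src:15} matched={s.matched:4d} unsolicited={s.unsolicited:4d}")
    print("alert:", alerts(stats))
```

On the constructed log the upstream 192.0.2.53 ends with 2 matched and 0 unsolicited replies, while 198.51.100.7 accumulates 300 unsolicited replies and is the only address reported by `alerts`. On a real resolver the threshold should be tuned against the baseline rate of late or duplicate replies, which is normally tiny compared with the tens of thousands of guesses per query that the post describes.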

original source:

# [2018-04-12]  #