41 lines
No EOL
1.5 KiB
Text
41 lines
No EOL
1.5 KiB
Text
Successfully poisoned the latest BIND with fully randomized ports!
|
|
|
|
Exploit required to send more than 130 thousand of requests for the fake records like
|
|
131737-4795-15081.blah.com to be able to match port and ID and insert poisoned entry
|
|
for the poisoned_dns.blah.com.
|
|
|
|
# dig @localhost www.blah.com +norecurse
|
|
|
|
; <<>> DiG 9.5.0-P2 <<>> @localhost www.blah.com +norecurse
|
|
; (1 server found)
|
|
;; global options: printcmd
|
|
;; Got answer:
|
|
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6950
|
|
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
|
|
|
|
;; QUESTION SECTION:
|
|
;www.blah.com. IN A
|
|
|
|
;; AUTHORITY SECTION:
|
|
www.blah.com. 73557 IN NS poisoned_dns.blah.com.
|
|
|
|
;; ADDITIONAL SECTION:
|
|
poisoned_dns.blah.com. 73557 IN A 1.2.3.4
|
|
|
|
# named -v
|
|
BIND 9.5.0-P2
|
|
|
|
BIND used fully randomized source port range, i.e. around 64000 ports.
|
|
Two attacking servers, connected to the attacked one via GigE link, were used,
|
|
each one attacked 1-2 ports with full ID range. Usually attacking server is able
|
|
to send about 40-50 thousands fake replies before remote server returns the
|
|
correct one, so if port was matched probability of the successful poisoning is more than 60%.
|
|
|
|
Attack took about half of the day, i.e. a bit less than 10 hours.
|
|
So, if you have a GigE lan, any trojaned machine can poison your DNS during one night...
|
|
|
|
original source: http://tservice.net.ru/~s0mbre/blog/2008/08/08/
|
|
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/6236.tgz (2008-dns-bind.tgz)
|
|
|
|
# milw0rm.com [2008-08-13] |