BIND 9.5.0-P2 - 'Randomized Ports' Remote DNS Cache Poisoning

Author: Zbr
type: remote
platform: multiple
port: 
date_added: 2008-08-12 
date_updated: 2017-09-08 
verified: 1 
codes:  
tags: 
aliases: 2008-dns-bind.tgz 
screenshot_url:  
application_url: http://www.exploit-db.comBIND9.5.0-P2.zip

Successfully poisoned the latest BIND with fully randomized ports!

Exploit required to send more than 130 thousand of requests for the fake records like
131737-4795-15081.blah.com to be able to match port and ID and insert poisoned entry
for the poisoned_dns.blah.com.

# dig @localhost www.blah.com +norecurse

; <<>> DiG 9.5.0-P2 <<>> @localhost www.blah.com +norecurse
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6950
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.blah.com.                  IN      A

;; AUTHORITY SECTION:
www.blah.com.           73557   IN      NS      poisoned_dns.blah.com.

;; ADDITIONAL SECTION:
poisoned_dns.blah.com.  73557   IN      A       1.2.3.4

# named -v
BIND 9.5.0-P2

BIND used fully randomized source port range, i.e. around 64000 ports.
Two attacking servers, connected to the attacked one via GigE link, were used,
each one attacked 1-2 ports with full ID range. Usually attacking server is able
to send about 40-50 thousands fake replies before remote server returns the
correct one, so if port was matched probability of the successful poisoning is more than 60%.

Attack took about half of the day, i.e. a bit less than 10 hours.
So, if you have a GigE lan, any trojaned machine can poison your DNS during one night...

original source: http://tservice.net.ru/~s0mbre/blog/2008/08/08/

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/6236.tgz (2008-dns-bind.tgz)

# milw0rm.com [2008-08-13]