dns exploit
Brian Keefer
chort at smtps.net
Sat Jul 26 05:24:45 UTC 2008
On Jul 25, 2008, at 5:48 PM, Gregory Hicks wrote:
>> Date: Fri, 25 Jul 2008 20:36:50 -0400
>> From: dhottinger at harrisonburg.k12.va.us
>> To: "comp-protocols-dns-bind at isc.org" <comp-protocols-dns-bind at isc.org>
>> Subject: dns exploit
>>
>> Silly question, how do I tell if I'm vulnerable to the dns exploit?
>
> Run attached against your name server thusly: (You need perl...)
>
> noclicky <ns>
> ---------------------------------------------------------------------
> Gregory Hicks | Principal Systems Engineer
> Cadence Design Systems | Direct: 408.576.3609
> 555 River Oaks Pkwy M/S 9B1
> San Jose, CA 95134
Hello,
It looks like the listserv ate the attachment, so I'm not sure if the
version you sent was patched to work since Dan has changed his page
(I'd like to assume it is, but you know what assuming does...) The
original noclicky wasn't written to parse the date header that Dan
added to the output, so if you're still using the original it will
_falsely_ report that you're safe.
I've written an updated patch for noclicky-1.00.pl that you can find
at http://www.SMTPS.net/issues/patches.html , also pasted below.
Apply by saving this file to the same directory as
noclicky-1.00.pl and doing:
$ patch -p0 <02-noclicky.patch
(included inline for the lazy, or the fearful of DNS cache poisoning
against my site)
--- noclicky-1.00.pl Fri Jul 25 21:15:04 2008
+++ noclicky-1.00p2.pl Fri Jul 25 22:11:09 2008
@@ -1,7 +1,7 @@
#!/usr/bin/perl
# vim:set ts=4 sw=4 ai et:
#
-# noclicky.pl, version 1.00
+# noclicky.pl, version 1.00p2
#
# A command line ("non-clicky") client to query the toorrr.com
service to
# determine if a given nameserver is vulnerable to CERT
Vulnerability Note
@@ -24,6 +24,7 @@
my @char = ("a" .. "z", 0 .. 9);
my $session = join "", map { $char[rand @char] } (1 .. 12);
my $domain = "$session.toorrr.com";
+my $nodata = 0;
sub lookup
{
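Review bot: `$nodata` at line 24 is a file-scope counter whose only visible use is in the record loop around line 65, and its name does not say what it counts. Declaring it next to `my %ports;`, with a name such as `$unparsed` and a one-line comment that the first unparsed line is the expected date header, would make the tolerance of one bad line explicit.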
@@ -64,10 +65,23 @@
my %ports;
for my $data (@data)
{
- chomp($data);
- my ($ip, $port, $txid) = split "-", $data;
- print " $ip:$port TXID=$txid\n";
- $ports{$port} = 1;
+ if ($data =~ /^(?:\d{1,3}\.){3}\d{1,3}-\d{2,5}-\d+$/) {
+ chomp($data);
+ my ($ip, $port, $txid) = split "-", $data;
+ print " $ip:$port TXID=$txid\n";
+ $ports{$port} = 1;
+ } else {
+ if (++$nodata > 1) {
+ # Brian Keefer -- chort AT smtps DOT net
+ die '##############################################' .
"\n" .
+ '# Uh oh, that\'s not what we were expecting! #' .
"\n" .
+ '# Dan Kaminksy must have changed his website #' .
"\n" .
+ '# again, please check: #' .
"\n" .
+ '#> http://www.SMTPS.net/issues/patches.html <#' .
"\n" .
+ '# for a patch. #' .
"\n" .
+ '##############################################' .
"\n\n";
+ }
+ }
}
if (keys %ports == 1) {
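Review bot: in the `else` branch the first line that fails the record regex is skipped silently, and nothing after the loop checks that any record was parsed, so a reply consisting of a single unrecognised line leaves `%ports` empty and still reaches the `keys %ports == 1` check with no data. Since the bug being fixed is a false "safe" result after a format change, add something like `die "no records parsed\n" unless %ports;` after the loop, and consider matching the date header explicitly instead of tolerating any one unparsed line. As shown here, the `"\n" .` continuation lines have lost their `+` prefix to line wrapping, so this inline copy will likely be rejected by patch; the copy at the URL above is the safer source.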
Hopefully that's right, but I am pretty sleepy... I did test both
expected and unexpected data...
Brian Keefer
Sr. Systems Engineer
www.Proofpoint.com
"Defend email. Protect data."