dns exploit
Skeeve Stevens
skeeve at skeeve.org
Sat Jul 26 06:14:54 UTC 2008
What should actually be the correct (good?) response (sorry for the
ignorance)
server{root}:3: dig porttest.dns-oarc.net txt +short @x.x.x.x
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"x.x.x.x is GOOD: 26 queries in 4.1 seconds from 26 ports with std dev
15514.45"
Or
server{root}:8: dig porttest.dns-oarc.net txt +short @x.x.x.b
with no response
And what do each of the responses mean?
...Skeeve
-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On Behalf
Of Chris Buxton
Sent: Saturday, 26 July 2008 3:43 PM
To: comp-protocols-dns-bind at isc.org
Cc: dhottinger at harrisonburg.k12.va.us
Subject: Re: dns exploit
That sure seems like a lot of work when you could just:
dig porttest.dns-oarc.net txt +short @server-ip
For example:
$ dig porttest.dns-oarc.net txt +short @217.151.171.7
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"217.151.171.7 is GOOD: 26 queries in 3.9 seconds from 26 ports with
std dev 19886.66"
Notice the word "GOOD" in the output. Also notice the standard
deviation shown at the end - you want 5 digits before the decimal point.
Chris Buxton
Professional Services
Men & Mice
On Jul 25, 2008, at 10:24 PM, Brian Keefer wrote:
> On Jul 25, 2008, at 5:48 PM, Gregory Hicks wrote:
>
>>> Date: Fri, 25 Jul 2008 20:36:50 -0400
>>> From: dhottinger at harrisonburg.k12.va.us
>>> To: "comp-protocols-dns-bind at isc.org"
>> <comp-protocols-dns-bind at isc.org>
>>> Subject: dns exploit
>>>
>>> Silly question, how do I tell if I'm vulnerable to the dns exploit?
>>
>> Run attached against your name server thusly: (You need perl...)
>>
>> noclicky <ns>
>> ---------------------------------------------------------------------
>> Gregory Hicks | Principal Systems Engineer
>> Cadence Design Systems | Direct: 408.576.3609
>> 555 River Oaks Pkwy M/S 9B1
>> San Jose, CA 95134
>
> Hello,
>
> It looks like the listserv ate the attachment, so I'm not sure if the
> version you sent was patched to work since Dan has changed his page
> (I'd like to assume it is, but you know what assuming does...) The
> original noclicky wasn't written to parse the date header that Dan
> added to the output, so if you're still using the original it will
> _falsely_ report that you're safe.
>
> I've written an updated patch for noclicky-1.00.pl that you can find
> at http://www.SMTPS.net/issues/patches.html , also pasted below.
> Apply by saving this file to the same directory as
> noclicky-1.00.pl and doing:
> $ patch -p0 <02-noclicky.patch
>
> (included inline for the lazy, or the fearful of DNS cache poisoning
> against my site)
>
> --- noclicky-1.00.pl Fri Jul 25 21:15:04 2008
> +++ noclicky-1.00p2.pl Fri Jul 25 22:11:09 2008
> @@ -1,7 +1,7 @@
> #!/usr/bin/perl
> # vim:set ts=4 sw=4 ai et:
> #
> -# noclicky.pl, version 1.00
> +# noclicky.pl, version 1.00p2
> #
> # A command line ("non-clicky") client to query the toorrr.com
> service to
> # determine if a given nameserver is vulnerable to CERT
> Vulnerability Note
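Review bot: the context lines `# A command line ("non-clicky") client to query the toorrr.com` and `# determine if a given nameserver is vulnerable to CERT` have been wrapped by the mailer, leaving `service to` and `Vulnerability Note` on lines of their own, so this hunk will not apply from a copy saved out of the message body; the instructions should say to fetch 02-noclicky.patch from the linked page rather than pasting it from the mail.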
> @@ -24,6 +24,7 @@
> my @char = ("a" .. "z", 0 .. 9);
> my $session = join "", map { $char[rand @char] } (1 .. 12);
> my $domain = "$session.toorrr.com";
> +my $nodata = 0;
>
> sub lookup
> {
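Review bot: `$nodata` is a file-scoped counter that is never reset, so it accumulates over every line the script processes rather than per response; that is fine for a one-shot check, but a short comment saying it counts lines that did not parse (such as the date header Dan added) and a name like `$unexpected` would make the intent clear without reading the later hunk.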
> @@ -64,10 +65,23 @@
> my %ports;
> for my $data (@data)
> {
> - chomp($data);
> - my ($ip, $port, $txid) = split "-", $data;
> - print " $ip:$port TXID=$txid\n";
> - $ports{$port} = 1;
> + if ($data =~ /^(?:\d{1,3}\.){3}\d{1,3}-\d{2,5}-\d+$/) {
> + chomp($data);
> + my ($ip, $port, $txid) = split "-", $data;
> + print " $ip:$port TXID=$txid\n";
> + $ports{$port} = 1;
> + } else {
> + if (++$nodata > 1) {
> + # Brian Keefer -- chort AT smtps DOT net
> + die '##############################################' .
> "\n" .
> + '# Uh oh, that\'s not what we were expecting! #' .
> "\n" .
> + '# Dan Kaminksy must have changed his website #' .
> "\n" .
> + '# again, please check: #' .
> "\n" .
> + '#> http://www.SMTPS.net/issues/patches.html <#' .
> "\n" .
> + '# for a patch. #' .
> "\n" .
> + '##############################################' .
> "\n\n";
> + }
> + }
> }
>
> if (keys %ports == 1) {
>
>
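Review bot: `if (++$nodata > 1)` deliberately tolerates one unexpected line, but a response made up of that single unexpected line and no `ip-port-txid` lines leaves `%ports` empty and falls through to `if (keys %ports == 1) {` instead of dying, so the script should also abort when no port lines were parsed at all. Minor points: `\d{2,5}` in the regex accepts port values above 65535, and the banner misspells the name as `Kaminksy`.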
> Hopefully that's right, but I am pretty sleepy... I did test both
> expected and unexpected data...
>
> Brian Keefer
> Sr. Systems Engineer
> www.Proofpoint.com
> "Defend email. Protect data."
>
>
>
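An added example, not code from anyone in this thread: a Python checker that applies the two criteria Chris Buxton gives (the word GOOD, and a standard deviation with five digits before the decimal point) to the porttest TXT answer, treats an empty `dig +short` result like Skeeve's second case as inconclusive rather than safe, and shows why the std dev of a randomized source port sits in the ten-thousands. The GOOD sample is the line from the thread; the POOR sample and its IP are constructed.

```python
import re
import statistics

# Shape of the TXT answer porttest.dns-oarc.net returns, as seen in the thread:
#   "<ip> is GOOD: 26 queries in 4.1 seconds from 26 ports with std dev 15514.45"
PORTTEST_RE = re.compile(
    r'^"?(?P<ip>[^\s"]+) is (?P<rating>GOOD|FAIR|POOR): '
    r'(?P<queries>\d+) queries in (?P<secs>[\d.]+) seconds from '
    r'(?P<ports>\d+) ports with std dev (?P<stddev>[\d.]+)"?$'
)

def parse_porttest(txt):
    """Parse the quoted TXT string printed by `dig ... txt +short`; returns None
    for an empty answer. Mailer/terminal line wrapping is undone first."""
    txt = " ".join(txt.split())
    if not txt:
        return None
    m = PORTTEST_RE.match(txt)
    if not m:
        raise ValueError("unexpected porttest answer: %r" % txt)
    d = m.groupdict()
    return {"ip": d["ip"], "rating": d["rating"], "queries": int(d["queries"]),
            "ports": int(d["ports"]), "stddev": float(d["stddev"])}

def verdict(txt):
    """The two checks from the thread: the word GOOD must be present and the
    std dev must have five digits before the decimal point (>= 10000)."""
    r = parse_porttest(txt)
    if r is None:
        # Empty +short output means the test never ran against that server; it
        # says nothing about port randomization, so never report it as safe.
        return "NO ANSWER: no TXT record returned, test inconclusive"
    if r["rating"] == "GOOD" and r["stddev"] >= 10000:
        return "OK: %s uses %d distinct source ports, std dev %.2f" % (
            r["ip"], r["ports"], r["stddev"])
    return "CHECK: %s rated %s, %d distinct ports, std dev %.2f" % (
        r["ip"], r["rating"], r["ports"], r["stddev"])

def port_stddev(ports):
    """Population std dev of the observed source ports, the figure porttest
    prints. A fixed port gives 0.0; ports spread evenly over 1024-65535 give
    about 18600, so the thread's 15514 and 19886 are in the expected range."""
    return statistics.pstdev(ports)

# Sample answers: GOOD is the line from the thread (wrapped as the mailer did),
# POOR is constructed to show what a resolver using a single port would return.
GOOD_SAMPLE = ('"217.151.171.7 is GOOD: 26 queries in 3.9 seconds from 26 ports with\n'
               'std dev 19886.66"')
POOR_SAMPLE = '"192.0.2.53 is POOR: 26 queries in 1.2 seconds from 1 ports with std dev 0.00"'
```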