BIND 9.5.0-P2 (randomized ports) Remote DNS Cache Poisoning Exploit
来源:互联网 发布:我的世界0.14枪械js 编辑:程序博客网 时间:2024/05/18 02:04
- Successfully poisoned the latest BIND with fully randomized ports!
- Exploit required to send more than 130 thousand of requests for the fake records like
- 131737-4795-15081.blah.com to be able to match port and ID and insert poisoned entry
- for the poisoned_dns.blah.com.
- # dig @localhost www.blah.com +norecurse
- ; <<>> DiG 9.5.0-P2 <<>> @localhost www.blah.com +norecurse
- ; (1 server found)
- ;; global options: printcmd
- ;; Got answer:
- ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6950
- ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
- ;; QUESTION SECTION:
- ;www.blah.com. IN A
- ;; AUTHORITY SECTION:
- www.blah.com. 73557 IN NS poisoned_dns.blah.com.
- ;; ADDITIONAL SECTION:
- poisoned_dns.blah.com. 73557 IN A 1.2.3.4
- # named -v
- BIND 9.5.0-P2
- BIND used fully randomized source port range, i.e. around 64000 ports.
- Two attacking servers, connected to the attacked one via GigE link, were used,
- each one attacked 1-2 ports with full ID range. Usually attacking server is able
- to send about 40-50 thousands fake replies before remote server returns the
- correct one, so if port was matched probability of the successful poisoning is more than 60%.
- Attack took about half of the day, i.e. a bit less than 10 hours.
- So, if you have a GigE lan, any trojaned machine can poison your DNS during one night...
- original source: http:
- http: