dns exploit

Brian Keefer chort at smtps.net
Sat Jul 26 05:24:45 UTC 2008


On Jul 25, 2008, at 5:48 PM, Gregory Hicks wrote:

>> Date: Fri, 25 Jul 2008 20:36:50 -0400
>> From: dhottinger at harrisonburg.k12.va.us
>> To: "comp-protocols-dns-bind at isc.org" <comp-protocols-dns-bind at isc.org>
>> Subject: dns exploit
>>
>> Silly question, how do I tell If Im vulnerable to the dns exploit?
>
> Run attached against your name server thusly: (You need perl...)
>
> noclicky <ns>
> ---------------------------------------------------------------------
> Gregory Hicks                           | Principal Systems Engineer
> Cadence Design Systems                  | Direct:   408.576.3609
> 555 River Oaks Pkwy M/S 9B1
> San Jose, CA 95134

Hello,

It looks like the listserv ate the attachment, so I'm not sure if the  
version you sent was patched to work since Dan has changed his page  
(I'd like to assume it is, but you know what assuming does...). The  
original noclicky wasn't written to parse the date header that Dan  
added to the output, so if you're still using the original it will  
_falsely_ report that you're safe.

I've written an updated patch for noclicky-1.00.pl that you can find  
at http://www.SMTPS.net/issues/patches.html , also pasted below.  
Apply it by saving this file to the same directory as  
noclicky-1.00.pl and doing:
$ patch -p0 <02-noclicky.patch

(included inline for the lazy, or the fearful of DNS cache poisoning  
against my site)

--- noclicky-1.00.pl    Fri Jul 25 21:15:04 2008
+++ noclicky-1.00p2.pl  Fri Jul 25 22:11:09 2008
@@ -1,7 +1,7 @@
  #!/usr/bin/perl
  # vim:set ts=4 sw=4 ai et:
  #
-# noclicky.pl, version 1.00
+# noclicky.pl, version 1.00p2
  #
  # A command line ("non-clicky") client to query the toorrr.com  
service to
  # determine if a given nameserver is vulnerable to CERT  
Vulnerability Note
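Review bot: the +++ header names the result noclicky-1.00p2.pl, but the instructions above say to run `patch -p0` in the directory holding noclicky-1.00.pl, which edits noclicky-1.00.pl in place and does not create a noclicky-1.00p2.pl; the "version 1.00p2" comment is then the only sign that a copy has been patched. Say in the instructions that the file keeps its old name after patching, or have the script print its version string when it runs, so a user can tell a patched copy from an original.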
@@ -24,6 +24,7 @@
  my @char = ("a" .. "z", 0 .. 9);
  my $session = join "", map { $char[rand @char] } (1 .. 12);
  my $domain = "$session.toorrr.com";
+my $nodata = 0;

  sub lookup
  {
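Review bot: `$nodata` is declared at file scope but is only read and written inside the loop over @data in the next hunk, and nothing says what it counts or why exactly one such line is tolerated before the script gives up. Declare it next to `my %ports;` with a comment, e.g. `my $nodata = 0;  # non ip-port-txid lines seen; one (the date header) is allowed`.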
@@ -64,10 +65,23 @@
  my %ports;
  for my $data (@data)
  {
-    chomp($data);
-    my ($ip, $port, $txid) = split "-", $data;
-    print "  $ip:$port TXID=$txid\n";
-    $ports{$port} = 1;
+    if ($data =~ /^(?:\d{1,3}\.){3}\d{1,3}-\d{2,5}-\d+$/) {
+        chomp($data);
+        my ($ip, $port, $txid) = split "-", $data;
+        print "  $ip:$port TXID=$txid\n";
+        $ports{$port} = 1;
+    } else {
+        if (++$nodata > 1) {
+            # Brian Keefer -- chort AT smtps DOT net
+            die '##############################################' .  
"\n" .
+                '# Uh oh, that\'s not what we were expecting!  #' .  
"\n" .
+                '# Dan Kaminksy must have changed his website #' .  
"\n" .
+                '# again, please check:                       #' .  
"\n" .
+                '#> http://www.SMTPS.net/issues/patches.html <#' .  
"\n" .
+                '# for a patch.                               #' .  
"\n" .
+                '##############################################' .  
"\n\n";
+        }
+    }
  }

  if (keys %ports == 1) {
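Review bot: a response in which only one line fails the regex but no line matches it (a header with no data lines, an empty page, a one-line error) never trips `++$nodata > 1`, leaves `%ports` empty and falls through to `if (keys %ports == 1)` with no data at all, so the verdict below is given on nothing. Add `die "no ip-port-txid lines parsed\n" unless keys %ports;` before that test, and consider a `warn` on the first skipped line so the user can see what was ignored. Minor: "Kaminksy" in the banner should read "Kaminsky".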


Hopefully that's right, but I am pretty sleepy... I did test both  
expected and unexpected data...

Brian Keefer
Sr. Systems Engineer
www.Proofpoint.com
"Defend email.  Protect data."
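Added example, not part of Brian's post or of the noclicky script: the same parse-and-verdict logic in Python, with the original unconditional split beside the patched regex filter, run over constructed sample output. It assumes the shape of the "Date:" header line (the page does not show it), made-up addresses, ports and TXIDs, and reads `keys %ports == 1` (every query from one source port) as the vulnerable verdict, which is what the tool tests for. It also refuses to judge when no data lines were seen, the gap the patch leaves.

```python
import re
from collections import namedtuple

# Line shape the patched noclicky accepts; regex copied from the patch: ip-port-txid
DATA_LINE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}-\d{2,5}-\d+$")

# Constructed samples, not captured toorrr.com output. The "Date:" line is an
# assumption standing in for the header the post says was added; its real
# format is not shown on the page. Addresses, ports and TXIDs are made up.
FIXED_PORT = """\
Date: Fri, 25 Jul 2008 22:11:09 -0400
198.51.100.7-32768-4130
198.51.100.7-32768-9012
198.51.100.7-32768-51234
198.51.100.7-32768-777
198.51.100.7-32768-23456
"""

RANDOM_PORT = """\
Date: Fri, 25 Jul 2008 22:11:09 -0400
198.51.100.7-51234-4130
198.51.100.7-20011-9012
198.51.100.7-63201-51234
198.51.100.7-35560-777
198.51.100.7-49913-23456
"""

CHANGED_FORMAT = """\
Date: Fri, 25 Jul 2008 22:11:09 -0400
Server: 198.51.100.7
Queries: 5
"""


class UnexpectedOutput(Exception):
    """Raised when the response does not look like ip-port-txid data."""


Result = namedtuple("Result", "ports txids vulnerable")


def naive_ports(text):
    """The original loop: split every line on '-' and take field 2 as the
    port, with no check that the line is a data line at all. Any header or
    error line adds a bogus key, so the port set is never of size 1."""
    ports = set()
    for line in text.splitlines():
        fields = line.split("-")
        port = fields[1] if len(fields) > 1 else ""  # Perl undef -> "" key
        ports.add(port)
    return ports


def naive_verdict(text):
    return "VULNERABLE" if len(naive_ports(text)) == 1 else "safe"


def parse_report(text, tolerate=1):
    """Patched behaviour: keep only ip-port-txid lines, tolerate at most
    `tolerate` other lines (the header), otherwise raise. Additionally
    raise when no data line was seen, so no verdict is given on nothing."""
    ports, txids, unexpected = set(), set(), 0
    for line in text.splitlines():
        if DATA_LINE.match(line):
            _ip, port, txid = line.split("-")
            ports.add(port)
            txids.add(txid)
        else:
            unexpected += 1
            if unexpected > tolerate:
                raise UnexpectedOutput(f"unexpected line: {line!r}")
    if not ports:
        raise UnexpectedOutput("no ip-port-txid lines found")
    # One source port across all queries is what the poisoning attack needs.
    return Result(ports, txids, vulnerable=(len(ports) == 1))


def verdict(text):
    try:
        return "VULNERABLE" if parse_report(text).vulnerable else "safe"
    except UnexpectedOutput as exc:
        return f"unknown ({exc})"


if __name__ == "__main__":
    for name, sample in (("fixed port", FIXED_PORT),
                         ("random port", RANDOM_PORT),
                         ("changed format", CHANGED_FORMAT)):
        print(f"{name:15} original: {naive_verdict(sample):12} patched: {verdict(sample)}")
```

On the fixed-port sample the original logic answers "safe" because the header line contributes a second "port", which is the false negative the post describes; the filtered parser answers "VULNERABLE", and on a reshaped page it says "unknown" instead of guessing.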
