dns exploit

Skeeve Stevens skeeve at skeeve.org
Sat Jul 26 06:14:54 UTC 2008


What should actually be the correct (good?) response (sorry for the
ignorance)


server{root}:3: dig porttest.dns-oarc.net txt +short @x.x.x.x
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"x.x.x.x is GOOD: 26 queries in 4.1 seconds from 26 ports with std dev
15514.45"

Or

server{root}:8: dig porttest.dns-oarc.net txt +short @x.x.x.b
with no response


And what does each of the responses mean?

...Skeeve

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On Behalf
Of Chris Buxton
Sent: Saturday, 26 July 2008 3:43 PM
To: comp-protocols-dns-bind at isc.org
Cc: dhottinger at harrisonburg.k12.va.us
Subject: Re: dns exploit

That sure seems like a lot of work when you could just:

dig porttest.dns-oarc.net txt +short @server-ip

For example:

$ dig porttest.dns-oarc.net txt +short @217.151.171.7
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"217.151.171.7 is GOOD: 26 queries in 3.9 seconds from 26 ports with  
std dev 19886.66"

Notice the word "GOOD" in the output. Also notice the standard deviation
shown at the end - you want 5 digits before the decimal point.

Chris Buxton
Professional Services
Men & Mice

On Jul 25, 2008, at 10:24 PM, Brian Keefer wrote:

> On Jul 25, 2008, at 5:48 PM, Gregory Hicks wrote:
>
>>> Date: Fri, 25 Jul 2008 20:36:50 -0400
>>> From: dhottinger at harrisonburg.k12.va.us
>>> To: "comp-protocols-dns-bind at isc.org"
>> <comp-protocols-dns-bind at isc.org>
>>> Subject: dns exploit
>>>
>>> Silly question, how do I tell if I'm vulnerable to the dns exploit?
>>
>> Run attached against your name server thusly: (You need perl...)
>>
>> noclicky <ns>
>> ---------------------------------------------------------------------
>> Gregory Hicks                           | Principal Systems Engineer
>> Cadence Design Systems                  | Direct:   408.576.3609
>> 555 River Oaks Pkwy M/S 9B1
>> San Jose, CA 95134
>
> Hello,
>
> It looks like the listserv ate the attachment, so I'm not sure if the
> version you sent was patched to work since Dan has changed his page
> (I'd like to assume it is, but you know what assuming does...)  The
> original noclicky wasn't written to parse the date header that Dan
> added to the output, so if you're still using the original it will
> _falsely_ report that you're safe.
>
> I've written an updated patch for noclicky-1.00.pl that you can find
> at http://www.SMTPS.net/issues/patches.html , also pasted below.
> Apply by saving this file to the same directory as
> noclicky-1.00.pl and running:
> $ patch -p0 <02-noclicky.patch
>
> (included inline for the lazy, or the fearful of DNS cache poisoning
> against my site)
>
> --- noclicky-1.00.pl    Fri Jul 25 21:15:04 2008
> +++ noclicky-1.00p2.pl  Fri Jul 25 22:11:09 2008
> @@ -1,7 +1,7 @@
>  #!/usr/bin/perl
>  # vim:set ts=4 sw=4 ai et:
>  #
> -# noclicky.pl, version 1.00
> +# noclicky.pl, version 1.00p2
>  #
>  # A command line ("non-clicky") client to query the toorrr.com
> service to
>  # determine if a given nameserver is vulnerable to CERT
> Vulnerability Note
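Review bot: the header block only gets its version string bumped to 1.00p2, and since that comment is the script's sole documentation, add a line under it saying what p2 changes (the data loop now tolerates one non-data line, such as the date header the service started printing, and dies on further ones), so someone comparing 1.00 with 1.00p2 can see from the header why the old version misreports without reading the loop.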
> @@ -24,6 +24,7 @@
>  my @char = ("a" .. "z", 0 .. 9);
>  my $session = join "", map { $char[rand @char] } (1 .. 12);
>  my $domain = "$session.toorrr.com";
> +my $nodata = 0;
>
>  sub lookup
>  {
> @@ -64,10 +65,23 @@
>  my %ports;
>  for my $data (@data)
>  {
> -    chomp($data);
> -    my ($ip, $port, $txid) = split "-", $data;
> -    print "  $ip:$port TXID=$txid\n";
> -    $ports{$port} = 1;
> +    if ($data =~ /^(?:\d{1,3}\.){3}\d{1,3}-\d{2,5}-\d+$/) {
> +        chomp($data);
> +        my ($ip, $port, $txid) = split "-", $data;
> +        print "  $ip:$port TXID=$txid\n";
> +        $ports{$port} = 1;
> +    } else {
> +        if (++$nodata > 1) {
> +            # Brian Keefer -- chort AT smtps DOT net
> +            die '##############################################' .
> "\n" .
> +                '# Uh oh, that\'s not what we were expecting!  #' .
> "\n" .
> +                '# Dan Kaminksy must have changed his website #' .
> "\n" .
> +                '# again, please check:                       #' .
> "\n" .
> +                '#> http://www.SMTPS.net/issues/patches.html <#' .
> "\n" .
> +                '# for a patch.                               #' .
> "\n" .
> +                '##############################################' .
> "\n\n";
> +        }
> +    }
>  }
>
>  if (keys %ports == 1) {
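Review bot: when nothing parses, execution still falls through to the port test below and can produce the same false-safe result this patch is meant to prevent: one unexpected line (the date header) is tolerated because `++$nodata > 1` is false, so if the service returns that header and no lines matching the `ip-port-txid` regex, `%ports` stays empty, `keys %ports == 1` is false, and the script continues as though the ports had varied. Guard before that test, e.g. `die "no port data parsed\n" unless keys %ports;`. Two smaller points on the else branch: the first unexpected line is discarded silently, so print it (or match it against the expected header shape) so the user can see what was skipped; and the banner misspells the name as 'Kaminksy'.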
>
>
> Hopefully that's right, but I am pretty sleepy... I did test both
> expected and unexpected data...
>
> Brian Keefer
> Sr. Systems Engineer
> www.Proofpoint.com
> "Defend email.  Protect data."
>
>
>
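Chris's check above keys on the word "GOOD" and on the size of the standard deviation, and Skeeve asks what the responses mean and what to make of getting none at all. The following is an added example, not code from the thread, from DNS-OARC or from noclicky: it parses the porttest TXT answer in the format quoted above, handles the line-wrapped output that mail clients produce, and classifies the resolver from the numbers independently of the service's own verdict word. The 10000 threshold is Chris's "5 digits before the decimal point" turned into a number, the sample strings are constructed, and the "POOR" keyword in the second sample is a placeholder (the thread does not quote the wording the service uses for a bad result).

```python
import re
from typing import Optional

# Constructed from the answer quoted in the thread: dig +short prints the
# CNAME target first, then the TXT string, which a mail client may wrap.
SAMPLE_GOOD = (
    "z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.\n"
    '"217.151.171.7 is GOOD: 26 queries in 3.9 seconds from 26 ports with  \n'
    'std dev 19886.66"\n'
)
# Constructed: a resolver that sends every query from one source port.
# "POOR" is a placeholder verdict word, not the service's real wording.
SAMPLE_FIXED_PORT = (
    "z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.\n"
    '"192.0.2.53 is POOR: 26 queries in 4.0 seconds from 1 ports with std dev 0.00"\n'
)

# Assumption: Chris's rule of thumb, "5 digits before the decimal point".
MIN_STDDEV = 10000.0

PORTTEST_RE = re.compile(
    r"(?P<ip>[0-9A-Fa-f.:]+) is (?P<verdict>[A-Z]+): "
    r"(?P<queries>\d+) queries in (?P<seconds>[\d.]+) seconds from "
    r"(?P<ports>\d+) ports with std dev (?P<stddev>[\d.]+)"
)


def parse_porttest(dig_output: str) -> Optional[dict]:
    """Extract the fields of a porttest TXT answer.

    Returns None when no answer is present (empty output, SERVFAIL, or a
    resolver that will not recurse for us). Whitespace is collapsed first
    because the quoted string may be wrapped across lines, as in the mail.
    """
    text = " ".join(dig_output.split())
    m = PORTTEST_RE.search(text)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "verdict": m["verdict"],
        "queries": int(m["queries"]),
        "seconds": float(m["seconds"]),
        "ports": int(m["ports"]),
        "stddev": float(m["stddev"]),
    }


def assess(dig_output: str, min_stddev: float = MIN_STDDEV) -> dict:
    """Classify the resolver from the numbers, next to the service's own word.

    A missing answer is reported as inconclusive, never as a pass: it says
    nothing about whether source ports are randomised.
    """
    fields = parse_porttest(dig_output)
    if fields is None:
        return {"server_says": None, "ours": "inconclusive", "fields": None}
    if fields["ports"] == 1:
        ours = "fixed-port"     # every query left from one port: trivially guessable
    elif fields["stddev"] < min_stddev:
        ours = "low-entropy"    # ports vary but cluster in a narrow range
    else:
        ours = "randomized"
    return {"server_says": fields["verdict"], "ours": ours, "fields": fields}


if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_FIXED_PORT, ""):
        print(assess(sample))
```

Feed it the raw stdout of `dig porttest.dns-oarc.net txt +short @server-ip`; an empty result (Skeeve's second case) comes back as inconclusive, which is the right thing to record when a resolver answers nothing rather than treating silence as a pass.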

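Brian's point above is that the original noclicky, fed a line it was not written for (the date header), reports a resolver safe when it is not. The following is an added example, not the noclicky script or any code from the thread: it mirrors the pre-patch logic (blind `split` on "-", one bogus key in the port set) beside a validating version that uses the same line shape as the patch's regex, treats an empty port set as inconclusive rather than safe, and stops on more than one unexpected line as the patch's `die` does. The data lines are constructed, and the header line's wording is an assumption standing in for whatever the service prints.

```python
import re
from collections import Counter

# Line shape accepted by the patched noclicky: "<ip>-<port>-<txid>".
DATA_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}-\d{2,5}-\d+$")

# Constructed samples. HEADER stands in for the date header Brian mentions;
# its exact wording is an assumption.
HEADER = "Fri Jul 25 22:11:09 2008"
SAMPLE_FIXED_PORT = [HEADER, "192.0.2.10-53-41213", "192.0.2.10-53-9044", "192.0.2.10-53-60211"]
SAMPLE_RANDOM_PORT = [HEADER, "192.0.2.10-33012-41213", "192.0.2.10-58201-9044", "192.0.2.10-1029-60211"]
SAMPLE_HEADER_ONLY = [HEADER]


def naive_ports(lines):
    """Pre-patch logic: split every line on '-' and store field 2 as a port.

    A line with no '-' has no second field; Perl stores that undef as the
    key "" in %ports, which is mimicked here. One such line makes a
    single-port resolver look as if it used two ports.
    """
    ports = {}
    for line in lines:
        parts = line.rstrip("\n").split("-")
        port = parts[1] if len(parts) > 1 else ""
        ports[port] = 1
    return ports


def naive_verdict(lines):
    # Original test: exactly one key in %ports means "vulnerable".
    return "vulnerable" if len(naive_ports(lines)) == 1 else "ok"


def hardened_assess(lines, max_unexpected=1):
    """Validate each line before counting, and never conclude from no data."""
    ports = Counter()
    txids = set()
    unexpected = []
    for line in lines:
        line = line.strip()
        if DATA_RE.match(line):
            _ip, port, txid = line.split("-")
            ports[int(port)] += 1
            txids.add(int(txid))
        else:
            unexpected.append(line)   # kept, not dropped silently
    if len(unexpected) > max_unexpected:
        verdict = "format-changed"    # what the patch's die() signals
    elif not ports:
        verdict = "inconclusive"      # nothing parsed: do not report this as safe
    elif len(ports) == 1:
        verdict = "vulnerable"        # every query from the same source port
    else:
        verdict = "ok"
    return {
        "verdict": verdict,
        "ports": dict(ports),
        "distinct_txids": len(txids),
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    for name, sample in (("fixed", SAMPLE_FIXED_PORT), ("random", SAMPLE_RANDOM_PORT),
                         ("header only", SAMPLE_HEADER_ONLY)):
        print(name, "naive:", naive_verdict(sample), "hardened:", hardened_assess(sample)["verdict"])
```

On the fixed-port sample the naive version answers "ok" because the header contributed a second, empty key, which is exactly the false "safe" Brian describes; the validating version sees one real port and says vulnerable, and on a header-only response it refuses to decide instead of taking the "ports varied" branch.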