Showing
6 changed files
with
179 additions
and
1 deletion.
@@ -0,0 +1,52 @@ | ||
FROM centos:7 | ||
MAINTAINER knqyf263 | ||
|
||
ENV version 9.12.4 | ||
|
||
# Install packages | ||
RUN yum -y update \ | ||
&& yum -y groupinstall "Development Tools" \ | ||
&& yum install -y epel-release \ | ||
&& yum -y install kernel-devel kernel-headers openssl-devel perl-Net-DNS wget bind-utils vim tar python-pip \ | ||
&& pip install --upgrade pip && pip install argparse ply | ||
|
||
# Install BIND9 from source | ||
RUN cd /usr/local/src && \ | ||
wget ftp://ftp.isc.org/isc/bind9/${version}/bind-${version}.tar.gz && \ | ||
tar zxvf bind-${version}.tar.gz && \ | ||
mv bind-${version} bind && \ | ||
rm bind-${version}.tar.gz | ||
RUN cd /usr/local/src/bind && \ | ||
./configure --enable-syscalls --prefix=/var/named/chroot --enable-threads --with-openssl=yes --enable-openssl-version-check --enable-ipv6 --disable-linux-caps && \ | ||
chown -R root:root /usr/local/src/bind && \ | ||
make && \ | ||
make install | ||
|
||
# Create device files | ||
RUN mkdir /var/named/chroot/dev && \ | ||
mknod -m 666 /var/named/chroot/dev/null c 1 3 && \ | ||
mknod -m 666 /var/named/chroot/dev/random c 1 8 | ||
|
||
# Create rndc key | ||
RUN /var/named/chroot/sbin/rndc-confgen -a | ||
|
||
RUN mkdir /var/named/chroot/data && \ | ||
mkdir /var/named/chroot/var/log && \ | ||
mkdir /var/named/chroot/var/named | ||
|
||
# Create hint file | ||
RUN cd /var/named/chroot/var/named && \ | ||
wget ftp://ftp.nic.ad.jp/internet/rs.internic.net/domain/named.root | ||
|
||
# Add files | ||
ADD ./contents/named.conf /var/named/chroot/etc/named.conf | ||
ADD ./contents/named /etc/sysconfig/named | ||
ADD ./contents/example.com.zone /var/named/chroot/var/named/example.com.zone | ||
|
||
# Create symbolic link | ||
RUN ln -s /var/named/chroot/etc/rndc.key /etc/rndc.key && \ | ||
ln -s /var/named/chroot/etc/named.conf /etc/named.conf | ||
|
||
EXPOSE 53 953 | ||
|
||
CMD ["/var/named/chroot/sbin/named", "-g", "-t", "/var/named/chroot", "-c", "/etc/named.conf"] |
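Review bot: The BIND source fetched by `wget ftp://ftp.isc.org/isc/bind9/${version}/bind-${version}.tar.gz` is built and installed as root with no integrity check, and plain FTP gives no protection against tampering in transit; the `named.root` download in the hint-file step has the same problem. Fetch over HTTPS (the README's reference links already use that host) and verify a pinned digest before unpacking, e.g. `echo "<SHA256_OF_TARBALL>  bind-${version}.tar.gz" | sha256sum -c -`, where the placeholder is replaced by the value from ISC's published signature or checksum. Separately, `rndc-confgen -a` runs at build time, so every container started from the published image shares one rndc key while `EXPOSE 53 953` advertises the control port. Generating the key at container start, or dropping 953 from `EXPOSE`, would avoid that.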
@@ -1,2 +1,26 @@ | ||
# CVE-2019-6467 | ||
CVE-2019-6467 (BIND nxdomain-redirect) | ||
BIND nxdomain-redirect | ||
|
||
For educational purposes only | ||
|
||
![demo](imgs/cve-2019-6467.gif) | ||
|
||
## Run | ||
|
||
``` | ||
$ docker run --rm --name cve-2019-6467 -it -p 53:53/udp knqyf263/cve-2019-6467 | ||
``` | ||
|
||
## Exploit | ||
Normal query | ||
|
||
``` | ||
$ dig @127.0.0.1 nxdomain.example.com | ||
``` | ||
|
||
`nxdomain` can be replaced by anything that means non-existent domain name. (e.g. foobar.example.com) | ||
|
||
|
||
## Reference | ||
- https://ftp.isc.org/isc/bind/9.12.4-P1/RELEASE-NOTES-bind-9.12.4-P1.html | ||
- https://ftp.isc.org/isc/bind9/9.14.1/RELEASE-NOTES-bind-9.14.1.html |
@@ -0,0 +1,20 @@ | ||
$ORIGIN example.com. | ||
$TTL 3600 ; 1 hour | ||
@ IN SOA ns1.example.com. postmaster.example.com. ( | ||
2015012902 ; serial | ||
3600 ; refresh (1 hour) | ||
1200 ; retry (20 min.) | ||
1209600 ; expire (2 weeks) | ||
900 ; minimum (15 min.) | ||
) | ||
@ IN NS ns1.example.com. | ||
@ IN NS ns2.example.com. | ||
@ IN MX 10 mail.example.com. | ||
@ IN TXT "v=spf1 mx ~all" ; TXT | ||
@ IN SPF "v=spf1 mx ~all" ; SPF | ||
|
||
ns1 IN A 192.168.1.2 | ||
ns2 IN A 192.168.1.3 | ||
mail IN A 192.168.1.4 | ||
host1 IN A 192.168.1.5 | ||
www IN CNAME host1 |
@@ -0,0 +1,2 @@ | ||
ROOTDIR=/var/named/chroot | ||
OPTIONS=-4 |
@@ -0,0 +1,80 @@ | ||
Controls { | ||
inet 127.0.0.1 allow { localhost; } keys { rndc-key; }; | ||
}; | ||
|
||
include "/etc/rndc.key"; | ||
|
||
acl "internal-network" { | ||
localhost; | ||
127.0.0.1/32; | ||
172.16.0.0/12; | ||
192.168.0.0/16; | ||
}; | ||
|
||
options { | ||
version "unknown"; | ||
hostname "ns1.test.example.com"; | ||
|
||
directory "/var/named"; | ||
dump-file "/data/cache_dump.db"; | ||
statistics-file "/data/named_status.dat"; | ||
pid-file "/var/run/named/named.pid"; | ||
|
||
listen-on port 53 { | ||
internal-network; | ||
}; | ||
|
||
allow-query { internal-network; }; | ||
|
||
recursion yes; | ||
allow-recursion { internal-network; }; | ||
|
||
notify yes; | ||
max-transfer-time-in 60; | ||
transfer-format many-answers; | ||
transfers-in 10; | ||
transfers-per-ns 2; | ||
allow-transfer { none; }; | ||
allow-update { none; }; | ||
|
||
nxdomain-redirect signed; | ||
}; | ||
|
||
logging { | ||
channel "log_default"{ | ||
file "/var/log/named.log" versions 5 size 5m; | ||
print-time yes; | ||
severity info; | ||
print-category yes; | ||
}; | ||
channel "alert" { | ||
file "/var/log/alert.log" versions 8 size 4m; | ||
severity info; | ||
print-time yes; | ||
print-severity yes; | ||
print-category yes; | ||
}; | ||
channel "query" { | ||
file "/var/log/query.log" versions 8 size 50m; | ||
severity debug; | ||
print-time yes; | ||
print-severity yes; | ||
print-category yes; | ||
}; | ||
|
||
category default {"log_default";}; | ||
category security {"alert";}; | ||
category queries {"query";}; | ||
category lame-servers { null; }; | ||
}; | ||
|
||
zone "." IN { | ||
type hint; | ||
file "named.root"; | ||
}; | ||
|
||
zone "example.com." IN { | ||
type master; | ||
file "example.com.zone"; | ||
allow-update { none; }; | ||
}; |
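Review bot: `nxdomain-redirect signed;` in `options` carries no comment marking it as the deliberately vulnerable setting for this CVE-2019-6467 lab, so the file reads like a reusable resolver config. Add a comment above it such as `// Lab only: turns on the nxdomain-redirect path affected by CVE-2019-6467; never copy into a production named.conf`. The `internal-network` ACL also admits all of 172.16.0.0/12 and 192.168.0.0/16 with `recursion yes`, and the README publishes the port with `-p 53:53/udp`, which binds every host interface; recommending `-p 127.0.0.1:53:53/udp` there would keep the crashable resolver off the LAN. How client addresses appear to named behind Docker's port mapping is not visible on this page, so that exposure is inferred.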