diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..dd004ee
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,52 @@
+FROM centos:7
+MAINTAINER knqyf263
+
+ENV version 9.12.4
+
+# Install packages
+RUN yum -y update \
+ && yum -y groupinstall "Development Tools" \
+ && yum install -y epel-release \
+ && yum -y install kernel-devel kernel-headers openssl-devel perl-Net-DNS wget bind-utils vim tar python-pip \
+ && pip install --upgrade pip && pip install argparse ply
+
+# Install BIND9 from source
+RUN cd /usr/local/src && \
+ wget ftp://ftp.isc.org/isc/bind9/${version}/bind-${version}.tar.gz && \
+ tar zxvf bind-${version}.tar.gz && \
+ mv bind-${version} bind && \
+ rm bind-${version}.tar.gz
+RUN cd /usr/local/src/bind && \
+ ./configure --enable-syscalls --prefix=/var/named/chroot --enable-threads --with-openssl=yes --enable-openssl-version-check --enable-ipv6 --disable-linux-caps && \
+ chown -R root:root /usr/local/src/bind && \
+ make && \
+ make install
+
+# Create device files
+RUN mkdir /var/named/chroot/dev && \
+ mknod -m 666 /var/named/chroot/dev/null c 1 3 && \
+ mknod -m 666 /var/named/chroot/dev/random c 1 8
+
+# Create rndc key
+RUN /var/named/chroot/sbin/rndc-confgen -a
+
+RUN mkdir /var/named/chroot/data && \
+ mkdir /var/named/chroot/var/log && \
+ mkdir /var/named/chroot/var/named
+
+# Create hint file
+RUN cd /var/named/chroot/var/named && \
+ wget ftp://ftp.nic.ad.jp/internet/rs.internic.net/domain/named.root
+
+# Add files
+ADD ./contents/named.conf /var/named/chroot/etc/named.conf
+ADD ./contents/named /etc/sysconfig/named
+ADD ./contents/example.com.zone /var/named/chroot/var/named/example.com.zone
+
+# Create symbolic link
+RUN ln -s /var/named/chroot/etc/rndc.key /etc/rndc.key && \
+ ln -s /var/named/chroot/etc/named.conf /etc/named.conf
+
+EXPOSE 53 953
+
+CMD ["/var/named/chroot/sbin/named", "-g", "-t", "/var/named/chroot", "-c", "/etc/named.conf"]
diff --git a/README.md b/README.md
index f75d6ba..9371af3 100644
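Review bot: The BIND tarball pulled in the second RUN is fetched over plain FTP and unpacked with no checksum or signature verification, so the build trusts whatever the server or the path to it returns; ISC publishes a SHA-256 and a PGP signature for each release, and the RUN should check at least the hash before `tar zxvf`, e.g. `echo "<sha256-from-ISC-release-page>  bind-${version}.tar.gz" | sha256sum -c -` (placeholder hash). The root-hints fetch from ftp.nic.ad.jp in the later RUN has the same gap. No `USER` is set and the CMD passes no `-u`, so named appears to run as root inside the chroot; if that is deliberate for the reproduction, a comment on the CMD line saying so would save the next reader from "fixing" it. `contents/named` lands in `/etc/sysconfig/named`, which a distro init script would read but nothing in this image's CMD does, so `OPTIONS=-4` likely has no effect here. Minor: `MAINTAINER` is deprecated in favour of `LABEL`, `ENV version 9.12.4` is the legacy space-separated form, and the three `ADD` lines copy plain local files and should be `COPY`.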
--- a/README.md
+++ b/README.md
@@ -1,2 +1,26 @@
 # CVE-2019-6467
-CVE-2019-6467 (BIND nxdomain-redirect)
+BIND nxdomain-redirect
+
+For educational purposes only
+
+![demo](imgs/cve-2019-6467.gif)
+
+## Run
+
+```
+$ docker run --rm --name cve-2019-6467 -it -p 53:53/udp knqyf263/cve-2019-6467
+```
+
+## Exploit
+Normal query
+
+```
+$ dig @127.0.0.1 nxdomain.example.com
+```
+
+`nxdomain` can be replaced by anything that means non-existent domain name. (e.g. foobar.example.com)
+
+
+## Reference
+- https://ftp.isc.org/isc/bind/9.12.4-P1/RELEASE-NOTES-bind-9.12.4-P1.html
+- https://ftp.isc.org/isc/bind9/9.14.1/RELEASE-NOTES-bind-9.14.1.html
diff --git a/contents/example.com.zone b/contents/example.com.zone
new file mode 100644
index 0000000..ef90c71
--- /dev/null
+++ b/contents/example.com.zone
@@ -0,0 +1,20 @@
+$ORIGIN example.com.
+$TTL 3600 ; 1 hour
+@ IN SOA ns1.example.com. postmaster.example.com. (
+ 2015012902 ; serial
+ 3600 ; refresh (1 hour)
+ 1200 ; retry (20 min.)
+ 1209600 ; expire (2 weeks)
+ 900 ; minimum (15 min.)
+ )
+@ IN NS ns1.example.com.
+@ IN NS ns2.example.com.
+@ IN MX 10 mail.example.com.
+@ IN TXT "v=spf1 mx ~all" ; TXT
+@ IN SPF "v=spf1 mx ~all" ; SPF
+
+ns1 IN A 192.168.1.2
+ns2 IN A 192.168.1.3
+mail IN A 192.168.1.4
+host1 IN A 192.168.1.5
+www IN CNAME host1
diff --git a/contents/named b/contents/named
new file mode 100644
index 0000000..1cfbfdd
--- /dev/null
+++ b/contents/named
@@ -0,0 +1,2 @@
+ROOTDIR=/var/named/chroot
+OPTIONS=-4
diff --git a/contents/named.conf b/contents/named.conf
new file mode 100644
index 0000000..8b090c6
--- /dev/null
+++ b/contents/named.conf
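Review bot: The `@ IN SPF "v=spf1 mx ~all"` record in contents/example.com.zone duplicates the TXT line above it using the SPF RR type, which RFC 7208 retired; receivers are no longer expected to consult it, so the line is dead weight in the zone. Dropping it, together with the redundant `; TXT` and `; SPF` trailing comments, leaves a single `@ IN TXT "v=spf1 mx ~all"` without changing what resolvers see. The 192.168.1.x addresses and the fixed serial are fine for a lab zone, but a one-line header such as `; lab zone for the CVE-2019-6467 reproduction; addresses are placeholders` would make that intent explicit.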
@@ -0,0 +1,80 @@
+Controls {
+ inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
+};
+
+include "/etc/rndc.key";
+
+acl "internal-network" {
+ localhost;
+ 127.0.0.1/32;
+ 172.16.0.0/12;
+ 192.168.0.0/16;
+};
+
+options {
+ version "unknown";
+ hostname "ns1.test.example.com";
+
+ directory "/var/named";
+ dump-file "/data/cache_dump.db";
+ statistics-file "/data/named_status.dat";
+ pid-file "/var/run/named/named.pid";
+
+ listen-on port 53 {
+ internal-network;
+ };
+
+ allow-query { internal-network; };
+
+ recursion yes;
+ allow-recursion { internal-network; };
+
+ notify yes;
+ max-transfer-time-in 60;
+ transfer-format many-answers;
+ transfers-in 10;
+ transfers-per-ns 2;
+ allow-transfer { none; };
+ allow-update { none; };
+
+ nxdomain-redirect signed;
+};
+
+logging {
+ channel "log_default"{
+ file "/var/log/named.log" versions 5 size 5m;
+ print-time yes;
+ severity info;
+ print-category yes;
+ };
+ channel "alert" {
+ file "/var/log/alert.log" versions 8 size 4m;
+ severity info;
+ print-time yes;
+ print-severity yes;
+ print-category yes;
+ };
+ channel "query" {
+ file "/var/log/query.log" versions 8 size 50m;
+ severity debug;
+ print-time yes;
+ print-severity yes;
+ print-category yes;
+ };
+
+ category default {"log_default";};
+ category security {"alert";};
+ category queries {"query";};
+ category lame-servers { null; };
+};
+
+zone "." IN {
+ type hint;
+ file "named.root";
+};
+
+zone "example.com." IN {
+ type master;
+ file "example.com.zone";
+ allow-update { none; };
+};
diff --git a/imgs/cve-2019-6467.gif b/imgs/cve-2019-6467.gif
new file mode 100644
index 0000000..15ae019
Binary files /dev/null and b/imgs/cve-2019-6467.gif differ
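Review bot: `Controls {` at the top of contents/named.conf is capitalised while every other top-level statement (`acl`, `options`, `logging`, `zone`) is lowercase; to my recollection named's config parser matches clause names case-insensitively so it still loads, but it should read `controls {` for consistency and for any tooling that greps for the statement. `nxdomain-redirect signed;` is the option this lab exists to exercise and deserves a comment saying so, e.g. `// option under test for the CVE-2019-6467 reproduction`, so a reader does not mistake it for a production setting. The `/data` and `/var/log` paths are chroot-relative because the Dockerfile's CMD starts named with `-t /var/named/chroot` and creates those directories under it, which is worth a short comment next to `directory` since the same file is symlinked to the host's `/etc/named.conf` and looks absolute from there. The access controls themselves (`allow-query`/`allow-recursion` limited to `internal-network`, `allow-transfer { none; }`, `version "unknown"`) are sensible for the intended scope.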