VaaS - Showcasing CVE-2015-5477, a DoS condition in the bind9 software

Docker container vaas-cve-2015-5477 released

Posted by Emre Bastuz on August 4, 2015

Overview

For pentesting purposes I have created a Docker container that runs a version of bind9 vulnerable to CVE-2015-5477.

For further details, please see GitHub or simply install the container via Docker Hub.

This Docker container is based on Debian Wheezy and has been modified to use a vulnerable version of bind9 (bind9_9.8.4.dfsg.P1-6+nmu2+deb7u5).

Usage

Get the container with docker pull hmlio/vaas-cve-2015-5477.

Run the container with a port mapping (for the maximum "Dude! This sucks!" effect I recommend starting the container without detaching it as a background process): docker run -p 53:53/udp hmlio/vaas-cve-2015-5477. Note that port 53/udp must be free on the host, so stop any local resolver that is bound to it first.

You should now be able to resolve names through the container: dig @<your-ip> hml.io any

Exploitation

At the time of this writing, a proof of concept exploit is available here.

From another terminal window, fire up the exploit like so: python exploit.py <your-ip>

Change back to the original terminal window where you started the container in the foreground and you should see something similar to this (named hits an assertion, dumps a back trace and aborts, which also ends the container):

04-Aug-2015 20:47:14.841 createfetch: hml.io DS
04-Aug-2015 20:47:14.886 createfetch: de DNSKEY
04-Aug-2015 20:48:54.130 message.c:2311: REQUIRE(*name == ((void *)0)) failed, back trace
04-Aug-2015 20:48:54.130 #0 0x7fa696e2fdd9 in ??
04-Aug-2015 20:48:54.130 #1 0x7fa695770f3a in ??
04-Aug-2015 20:48:54.130 #2 0x7fa69669806f in ??
04-Aug-2015 20:48:54.130 #3 0x7fa696723bd9 in ??
04-Aug-2015 20:48:54.130 #4 0x7fa696e40615 in ??
04-Aug-2015 20:48:54.130 #5 0x7fa696e26e71 in ??
04-Aug-2015 20:48:54.130 #6 0x7fa69578fe1d in ??
04-Aug-2015 20:48:54.130 #7 0x7fa695143b50 in ??
04-Aug-2015 20:48:54.130 #8 0x7fa694b2d95d in ??
04-Aug-2015 20:48:54.130 exiting (due to assertion failure)
Aborted (core dumped)
 failed!
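On the detection side, that output is the signature a defender should watch for: an ISC assertion macro (REQUIRE/INSIST/ENSURE) reporting failure with a file and line, a back trace, and named exiting. As an added example that is not part of this post or of the vaas container, the following Python script parses named log lines into one event per crash and formats each as an alert line; the regexes assume the stock named log format shown above, and the sample input is the excerpt above, embedded as a constructed string.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (hypothetical input for this example): the named log
# excerpt from the post, as it appears on the container's stdout / docker logs.
SAMPLE_LOG = """\
04-Aug-2015 20:47:14.841 createfetch: hml.io DS
04-Aug-2015 20:47:14.886 createfetch: de DNSKEY
04-Aug-2015 20:48:54.130 message.c:2311: REQUIRE(*name == ((void *)0)) failed, back trace
04-Aug-2015 20:48:54.130 #0 0x7fa696e2fdd9 in ??
04-Aug-2015 20:48:54.130 #1 0x7fa695770f3a in ??
04-Aug-2015 20:48:54.130 #2 0x7fa69669806f in ??
04-Aug-2015 20:48:54.130 exiting (due to assertion failure)
"""

# named's timestamp prefix, e.g. "04-Aug-2015 20:48:54.130"
_TS = r"(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})"
# "<file>:<line>: REQUIRE(<expr>) failed" is what ISC's assertion macros log
_ASSERT_RE = re.compile(
    _TS + r" (?P<file>[\w./-]+):(?P<line>\d+): "
    r"(?P<expr>(?:REQUIRE|INSIST|ENSURE|INVARIANT)\(.*\)) failed"
)
_FRAME_RE = re.compile(_TS + r" #\d+ (?P<addr>0x[0-9a-fA-F]+) in ")
_EXIT_RE = re.compile(_TS + r" exiting \(due to assertion failure\)")


@dataclass
class AssertionCrash:
    """One named assertion failure reconstructed from the log."""
    ts: str
    file: str
    line: int
    expr: str
    frames: list = field(default_factory=list)  # raw back-trace return addresses
    exited: bool = False                         # saw "exiting (due to assertion failure)"


def find_assertion_crashes(log_text: str) -> list:
    """Return every assertion-failure crash found in a named log.

    Back-trace frames and the final 'exiting' line are folded into the
    assertion line that precedes them, so one event per crash comes back.
    """
    crashes = []
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ASSERT_RE.match(line)
        if m:
            current = AssertionCrash(
                ts=m.group("ts"),
                file=m.group("file"),
                line=int(m.group("line")),
                expr=m.group("expr"),
            )
            crashes.append(current)
            continue
        if current is None:
            continue  # frame/exit lines without a preceding assertion are noise
        m = _FRAME_RE.match(line)
        if m:
            current.frames.append(m.group("addr"))
            continue
        if _EXIT_RE.match(line):
            current.exited = True
            current = None  # the process is gone; the next crash starts fresh
    return crashes


def alert_line(crash: AssertionCrash) -> str:
    """Format a crash as a single alert line for a SIEM or a pager."""
    state = "process exited" if crash.exited else "exit not seen"
    return (f"{crash.ts} named assertion failure at {crash.file}:{crash.line} "
            f"[{crash.expr}] ({len(crash.frames)} frames, {state})")


if __name__ == "__main__":
    for crash in find_assertion_crashes(SAMPLE_LOG):
        print(alert_line(crash))
```

In practice you would feed it `docker logs <container>` or the named log on a real resolver; the "exited" flag is the useful bit, since an assertion that takes the daemon down is exactly the outcome this CVE produces, whereas a lone back trace without an exit deserves a different follow-up.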