A few days ago a DNS protocol vulnerability was published; you can read the details here, and the technical background here. If the flaw is exploited, the caches of the DNS servers that carry it (we could say 99% of the Internet) can be poisoned.
One of the measures recommended at the address I gave above is that DNS servers should use a random source port for each query they send. As far as I know, apart from DJBdns there is no DNS server/client software that does this natively.
If you use a firewall that can rewrite source ports while doing NAT, such as Packet Filter (most firewalls can), and you NAT your DNS server's outbound UDP 53 traffic, the source port numbers end up being chosen at random.
The example below was carried out with named and PF on OpenBSD.
Queries made from a DNS server whose outbound traffic is not NATed by PF:
# nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> www.google.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.google.com canonical name = www.l.google.com.
Name: www.l.google.com
Address: 74.125.39.103
Name: www.l.google.com
Address: 74.125.39.147
Name: www.l.google.com
Address: 74.125.39.99
Name: www.l.google.com
Address: 74.125.39.104
> www.lifeoverip.net
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: www.lifeoverip.net
Address: 80.93.212.86
> set q=a
> www.huzeyfe.net
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: www.huzeyfe.net
Address: 80.93.212.86
> www.cnn.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: www.cnn.com
Address: 64.236.91.23
Name: www.cnn.com
Address: 64.236.16.20
Name: www.cnn.com
Address: 64.236.16.52
Name: www.cnn.com
Address: 64.236.24.12
Name: www.cnn.com
Address: 64.236.29.120
Name: www.cnn.com
Address: 64.236.91.21
> exit
Watching these requests leave with tcpdump gives the following output.
# tcpdump -ttnn udp port 53
tcpdump: listening on vic0, link-type EN10MB
1214527060.000368 192.168.2.23.26926 > 192.33.14.30.53: 52135% [1au] A? www.huzeyfe.net. (44) (43)
1214527060.202598 192.168.2.23.26926 > 70.84.223.230.53: 26205% [1au] AAAA? jet.tekrom.com. (43)
1214527060.202728 192.168.2.23.26926 > 70.84.223.230.53: 45553% [1au] A? ns3.tekrom.com. (43)
1214527060.202918 192.168.2.23.26926 > 70.84.223.230.53: 9887% [1au] AAAA? ns3.tekrom.com. (43)
1214527060.203064 192.168.2.23.26926 > 70.84.223.230.53: 19219% [1au] A? ns4.tekrom.com. (43)
1214527060.203171 192.168.2.23.26926 > 70.84.223.230.53: 9937% [1au] AAAA? ns4.tekrom.com. (43)
1214527060.478490 70.84.223.230.53 > 192.168.2.23.26926: 23575*- 1/2/3 A 74.52.0.226 (127) (DF)
1214527060.479070 192.168.2.23.26926 > 70.84.223.226.53: 5700% [1au] A? www.huzeyfe.net. (44)
1214527060.483016 70.84.223.230.53 > 192.168.2.23.26926: 26205*- 0/1/1 (91) (DF)
1214527060.487206 70.84.223.230.53 > 192.168.2.23.26926: 45553*- 1/2/2 A 70.84.223.226 (107) (DF)
1214527060.492574 70.84.223.230.53 > 192.168.2.23.26926: 9887*- 0/1/1 (87) (DF)
1214527060.496554 70.84.223.230.53 > 192.168.2.23.26926: 19219*- 1/2/2 A 70.84.223.227 (107) (DF)
1214527060.501199 70.84.223.230.53 > 192.168.2.23.26926: 9937*- 0/1/1 (91) (DF)
1214527060.756220 70.84.223.226.53 > 192.168.2.23.26926: 5700- 0/13/1 (252) (DF)
1214527060.756753 192.168.2.23.26926 > 70.84.223.227.53: 58800% [1au] A? www.huzeyfe.net. (44)
1214527061.031910 70.84.223.227.53 > 192.168.2.23.26926: 58800- 0/13/1 (252) (DF)
1214527061.032272 192.168.2.23.26926 > 74.52.0.226.53: 54605% [1au] A? www.huzeyfe.net. (44)
1214527061.309713 74.52.0.226.53 > 192.168.2.23.26926: 54605*- 1/2/3 A 80.93.212.86 (138) (DF)
1214527081.550135 192.168.2.23.26926 > 192.26.92.30.53: 48697% [1au] A? www.cnn.com. (40)
1214527081.694272 192.26.92.30.53 > 192.168.2.23.26926: 48697- 0/4/5 (203) (DF)
1214527081.695022 192.168.2.23.26926 > 205.188.146.88.53: 10679% [1au] A? www.cnn.com. (40)
1214527081.851653 205.188.146.88.53 > 192.168.2.23.26926: 10679- 0/2/3 (123) (DF)
Look closely and you will see that every DNS query leaves from the same source port (26926)…
Now let's apply NAT in Packet Filter to the outbound UDP 53 traffic and repeat the same steps.
Queries:
# nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> set query=a
> www.lifeoverip.net
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: www.lifeoverip.net
Address: 80.93.212.86
> www.linux.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.linux.com canonical name = linux.com.
Name: linux.com
Address: 216.34.181.51
> www.fazlamesai.net
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: www.fazlamesai.net
Address: 82.222.181.125
> netsec.lifeoverip.net
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: netsec.lifeoverip.net
Address: 80.93.212.86
tcpdump output for these queries:
# tcpdump -ttnn udp port 53
tcpdump: listening on vic0, link-type EN10MB
1214527500.423316 192.168.2.23.55819 > 192.42.93.30.53: 15093% [1au] A? www.linux.com. (42)
1214527500.692729 192.42.93.30.53 > 192.168.2.23.55819: 15093- 0/3/4 (168) (DF)
1214527500.694008 192.168.2.23.63085 > 12.31.165.79.53: 8055% [1au] A? www.linux.com. (42)
1214527500.991152 12.31.165.79.53 > 192.168.2.23.63085: 8055*- 2/0/0 CNAME linux.com., (61) (DF)
1214527500.995350 192.168.2.23.60810 > 216.34.181.21.53: 732% [1au] A? linux.com. (38)
1214527501.165336 216.34.181.21.53 > 192.168.2.23.60810: 732*- 1/0/0 A 216.34.181.51 (43) (DF)
1214527515.105501 192.168.2.23.63168 > 192.54.112.30.53: 38190% [1au] A? www.fazlamesai.net. (47)
1214527515.176086 192.54.112.30.53 > 192.168.2.23.63168: 38190- 0/2/1 (97) (DF)
1214527515.177442 192.168.2.23.52894 > 199.19.57.1.53: 13823% [1au] A? ns1.fazlamesai.org. (47)
1214527515.177701 192.168.2.23.52894 > 199.19.57.1.53: 63052% [1au] AAAA? ns1.fazlamesai.org. (47)
1214527515.177963 192.168.2.23.52894 > 199.19.57.1.53: 52497% [1au] A? ns2.fazlamesai.org. (47)
1214527515.178148 192.168.2.23.52894 > 199.19.57.1.53: 19103% [1au] AAAA? ns2.fazlamesai.org. (47)
1214527515.251261 199.19.57.1.53 > 192.168.2.23.52894: 13823- 0/2/3 (111) (DF)
1214527515.251972 192.168.2.23.57625 > 195.33.233.59.53: 64528% [1au] A? ns1.fazlamesai.org. (47)
1214527515.256090 199.19.57.1.53 > 192.168.2.23.52894: 63052- 0/2/3 (111) (DF)
1214527515.256721 192.168.2.23.57625 > 195.33.233.59.53: 19139% [1au] AAAA? ns1.fazlamesai.org. (47)
1214527515.260952 199.19.57.1.53 > 192.168.2.23.52894: 52497- 0/2/3 (111) (DF)
1214527515.261360 192.168.2.23.57625 > 195.33.233.59.53: 2367% [1au] A? ns2.fazlamesai.org. (47)
1214527515.265682 199.19.57.1.53 > 192.168.2.23.52894: 19103- 0/2/3 (111) (DF)
1214527515.266223 192.168.2.23.57625 > 195.33.233.59.53: 19193% [1au] AAAA? ns2.fazlamesai.org. (47)
1214527515.695411 192.168.2.23.57625 > 195.33.233.59.53: 22141% [1au] A? www.fazlamesai.net. (47)
1214527515.764586 192.168.2.23.61756 > 82.222.181.125.53: 51328% [1au] A? ns1.fazlamesai.org. (47)
1214527515.764749 192.168.2.23.61756 > 82.222.181.125.53: 60964% [1au] AAAA? ns1.fazlamesai.org. (47)
1214527515.764895 192.168.2.23.61756 > 82.222.181.125.53: 48058% [1au] A? ns2.fazlamesai.org. (47)
1214527515.779404 82.222.181.125.53 > 192.168.2.23.61756: 51328* 1/2/2 A 82.222.181.125 (111) (DF)
1214527515.779909 192.168.2.23.61756 > 82.222.181.125.53: 11798% [1au] AAAA? ns2.fazlamesai.org. (47)
1214527515.785161 82.222.181.125.53 > 192.168.2.23.61756: 60964* 0/1/1 (94) (DF)
1214527515.789313 82.222.181.125.53 > 192.168.2.23.61756: 48058* 1/2/2 A 212.175.237.162 (111) (DF)
1214527515.794834 82.222.181.125.53 > 192.168.2.23.61756: 11798* 0/1/1 (98) (DF)
1214527516.215004 192.168.2.23.61756 > 82.222.181.125.53: 54317% [1au] A? www.fazlamesai.net. (47)
1214527516.228870 82.222.181.125.53 > 192.168.2.23.61756: 54317* 1/2/3 A 82.222.181.125 (145) (DF)
1214527540.838462 192.168.2.23.62275 > 70.84.223.227.53: 2944% [1au] A? netsec.lifeoverip.net. (50)
1214527541.105514 70.84.223.227.53 > 192.168.2.23.62275: 2944*- 1/2/3 A[|domain] (DF)
As you can see, once NAT is in place the source ports vary randomly…
Regards..
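The comparison the post makes by eye (one source port before NAT, many after) can be scripted so that a resolver's behaviour is checked rather than eyeballed. The checker below is an added example and not part of the original post or of OpenBSD/PF: it parses "tcpdump -ttnn udp port 53" lines, keeps only the outbound queries (destination port 53, a "TYPE?" token in the summary), and reports per resolver address how many queries were sent, how many distinct source ports and transaction IDs they used, and the largest number of queries that shared one port. The sample traces are abridged from the two captures above. A "fixed source port" verdict means the 16-bit transaction ID is the only thing an off-path forger has to guess, which is exactly the weakness the post is mitigating. The "max_queries_on_one_port" figure is there because PF assigns the translated port per NAT state, so consecutive queries to the same authoritative server still share a port (52894, 57625 and 61756 in the second capture); that is far better than one fixed port, but weaker than a resolver that picks a fresh port for every query.

```python
import re
from collections import Counter, defaultdict

# Shape of one outbound query line in "tcpdump -ttnn udp port 53" output:
#   <ts> <src>.<sport> > <dst>.53: <txid><flags> [1au] <TYPE>? <name> (<len>)
# Reply lines (server port 53 -> resolver port) do not match: their destination
# port is not 53 and their summary carries no "TYPE?" token.
QUERY_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.53: "
    r"(?P<txid>\d+)\S* (?:\[1au\] )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)


def parse_queries(lines):
    """Extract outbound DNS queries as (src, sport, dst, txid, qtype, qname) tuples."""
    queries = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            queries.append((m["src"], int(m["sport"]), m["dst"],
                            int(m["txid"]), m["qtype"], m["qname"]))
    return queries


def source_port_report(lines, min_queries=4):
    """Per resolver address: query count, distinct source ports, distinct
    transaction IDs, the largest number of queries sharing one port, and a verdict."""
    per_src = defaultdict(lambda: {"ports": Counter(), "txids": set()})
    for src, sport, _dst, txid, _qtype, _qname in parse_queries(lines):
        per_src[src]["ports"][sport] += 1
        per_src[src]["txids"].add(txid)

    report = {}
    for src, d in per_src.items():
        n = sum(d["ports"].values())
        distinct = len(d["ports"])
        if n < min_queries:
            verdict = "insufficient data"
        elif distinct == 1:
            verdict = "fixed source port"      # only the 16-bit txid protects the cache
        else:
            verdict = "randomised source port"
        report[src] = {
            "queries": n,
            "distinct_ports": distinct,
            "distinct_txids": len(d["txids"]),
            "max_queries_on_one_port": max(d["ports"].values()),
            "verdict": verdict,
        }
    return report


# Sample input, abridged from the first capture in the post (no NAT).
FIXED_PORT_TRACE = """\
1214527060.000368 192.168.2.23.26926 > 192.33.14.30.53: 52135% [1au] A? www.huzeyfe.net. (44)
1214527060.202598 192.168.2.23.26926 > 70.84.223.230.53: 26205% [1au] AAAA? jet.tekrom.com. (43)
1214527060.202728 192.168.2.23.26926 > 70.84.223.230.53: 45553% [1au] A? ns3.tekrom.com. (43)
1214527060.478490 70.84.223.230.53 > 192.168.2.23.26926: 23575*- 1/2/3 A 74.52.0.226 (127) (DF)
1214527060.479070 192.168.2.23.26926 > 70.84.223.226.53: 5700% [1au] A? www.huzeyfe.net. (44)
1214527081.550135 192.168.2.23.26926 > 192.26.92.30.53: 48697% [1au] A? www.cnn.com. (40)
"""

# Sample input, abridged from the second capture in the post (PF NAT on UDP 53).
RANDOM_PORT_TRACE = """\
1214527500.423316 192.168.2.23.55819 > 192.42.93.30.53: 15093% [1au] A? www.linux.com. (42)
1214527500.692729 192.42.93.30.53 > 192.168.2.23.55819: 15093- 0/3/4 (168) (DF)
1214527500.694008 192.168.2.23.63085 > 12.31.165.79.53: 8055% [1au] A? www.linux.com. (42)
1214527500.995350 192.168.2.23.60810 > 216.34.181.21.53: 732% [1au] A? linux.com. (38)
1214527515.177442 192.168.2.23.52894 > 199.19.57.1.53: 13823% [1au] A? ns1.fazlamesai.org. (47)
1214527515.177701 192.168.2.23.52894 > 199.19.57.1.53: 63052% [1au] AAAA? ns1.fazlamesai.org. (47)
1214527515.251972 192.168.2.23.57625 > 195.33.233.59.53: 64528% [1au] A? ns1.fazlamesai.org. (47)
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # A saved trace: tcpdump -ttnn udp port 53 > trace.txt
        with open(sys.argv[1]) as fh:
            traces = {"trace": fh.read().splitlines()}
    else:
        traces = {"no NAT": FIXED_PORT_TRACE.splitlines(),
                  "PF NAT": RANDOM_PORT_TRACE.splitlines()}
    for label, lines in traces.items():
        for src, r in source_port_report(lines).items():
            print(f"[{label}] {src}: {r}")
```

Run without arguments it evaluates the two embedded traces; run with a file name it evaluates a trace you saved from tcpdump. Keep min_queries at a sensible value: a handful of queries to one server will legitimately share a NAT state, so judge the resolver on a capture that covers several different destinations.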