On Jul 25, 2008, at 5:48 PM, Gregory Hicks wrote:

>> Date: Fri, 25 Jul 2008 20:36:50 -0400
>> From: [EMAIL PROTECTED]
>> To: "[email protected]" <[email protected]>
>> Subject: dns exploit
>>
>> Silly question, how do I tell if I'm vulnerable to the dns exploit?
>
> Run attached against your name server thusly: (You need perl...)
>
> noclicky <ns>
> ---------------------------------------------------------------------
> Gregory Hicks | Principal Systems Engineer
> Cadence Design Systems | Direct: 408.576.3609
> 555 River Oaks Pkwy M/S 9B1
> San Jose, CA 95134
Hello,

It looks like the listserv ate the attachment, so I'm not sure if the version you sent was patched to work since Dan has changed his page (I'd like to assume it is, but you know what assuming does...)

The original noclicky wasn't written to parse the date header that Dan added to the output, so if you're still using the original it will _falsely_ report that you're safe.

I've written an updated patch for noclicky-1.00.pl that you can find at http://www.SMTPS.net/issues/patches.html , also pasted below. Apply by saving this file to the same directory as noclicky-1.00.pl and doing:

$ patch -p0 <02-noclicky.patch

(included inline for the lazy, or the fearful of DNS cache poisoning against my site)

--- noclicky-1.00.pl Fri Jul 25 21:15:04 2008 +++ noclicky-1.00p2.pl Fri Jul 25 22:11:09 2008 @@ -1,7 +1,7 @@ #!/usr/bin/perl # vim:set ts=4 sw=4 ai et: # -# noclicky.pl, version 1.00 +# noclicky.pl, version 1.00p2 # # A command line ("non-clicky") client to query the toorrr.com service to # determine if a given nameserver is vulnerable to CERT Vulnerability Note @@ -24,6 +24,7 @@ my @char = ("a" .. "z", 0 .. 9); my $session = join "", map { $char[rand @char] } (1 .. 12); my $domain = "$session.toorrr.com"; +my $nodata = 0; sub lookup { 
@@ -64,10 +65,23 @@ my %ports; for my $data (@data) { - chomp($data); - my ($ip, $port, $txid) = split "-", $data; - print " $ip:$port TXID=$txid\n"; - $ports{$port} = 1; + if ($data =~ /^(?:\d{1,3}\.){3}\d{1,3}-\d{2,5}-\d+$/) { + chomp($data); + my ($ip, $port, $txid) = split "-", $data; + print " $ip:$port TXID=$txid\n"; + $ports{$port} = 1; + } else { + if (++$nodata > 1) { + # Brian Keefer -- chort AT smtps DOT net + die '##############################################' . "\n" . + '# Uh oh, that\'s not what we were expecting! #' . "\n" . + '# Dan Kaminksy must have changed his website #' . "\n" . + '# again, please check: #' . "\n" . + '#> http://www.SMTPS.net/issues/patches.html <#' . "\n" . + '# for a patch. #' . "\n" . + '##############################################' . "\n\n"; + } + } } if (keys %ports == 1) {

Hopefully that's right, but I am pretty sleepy... I did test both expected and unexpected data...

Brian Keefer
Sr. Systems Engineer
www.Proofpoint.com
"Defend email. Protect data."
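
Review bot: in the @@ -24,6 +24,7 hunk, `my $nodata = 0;` is declared at file scope, about forty lines away from the parsing loop that is its only visible use, and the name does not say what it counts. Declaring it next to `my %ports;` and naming it for its purpose (for example `$unparsed_lines`) would keep the counter beside the loop that increments it.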
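
Review bot: in the @@ -64,10 +65,23 hunk, the `else` branch silently accepts the first non-matching line whatever it contains (`++$nodata > 1`), and nothing checks that any record matched at all. A response with no valid `ip-port-txid` lines and at most one unexpected line leaves `%ports` empty, and `if (keys %ports == 1)` then treats zero parsed ports the same way as several distinct ports. Suggest matching the date header explicitly and skipping only that line, and calling `die` when `%ports` is still empty after the loop, so that a format change fails loudly rather than producing a verdict. Smaller points: the `die` text spells the name "Kaminksy", and the port pattern `\d{2,5}` rejects a single-digit port.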
