• Fwd: DNS Misconfiguration on- http://cyberia.net.sa/

    From Ejaz Ahmed@mejaz@cyberia.net.sa to bind-users@lists.isc.org on Fri Jun 5 11:54:51 2020
    From Newsgroup: comp.protocols.dns.bind

    Someone is claiming that our name server 212.118.64.2 is vulnerable
    with the information below. Is this true?

    Any suggestions would be appreciated

    Thanks in advance

    Ejaz




    Dear CYBERIA GROUP Security Team ,

    I Rahul a Ethical Hacker and Security Researcher. I found a vulnerability
    on your website that is DNS Misconfiguration .

    Your *localhost.cyberia.net.sa <http://localhost.cyberia.net.sa> *has
    address 127.0.0.1 and this may lead to "Same- Site" Scripting. I can also
    ping the localhost network.


    Here is detailed description of this minor security issue :* http://www.securityfocus.com/archive/1/486606/30/0/threaded <https://hackerone.com/redirect?signature=f22656dd5afea782410979cdd3fbb951f819c82e&url=http%3A%2F%2Fwww.securityfocus.com%2Farchive%2F1%2F486606%2F30%2F0%2Fthreaded>*

    *Find attached POC Video. *

    *Dear Team Waiting for your response and I want bounty(money) with an Appreciation letter for my work and effort which I have given for *


    *Thanks in advance *
    *Ejaz *

    --- Synchronet 3.18a-Linux NewsLink 1.113
  • From Matus UHLAR - fantomas@uhlar@fantomas.sk to bind-users on Fri Jun 5 11:23:05 2020
    From Newsgroup: comp.protocols.dns.bind

    On 05.06.20 11:54, Ejaz Ahmed wrote:
    >Someone is claiming that our name server 212.118.64.2 is vulnerable
    >with the information below. Is this true?

    it's not the nameserver. It's the domain "cyberia.net.sa" that has
    "localhost" in it pointing to 127.0.0.1

    This is useless. The localhost hostname should not exist in domains other
    than "localhost." that should be configured on recursive servers.

    >Any suggestions would be appreciated

    simply remove the "localhost" record from cyberia.net.sa and possibly other domains.

    >Dear CYBERIA GROUP Security Team ,
    >
    >I Rahul a Ethical Hacker and Security Researcher. I found a vulnerability
    >on your website that is DNS Misconfiguration .
    >
    >Your *localhost.cyberia.net.sa <http://localhost.cyberia.net.sa> *has
    >address 127.0.0.1 and this may lead to "Same- Site" Scripting. I can also
    >ping the localhost network.
    >
    >
    >Here is detailed description of this minor security issue :*
    >http://www.securityfocus.com/archive/1/486606/30/0/threaded
    ><https://hackerone.com/redirect?signature=f22656dd5afea782410979cdd3fbb951f819c82e&url=http%3A%2F%2Fwww.securityfocus.com%2Farchive%2F1%2F486606%2F30%2F0%2Fthreaded>*
    >
    >*Find attached POC Video. *
    >
    >*Dear Team Waiting for your response and I want bounty(money) with an
    >Appreciation letter for my work and effort which I have given for *
    >
    >
    >*Thanks in advance *
    >*Ejaz *

    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
    Warning: I wish NOT to receive e-mail advertising to this address.
    Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. REALITY.SYS corrupted. Press any key to reboot Universe.
  • From Fred Morris@m3047@m3047.net to bind-users@lists.isc.org on Fri Jun 5 09:16:37 2020
    From Newsgroup: comp.protocols.dns.bind

    Hrmmm... I'm reminded of something else I've seen reported on recently...

    On Fri, 5 Jun 2020, Ejaz Ahmed wrote:
    >localhost.cyberia.net.sa

    I don't know if you've been paying attention, but it's been reported that
    among others EBay has been port scanning visitors' devices [0]. Having
    localhost.ebay.com could be handy for them in terms of circumventing some
    rules on setting of cookies and the execution of scripts. Not saying
    that's what they're doing, heaven forbid.

    Any domain you visit could have entries in it which point to e.g.
    localhost or nonrouting addresses commonly used for gateways, things like that.

    This is not a DNS problem, it's a problem in what commonly used programs
    aid and abet in the name of "freedom of commerce" or something.

    --

    Fred Morris

    --

    [0] https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/

  • From Lee@ler762@gmail.com to Fred Morris on Fri Jun 5 20:33:21 2020
    From Newsgroup: comp.protocols.dns.bind

    On 6/5/20, Fred Morris <m3047@m3047.net> wrote:
    >Hrmmm... I'm reminded of something else I've seen reported on recently...
    >
    >On Fri, 5 Jun 2020, Ejaz Ahmed wrote:
    >>localhost.cyberia.net.sa
    >
    >I don't know if you've been paying attention, but it's been reported that
    >among others EBay has been port scanning visitors' devices [0]. Having
    >localhost.ebay.com could be handy for them in terms of circumventing some
    >rules on setting of cookies and the execution of scripts. Not saying
    >that's what they're doing, heaven forbid.
    >
    >Any domain you visit could have entries in it which point to e.g.
    >localhost or nonrouting addresses commonly used for gateways, things like that.
    >
    >This is not a DNS problem, it's a problem in what commonly used programs
    >aid and abet in the name of "freedom of commerce" or something.

    It's possible to block with rpz & something else that I can't recall
    right now. I did RPZ blocking first, so I didn't bother changing

    ; return NXDOMAIN for any 127.0.0.0/8 answers
    ; exceptions:
    onea.net-snmp.org CNAME rpz-passthru.
    twoa.net-snmp.org CNAME rpz-passthru.
    localhost CNAME rpz-passthru.
    8.0.0.0.127.rpz-ip CNAME . ; 127.0.0.0/8
    ; check:
    ; localhost 127.0.0.1
    ; onea.net-snmp.org 127.0.0.1
    ; twoa.net-snmp.org 127.0.0.2 127.0.0.3

    All my other host names that used to return 127.0.0.1 answers don't
    any more :( Anyone know some valid names I can use for testing?

    Lee
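
The two remedies in this thread (removing "localhost" records from zones other than "localhost.", and treating any 127.0.0.0/8 answer as suspect unless explicitly exempted) can be checked against zone data before it is published. The following is an added example, not code from any poster in the thread; the zone contents, the `example.test.` origin and the function names are constructed, and the parser assumes one record per line with no parentheses or `$INCLUDE`.

```python
import ipaddress

# Constructed sample zone (documentation addresses; not real cyberia.net.sa data).
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@          IN SOA ns1 hostmaster 1 7200 900 1209600 3600
@          IN NS  ns1
ns1        IN A   192.0.2.53
www   300  IN A   192.0.2.80
localhost  IN A   127.0.0.1      ; the kind of record reported in the thread
lo6        IN AAAA ::1
dev.lab.example.test. A 127.0.0.53
mail       IN MX  10 www
"""

CLASSES = {"IN", "CH", "HS"}

def fqdn(name, origin):
    """Expand a zone-file owner name to an absolute name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin.lstrip('.')}"

def find_loopback_records(zone_text, origin=".", allow=("localhost.",)):
    """Return (owner, type, address) for A/AAAA records in loopback space.

    `allow` plays the role of the rpz-passthru exceptions: absolute names
    that are permitted to resolve to 127.0.0.0/8 or ::1.
    """
    allowed = {a.lower() for a in allow}
    findings, last_owner = [], origin
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0].upper() == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):             # $TTL and other directives
            continue
        if line[0].isspace():                     # blank owner: reuse previous
            owner = last_owner
        else:
            owner = last_owner = fqdn(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)                         # optional TTL and class
        if len(tokens) < 2 or tokens[0].upper() not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(tokens[1])
        except ValueError:
            continue
        if addr.is_loopback and owner.lower() not in allowed:
            findings.append((owner, tokens[0].upper(), str(addr)))
    return findings
```

Calling `find_loopback_records(SAMPLE_ZONE)` lists every owner name that would hand a loopback address to clients; an empty list means the zone has no such records outside the allow list.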