Bugtraq
mailing list archives
RE: CAIS-ALERT: Vulnerability in the sending requests control of BIND
From: Iván Arce <core.lists.bugtraq () core-sdi com>
Date: Wed, 27 Nov 2002 19:51:43 -0300
Vagner Sacramento wrote:
-----------------------------------------------------------------------
@ Copyright CAIS - Brazilian Research Network CSIRT
Security Incidents Response Center (CAIS/RNP)
Subject : Vulnerability in the sending requests control of BIND
versions 4 and 8 allows DNS spoofing
Date : November 19th, 2002
Credits : Vagner Sacramento, DIMAp-UFRN
Systems affected: 4.9.11 and prior (4.9.x); 8.2.7 and prior (8.2.x);
8.3.4 and prior (8.3.x);
-----------------------------------------------------------------------
[stuff deleted]
2. Details
BIND versions 4 and 8 use procedures that allow a remote DNS Spoofing
attack against DNS servers.
The goal of the attack is to get a reply with false information to the
target DNS server before the legitimate reply arrives, making the server
store in its cache a false IP address for a certain domain name.
To better understand the identified vulnerability, consider the
following scenario. When n different DNS clients send simultaneous
requests to a target DNS server (running BIND 4 or BIND 8) to resolve
the same domain name, the target server will forward the requests
received to other DNS servers, starting from the root servers and trying
to get replies for each one of the requests.
In this context, the identified vulnerability can be exploited if an
attacker simultaneously sends n requests to the target DNS server, using
in each one a different source IP address and the same domain name. The
target DNS server will send all the received requests to other DNS
servers in order to resolve them. Since these requests will be
processed independently, they will be assigned different identifiers
(IDs). As a result, this server will be waiting for n replies with
different IDs for the resolution of the same domain name. The attacker
then sends several replies with different IDs to the target DNS server,
attempting to guess one of the expected reply IDs, thus carrying out a DNS
spoofing attack.
I am sorry to burst the bubble but this has been a known problem for
more than 5 years:
Original advisory posted in 1997:
http://www.codetalker.com/advisories/sni/sni-12.html
http://www.corest.com/common/showdoc.php?idx=133&idxseccion=10 (spanish)
Discussion on how to fix bug #1 and the actual patch led to
the following comment:
+ /*
+ * The 16 bit space is very small and brute force attempts are
+ * entirly feasible, we skip a random number of transaction ids
+ * so that an attacker will not get sequential ids.
+ */
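Review bot: the comment justifies the random skip by the smallness of the 16-bit space, but skipping does not enlarge that space; it only keeps consecutive IDs from being predictable from one another. Against the attack in the quoted advisory, where the attacker guesses blindly against n outstanding IDs at once, the spacing of those IDs is irrelevant and the odds stay n times those of the single-query case. The comment should state that limitation explicitly, so that nobody reads this patch as a fix for the multiple-outstanding-query case.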
I have not read the BIND source for years; is this not explicitly mentioned
anywhere in the source, the docs, or updated RFCs?
BTW, what does BIND 9 do to prevent this?
. configure anti-spoofing rules on the firewall or border router;
. considering the network topology, set up the DNS server in a DMZ
(demilitarized zone).
Maybe I am missing something but how will this prevent cache poisoning
of the DNS server in the DMZ? (assuming it does recursion)
Inbound DNS replies (with a spoofed source IP address) to DNS requests
forwarded to Internet servers will look perfectly valid to the border
router or firewall.
-ivan
---
Perscriptio in manibus tabellariorum est
Noli me vocare, ego te vocabo
Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES
44 Wall Street - New York, NY 10005
Ph: (212) 461-2345
Fax: (212) 461-2346
http://www.corest.com
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
--- for a personal reply use: Iván Arce <iarce () core-sdi com>
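As an added example, not taken from the advisory, from BIND, or from anything else in this thread, the following Python models the attack the advisory describes: n outstanding queries for one name mean n acceptable transaction IDs, so each forged reply has n chances to be accepted instead of one. It gives the exact success probability, the number of forged replies needed to reach a target probability, and a Monte Carlo check that also covers a "random skip" ID scheme standing in for the patch comment quoted above. The parameters (n, k, trial counts, and the 1..16 skip range, which the page does not give) are assumptions.

```python
"""Model of the multiple-outstanding-query DNS spoofing attack described in
the quoted advisory.  Added example for illustration; it is not code from the
advisory, from BIND, or from this thread, and every parameter below
(n, k, trials, the skip range) is a constructed assumption.

Setup: a resolver has n outstanding queries for one name, each waiting for a
distinct 16-bit transaction ID.  A blind attacker forges k replies carrying
k distinct guessed IDs.  The attack succeeds if any guess matches any
outstanding ID.  With N = 65536, the probability that all k guesses miss all
n targets is C(N-n, k) / C(N, k) (k draws without replacement from a space
holding n winning values), so P(success) = 1 - that value.
"""
import random

ID_SPACE = 1 << 16  # 16-bit DNS transaction ID


def p_spoof(n_outstanding: int, k_forged: int, id_space: int = ID_SPACE) -> float:
    """Exact success probability for k_forged distinct guessed IDs against
    n_outstanding distinct outstanding IDs, computed as a running product
    (N-n-i)/(N-i) so that no huge binomial coefficients are needed."""
    k = min(k_forged, id_space)
    p_miss = 1.0
    for i in range(k):
        p_miss *= max(id_space - n_outstanding - i, 0) / (id_space - i)
    return 1.0 - p_miss


def forged_replies_needed(n_outstanding: int, target_p: float,
                          id_space: int = ID_SPACE) -> int:
    """Smallest number of forged replies giving P(success) >= target_p."""
    p_miss = 1.0
    for k in range(1, id_space + 1):
        p_miss *= max(id_space - n_outstanding - (k - 1), 0) / (id_space - (k - 1))
        if 1.0 - p_miss >= target_p:
            return k
    return id_space


def simulate(n_outstanding: int, k_forged: int, trials: int,
             id_scheme: str = "random", seed: int = 1) -> float:
    """Monte Carlo estimate of the same probability.

    id_scheme "random": each outstanding query gets an ID drawn uniformly
    from the whole space.  id_scheme "skip": IDs advance from a random start
    by a random skip of 1..16, a constructed stand-in for the "skip a random
    number of transaction ids" scheme in the quoted patch comment (the real
    skip range is not on the page).  The blind attacker guesses k distinct
    IDs uniformly at random in both cases.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        if id_scheme == "random":
            outstanding = set(rng.sample(range(ID_SPACE), n_outstanding))
        elif id_scheme == "skip":
            cur = rng.randrange(ID_SPACE)
            outstanding = set()
            for _ in range(n_outstanding):
                outstanding.add(cur)
                cur = (cur + rng.randint(1, 16)) % ID_SPACE
        else:
            raise ValueError(f"unknown id_scheme {id_scheme!r}")
        guesses = rng.sample(range(ID_SPACE), k_forged)
        if any(g in outstanding for g in guesses):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    k = 1000  # constructed: forged replies the attacker can push per window
    print(f"{'n outstanding':>14} {'P(success), k=1000':>20} {'k for P>=0.5':>13}")
    for n in (1, 10, 100, 500):
        print(f"{n:>14} {p_spoof(n, k):>20.4f} {forged_replies_needed(n, 0.5):>13}")
    # ID spacing does not matter to a blind guesser: both schemes match theory.
    for scheme in ("random", "skip"):
        print(f"simulated n=100, k=1000, ids={scheme}: "
              f"{simulate(100, k, 2000, scheme):.3f} "
              f"(exact {p_spoof(100, k):.3f})")
```

With one outstanding query the attacker needs about 32768 forged replies for a coin-flip chance; with 100 outstanding queries for the same name a few hundred suffice. Both ID schemes land on the closed-form value, because a blind guesser's odds depend only on how many IDs are outstanding, not on how they are spaced.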