Full Disclosure
mailing list archives
Re: DNS and Checkpoint
From: "Rodrigo Rubira Branco (BSDaemon)" <rodrigo () kernelhacking com>
Date: Wed, 9 Jul 2008 19:04:10 -0000
Hello,
SmartDefense includes protection for this attack since 2005 scrambling the
source port and query ID of each DNS request (just activate the DNS spoofing
protection in SD).
cya,
Rodrigo (BSDaemon).
--
http://www.kernelhacking.com/rodrigo
Kernel Hacking: If i really know, i can hack
GPG KeyID: 1FCEDEA1
--------- Original Message --------
From: imipak <imipak () gmail com>
To: Full Disclosure <full-disclosure () lists grok org uk>
Subject: [Full-disclosure] DNS and Checkpoint
Date: 09/07/08 10:52
Hello everyone,
I've had a report from someone with clue (and tcpdump) that a properly
functioning DNS resolver that correctly uses randomised source ports
magically becomes vulnerable once the traffic's passed through a
Checkpoint firewall, where Dan Kaminsky's tool shows:
x.y.z.155:56978 TXID=712
x.y.z.155:56979 TXID=45713
x.y.z.155:56980 TXID=63532
x.y.z.155:56981 TXID=7243
x.y.z.155:56982 TXID=17620
(note the incrementing port numbers.)
Can anyone else confirm this behaviour?
Checkpoint are one of the dozens of vendors listed on the CERT
advisory as "Status: Unknown"
http://www.kb.cert.org/vuls/id/MIMG-7ECL6B
They do have an advisory up:
http://www.checkpoint.com/defense/advisories/public/2008/cpai-01-Jul.html
I don't have the login needed to read the whole thing, but the front
page just says:
"Protection provided by:
VPN-1: * NGX R65
* NGX R62
* NGX R61
* NGX R60
[...etc, etc...] "
cheers
=i
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
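A check for the pattern reported above, as an added example that is not part of the original messages: it parses lines in the `addr:port TXID=n` form shown in the post and flags source ports that stay fixed or advance in small steps between queries. The function names, the `max_step` threshold and the second, constructed sample are assumptions made for illustration.

```python
import re

# One observation per line, in the form quoted in the post: addr:port TXID=n
LINE_RE = re.compile(r"^(\S+):(\d+)\s+TXID=(\d+)$")

# The five observations quoted in the message above.
REPORTED = """\
x.y.z.155:56978 TXID=712
x.y.z.155:56979 TXID=45713
x.y.z.155:56980 TXID=63532
x.y.z.155:56981 TXID=7243
x.y.z.155:56982 TXID=17620
"""

# Constructed sample (not from the post): ports that do look randomised.
CONSTRUCTED_RANDOM = """\
192.0.2.10:41873 TXID=5120
192.0.2.10:12044 TXID=60211
192.0.2.10:58310 TXID=933
192.0.2.10:27961 TXID=31877
192.0.2.10:49502 TXID=14409
"""

def parse_observations(text):
    """Return (addr, port, txid) tuples, skipping lines that do not match."""
    obs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            obs.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return obs

def assess_ports(obs, max_step=16):
    """Flag source ports as predictable when every consecutive query reuses
    the port or moves forward by at most max_step (assumed threshold)."""
    if len(obs) < 3:
        raise ValueError("need at least 3 queries to judge a pattern")
    ports = [port for _, port, _ in obs]
    # Forward distance modulo 2**16 so a wrap past 65535 still counts as a small step.
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    return {
        "deltas": deltas,
        "span": max(ports) - min(ports),
        "predictable": all(d <= max_step for d in deltas),
    }

if __name__ == "__main__":
    for name, sample in (("reported", REPORTED), ("constructed", CONSTRUCTED_RANDOM)):
        print(name, assess_ports(parse_observations(sample)))
```

Running the same check on captures taken on both sides of the firewall shows whether the device in the path is the one rewriting the source ports.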
Current thread:
- DNS and Checkpoint imipak (Jul 09)
- <Possible follow-ups>
- Re: DNS and Checkpoint Rodrigo Rubira Branco (BSDaemon) (Jul 09)