DNS server
denial of service to Simple DNS Plus
Sending multiple DNS response packets to the source port of the server
This vulnerability is fixed in the new version of Simple DNS Plus 5.1.101.
usage: sdns-dos.pl <dns server> <dns source port> <num of packets>
Exploit written by Exodus.
http://www.blackhat.org.il
http://www.blackhat.org.il/index.php/simple-dns-plus-5041-remote-denial-of-service-exploit/
UPnP control point and as such reconfigure the device in order to
enable further attacks.
The most malicious of all malicious things to do when a device is
compromised via the attack described in the link pointed at the top of
this email, is to change the primary DNS server. That will effectively
turn the router and the network it controls into a zombie which the
attacker can take advantage of whenever they feel like it. It is also
possible to reset the admin credentials and create the sort of onion
routing network all bad guys want. Many routers come with a Layer 3
port forwarding UPnP service. This is also a potential vector that
I'm put in an awkward position of having to respond to a message which
wasn't sent to me in the first place. But still...
"This bug was reported over and over again" - I find this statement
confusing. The bug class of "DNS transaction ID not being random enough"
was sure reported for several DNS servers, including BIND. My paper
clearly references e.g.
http://www.openbsd.org/advisories/res_random.txt (as reference [7]).
However, I'm not familiar with public reports that outline the
seriousness of the non-randomness of BIND *9*, to the extent my report
did. So the way I see it is that this particular bug, in BIND 9, was not
Impact
======
A remote attacker could use a specially crafted resolved hostname to
execute arbitrary code with root privileges. However, it is required
that the attacker controls the DNS server used by the victim, and that
the "-p" (or "--split") command line option is used.
Workaround
==========
Note: https://www.isc.org/CVE-2011-1907 is the authoritative source
for this Security Advisory. Please check the source for any updates.
Summary: When a name server is configured with a response policy zone
(RPZ), queries for type RRSIG can trigger a server crash.
CVE: CVE-2011-1907
Posting date: 05 May 2011
Program Impacted: BIND
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
DNS Security Extensions (DNSSEC) provides data integrity, origin
authentication and authenticated denial of existence to resolvers.
II. Problem Description
Hello BugTraq
Once again, a DNS cache poisoning against a popular DNS cache
server. This time, it's PowerDNS (the third most popular DNS
server, servicing over 40 million users). The vendor coded
several impressive security measures against DNS spoofing (e.g.
UDP source port randomization and spoofed response detection),
but relied on the standard C randomization facility (the rand()
and srand() functions in <stdlib.h>). The two popular stdlib
implementations analyzed, glibc (used with GNU C++ for Linux/
Debian-specific: no
CVE Id(s) : CVE-2009-0696
CERT advisory : VU#725188
Debian Bug : 538975
It was discovered that the BIND DNS server terminates when processing a
specially crafted dynamic DNS update. This vulnerability affects all
BIND servers which serve at least one DNS zone authoritatively, as a
master, even if dynamic updates are not enabled. The default Debian
configuration for resolvers includes several authoritative zones, too,
so resolvers are also affected by this issue unless these zones have
Description
===========
* Dan Kaminsky of IOActive reported that dnsmasq does not randomize
UDP source ports when forwarding DNS queries to a recursing DNS
server (CVE-2008-1447).
* Carlos Carvalho reported that dnsmasq version 2.43 does not
properly handle clients sending inform or renewal queries for unknown
DHCP leases, leading to a crash (CVE-2008-3350).
Dear lee.e.rian@census.gov,
Why do you think you can't do it with SNMP? Examples are setting the DNS
server option via DHCP (or the DNS domain name for the proxy server
autodiscovery protocol) or even configuring a VPN tunnel for all
traffic. I'm not sure about Tsunami, for Orinoco these settings are
read/write:
http://support.ipmonitor.com/mibs/ORINOCO-MIB/oids.aspx
the attack.
The paper details a way of making DNS cache poisoning / response
spoofing attacks more reliable. A caching server will store any NS
delegation RRs if it receives a delegation which is "closer" to the
answer than the nameservers it already knows. By spoofing replies that
contain a delegation for a single node, the nameserver will eventually
cache the delegation when we hit the right transfer id.
http://www.sec-consult.com/whitepapers_e.html
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server. DNS Security
Extensions (DNSSEC) are additional protocol options that add
authentication as part of responses to DNS queries.
FreeBSD includes software from the OpenSSL Project. The OpenSSL
Project is a collaborative effort to develop a robust,
This program retrieves version information for the nameservers of a domain
and produces a report that describes possible vulnerabilities of each.
Vulnerability information is configurable through a configuration
file; the default is porkbind.conf. Each nameserver is tested for
recursive queries and zone transfers. The code is parallelized with
libpthread.
http://www.innu.org/~super/tools/porkbind-1.3.tar.gz
ChangeLog for this version:
and b.ns.bar; with my patch applied, only records within
burlap.dempsky.org are output. Also, there's significant freedom in
what poisonous records the attacker can produce.
The security hole here is that an administrator that uses djbdns 1.05
to serve DNS content does not expect that configuring his name server
as above will cause it to send records for names outside of
burlap.dempsky.org. I.e., an attacker can trick the administrator's
name servers to include arbitrary DNS records in response to queries
for names within domains he controls. Note that axfr-get is doing the
right thing here: it already strips out names from outside of the
execute arbitrary code or cause a Denial of Service.
Background
==========
MaraDNS is a proxy DNS server with permanent caching.
Affected packages
=================
-------------------------------------------------------------------
Debian-specific: no
CVE Id(s) : CVE-2008-1447
Debian Bug : 490271
In DSA-1603-1, Debian released an update to the BIND 9 domain name
server, which introduced UDP source port randomization to mitigate
the threat of DNS cache poisoning attacks (identified by the Common
Vulnerabilities and Exposures project as CVE-2008-1447). The fix,
while correct, was incompatible with the version of SELinux Reference
Policy shipped with Debian Etch, which did not permit a process
running in the named_t domain to bind sockets to UDP ports other than
1. An interface must have IPv6 enabled.
2. One or more of the following IPv4 UDP-based services must be
enabled:
TACACS - port 49
Domain Name System (DNS) server - port 53
Resource Reservation Protocol (RSVP) - port 1698
Layer Two Forwarding (L2F)/Layer Two Tunnel Protocol (L2TP) - port 1701
IP SLA Responder - port 1967
Media Gateway Control Protocol (MGCP) - port 2427
II. Problem Description
A logic error in the BIND code causes the BIND daemon to accept bogus
data, which could cause the daemon to crash.
resolver. Provided that the network between both resolvers is trusted,
this protects the BIND 8 resolver from cache poisoning attacks (to the
same degree that the BIND 9 resolver is protected).
This problem does not apply to BIND 8 when used exclusively as an
authoritative DNS server. It is theoretically possible to safely use
BIND 8 in this way, but updating to BIND 9 is strongly recommended.
BIND 8 (that is, the bind package) will be removed from the etch
distribution in a future point release.
3. Stop the DNS server:
If named is normally started and stopped during system reboot, use this command:
/sbin/init.d/named stop
If rndc is in use, from the managing server issue this command: