cache poisoning
may lead to disclosure and manipulation of cookies and web pages, disclosure
of NTLM credentials and clipboard data of the logged-on user, and even
firewall bypass.
2. A vulnerability in multiuser Windows environments which enables local DNS
cache poisoning of arbitrary domains. This vulnerability can be triggered
by a normal user (i.e. one with non-administrative rights) in order to
attack other users of the system. A successful exploitation of this
vulnerability may lead to information disclosure, privilege escalation,
universal XSS and more.
external researcher, Dr. Richard Clayton of the Computer Laboratory,
Cambridge University, found that various OpenID Providers (OPs) had
TLS Server Certificates that used weak keys, as a result of the Debian
Predictable Random Number Generator (CVE-2008-0166).
In combination with the DNS Cache Poisoning issue (CVE-2008-1447) and
the fact that almost all SSL/TLS implementations do not consult CRLs
(currently an untracked issue), this means that it is impossible to
rely on these OPs.
Attack Description
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: PowerDNS Recursor: DNS Cache Poisoning
Date: April 18, 2008
Updated: August 21, 2008
Bugs: #215567, #231335
ID: 200804-22:03
http://www.debian.org/security/ Florian Weimer
December 23, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : bind9
Vulnerability : DNS cache poisoning
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-4022
CERT advisory : VU#418861
http://www.debian.org/security/ Florian Weimer
July 08, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : glibc
Vulnerability : DNS cache poisoning
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-1447
CERT advisory : VU#800113
Synopsis
========
The ISC BIND random number generator uses a weak algorithm, making it
easier to guess the next query ID and perform a DNS cache poisoning
attack.
Background
==========
DNS transaction ID (OpenBSD ported BIND 9 into their code tree,
but rolled their own PRNG for the DNS transaction ID field). I
discovered a serious weakness in OpenBSD's PRNG, which allows an
attacker to predict the next transaction ID (typically up to 8-10
guesses) given a series of consecutive 12-15 transaction IDs. As
you may appreciate, this enables DNS cache poisoning for OpenBSD
much like my earlier attacks on BIND 9, BIND 8 and Microsoft
Windows DNS server.
Interestingly enough, OpenBSD uses a flavor of this PRNG for
another field, this time the IP fragmentation ID, part of the
The paper
(http://www.trusteer.com/docs/OpenBSD_DNS_Cache_Poisoning_and_Multiple_OS_Predictable_IP_ID_Vulnerability.pdf)
describes how to predict IP ID of various (BSD style) operating systems.
This can be used for "blind TCP data injection". The latter term is a
technique described by Michal Zalewski, and the paper references 2
BugTraq submissions by Zalewski that nicely explain this concept. These
are (from the paper):
[27] “A new TCP/IP blind data injection technique?” (BugTraq mailing
CVE Id(s) : CVE-2008-1447
Debian Bug : 490271
In DSA-1603-1, Debian released an update to the BIND 9 domain name
server, which introduced UDP source port randomization to mitigate
the threat of DNS cache poisoning attacks (identified by the Common
Vulnerabilities and Exposures project as CVE-2008-1447). The fix,
while correct, was incompatible with the version of SELinux Reference
Policy shipped with Debian Etch, which did not permit a process
running in the named_t domain to bind sockets to UDP ports other than
the standard 'domain' port (53). The incompatibility affects both
Synopsis
========
Multiple vulnerabilities have been discovered in the Net::DNS Perl
module, allowing for a Denial of Service and a cache poisoning attack.
Background
==========
Net::DNS is a Perl implementation of a DNS resolver.
=============================================================================
FreeBSD-SA-08:06.bind Security Advisory
The FreeBSD Project
Topic: DNS cache poisoning
Category: contrib
Module: bind
Announced: 2008-07-13
Credits: Dan Kaminsky
* The IPv4, IPv6 and TCP/UDP protocol implementations rely on a quality
random number generator to produce unpredictable IP packet identifiers,
initial TCP sequence numbers and outgoing port numbers. During the
first 300 seconds after booting, it may be easier for an attacker to
execute IP session hijacking, OS fingerprinting, idle scanning, or in
some cases DNS cache poisoning and blind TCP data injection attacks.
* The kernel RPC code uses arc4random(9) to retrieve transaction
identifiers, which might make RPC clients vulnerable to hijacking
attacks.
===============/========================================================
Exploit ID: CAU-EX-2008-0002
Release Date: 2008.07.23
Title: bailiwicked_host.rb
Description: Kaminsky DNS Cache Poisoning Flaw Exploit
Tested: BIND 9.4.1-9.4.2
Attributes: Remote, Poison, Resolver, Metasploit
Exploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0002.txt
Author/Email: I)ruid <druid (@) caughq.org>
H D Moore <hdm (@) metasploit.com>
Hello BugTraq
Once again, a DNS cache poisoning against a popular DNS cache
server. This time, it's PowerDNS (the third most popular DNS
server, servicing over 40 million users). The vendor coded
several impressive security measures against DNS spoofing (e.g.
UDP source port randomization and spoofed response detection),
but relied on the standard C randomization facility (the rand()
and srand() functions in <stdlib.h>). The two popular stdlib
implementations analyzed, glibc (used with GNU C++ for Linux/
instead of throwing an exception in certain circumstances, which
might allow context-dependent attackers to bypass the intended
security policy by creating instances of ClassLoader.
CVE-2010-4448
Malicious applets can perform DNS cache poisoning.
CVE-2010-4450
An empty (but set) LD_LIBRARY_PATH environment variable results in
a misconstructed library search path, resulting in code execution
from possibly untrusted sources.
Some vulnerabilities were discovered and corrected in bind:
Unspecified vulnerability in ISC BIND 9.4 before 9.4.3-P4, 9.5
before 9.5.2-P1, 9.6 before 9.6.1-P2, 9.7 beta before 9.7.0b3,
and 9.0.x through 9.3.x with DNSSEC validation enabled and checking
disabled (CD), allows remote attackers to conduct DNS cache poisoning
attacks via additional sections in a response sent for resolution
of a recursive client query, which is not properly handled when the
response is processed at the same time as requesting DNSSEC records
(DO). (CVE-2009-4022).
http://www.debian.org/security/ Florian Weimer
January 28, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : pdns-recursor
Vulnerability : DNS cache poisoning
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-4010
It was discovered that pdns-recursor, the PowerDNS recursive name server,
5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote
untrusted Java Web Start applications and untrusted Java applets to
affect integrity via unknown vectors related to Networking. NOTE: the
previous information was obtained from the February 2011 CPU. Oracle
has not commented on claims from a downstream vendor that this issue
involves DNS cache poisoning by untrusted applets. (CVE-2010-4448)
Unspecified vulnerability in the Java Runtime Environment (JRE)
in Oracle Java SE and Java for Business 6 Update 23 and earlier for
Solaris and Linux; 5.0 Update 27 and earlier for Solaris and Linux;
and 1.4.2_29 and earlier for Solaris and Linux allows local standalone
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2010-0097 to this issue.
A vulnerability was discovered which could allow remote attackers
to conduct DNS cache poisoning attacks by receiving a recursive
client query and sending a response that contains CNAME or DNAME
records, which do not have the intended validation before caching.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2010-0290 to this issue.
requests to slave DNS servers, named(8) uses a predictable query id.
III. Impact
An attacker who can see the query id for some request(s) sent by named(8)
is likely to be able to perform DNS cache poisoning by predicting the
query id for other request(s).
IV. Workaround
No workaround is available.
In light of the new DNS cache poisoning issue and now that everyone has had
plenty of time to apply patches, I've decided to release a new version of my
nameserver security scanner called porkbind. It is a multi-threaded nameserver
scanner that can recursively query nameservers of subdomains for version
strings. (i.e. sub.host.dom's nameservers then host.dom's nameservers)
After acquiring the version strings it tests them against version numbers
from CERT advisories and reports back to the user. Zone transfer
capability is also tested for. It is available for download at:
http://innu.org/~super/tools/porkbind-1.2.tar.gz
--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<--
HTTP Response Splitting can be used to trigger a number of different
vectors, ranging from automatic Reflected XSS to Browser and Proxy
Cache Poisoning.
IV. DETECTION
FormMail 1.92 and possibly earlier versions are vulnerable.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: pdnsd: Denial of Service and cache poisoning
Date: January 11, 2009
Bugs: #231285
ID: 200901-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
While this control is marked as safe for scripting, the control has been
designed so that it can only be run from the "symantec.com" domain. In
practice this requirement can be bypassed through the use of any Cross
Site Scripting (XSS) vulnerabilities in the Symantec domain.
Exploitation could also occur through the use of DNS poisoning attacks.
IV. DETECTION
iDefense confirmed that this vulnerability exists in version 2.7.0.1 of
the control that is installed with the 2008 version of Norton Internet
Synopsis
========
Two vulnerabilities have been discovered in PowerDNS, possibly leading
to a Denial of Service and easing cache poisoning attacks.
Background
==========
The PowerDNS Nameserver is an authoritative-only nameserver which uses
5. Once an attacker has access to a modem (through telnet and/or a firmware update), he/she can launch the following attacks and/or more:
* use MITM attacks to capture encrypted data, including passwords, credit-card numbers and other confidential data
* inject malicious content into the network stream which can hijack the user's system [viruses, trojans, malware, bots]
* sniff, tap and monitor the network user and his/her actions online
* redirect user's traffic and subject the user to SPAM, Ads, or use DNS poisoning in inventive ways
* generate network traffic to launch DDoS attacks - effectively hijacking the user's internet connection and making them zombie bots
* redirect nefarious network activities through hijacked modems to make it difficult/impossible to track the attack source/origin, and carry out illegal activities. In such cases, the blame might go to an innocent Airtel subscriber as his/her IP would apparently be the source of the illegal activity.
There is no limit to the creativity of attackers once a vulnerability is available, so these are just my guesses. There may be other attacks
possible. I believe the ones I have listed are bad enough.
SUBJECT: Microsoft SWI blog inaccuracies
Hello BugTraq
As you know, 3 weeks ago I published my paper, "Microsoft
Windows DNS Stub Resolver Cache Poisoning"
(http://www.trusteer.com/docs/Microsoft_Windows_resolver_DNS_cache_poisoning.pdf),
simultaneously with Microsoft's release of MS08-020
(http://www.microsoft.com/technet/security/Bulletin/MS08-020.mspx).
A day later, Microsoft's Secure Windows