
caching

Re: nginx internal DNS cache poisoning

Hello!

On Wed, Sep 16, 2009 at 04:15:14PM -0700, Matthew Dempsky wrote:

> nginx maintains an internal DNS cache for resolved domain names.
> However, when searching the cache, nginx only checks that the crc32 of
> the names match and that the shorter name is a prefix of the longer
> name.  It does not check that the names are equal in length.

Looks like a bug, thanks.

[ GLSA 201006-11 ] BIND: Multiple vulnerabilities

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Several cache poisoning vulnerabilities have been found in BIND.

Background
==========

ISC BIND is the Internet Systems Consortium implementation of the

[security bulletin] HPSBMP02404 SSRT090014 rev.1 - MPE/iX Running BIND/iX, Remote DNS Cache Poisoning

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01660723
Version: 1

HPSBMP02404 SSRT090014 rev.1 - MPE/iX Running BIND/iX, Remote DNS Cache Poisoning

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2009-01-28
Last Updated: 2009-01-28

[security bulletin] HPSBUX02251 SSRT071449 rev.3 - HP-UX Running BIND, Remote DNS Cache Poisoning

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01123426
Version: 3

HPSBUX02251 SSRT071449 rev.3 - HP-UX Running BIND, Remote DNS Cache Poisoning

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2007-08-01
Last Updated: 2007-11-26

[security bulletin] HPSBUX02351 SSRT080058 rev.3 - HP-UX Running BIND, Remote DNS Cache Poisoning

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01506861
Version: 3

HPSBUX02351 SSRT080058 rev.3 - HP-UX Running BIND, Remote DNS Cache Poisoning

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2008-07-16
Last Updated: 2008-08-06

[security bulletin] HPSBUX02251 SSRT071449 rev.2 - HP-UX Running BIND, Remote DNS Cache Poisoning

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01123426
Version: 2

HPSBUX02251 SSRT071449 rev.2 - HP-UX Running BIND, Remote DNS Cache Poisoning

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2007-08-01
Last Updated: 2007-09-10

Update+Errata: Re: A paper by Amit Klein (Trusteer): "OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability"

Update+Errata for "OpenBSD DNS Cache Poisoning and Multiple O/S
Predictable IP ID Vulnerability"
(http://www.trusteer.com/docs/OpenBSD_DNS_Cache_Poisoning_and_Multiple_OS_Predictable_IP_ID_Vulnerability.pdf)

Update
******

OpenBSD

[security bulletin] HPSBUX02289 SSRT071461 rev.1 - HP-UX Running BIND 8, Remote DNS Cache Poisoning

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01283837
Version: 1

HPSBUX02289 SSRT071461 rev.1 - HP-UX Running BIND 8, Remote DNS Cache Poisoning

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2007-11-19
Last Updated: 2007-11-19

Re: [OpenID] OpenID/Debian PRNG/DNS Cache poisoning advisory

> external researcher, Dr. Richard Clayton of the Computer Laboratory,
> Cambridge University, found that various OpenID Providers (OPs) had
> TLS Server Certificates that used weak keys, as a result of the Debian
> Predictable Random Number Generator (CVE-2008-0166).
>
> In combination with the DNS Cache Poisoning issue (CVE-2008-1447) and
> the fact that almost all SSL/TLS implementations do not consult CRLs
> (currently an untracked issue), this means that it is impossible to
> rely on these OPs.
>
> Attack Description

nginx internal DNS cache poisoning

nginx maintains an internal DNS cache for resolved domain names.
However, when searching the cache, nginx only checks that the crc32 of
the names match and that the shorter name is a prefix of the longer
name.  It does not check that the names are equal in length.

One way to exploit this is if nginx is configured as a forward proxy.
This is an atypical use case, but it has been discussed on the nginx
mailing list before[1].

For example, using this nginx.conf:

OpenID/Debian PRNG/DNS Cache poisoning advisory

external researcher, Dr. Richard Clayton of the Computer Laboratory,
Cambridge University, found that various OpenID Providers (OPs) had
TLS Server Certificates that used weak keys, as a result of the Debian
Predictable Random Number Generator (CVE-2008-0166).

In combination with the DNS Cache Poisoning issue (CVE-2008-1447) and
the fact that almost all SSL/TLS implementations do not consult CRLs
(currently an untracked issue), this means that it is impossible to
rely on these OPs.

Attack Description

CVE-2010-3014: Coda Filesystem Kernel Memory Disclosure

Product Background
- ------------------
Coda is implemented as a kernel filesystem module with userland components.
System calls involving file I/O are passed to the Coda kernel module, which in
turn passes the request to the userland Venus cache manager via a character
device.  Venus answers the request by checking its cache or requesting content
from the Coda server.  Coda implements most standard filesystem operations,
including providing an ioctl interface.

[SECURITY] [DSA 1603-1] New bind9 packages fix cache poisoning

http://www.debian.org/security/                           Florian Weimer
July 08, 2008                         http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : bind9
Vulnerability  : DNS cache poisoning
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2008-1447
CERT advisory  : VU#800113


Re: RSA Key Manager SQL injection Vulnerability ( CVE-2010-1904 )

What is the issue?

This message is in response to the original message posted on June 3, 2010 addressing a SQL Injection vulnerability in the RSA Key Manager C Client version 1.5.  The original message referenced CVE-2010-1904.

A vulnerability has been identified in the RSA Key Manager (RKM) C client 1.5 that may expose the product to a SQL Injection attack. An attacker having access to encrypted data may be able to leverage this vulnerability in an attempt to alter the RKM C Client 1.5 cache.

Affected Products:
RKM C Client versions 1.5.x.x, all platforms (Windows, Linux, Solaris, HP-UX, etc).

Unaffected Products:

DNS Multiple Race Exploiting Tool

01 Introduction
---------------
DNS Multiple Race Exploiting Tool exploits an inherent bug in the implementation
of DNS Cache. The result of this exploitation is cache poisoning/overwriting with
new entries. The exploitation happens by querying a DNS server, that either
supports recursion or is configured with forwarders, for non-existent hostnames
for a target domain. Along with the queries are fake reply/replies with

[security bulletin] HPSBUX02351 SSRT080058 rev.2 - HP-UX Running BIND, Remote DNS Cache Poisoning

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01506861
Version: 2

HPSBUX02351 SSRT080058 rev.2 - HP-UX Running BIND, Remote DNS Cache Poisoning

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2008-07-16
Last Updated: 2008-07-19

[ GLSA 200807-08 ] BIND: Cache poisoning

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                             http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   Severity: High
      Title: BIND: Cache poisoning
       Date: July 11, 2008
       Bugs: #231201
         ID: 200807-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Re: Cross-Site History Manipulation (XSHM)

1) "Login Detection" - if the site redirects to a login page when
/myaccount is requested, we know the user is not logged in. Unless I
am mistaken, the same information can be collected through a number of
well-known vectors: image or script onload / onerror events, including
remote CSS or scripts and testing for side effects, page unload
timing, cache timing, CSS :visited, probing frames.length and other
publicly visible global properties, etc.

All of them are well-known (see "Resource inclusion probes" in BSH),
and AFAICT, do not pose any appreciable security risk. They are a
privacy nuisance, but completely dwarfed in comparison with other

Two Remote Code Execution Vulnerabilities in Internet Explorer

II. THE BUG

In Internet Explorer, the implementation of Select HTML element
contains an array of pointers to the Option elements the Select
element contains. This array is called the Option cache. Normally,
whenever an Option element inside a Select element is accessed via
JavaScript, Option cache is rebuilt, thus ensuring its consistency.
However, there are some JavaScript methods that can be used to delete
and modify the Option elements contained inside the Select element
without rebuilding the Option cache. In combination, these methods

Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

>>bounces@lists.grok.org.uk] On Behalf Of George Carlson
>>Sent: Friday, December 10, 2010 10:12 AM
>>To: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
>>Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows
>>Local Workstation Admins to Temporarily Escalate Privileges and Login as
>>Cached Domain Admin Accounts (2010-M$-002)
>>
>>Your objections are mostly true in a normal sense.  However, it is not true
>>when Group Policy is taken into account.  Group Policies differentiate
>>between local and Domain administrators and so this vulnerability is
>>problematic for shops that differentiate between desktop support and AD

[security bulletin] HPSBOV02261 SSRT071449 rev.1 - HP OpenVMS running BIND, Remote DNS Cache Poisoning

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01174368
Version: 1

HPSBOV02261 SSRT071449 rev.1 - HP OpenVMS running BIND, Remote DNS Cache Poisoning

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2007-09-19
Last Updated: 2007-09-19

ESA-2011-001: RSA, The Security Division of EMC, addresses RKM 1.5 C Client SQL Injection Vulnerability

Updated January 13, 2011

Summary:

The vulnerability that was identified in the RSA Key Manager (RKM) C client 1.5 which may expose the product to SQL Injection attack has been addressed. An attacker having access to encrypted data could have leveraged this vulnerability to alter the RKM C Client 1.5 cache.

Platforms:

RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

In whose universe?   Did you even read the post?  Local admins become LOCAL ADMINS by using a cached domain account who is a LOCAL ADMIN. You have to do it with the network cable unplugged.   There is no privilege escalation here. 

StenoPlasma's intent was to educate people on how things worked, and while there isn't a security issue here, he was completely correct in that you guys really need to learn what you are talking about.  

t

>-----Original Message-----
>From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-
>bounces@lists.grok.org.uk] On Behalf Of jcoyle@winwholesale.com
>Sent: Friday, December 10, 2010 11:45 AM

RE: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows Local Workstation Admins to Temporarily Escalate Privileges and Login as Cached Domain Admin Accounts (2010-M$-002)

>bounces@lists.grok.org.uk] On Behalf Of George Carlson
>Sent: Friday, December 10, 2010 10:12 AM
>To: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
>Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows
>Local Workstation Admins to Temporarily Escalate Privileges and Login as
>Cached Domain Admin Accounts (2010-M$-002)
>
>Your objections are mostly true in a normal sense.  However, it is not true
>when Group Policy is taken into account.  Group Policies differentiate
>between local and Domain administrators and so this vulnerability is
>problematic for shops that differentiate between desktop support and AD

[security bulletin] HPSBOV02357 SSRT080058 rev.1 - HP OpenVMS TCP/IP Services running BIND, Remote DNS Cache Poisoning

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01523520
Version: 1

HPSBOV02357 SSRT080058 rev.1 - HP OpenVMS TCP/IP Services running BIND, Remote DNS Cache Poisoning

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2008-08-13
Last Updated: 2008-08-13

[security bulletin] HPSBUX02351 SSRT080058 rev.1 - HP-UX Running BIND, Remote DNS Cache Poisoning

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01506861
Version: 1

HPSBUX02351 SSRT080058 rev.1 - HP-UX Running BIND, Remote DNS Cache Poisoning

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2008-07-16
Last Updated: 2008-07-16

[security bulletin] HPSBUX02351 SSRT080058 rev.5 - HP-UX Running BIND, Remote DNS Cache Poisoning

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01506861
Version: 5

HPSBUX02351 SSRT080058 rev.5 - HP-UX Running BIND, Remote DNS Cache Poisoning

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2008-07-16
Last Updated: 2010-10-12

[SECURITY] [DSA 2054-2] New bind9 packages fix cache poisoning

http://www.debian.org/security/                             Martin Schulze
June 15th, 2010                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : bind9
Vulnerability  : DNS cache poisoning
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2010-0097 CVE-2010-0290 CVE-2010-0382

This update restores the PID file location for bind to the location

[SECURITY] [DSA 2054-1] New bind9 packages fix cache poisoning

http://www.debian.org/security/                           Florian Weimer
June 04, 2010                         http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : bind9
Vulnerability  : DNS cache poisoning
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2010-0097 CVE-2010-0290 CVE-2010-0382

Several cache-poisoning vulnerabilities have been discovered in BIND.

Paper by Amit Klein (Trusteer): "PowerDNS Recursor DNS Cache Poisoning [pharming]"

Hello BugTraq

Once again, a DNS cache poisoning against a popular DNS cache
server. This time, it's PowerDNS (the third most popular DNS
server, servicing over 40 million users). The vendor coded
several impressive security measures against DNS spoofing (e.g.
UDP source port randomization and spoofed response detection),
but relied on the standard C randomization facility (the rand()
and srand() functions in <stdlib.h>). The two popular stdlib
implementations analyzed, glibc (used with GNU C++ for Linux/
