DNS server
> 'Name' => 'DNS BailiWicked Host Attack',
> 'Description' => %q{
> This exploit attacks a fairly ubiquitous flaw in DNS implementations which
> Dan Kaminsky found and disclosed ~Jul 2008. This exploit caches a single
> malicious host entry into the target nameserver by sending random sub-domain
> queries to the target DNS server coupled with spoofed replies to those
> queries from the authoritative nameservers for the domain which contain a
> malicious host entry for the hostname to be poisoned in the authority and
> additional records sections. Eventually, a guessed ID will match and the
> spoofed packet will get accepted, and due to the additional hostname entry
> being within bailiwick constraints of the original request the malicious host
Severity: Medium
References: Microsoft Security Bulletin MS07-062, CVE-2007-3898
2) Vulnerability Description
Microsoft DNS server generates predictable DNS transaction IDs. If the
server is configured to allow recursive queries it is possible to insert
fake records in the DNS cache (DNS cache poisoning) by guessing the next
transaction ID that the server will use and sending a spoofed DNS reply
to the server. To observe the transaction IDs an attacker needs to
control a DNS server that is authoritative for some domain and to be
due to their use of insufficiently randomized DNS transaction IDs and
UDP source ports in the DNS queries that they produce, which may allow
an attacker to more easily forge DNS answers that can poison DNS caches.
To exploit this vulnerability an attacker must be able to cause a
vulnerable DNS server to perform recursive DNS queries. Therefore, DNS
servers that are only authoritative, or servers where recursion is not
allowed, are not affected.
Cisco has released free software updates that address this vulnerability.
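The snippets above describe one race from both sides: the resolver accepts whichever reply first matches its outstanding query (name, 16-bit transaction ID and, after the 2008 fixes, UDP source port), and the bailiwick rule decides which records from an accepted reply may enter the cache. As an added illustration, not code from the Metasploit module or the Cisco advisory quoted above, the Python below models that race with a deliberately minimal resolver. The domain example.com, the address 198.51.100.66, the spoof rate and the resolver semantics (one outstanding query per name, no TTLs, no NS/glue processing) are constructed assumptions.

```python
import random

TXID_SPACE = 1 << 16            # 16-bit DNS transaction ID field
PORT_SPACE = (1 << 16) - 1024   # ephemeral source ports 1024..65535


def in_bailiwick(record_name: str, zone: str) -> bool:
    """Bailiwick rule: a record may be cached from this reply only if its
    owner name is the zone the query was about, or a name below it."""
    r = record_name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return r == z or r.endswith("." + z)


class ToyResolver:
    """Minimal stand-in for a recursive resolver (assumption: one outstanding
    query per name; a reply is accepted only when qname, txid and destination
    port all match that query)."""

    def __init__(self, randomize_port: bool, rng: random.Random):
        self.rng = rng
        self.randomize_port = randomize_port
        self.cache = {}        # owner name -> (rtype, rdata)
        self.outstanding = {}  # qname -> (txid, src_port)

    def send_query(self, qname: str) -> None:
        txid = self.rng.randrange(TXID_SPACE)
        port = 1024 + self.rng.randrange(PORT_SPACE) if self.randomize_port else 53
        self.outstanding[qname] = (txid, port)

    def receive(self, qname: str, txid: int, port: int, zone: str, records) -> bool:
        """Accept the reply if it matches an outstanding query; cache only its
        in-bailiwick records. Returns True when the reply was accepted."""
        if self.outstanding.get(qname) != (txid, port):
            return False
        for name, rtype, rdata in records:
            if in_bailiwick(name, zone):
                self.cache[name] = (rtype, rdata)
        del self.outstanding[qname]
        return True


def simulate_attack(randomize_port: bool, spoofs_per_query: int,
                    max_queries: int, seed: int = 1):
    """Blind-spoofing race: each round the attacker makes the resolver look up
    a fresh random subdomain, fires spoofs_per_query forged replies guessing
    txid (and source port), then the legitimate answer arrives and the round
    ends. The random subdomain is never the target name, so a lost round does
    not cache anything that blocks the next attempt. Returns (forged replies
    sent until one was accepted, or None; resolver cache)."""
    resolver = ToyResolver(randomize_port, random.Random(seed))
    attacker = random.Random(seed + 1)      # attacker's guesses are independent
    zone = "example.com."
    # constructed poison payload: one in-bailiwick record (cached on success)
    # and one out-of-bailiwick record (dropped even on success)
    poison = [("www.example.com.", "A", "198.51.100.66"),
              ("www.bank.example.", "A", "198.51.100.66")]
    sent = 0
    for _ in range(max_queries):
        qname = f"{attacker.randrange(1 << 32):08x}.example.com."
        resolver.send_query(qname)
        for _ in range(spoofs_per_query):
            txid = attacker.randrange(TXID_SPACE)
            port = 1024 + attacker.randrange(PORT_SPACE) if randomize_port else 53
            sent += 1
            if resolver.receive(qname, txid, port, zone, poison):
                return sent, dict(resolver.cache)
        resolver.outstanding.pop(qname, None)   # legitimate answer won the race
    return None, dict(resolver.cache)


def expected_spoofs(randomize_port: bool) -> int:
    """Mean number of forged replies before one guess matches, treating each
    forged reply as an independent trial with success probability 1/space."""
    return TXID_SPACE * (PORT_SPACE if randomize_port else 1)


if __name__ == "__main__":
    print("expected forged replies, txid only:  ", expected_spoofs(False))
    print("expected forged replies, txid + port:", expected_spoofs(True))
    sent, cache = simulate_attack(False, spoofs_per_query=100, max_queries=10_000)
    print("txid-only resolver poisoned after", sent, "forged replies:", cache)
```

With only the transaction ID randomized a guess lands after roughly 65536 forged replies on average; randomizing the source port as well multiplies the space by the number of usable ports, which is why the simulation is only run to completion for the weak configuration. The out-of-bailiwick record in the payload never reaches the cache even on a winning round, which is the constraint the module's name refers to.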
It is possible to overflow a buffer on the stack in the suid program mtr. A remote attack
is possible too. The bug is in the function which prints the result of running the program with the
'split' (-p) parameter. The victim must use a DNS server which we control, or we can try to exploit this
vulnerability with a spoofing technique. For remote exploitation we must
know which IP the user gave to the program, or he must simply run the program with an
IP address as argument whose reverse record we control on the DNS server.
Look for this code:
"split.c"
#define MAX_LINE_SIZE 256
After 6 months - fix available for Microsoft DNS cache poisoning
attack
In April this year I discovered a new vulnerability that enables
DNS cache poisoning attack against the Windows DNS server. Today
(November 13th, 2007) - six and a half months after being informed
- Microsoft released a fix for this vulnerability. As the fix is
now publicly available, I can finally share my research finding
with you.
BIND 8 EOL and BIND 8 DNS Cache Poisoning
Note: this is a different attack from BIND 9 DNS cache poisoning.
I discovered a new weakness in BIND 8 DNS server which enables "DNS
Forgery Pharming". An attacker can remotely poison the cache of any
BIND 8 caching DNS server and force users who use this DNS server to
reach fraudulent websites each time they try to access real websites.
BIND 8 is still a very popular DNS server nowadays, so this attack
applies to a big part of Internet users.
---------------
DNS Multiple Race Exploiting Tool exploits an inherent bug in the
implementation of DNS cache. The result of this exploitation is cache
poisoning/overwriting with new entries. The exploitation happens by
querying a DNS server, that either supports recursion or is configured
with forwarders, for non-existent hostnames for a target domain. Along
with the queries are fake reply/replies with static Transaction ID(s).
Every query will generate another query from the DNS
mailing list when the binaries are available via freebsd-update.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.
Dynamic update messages may be used to update records in a master zone
on a nameserver.
II. Problem Description
to a Denial of Service and easing cache poisoning attacks.
Background
==========
The PowerDNS Nameserver is an authoritative-only nameserver which uses
a flexible backend architecture.
Affected packages
=================
vulnerability in the BIND software used for Domain Name
resolution (DNS). VMware doesn't install all the BIND packages
on ESX Server and is not vulnerable by default to the reported
vulnerability. Of the BIND packages, VMware only ships bind-util
and bind-lib in the service console and these components by
themselves cannot be used to set up a DNS server. Bind-lib and
bind-util are used in client DNS applications like nsupdate,
nslookup, etc.
VMware explicitly discourages installing applications like BIND
on the service console. In case the customer has installed BIND,
DNSSEC does not need to be enabled on the resolver for it to be
vulnerable.
IV. Workaround
No workaround is available, but systems not running the BIND DNS server
or using it exclusively as an authoritative name server (i.e., not as a
caching resolver) are not vulnerable.
V. Solution
Hello BugTraq,
The Microsoft Windows DNS stub resolver (the component in Windows
that queries the upstream DNS server for address resolutions on
behalf of most Windows programs, e.g. browsers) sends predictable
DNS queries with respect to DNS transaction ID and source UDP
port. This allows some interesting attacks on DNS clients (i.e.
desktops), including DNS cache poisoning of the client's local
DNS cache (which is maintained by the stub resolver).
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server. DNS requests
contain a query id which is used to match a DNS request with the response
and to make it harder for anybody but the DNS server which received the
request to send a valid response.
II. Problem Description
The BIND DNS implementation does not randomize the UDP source port when
OpenBSD
=======
Apparently the OpenBSD team changed their mind (again...) and have
now incorporated a fix for the DNS server transaction ID
predictability, and the IP ID predictability, in the OpenBSD 4.3
branch. The solution in both cases resembles that of DragonFlyBSD
and NetBSD.
It seems that OpenBSD does not plan to address the DNS resolver
transaction ID predictability though.
Imagine running your favourite vulnerability scanner against a target
site, while using the victim user's router as a proxy - sweet!
There are other UPnP functionalities besides port forwarding rules
that look potentially interesting from a hacking point of view. For
instance, SetDNSServer [6] allows you to guess what, set the gateway's
DNS server. Imagine someone changing your router's DNS server setting
by simply visiting a webpage. After that you visit
yourfavoritebank.com and guess what, you're actually visiting a
malicious server that is harvesting all your banking login details!
I'll leave the exercise of writing a remote UPnP exploit that changes
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server. DNS requests
contain a query id which is used to match a DNS request with the response
and to make it harder for anybody but the DNS server which received the
request to send a valid response.
II. Problem Description
When named(8) is operating as a recursive DNS server or sending NOTIFY
A vulnerability exists in the GSS when processing a specific sequence
of DNS requests. An exploit of the vulnerability may result in a
crash of the DNS service on the GSS.
When the DNS server crashes, an error message will appear in the logs
similar to the following example:
Dec 18 04:47:21 gss NMR-6-LAUNCHSVR_EXIT[27261] dnsserver' has exited [ExitUnknown(139)]"
This vulnerability is documented in Cisco Bug ID: CSCsj70093
In light of the new DNS cache poisoning issue and now that everyone has had
plenty of time to apply patches, I've decided to release a new version of my
nameserver security scanner called porkbind. It is a multi-threaded nameserver
scanner that can recursively query nameservers of subdomains for version
strings. (i.e. sub.host.dom's nameservers then host.dom's nameservers)
After acquiring the version strings it tests them against version numbers
from CERT advisories and reports back to the user. Zone transfer
capability is also tested for. It is available for download at:
http://innu.org/~super/tools/porkbind-1.2.tar.gz
Hello, I'd like to document what appears to be a common named
misconfiguration that can result in a minor security issue with web
applications.
It's a common and sensible practice to install records of the form
"localhost. IN A 127.0.0.1" into nameserver configurations, bizarrely
however, administrators often mistakenly drop the trailing dot,
introducing an interesting variation of Cross-Site Scripting (XSS) I
call Same-Site Scripting. The missing dot indicates that the record is
not fully qualified, and thus queries of the form
"localhost.example.com" are resolved. While superficially this may
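To make the misconfiguration above checkable, here is an added example (not part of the original post) that reads a small zone file, applies the $ORIGIN rule to each owner name exactly as the missing dot causes named to, and reports any name whose first label is localhost, other than the absolute name localhost., that points at a loopback address. The two sample zones are constructed; the parser only handles the single-line record syntax they use.

```python
import ipaddress

# Constructed sample zone (not from the original post). The 'localhost'
# lines are the misconfiguration described above: no trailing dot, so the
# owner becomes localhost.example.com.
EXAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@           IN SOA  ns1 hostmaster 2008010101 7200 900 1209600 3600
            IN NS   ns1
ns1         IN A    192.0.2.1
www         IN A    192.0.2.10
localhost   IN A    127.0.0.1   ; bug: relative name -> localhost.example.com.
localhost   IN AAAA ::1         ; same bug for IPv6
"""

# The sensible form: a dedicated zone whose apex is the absolute name localhost.
LOCALHOST_ZONE = """\
$ORIGIN localhost.
$TTL 3600
@   IN SOA  localhost. hostmaster.localhost. 1 7200 900 1209600 3600
    IN NS   localhost.
    IN A    127.0.0.1
    IN AAAA ::1
"""


def qualify(name: str, origin: str) -> str:
    """BIND's rule: '@' is the origin; a name without a trailing dot is
    relative to $ORIGIN and gets it appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, origin: str):
    """Small zone-file reader: $ORIGIN, '@', blank-owner continuation lines,
    optional TTL and class, ';' comments. Multi-line '(...)' records are not
    handled. Returns a list of (owner_fqdn, rtype, rdata)."""
    records = []
    owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):          # $TTL and friends
            continue
        fields = line.split()
        if not line[0].isspace():         # an owner name is present
            owner = qualify(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                 # skip optional TTL / class
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        records.append((owner, rtype, rdata))
    return records


def find_same_site_localhost(records):
    """Flag address records that make localhost.<something> resolve to a
    loopback address. The absolute name 'localhost.' itself is fine."""
    findings = []
    for owner, rtype, rdata in records:
        if rtype not in ("A", "AAAA") or owner.lower() == "localhost.":
            continue
        if owner.lower().split(".")[0] != "localhost":
            continue
        try:
            loopback = ipaddress.ip_address(rdata).is_loopback
        except ValueError:
            continue
        if loopback:
            findings.append((owner, rtype, rdata))
    return findings


if __name__ == "__main__":
    for origin, text in (("example.com.", EXAMPLE_ZONE), ("localhost.", LOCALHOST_ZONE)):
        for owner, rtype, rdata in find_same_site_localhost(parse_zone(text, origin)):
            print(f"same-site localhost: {owner} {rtype} {rdata}")
```

The check keys on the owner name after qualification rather than on the text of the zone file, so it also catches the case where the record is correct in one file and copied without the dot into another.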
g. Updated Service Console package bind
Service Console package bind updated to version 9.3.6-4.P1.el5
The Berkeley Internet Name Domain (BIND) is an implementation of the
Domain Name System (DNS) protocols. BIND includes a DNS server
(named); a resolver library (routines for applications to use when
interfacing with DNS); and tools for verifying that the DNS server
is operating correctly.
A flaw was found in the way BIND handles dynamic update message
cache-poisoning attack due to a weakness in the DNS protocol.
This update improves bind's resilience to this attack; however,
it does not provide a definitive solution.
Additionally, the bind package has been updated with root
nameserver information, including the new IP address for
the "L" root nameserver.
http://wiki.rpath.com/Advisories:rPSA-2008-0231
Copyright 2008 rPath, Inc.
MS10-024 provides the following question and answer:
/-----
How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by creating a
malicious DNS server that
returns a specially crafted response to an MX resource record query.
- -----/
Basic analysis of the vulnerabilities disclosed in this advisory that
were fixed but not disclosed in MS10-024 indicates that the threat of
discovered a serious weakness in OpenBSD's PRNG, which allows an
attacker to predict the next transaction ID (typically up to 8-10
guesses) given a series of consecutive 12-15 transaction IDs. As
you may appreciate, this enables DNS cache poisoning for OpenBSD
much like my earlier attacks on BIND 9, BIND 8 and Microsoft
Windows DNS server.
Interestingly enough, OpenBSD uses a flavor of this PRNG for
another field, this time the IP fragmentation ID, part of the
OpenBSD kernel network stack. The analysis carries out quite
similarly to show that OpenBSD's IP ID is predictable as well,
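The Microsoft advisory earlier on this page (guessing the next transaction ID) and the OpenBSD analysis above rest on the same observation: an attacker who runs an authoritative server for some domain sees the IDs the target uses for its queries, and if the generator is weak a short run of them fixes its state. The Python below is an added example, not the generators or the analysis from those advisories: it uses a constructed 16-bit linear congruential generator as the weak source, recovers its parameters from a handful of consecutive IDs, and predicts the next one. Run on IDs from a source that is not an LCG the fit fails, which is the behaviour a fixed resolver should show. The LCG constants and seed are arbitrary.

```python
import random

MOD = 1 << 16   # transaction IDs are 16 bits


class WeakTxidGenerator:
    """Constructed stand-in for a predictable ID source: a 16-bit linear
    congruential generator x' = (a*x + c) mod 2^16. It is not the algorithm
    of any product named on this page; it only makes the prediction concrete."""

    def __init__(self, a: int, c: int, seed: int):
        self.a, self.c, self.state = a % MOD, c % MOD, seed % MOD

    def next_id(self) -> int:
        self.state = (self.a * self.state + self.c) % MOD
        return self.state


def mersenne_ids(n: int, seed: int):
    """Comparison source: Python's Mersenne Twister (not a CSPRNG either, but
    not an LCG, so the fit below fails on it)."""
    rng = random.Random(seed)
    return [rng.randrange(MOD) for _ in range(n)]


def fit_lcg(ids):
    """Recover (a, c) from consecutive observed IDs: brute-force a over all
    65536 values, derive c from the first pair, verify against every later
    observation. Returns None when no LCG explains the sequence."""
    if len(ids) < 3:
        raise ValueError("need at least three consecutive IDs")
    x0, x1 = ids[0], ids[1]
    for a in range(MOD):
        c = (x1 - a * x0) % MOD
        if all((a * ids[i] + c) % MOD == ids[i + 1] for i in range(1, len(ids) - 1)):
            return a, c
    return None


def predict_next(ids):
    """Next ID the generator will emit, or None if it does not look like an LCG."""
    params = fit_lcg(ids)
    if params is None:
        return None
    a, c = params
    return (a * ids[-1] + c) % MOD


if __name__ == "__main__":
    weak = WeakTxidGenerator(25173, 13849, 0x1234)
    seen = [weak.next_id() for _ in range(6)]        # what a malicious auth server sees
    print("observed:", seen, "-> predicted:", predict_next(seen), "actual:", weak.next_id())
    print("Mersenne Twister IDs fit an LCG?", fit_lcg(mersenne_ids(8, 7)) is not None)
```

Three IDs already pin down a and c when the first difference is odd (it is then invertible mod 2^16); the extra observations only serve to reject false candidates, which is why a handful of consecutive IDs is enough in practice.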
Two errors in pdnsd allow for Denial of Service and cache poisoning.
Background
==========
pdnsd is a proxy DNS server with permanent caching that is designed to
cope with unreachable DNS servers.
Affected packages
=================
DNS Domain Search List
Malformed option
DNS recursive name server
option type: 23
option length: 32
DNS servers address: fec0:0:beef:f00d::feed
DNS servers address: fe80::2d42:5a6d:9472:a9fb
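The dump above shows DHCPv6 option 23 (DNS recursive name server, RFC 3646) carrying two 16-byte addresses, and a Domain Search List option (24) that the dissector flags as malformed. As an added example, not code from the advisory the dump comes from, the Python below parses those two options from a raw option list with the length checks a client needs so that one bad option is reported and skipped instead of corrupting resolver settings. The sample bytes are constructed (the two addresses are the ones in the dump); the code assumes a bare option list, i.e. the 4-byte DHCPv6 message header is not included, and enforces RFC 3646's rule that names in option 24 are not compressed.

```python
import ipaddress
import struct

OPTION_DNS_SERVERS = 23   # RFC 3646: list of 16-byte IPv6 addresses
OPTION_DOMAIN_LIST = 24   # RFC 3646: domain names in RFC 1035 label form


class MalformedOption(ValueError):
    pass


def build_option(code: int, data: bytes) -> bytes:
    """DHCPv6 option: 2-byte code, 2-byte length, data (RFC 3315 section 22.1)."""
    return struct.pack("!HH", code, len(data)) + data


def iter_options(buf: bytes):
    """Walk an option list, checking each length against the bytes that remain."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise MalformedOption(f"truncated option header at offset {pos}")
        code, length = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if len(buf) - pos < length:
            raise MalformedOption(f"option {code} claims {length} bytes, {len(buf) - pos} left")
        yield code, buf[pos:pos + length]
        pos += length


def parse_dns_servers(data: bytes):
    if len(data) % 16:
        raise MalformedOption(f"DNS server list length {len(data)} is not a multiple of 16")
    return [str(ipaddress.IPv6Address(data[i:i + 16])) for i in range(0, len(data), 16)]


def parse_domain_list(data: bytes):
    """Uncompressed RFC 1035 names: every label length must fit inside the
    option, and every name must end with a zero-length label."""
    names, labels, pos = [], [], 0
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0:
            names.append(".".join(labels) + "." if labels else ".")
            labels = []
            continue
        if n & 0xC0:
            raise MalformedOption(f"compression pointer or extended label at offset {pos - 1}")
        if pos + n > len(data):
            raise MalformedOption(f"label of {n} bytes at offset {pos - 1} overruns the option")
        try:
            labels.append(data[pos:pos + n].decode("ascii"))
        except UnicodeDecodeError:
            raise MalformedOption(f"non-ASCII label at offset {pos}")
        pos += n
    if labels:
        raise MalformedOption("domain name not terminated by a zero-length label")
    return names


def decode_dns_options(buf: bytes) -> dict:
    """Collect resolver settings from the option list. A malformed option is
    recorded and skipped rather than aborting, so one bad option cannot knock
    out the whole configuration or take the client down."""
    result = {"dns_servers": [], "search_list": [], "errors": []}
    try:
        for code, data in iter_options(buf):
            try:
                if code == OPTION_DNS_SERVERS:
                    result["dns_servers"].extend(parse_dns_servers(data))
                elif code == OPTION_DOMAIN_LIST:
                    result["search_list"].extend(parse_domain_list(data))
            except MalformedOption as exc:
                result["errors"].append(f"option {code}: {exc}")
    except MalformedOption as exc:
        result["errors"].append(str(exc))
    return result


# Constructed samples: the two addresses from the dump in a well-formed
# option 23 (length 32), a well-formed option 24, and an option 24 whose
# label length overruns the option (a "Malformed option" case).
SAMPLE_GOOD = (
    build_option(OPTION_DNS_SERVERS,
                 ipaddress.IPv6Address("fec0:0:beef:f00d::feed").packed
                 + ipaddress.IPv6Address("fe80::2d42:5a6d:9472:a9fb").packed)
    + build_option(OPTION_DOMAIN_LIST, b"\x07example\x03com\x00")
)
SAMPLE_BAD = SAMPLE_GOOD + build_option(OPTION_DOMAIN_LIST, b"\x07example\x20com\x00")

if __name__ == "__main__":
    print(decode_dns_options(SAMPLE_GOOD))
    print(decode_dns_options(SAMPLE_BAD))
```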
-----------------------------------------------------------------
(tunnel type "ipsec-ra") tunnel groups.
Warning: In addition to filtering out IKE traffic on UDP port 4500, this
workaround may also affect other protocols like DNS and SNMP that send
traffic on UDP port 4500. For example, if a DNS resolver sends traffic
from UDP port 4500 to a DNS server, the response from the DNS server
will be destined to UDP port 4500, which then may be filtered out by the
filter used in this workaround.
For a more comprehensive example of the VPN filter feature of the Cisco
ASA 5500 Series Adaptive Security Appliances, refer to the whitepaper
MD5 (named_9.3.2_11.23IA) = 22ebde858def1ebafcfaef9b98cebe28
MD5 (named_9.3.2_11.23PA) = 20c21b8fd19bc11a0020118c32172b71
MD5 (named_9.3.2_11.31IA) = 9bd93b513fde895ebc32602824db3341
MD5 (named_9.3.2_11.31PA) = 81041c98b5699d90e0d90cca14f90d18
3. Stop the DNS server:
If named is normally started and stopped during system reboot, use this command:
/sbin/init.d/named stop
If rndc is in use, from the managing server issue this command:
Package : bind9
Vulnerability : denial of service
Problem type : remote
Debian-specific: no
BIND, a DNS server, contains a defect related to the processing of
new DNSSEC DS records by the caching resolver, which may lead to name
resolution failures in the delegated zone. If DNSSEC validation is
enabled, this issue can make domains ending in .COM unavailable when
the DS record for .COM is added to the DNS root zone on March 31st,
2011. An unpatched server which is affected by this issue can be
cache poisoning.
Background
==========
The PowerDNS Recursor is an advanced recursing nameserver.
Affected packages
=================
-------------------------------------------------------------------