Cert Vulnerability 734644

Kevin Darcy kcd at daimlerchrysler.com
Wed Jun 29 22:44:17 UTC 2005


trusted linux wrote:

>Hi,
>
>I have a question about the CERT 734644. If this is a
>problem, we have to do a major upgrade. However, it
>does not really convince me that this is a real
>threat. Can anybody help clarify it? 
>
>http://www.kb.cert.org/vuls/id/734644 
>
>per 734644, 
>
> Several versions of the BIND 8 name server are
>vulnerable to cache poisoning via negative responses.
>To exploit this vulnerability, an attacker must
>configure a name server to return authoritative
>negative responses for a given target domain. Then,
>the attacker must convince a victim user to query the
>attacker's maliciously configured name server. When
>the attacker's name server receives the query, it will
>reply with an authoritative negative response
>containing a large TTL (time-to-live) value. If the
>victim's site runs a vulnerable version of BIND 8, it
>will cache the negative response and render the target
>domain unreachable until the TTL expires. 
> 
>    Assume the victim dns is ns.victim.net, the target
>domain is xyz.com, 
>    If I interpret this correctly, to run the attack,
>the attacker has to do the following:
> 
>    1. create and configure a dns server to serve as
>the authoritative DNS for xyz.com domain, called
>dnsxyz.attack.com (or just an IP) - fine.
>    2. convince ns.victim.net to query
>dnsxyz.attack.com for any queries for xyz.com (i.e.
>www.xyz.com) - how? 
>    3. dnsxyz.attack.com replies with negative
>response with a big TTL.
> 
>    The problem is #2. How is it possible? Actually,
>without preset trust, this is equivalent to saying that
>the attacker has already controlled the ns.victim.net.
>So, why does he bother to run this attack?
> 
>    I understand that birthday attack and space
>searching can break the random query ID without
>requiring the trust. However this CERT vulnerability
>does not seem to rely on these techniques. 
>
Well, I don't know the specifics of this particular vulnerability, but 
maybe BIND 8 was accepting xyz.com negative cache entries in response to 
attack.com queries, under certain circumstances...

                                                            - Kevin
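An added example, not part of this thread and not BIND's own code, showing the resolver-side acceptance checks that would reject the case Kevin hypothesizes (an xyz.com negative cache entry arriving in an answer from an attack.com server): a bailiwick check on the SOA carried by a negative answer, the RFC 2308 rule that the negative TTL is the smaller of the SOA TTL and the SOA MINIMUM, and a resolver-side cap on negative caching. The message representation, the `server_zone` field and the 3-hour cap are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Resolver-side cap on negative caching; 3 hours is assumed here for illustration.
NEG_TTL_CAP = 3 * 3600

@dataclass
class SOA:
    owner: str    # zone apex the SOA record belongs to, e.g. "xyz.com."
    ttl: int      # TTL on the SOA record itself
    minimum: int  # SOA MINIMUM field; RFC 2308 uses min(ttl, minimum) as the negative TTL

@dataclass
class NegativeResponse:           # constructed, simplified view of a parsed DNS reply
    qname: str            # name that was queried, e.g. "www.xyz.com."
    rcode: str            # "NXDOMAIN" or "NOERROR" (no data)
    soa: Optional[SOA]    # SOA from the authority section, if any
    server_zone: str      # zone the queried server was reached through by delegation (assumed field)

def _canon(name: str) -> str:
    return name.lower().rstrip(".") + "."

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below zone (zone "." covers everything)."""
    name, zone = _canon(name), _canon(zone)
    return zone == "." or name == zone or name.endswith("." + zone)

def negative_cache_ttl(resp: NegativeResponse) -> Tuple[Optional[int], str]:
    """Return (ttl_to_cache, reason); a ttl of None means do not cache this negative answer."""
    if resp.rcode not in ("NXDOMAIN", "NOERROR"):
        return None, "not a negative answer"
    if resp.soa is None:
        return None, "no SOA in authority section"
    # Bailiwick check 1: the server we asked must be allowed to speak for the SOA's zone.
    if not in_bailiwick(resp.soa.owner, resp.server_zone):
        return None, f"SOA for {resp.soa.owner} is out of bailiwick for a {resp.server_zone} server"
    # Bailiwick check 2: the queried name must lie inside the zone the SOA describes.
    if not in_bailiwick(resp.qname, resp.soa.owner):
        return None, f"{resp.qname} is not under SOA zone {resp.soa.owner}"
    # RFC 2308 section 3 negative TTL, then the resolver's own cap on negative caching.
    ttl = min(resp.soa.ttl, resp.soa.minimum, NEG_TTL_CAP)
    return ttl, "cached"

if __name__ == "__main__":
    # Constructed attack-shaped reply: an attack.com server hands back an xyz.com SOA with a huge TTL.
    bad = NegativeResponse("foo.attack.com.", "NXDOMAIN", SOA("xyz.com.", 2**31 - 1, 2**31 - 1), "attack.com.")
    print(negative_cache_ttl(bad))
    # Constructed legitimate reply from the xyz.com server itself.
    good = NegativeResponse("www.xyz.com.", "NXDOMAIN", SOA("xyz.com.", 604800, 604800), "xyz.com.")
    print(negative_cache_ttl(good))
```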




More information about the bind-users mailing list