Cert Vulnerability 734644
Kevin Darcy
kcd at daimlerchrysler.com
Wed Jun 29 22:44:17 UTC 2005
trusted linux wrote:
>Hi,
>
>I have a question about the CERT 734644. If this is a
>problem, we have to do a major upgrade. However, it
>does not really convince me that this is a real
>threat. Can anybody help clarify it?
>
>http://www.kb.cert.org/vuls/id/734644
>
>per 734644,
>
> Several versions of the BIND 8 name server are
>vulnerable to cache poisoning via negative responses.
>To exploit this vulnerability, an attacker must
>configure a name server to return authoritative
>negative responses for a given target domain. Then,
>the attacker must convince a victim user to query the
>attacker's maliciously configured name server. When
>the attacker's name server receives the query, it will
>reply with an authoritative negative response
>containing a large TTL (time-to-live) value. If the
>victim's site runs a vulnerable version of BIND 8, it
>will cache the negative response and render the target
>domain unreachable until the TTL expires.
>
> Assume the victim dns is ns.victim.net, the target
>domain is xyz.com,
> If I interpret this correctly, to run the attack,
>the attacker has to do the followings:
>
> 1. create and configure a dns server to server as
>the authoritative DNS for xyz.com domain, called
>dnsxyz.attack.com (or just a IP) - fine.
> 2. convince ns.victim.net to query
>dnsxyz.attack.com for any queries for xyz.com (i.e.
>www.xyz.com) - how?
> 3. dnsxyz.attack.com replies with negative
>response with a big TTL.
>
> The problem is #2. How is it possible? Actually,
>without preset trust, this is equivalent to say that
>the attacker has already controlled the ns.victim.net.
>So, why does he bother to run this attack?
>
> I understand that birthday attack and space
>searching can break the random query ID without
>requiring the trust. However this CERT vulnerability
>does not seem to rely on these techniques.
>
Well, I don't know the specifics of this particular vulnerability, but
maybe BIND 8 was accepting xyz.com negative cache entries in response to
attack.com queries, under certain circumstances...
- Kevin
More information about the bind-users
mailing list