| Subject: | Paper by Amit Klein (Trusteer): "PowerDNS Recursor DNS Cache Poisoning [pharming]" |
|---|---|
| Date: | Mon, 31 Mar 2008 15:07:19 +0300 |

Hello BugTraq

Once again, a DNS cache poisoning against a popular DNS cache server. This time, it's PowerDNS (the third most popular DNS server, servicing over 40 million users). The vendor coded several impressive security measures against DNS spoofing (e.g. UDP source port randomization and spoofed response detection), but relied on the standard C randomization facility (the rand() and srand() functions in <stdlib.h>). The two popular stdlib implementations analyzed, glibc (used with GNU C++ for Linux/Unix-like systems) and MSVCRT (used with Microsoft's MSVC for Windows) are shown to be easily predictable, thus enabling an attacker to predict the DNS queries sent by PowerDNS Recursor, and in turn mount an efficient and effective DNS cache poisoning attack (or a pharming attack, as it is often called today).
PowerDNS's security contact, Bert Hubert, responded in a quick and professional manner - an immediate fix was silently incorporated (with my blessing) in Recursor 3.1.5-snapshot5 which was released less than 6 hours after the initial report. A stable version, Recursor 3.1.5, that "officially" includes the fix, is announced today, and is available for immediate download (see http://doc.powerdns.com/powerdns-advisory-2008-01.html).
The full analysis can be found in the following link:
http://www.trusteer.com/docs/powerdnsrecursor.html
Thanks,
-Amit
CTO, Trusteer
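
The predictability of glibc's rand() mentioned in the post can be seen in a few lines. This is an added example, not code from the post, the linked paper or PowerDNS: it models glibc's default additive-feedback generator as publicly documented and checks that every output follows from two earlier outputs. The function names and the MAXOUT cap are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define WARMUP 344          /* state words glibc discards after seeding */
#define MAXOUT 1024         /* cap chosen for this illustration */

/* Model of glibc's default (TYPE_3) rand(): writes up to MAXOUT values that
 * srand(seed) followed by rand() would return; returns how many were written. */
size_t glibc_rand_model(uint32_t seed, uint32_t *out, size_t n)
{
    uint32_t r[WARMUP + MAXOUT];
    size_t i;
    if (n > MAXOUT) n = MAXOUT;
    r[0] = seed ? seed : 1;                     /* seed 0 is treated as 1 */
    for (i = 1; i < 31; i++) {                  /* a small LCG fills the state */
        int64_t v = (16807 * (int64_t)(int32_t)r[i - 1]) % 2147483647;
        r[i] = (uint32_t)(v < 0 ? v + 2147483647 : v);
    }
    for (i = 31; i < 34; i++) r[i] = r[i - 31];
    for (i = 34; i < WARMUP + n; i++) r[i] = r[i - 31] + r[i - 3];
    for (i = 0; i < n; i++) out[i] = r[WARMUP + i] >> 1;
    return n;
}

/* Next output from the previous 31: exact up to a carry of +1 from the
 * low bit that rand() drops. o must hold at least k >= 31 outputs. */
uint32_t predict_next(const uint32_t *o, size_t k)
{
    return (o[k - 3] + o[k - 31]) & 0x7fffffffu;
}

/* Count outputs 31..n-1 that equal the prediction or the prediction + 1. */
size_t count_predicted(uint32_t seed, size_t n)
{
    uint32_t o[MAXOUT];
    size_t i, hits = 0;
    n = glibc_rand_model(seed, o, n);
    for (i = 31; i < n; i++) {
        uint32_t p = predict_next(o, i);
        if (o[i] == p || o[i] == ((p + 1) & 0x7fffffffu)) hits++;
    }
    return hits;
}

int main(void)
{
    printf("%zu of %d outputs predicted\n", count_predicted(1, 500), 500 - 31);
    return 0;
}
```

Values that must be unguessable, such as DNS transaction IDs and UDP source ports, should come from a cryptographically secure generator (for example getrandom(2) on Linux) rather than rand().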