Subject: [NEWS] Vulnerability Issues in Implementations of the DNS Protocol
Date: 2 May 2006 09:45:36 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Vulnerability Issues in Implementations of the DNS Protocol
------------------------------------------------------------------------


SUMMARY

The vulnerabilities described in this advisory affect implementations of 
the Domain Name System (DNS) protocol. Many vendors include support for 
this protocol in their products and may be impacted to varying degrees, if 
at all.

DETAILS

Impact:
If exploited, these vulnerabilities could cause a variety of outcomes 
including, for example, a Denial-of-Service (DoS) condition. In most 
cases, they can expose memory corruption, stack corruption or other types 
of fatal error conditions. Some of these conditions may expose the 
protocol to typical buffer overflow exploits, allowing arbitrary code to 
execute or the system to be modified.

Summary:
During 2002 the Oulu University Secure Programming Group (OUSPG) 
discovered a number of implementation specific vulnerabilities in the 
Simple Network Management Protocol (SNMP). Further work has been done to 
identify implementation specific vulnerabilities in related protocols that 
are used in critical infrastructure. The DNS protocol, which is the 
primary naming system used on the Internet, was studied as part of this 
program of work.

DNS is an Internet service that translates domain names into Internet 
Protocol (IP) addresses and vice versa. Because domain names are 
alphabetic, they are easier to remember; the Internet, however, is really 
based on IP addresses, so every time a domain name is requested a DNS 
service must translate the name into the corresponding IP address.

OUSPG has developed a PROTOS DNS Test Suite for DNS implementations and 
employed it to validate their findings against a number of products from 
different vendors. NISCC has contacted multiple vendors whose products 
support the DNS protocol and provided them with the test tool to allow 
them to test their implementations. NISCC believes that most of the 
relevant vendors who provide support for the DNS protocol have been 
covered by this advisory.

Details:
DNS is a system that stores information associated with domain names in a 
distributed database on networks such as the Internet. The domain name 
system associates many types of information with domain names, but most 
importantly, it provides the IP address associated with the domain name. 
It also lists mail exchange servers accepting e-mail for each domain and a 
wide variety of other records.

The OUSPG DNS Test Suite covers a limited set of information security and 
robustness related implementation errors for the DNS protocol. The factors 
behind choosing DNS included:
 * DNS is a fundamental infrastructure of the Internet; most Internet 
applications depend on it.

 * DNS implementations are ubiquitous: present in servers, in end-user 
equipment such as personal computers or mobile phones, and in routers and 
firewalls. DNS may therefore be a potential attack vector in a variety of 
scenarios against a variety of systems and infrastructure components.

 * There are no free, publicly available robustness test suites to 
evaluate DNS implementations.

The material contained in the test suite covers basic queries, dynamic 
updates, basic responses and zone transfers. However please be aware that 
the test material does not cover cache poisoning or address spoofing 
vulnerabilities. There are three sets of test materials available with the 
tool; these are specifically designed for the following scenarios:
1. The Query Material -> [queries, dynamic DNS updates] -> DNS server
2. The Response Material -> [query replies] -> DNS server
3. The Response Material -> [query replies] -> DNS stub resolver (client)
4. The Zone Transfer Material -> [zone transfers] -> secondary DNS server

The test material simulates hostile input to the DNS implementation by 
sending invalid and/or abnormal packets. Therefore by applying the OUSPG 
DNS Test Suite to a variety of products, several vulnerabilities can be 
revealed that can have varying effects.

Vendor Information:
The following vendors have provided information about how their products 
are affected by this vulnerability. Please note that JPCERT/CC have 
released a Japanese language advisory for this vulnerability which 
contains additional information regarding Japanese vendors. This advisory 
is available at http://jvn.jp/niscc/NISCC-144154/index.html

 * Cisco Systems, Inc
 * Delegate
 * Ethereal
 * Hitachi
 * ISC
 * Juniper Networks
 * Microsoft
 * MyDNS
 * pdnsd
 * Sun
 * Wind River

Cisco Systems, Inc
Cisco Systems is currently testing its DNS related products. We will 
provide updates if warranted at http://www.cisco.com/go/psirt.

Delegate
Vulnerable:
 * DeleGate/9.0.5 (DEVELOPMENT) and prior versions
 * DeleGate/8.11.5 (STABLE) and prior versions

Not Vulnerable:
 * DeleGate/9.0.6 and subsequent versions
 * DeleGate/8.11.6 and subsequent versions

DeleGate is an application level gateway (proxy server) which relays 
multiple application protocols including HTTP, FTP, SMTP, SOCKS, DNS; 
running on Unix and Windows. There have been bugs in its DNS protocol 
handling unit where a DNS response message is analyzed.

Due to this problem, DeleGate can suffer a denial-of-service attack. For 
some crafted or broken response messages, it reads the message data area 
beyond its real size, or reads it in an infinitely recursive function 
call. The DeleGate process will then abort with a segmentation fault or 
similar error on accessing a non-existent address or unavailable memory. 
DeleGate as a DNS proxy, ICP server or UDP relay might stop its service 
on receiving such a broken DNS response, since the abort occurs in the 
main process, which is not restarted automatically by itself. Other 
DeleGate proxies for other protocols do not stop servicing, but a child 
process for a session might abort without returning the response message 
of the respective application protocol.

These bugs have been fixed in version 9.0.6 (development version) and 
8.11.6 (stable version). The impact for recent versions is not more than 
DoS, but upgrading to these versions (or subsequent ones) is recommended. 
The impact can be more serious in ancient versions of DeleGate prior to 
8.10.3, which also include many other kinds of dangers 
(http://www.delegate.org/maillists/delegate-en/2793), so they must be 
upgraded anyway.
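The DeleGate report above names the two classic failure modes of a DNS response parser that the PROTOS response material exercises: reading label data past the real end of the message, and following compression pointers into unbounded recursion. As an added example (not code from the advisory, DeleGate or any other vendor listed here), this is a bounds-checked name decoder in C, with a constructed message whose offsets, bytes and helper names are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>
/* Decode the domain name at `off` in a `len`-byte DNS message into `out` as
 * dotted text. Returns the bytes the name occupies at `off` (a pointer ends
 * the wire name), or -1 if it runs past the message or loops via pointers. */
int dns_read_name(const uint8_t *msg, size_t len, size_t off, char *out, size_t outlen)
{
    size_t pos = off, consumed = 0, outpos = 0;
    int jumped = 0, hops = 0;
    if (outlen == 0) return -1;
    for (;;) {
        if (pos >= len) return -1;                 /* length byte outside message */
        uint8_t c = msg[pos];
        if ((c & 0xC0) == 0xC0) {                  /* 2-byte compression pointer */
            if (pos + 1 >= len) return -1;         /* second pointer byte missing */
            if (!jumped) { jumped = 1; consumed = pos + 2 - off; }
            if (++hops > 128) return -1;           /* more hops than any legal name: a loop */
            pos = ((size_t)(c & 0x3F) << 8) | msg[pos + 1];
            continue;
        }
        if (c & 0xC0) return -1;                   /* 0x40/0x80 label types not supported */
        if (c == 0) {                              /* root label ends the name */
            if (!jumped) consumed = pos + 1 - off;
            out[outpos] = '\0';
            return (int)consumed;
        }
        if (pos + 1 + c > len) return -1;          /* label data runs past message */
        if (outpos + c + 1 >= outlen) return -1;   /* caller's buffer too small */
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, msg + pos + 1, c);
        outpos += c;
        pos += 1 + c;
    }
}
/* Constructed message: "example.com", "www"+pointer, a self-pointing pointer
 * (loop) and a label whose length runs past the end of the message. */
static const uint8_t sample[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,                           /* offset 0: 12-byte header */
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,   /* offset 12: example.com  */
    3,'w','w','w', 0xC0, 0x0C,                         /* offset 25: www + ptr->12 */
    0xC0, 0x1F,                                        /* offset 31: ptr->31 (loop)*/
    5,'a','b','c'                                      /* offset 33: truncated     */
};
/* Decode a name from `sample`: bytes consumed if text == expected, -1 rejected, -2 mismatch. */
int decode_sample(size_t off, const char *expected)
{
    char name[256];
    int n = dns_read_name(sample, sizeof sample, off, name, sizeof name);
    return n < 0 ? -1 : (strcmp(name, expected) == 0 ? n : -2);
}
```

The hop cap and the `pos + 1 + c > len` check are the two lines that a parser like the one described for DeleGate was missing; everything else is ordinary RFC 1035 label handling.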

Ethereal
The Ethereal development team is investigating the reported 
vulnerabilities to determine if any versions of Ethereal are affected. We 
will provide updated status information in the near future.

Hitachi
Hitachi believe that the AlaxalA Networks AX series, Hitachi 
GR2000/GR4000/GS4000/GS3000 and Hitachi HI-UX are NOT vulnerable to this 
issue.

ISC
ISC has reviewed a bug that can cause named to terminate abnormally if a 
broken TSIG is present in the second or later message of a zone transfer. 
However, this is not considered high-risk as the first message must have a 
correct TSIG present for the transaction to continue. A fix will be 
included in a future BIND release.

Juniper Networks
The OUSPG PROTOS c09-dns-response test tool was run against all Juniper 
Networks platforms. JUNOS and ScreenOS were unaffected. Tests against 
JUNOSe, found on the E-series routers, did result in an issue with the DNS 
client code (ref: KA 23381). The issue was resolved in the following 
JUNOSe updates: 5-3-5p0-2, 6-0-3p0-6, 6-0-4, 6-1-3p0-1, 7-0-1p0-7, 7-0-2, 
7-1-0p0-1, 7-1-1. Later JUNOSe releases are unaffected.

Microsoft
Microsoft are still testing their products and will provide an update when 
more information is available.

MyDNS
MyDNS 1.1.0 has been released which contains a fix for a query-of-death 
DoS bug uncovered by the test suite. New versions can be obtained from: 
http://mydns.bboy.net/

pdnsd
The current maintainer of the pdnsd project, Paul A. Rombouts, has run 
tests on pdnsd with the DNS Test Suite mentioned here and discovered one 
significant flaw in the pdnsd code, which affects several versions of 
pdnsd. A DNS query with an unsupported QTYPE or QCLASS can cause pdnsd to 
leak memory. The amount of memory used by pdnsd may thus grow continually 
and unbounded and may eventually cause pdnsd to crash or cause the system 
to become sluggish and unresponsive. All users of pdnsd are advised to 
upgrade to version 1.2.4 or later of pdnsd, which has a fix for this leak 
and is available at: http://www.phys.uu.nl/~rombouts/pdnsd.html

Sun
Sun Microsystems is currently investigating the impact of the OUSPG DNS 
test suite to Sun's products. If any issues are identified, Sun will 
publish Sun Alerts which will include details of the impact and suggested 
resolution for those issues.

Wind River
Wind River does not believe that any of the products we provide are 
currently vulnerable to the issues described in this Vulnerability Notice.


ADDITIONAL INFORMATION

The information has been provided by the NISCC Vulnerability Management 
Team (vulteam@niscc.gov.uk).
The original article can be found at: 
http://www.niscc.gov.uk/niscc/docs/re-20060425-00312.pdf?lang=en
