Network Security Vuln-Dev

"BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer)

Subject: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer)
Date: Tue, 24 Jul 2007 10:33:51 +0300
I discovered a new weakness in the BIND 9 DNS server which enables "DNS Forgery Pharming". An attacker can remotely poison the cache of any BIND 9 caching DNS server and force users who use this DNS server to reach fraudulent websites each time they try to access real websites. BIND 9 is the most popular DNS server nowadays, thus this attack applies to a big part of Internet users.

The concept of DNS cache poisoning was discussed many times before. However, this attack was considered impractical for the leading industrial DNS servers due to the transaction ID mechanism that DNS servers implement today. The transaction ID is supposed to be a secure, random number that the attacker must guess in order to poison the DNS cache. There are 65,536 combinations, which makes enumeration impractical in the current network conditions.

I've recently found a weakness in the transaction ID generation algorithm of BIND 9. By observing a few consecutive transaction IDs from the same DNS server an attacker can reconstruct the random number generator's internal state, and/or predict its next value.

This weakness can be turned into a mass attack in the following way:

(1) The attacker lures a single user that uses the target DNS server to click on a link. No further action other than clicking the link is required.

(2) By clicking the link the user starts a chain reaction that eventually poisons the DNS server's cache (subject to some standard conditions) and associates fraudulent IP addresses with real website domains.

(3) All users that use this DNS server will now reach the fraudulent website each time they try to reach the real website.

The two algorithms for predicting the transaction ID (one for the single next transaction ID, the other for full reconstruction of the internal state and all future transaction IDs) were coded in Perl and were demonstrated to work well (and fast!).

The algorithms, as well as the paper, are available on Trusteer's website:

 Full paper: http://www.trusteer.com/docs/bind9dns.html

 Executive version: http://www.trusteer.com/docs/bind9dns_s.html

ISC were informed on May 29th, and patched versions of BIND 9 are now available on their website, http://www.isc.org/

Thanks,
Amit Klein
CTO
Trusteer
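The advisory's point is that a resolver's transaction IDs must be unpredictable from one query to the next. The following is an added example, not code from the advisory or from Trusteer's paper, of the kind of sanity check a resolver operator can run over the TXIDs of consecutive outgoing queries collected from their own server (for instance from a packet capture): for each of the 16 bits it measures how often the bit changes between consecutive IDs, which should be about one half for a properly seeded random source. The weak generator used to show a failing result is a constructed toy (a linear congruential generator with a power-of-two modulus and illustrative constants); it is not BIND 9's algorithm, and the function names, thresholds and sample sizes are this example's own assumptions.

```python
"""Sanity check for DNS transaction ID (TXID) randomness.

Added example, not from the advisory or from Trusteer's paper. The weak
generator below is a constructed toy (LCG mod 2**16) used only to show what
a failing check looks like; it is NOT BIND 9's transaction ID algorithm.
"""
import secrets
from typing import Iterable, List

TXID_BITS = 16          # DNS transaction IDs are 16-bit values
MIN_SAMPLES = 200       # assumed minimum before a verdict is meaningful


def toy_weak_txid_stream(seed: int, n: int) -> List[int]:
    """Constructed weak generator: x' = (a*x + c) mod 2**16.

    Illustrative constants only. With an odd increment and a multiplier
    congruent to 1 mod 4, the least significant bit alternates on every
    call, so consecutive IDs leak structure that the bit-flip test exposes.
    """
    a, c, m = 1103515245, 12345, 1 << TXID_BITS
    ids, x = [], seed % m
    for _ in range(n):
        x = (a * x + c) % m
        ids.append(x)
    return ids


def strong_txid_stream(n: int) -> List[int]:
    """IDs drawn from the OS CSPRNG: the behaviour a resolver should show."""
    return [secrets.randbelow(1 << TXID_BITS) for _ in range(n)]


def bit_flip_rates(ids: Iterable[int]) -> List[float]:
    """For each bit position, the fraction of consecutive ID pairs in which
    that bit changed. A well-seeded random generator gives about 0.5 for
    every bit; a rate near 0.0 or 1.0 means the bit is predictable."""
    ids = list(ids)
    if len(ids) < 2:
        raise ValueError("need at least two transaction IDs")
    pairs = len(ids) - 1
    flips = [0] * TXID_BITS
    for prev, cur in zip(ids, ids[1:]):
        diff = prev ^ cur               # set bits = positions that changed
        for b in range(TXID_BITS):
            if (diff >> b) & 1:
                flips[b] += 1
    return [f / pairs for f in flips]


def suspicious_bits(ids: Iterable[int], low: float = 0.35,
                    high: float = 0.65) -> List[int]:
    """Bit positions whose flip rate is implausible for a random source.

    The [low, high] band is an assumed tolerance; with a few hundred samples
    a genuinely random bit lands within it with overwhelming probability.
    """
    ids = list(ids)
    if len(ids) < MIN_SAMPLES:
        raise ValueError(f"need at least {MIN_SAMPLES} samples for a verdict")
    return [b for b, r in enumerate(bit_flip_rates(ids)) if not low <= r <= high]


if __name__ == "__main__":
    weak = toy_weak_txid_stream(seed=42, n=1000)      # constructed input
    strong = strong_txid_stream(1000)
    print("toy weak generator, suspicious bits:", suspicious_bits(weak))
    print("CSPRNG, suspicious bits:", suspicious_bits(strong))
```

A real run would replace the constructed streams with TXIDs extracted from a capture of the resolver's own outgoing queries, in the order they were sent. The check is deliberately one-sided: a clean result does not prove the generator is strong, but any bit that is reported is evidence that consecutive IDs are correlated, which is exactly the property the advisory says an attacker needs.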

