Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer)

from [Theo de Raadt] Network Security [Permanent Link]
Subject: Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer)
Date: Thu, 26 Jul 2007 16:50:04 -0600 
On 24 Jul 2007 17:40:35 -0000, securityfocus@networkontap.com
<securityfocus@networkontap.com> wrote:

I don't exactly see how this is new "News" since Zalewski's paper on TCP =

sequence number analysis (which included analysis of versions of BIND):


http://lcamtuf.coredump.cx/newtcp/


That article does not deal with attacks on BIND's PRNG.

As far as I can tell, Joe Stewart extended Zalewski's TCP sequence
number analysis to BIND's transaction IDs - however I don't think
Stewart's paper "DNS Cache Poisoning =96 The Next Generation" (
www.lurhq.com/dnscache.pdf ) goes as far as the recent BIND advisory
here - http://www.isc.org/sw/bind/bind-security.php:

"The DNS query id generation is vulnerable to cryptographic analysis
which provides a 1 in 8 chance of guessing the next query id for 50%
of the query ids. This can be used to perform cache poisoning by an
attacker."

I don't think that Amit's attack has been described before.


The problem comes from ISC writing an incomplete solution to a problem
initially described in 1997 (and solved, I might add).

http://www.openbsd.org/advisories/res_random.txt

Before 1997, the attack was even easier -- take Amit's attack and
delete all the complicated math and replace it with id++.

Amit just shows that ISC ignored a better solution; that of using
a LCG-based generator.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  PHP Safe_mode bypass exploit (win32service), nima_501
Next by Date:  Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer), Tim
Previous by Thread:  Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer), Jamie Riden
Next by Thread:  Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer), Gadi Evron
Indexes:  [Date] [Thread] [Top] [All Lists]