Bugtraq mailing list archives

RE: CAIS-ALERT: Vulnerability in the sending requests control of BIND


From: Iván Arce <core.lists.bugtraq () core-sdi com>
Date: Wed, 27 Nov 2002 19:51:43 -0300

Vagner Sacramento wrote:
-----------------------------------------------------------------------
@ Copyright CAIS - Brazilian Research Network CSIRT
  Security Incidents Response Center (CAIS/RNP)

Subject         : Vulnerability in the sending requests control of BIND
                  versions 4 and 8 allows DNS spoofing
Date            : November 19th, 2002
Credits         : Vagner Sacramento, DIMAp-UFRN
Systems affected: 4.9.11 and prior (4.9.x); 8.2.7 and prior (8.2.x);
                  8.3.4 and prior (8.3.x);

-----------------------------------------------------------------------

[stuff deleted]
2. Details

   BIND versions 4 and 8 use procedures that allow a remote DNS Spoofing
   attack against DNS servers.

   The attack goal is to anticipate a reply with false information to the
   target DNS server, making the server store in its cache a false IP
   address for a certain domain name.

   To better understand the identified vulnerability, consider the
   following scenario. When n different DNS clients send simultaneous
   requests to a target DNS server (running BIND 4 or BIND 8) to resolve
   the same domain name, the target server will forward the requests
   received to other DNS servers, starting from the root servers and trying
   to get replies for each one of the requests.

   In this context, the identified vulnerability can be exploited if an
   attacker simultaneously sends n requests to the target DNS server using
   a different IP source address in each one and the same domain name. The
   target DNS server will send all the received requests to other DNS
   servers in order to resolve them. Since these requests will be
   processed independently, they will be assigned different identifiers
   (IDs). As a result, this server will be waiting for n replies with
   different IDs for the resolution of the same domain name. The attacker
   then sends several replies with different IDs to the target DNS server,
   attempting to guess one of the expected reply IDs, thus applying a DNS
   spoofing attack.


I am sorry to burst the bubble but this has been a known problem for
more than 5 years:

Original advisory posted in 1997:

http://www.codetalker.com/advisories/sni/sni-12.html
http://www.corest.com/common/showdoc.php?idx=133&idxseccion=10 (spanish)

Discussion on how to fix bug #1 and the actual patch led to
the following comment:

+  /*
+  * The 16 bit space is very small and brute force attempts are
+  * entirly feasible, we skip a random number of transaction ids
+  * so that an attacker will not get sequential ids.
+  */
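Review bot: the comment describes only making transaction IDs unpredictable (skipping a random number of IDs so they are not sequential), but the advisory quoted above exploits n simultaneous outstanding queries for the same name, each carrying its own ID, so a forged reply gets n chances per guess; randomizing each ID does not shrink that factor. The comment should state how the resolver limits duplicate outstanding queries for one name (or note that it does not), since that is the control the quoted attack turns on. Also, "entirly" should read "entirely".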

I have not read the BIND source for years; is this not explicitly mentioned
anywhere in the source, the docs, or updated RFCs?

BTW, what does BIND 9 do to prevent this?


 . configure anti-spoofing rules on the firewall or border router;

 . considering the network topology, set up the DNS server in a DMZ
   (demilitarized zone).

Maybe I am missing something, but how will this prevent cache poisoning
of the DNS server in the DMZ (assuming it does recursion)?

Inbound DNS replies (with spoofed source IP address) to
DNS requests forwarded to Internet servers will look perfectly valid to the
border router or firewall.


-ivan

---
Perscriptio in manibus tabellariorum est
Noli me vocare, ego te vocabo

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

44 Wall Street - New York, NY 10005
Ph: (212) 461-2345
Fax: (212) 461-2346
http://www.corest.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A


--- for a personal reply use: Iván Arce <iarce () core-sdi com>
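The exposure described in section 2 of the quoted advisory, worked through as an added Python model (this is an illustration added here, not BIND code and not part of the original message): a toy resolver that, as the advisory describes for BIND 4/8, opens one upstream query with one random 16-bit ID per client query, next to the same resolver with one mitigation switched on, attaching clients that ask an already in-flight question to that query so only one ID is outstanding per name. `hit_probability` gives the exact chance that a batch of forged replies with distinct IDs matches any outstanding ID; it depends only on how many IDs are in flight, which is why the random-ID skipping in the quoted patch comment leaves it unchanged. The resolver, the `burst` and `exposure` helpers, the domain name, the client labels and the answer strings are all constructed for this example.

```python
"""Constructed model of the BIND 4/8 behaviour in the quoted advisory:
n simultaneous client queries for one name become n outstanding upstream
queries with n different 16-bit transaction IDs, so a forged reply has n
chances to match instead of one.  Not BIND code; all names are made up."""
import math
import random
from fractions import Fraction

ID_SPACE = 1 << 16          # size of the 16-bit DNS transaction ID space


def hit_probability(n_outstanding: int, k_guesses: int) -> Fraction:
    """Exact probability that at least one of k forged replies carrying
    distinct, uniformly chosen IDs matches one of the n distinct IDs the
    resolver is waiting on.  Independent of whether the IDs are sequential
    or random: only their number matters."""
    if n_outstanding <= 0 or k_guesses <= 0:
        return Fraction(0)
    if k_guesses > ID_SPACE - n_outstanding:
        return Fraction(1)   # more guesses than non-matching IDs exist
    all_miss = Fraction(math.comb(ID_SPACE - n_outstanding, k_guesses),
                        math.comb(ID_SPACE, k_guesses))
    return 1 - all_miss


class Resolver:
    """Toy recursive resolver.  coalesce=False: one upstream query and one
    ID per client query (the advisory's description of BIND 4/8).
    coalesce=True: clients asking an already in-flight question are
    attached to that query, so one ID is outstanding per name."""

    def __init__(self, coalesce: bool, seed: int = 0):
        self.coalesce = coalesce
        self.rng = random.Random(seed)
        self.outstanding = {}     # txid -> (qname, [waiting clients])
        self.cache = {}           # qname -> answer

    def _new_txid(self) -> int:
        # Random and unique among in-flight IDs: the property the quoted
        # BIND comment aims at.  It removes predictability, not multiplicity.
        while True:
            txid = self.rng.randrange(ID_SPACE)
            if txid not in self.outstanding:
                return txid

    def client_query(self, qname: str, client: str) -> int:
        """Handle a client query; return the upstream ID it rides on."""
        if self.coalesce:
            for txid, (name, waiters) in self.outstanding.items():
                if name == qname:
                    waiters.append(client)
                    return txid
        txid = self._new_txid()
        self.outstanding[txid] = (qname, [client])
        return txid

    def upstream_reply(self, txid: int, qname: str, answer: str) -> bool:
        """Accept a reply only if both the ID and the question match an
        in-flight query; otherwise drop it.  Returns True when cached."""
        entry = self.outstanding.get(txid)
        if entry is None or entry[0] != qname:
            return False
        self.cache[qname] = answer
        del self.outstanding[txid]
        return True

    def outstanding_ids(self, qname: str) -> set:
        return {t for t, (name, _) in self.outstanding.items() if name == qname}


def burst(resolver: Resolver, qname: str, n_clients: int) -> int:
    """n clients with distinct source labels ask for qname at once; return
    how many upstream IDs the resolver is now waiting on for that name."""
    for i in range(n_clients):
        resolver.client_query(qname, f"client-{i}")   # constructed labels
    return len(resolver.outstanding_ids(qname))


def exposure(resolver: Resolver, qname: str, k_forged: int) -> Fraction:
    """Chance that k forged replies with distinct IDs for qname would be
    accepted by this resolver in its current state."""
    return hit_probability(len(resolver.outstanding_ids(qname)), k_forged)


if __name__ == "__main__":
    name = "www.example.com."           # constructed
    for coalesce in (False, True):
        r = Resolver(coalesce)
        n = burst(r, name, 100)
        p = exposure(r, name, 1)
        print(f"coalesce={coalesce}: {n} outstanding ID(s); "
              f"one forged reply hits with P = {p} ({float(p):.2e})")
```

With 100 clients the non-coalescing resolver is exactly 100 times as exposed per forged reply as the coalescing one (100/65536 against 1/65536), whatever the ID selection scheme; the mitigation modelled here is a design choice of the toy, not a statement about what any BIND version implements.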

