Bugtraq mailing list archives

Re: SNI-12: BIND Vulnerabilities and Solutions


From: daw () CS BERKELEY EDU (David Wagner)
Date: Tue, 22 Apr 1997 18:11:23 -0700


In article <Pine.BSI.3.95.970422043557.16266A-100000 () silence secnet com>,
Oliver Friedrichs <oliver () SECNET COM> wrote:
> This advisory contains descriptions and solutions for two vulnerabilities
> present in current BIND distributions.  These vulnerabilities are actively
> being exploited on the Internet.
>
> I.  The usage of predictable IDs in queries and recursed queries allows for
>     remote cache corruption.  This allows malicious users to alter domain
>     name server caches to change the addresses and hostnames of hosts on the
>     internet.

Thanks for carefully describing the serious security vulnerability.

However, I think your patch won't fix the problem.

It attempts to make the query ID unpredictable, but fails -- the "random"
numbers it generates are still predictable (after a trivial 2^16 offline
trials).  And the seeding is terrible -- two years ago Netscape used
timeofday and pid to seed their PRNG, too, and look what happened to them.

Tell me I'm missing something.
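Added illustration of the two objections above (not code from the advisory, the patch, or this post): a stand-in query-ID generator built on the classic ANSI C rand() LCG and seeded from time-of-day and pid, an offline 2^16-trial check of how far two observed IDs pin down the third, and the CSPRNG-backed form a defender would want instead. The seeding formula, the use of rand(), and the sample time/pid values are assumptions; the post does not show the patch's internals.

```python
import math
import secrets

A, C = 1103515245, 12345            # classic ANSI C rand() LCG constants
MASK32, MASK15 = 0xFFFFFFFF, 0x7FFF

def lcg_step(state: int) -> int:
    return (A * state + C) & MASK32

def lcg_output(state: int) -> int:
    # rand()-style output: 15 bits from the middle of the 32-bit state.
    return (state >> 16) & MASK15

class WeakIdGen:
    """Assumed stand-in for a 'random' ID generator seeded from time and pid."""
    def __init__(self, now_us: int, pid: int):
        self.state = (now_us ^ pid) & MASK32     # hypothetical seeding formula
    def next_id(self) -> int:
        self.state = lcg_step(self.state)
        return lcg_output(self.state)

def seed_space_bits(window_seconds: float, pid_span: int) -> float:
    # Upper bound on seed entropy when the seed comes from microsecond
    # time-of-day inside a known window plus a pid from a known span:
    # the attacker's uncertainty about those two values, nothing more.
    return math.log2(window_seconds * 1_000_000 * pid_span)

def candidate_third_ids(id1: int, id2: int) -> set:
    # Offline unpredictability check: try every 16-bit completion of the
    # state behind id1 (bit 31 never reaches the output because A is odd,
    # so 2^16 trials cover it), keep those that also yield id2, and collect
    # the third ID each survivor would emit. A small set means the next
    # query ID is effectively known to anyone who saw two of them.
    out = set()
    for low in range(1 << 16):
        s1 = (id1 << 16) | low
        s2 = lcg_step(s1)
        if lcg_output(s2) == id2:
            out.add(lcg_output(lcg_step(s2)))
    return out

def strong_id() -> int:
    # Hardened form: each ID drawn from the OS CSPRNG, so no state is
    # exposed on the wire and all 65536 values remain equally likely.
    return secrets.randbelow(1 << 16)

def demo():
    g = WeakIdGen(now_us=1_234_567, pid=4242)   # constructed sample values
    id1, id2, id3 = g.next_id(), g.next_id(), g.next_id()
    guesses = candidate_third_ids(id1, id2)
    return id3 in guesses, len(guesses), seed_space_bits(1.0, 32768)
```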
