BIND 9.5.0-P2 - 'Randomized Ports' Remote DNS Cache Poisoning

Vulnerability ID: 1056786    Vulnerability type: (not given)
Published: 2008-08-13    Updated: 2008-08-13
Platform: Multiple    CVSS score: N/A
Successfully poisoned the latest BIND with fully randomized ports!

The exploit had to send more than 130 thousand requests for fake records (the record and zone names are elided on this page) to be able to match the port and ID and insert the poisoned entry.

# dig @localhost +norecurse

; <<>> DiG 9.5.0-P2 <<>> @localhost +norecurse
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6950
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;                  IN      A

;; AUTHORITY SECTION:           73557   IN      NS

;; ADDITIONAL SECTION:  73557   IN      A

# named -v
BIND 9.5.0-P2

BIND used a fully randomized source port range, i.e. around 64000 ports.
Two attacking servers, connected to the attacked one via a GigE link, were used;
each one attacked 1-2 ports with the full ID range. Usually an attacking server is able
to send about 40-50 thousand fake replies before the remote server returns the
correct one, so if the port was matched, the probability of successful poisoning is more than 60%.

The attack took about half a day, i.e. a bit less than 10 hours.
So, if you have a GigE LAN, any trojaned machine can poison your DNS during one night...
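To make the cost argument above concrete from the defender's side, here is an added probability model (not the author's exploit code and not part of the original post) that reproduces the figures in the text: a 16-bit transaction ID space, roughly 64000 randomized source ports, one or two ports attacked per query window, and 40-50 thousand spoofed replies landing before the genuine answer. The window size, port count and reply rate are assumptions taken from the text; the model treats each query window as an independent trial.

```python
"""Race model for the port/ID guessing attack described above (added example).

Assumptions (from the text, not measured here): ~64000 candidate source
ports, a 16-bit transaction ID space, 1-2 ports attacked per window, and
40-50 thousand spoofed replies delivered per window with distinct IDs.
"""
import math

ID_SPACE = 65536      # 16-bit DNS transaction ID
PORT_SPACE = 64000    # approximate randomized source-port range from the text


def conditional_success(replies, id_space=ID_SPACE):
    """P(poison | port guessed right) when `replies` spoofed answers carry distinct IDs."""
    return min(replies, id_space) / id_space


def per_window_success(ports_attacked, replies, port_space=PORT_SPACE, id_space=ID_SPACE):
    """P(poison) in one query window when `ports_attacked` distinct ports are targeted."""
    port_hit = min(ports_attacked, port_space) / port_space
    return port_hit * conditional_success(replies, id_space)


def expected_windows(p):
    """Mean number of query windows until the first success (geometric distribution)."""
    return 1.0 / p


def windows_for_confidence(p, confidence=0.5):
    """Windows needed so that P(at least one success) >= confidence."""
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


def compare_port_policies(replies=45000, ports_attacked=2):
    """Cost of the race against a fixed source port versus a randomized one."""
    fixed = per_window_success(1, replies, port_space=1)   # one fixed port: always hit
    randomized = per_window_success(ports_attacked, replies)
    return {
        "fixed_port": fixed,
        "randomized": randomized,
        # how many times more query windows the randomized resolver costs the attacker
        "cost_multiplier": expected_windows(randomized) / expected_windows(fixed),
    }


if __name__ == "__main__":
    for replies in (40000, 50000):
        print(f"{replies} replies, port matched: P(poison) = {conditional_success(replies):.3f}")
    r = compare_port_policies()
    print(f"fixed port:      P/window = {r['fixed_port']:.3f}")
    print(f"randomized port: P/window = {r['randomized']:.2e}, "
          f"median windows = {windows_for_confidence(r['randomized']):,}, "
          f"cost multiplier = {r['cost_multiplier']:,.0f}x")
```

The model shows what the text states in prose: with 40-50 thousand distinct IDs per window the conditional success is 61-76%, so once the port is hit the race is usually won, and randomizing over ~64000 ports only multiplies the expected work by port_space/ports_attacked rather than removing the exposure; a fast enough attacker simply pays that multiplier in time.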

original source: (2008-dns-bind.tgz)

# [2008-08-13]