[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

WIN : Predictable Query IDs Pose Security Risks for DNS Servers]



Received: from hydra.acs.uci.edu by nis.acs.uci.edu (8.8.5) id XAA06272; Tue, 10 Jun 1997 23:00:46 -0700 (PDT)
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143]) by hydra.acs.uci.edu (8.8.5/8.7.1) with ESMTP id XAA22435; Tue, 10 Jun 1997 23:00:34 -0700 (PDT)
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <35357-15687>; Wed, 11 Jun 1997 00:47:42 -0400
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with
          spool id 4158869 for BUGTRAQ@NETSPACE.ORG; Wed, 11 Jun 1997 00:20:57
          -0400
Received: from brimstone.netspace.org (brimstone [128.148.157.143]) by
          netspace.org (8.8.5/8.8.2) with ESMTP id AAA18023 for
          <BUGTRAQ@netspace.org>; Wed, 11 Jun 1997 00:18:08 -0400
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with
          ESMTP id <33076-15687>; Wed, 11 Jun 1997 00:22:44 -0400
Approved-By: aleph1@UNDERGROUND.ORG
Received: from dfw.dfw.net (aleph1@dfw.dfw.net [198.175.15.10]) by netspace.org
          (8.8.5/8.8.2) with SMTP id TAA16049 for <bugtraq@netspace.org>; Tue,
          10 Jun 1997 19:24:54 -0400
Received: from localhost by  dfw.dfw.net (4.1/SMI-4.1) id AA13559; Tue, 10 Jun
          97 18:31:16 CDT
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.SUN.3.94.970610183031.12910D-100000@dfw.dfw.net>
Date: 	Tue, 10 Jun 1997 18:31:16 -0500
Reply-To: Aleph One <aleph1@dfw.net>
Sender: Bugtraq List <BUGTRAQ@netspace.org>
From: Aleph One <aleph1@dfw.net>
Subject:      Q167629: Predictable Query IDs Pose Security Risks for DNS Servers
To: BUGTRAQ@NETSPACE.ORG

DOCUMENT:Q167629    [winnt]
TITLE: Predictable Query IDs Pose Security Risks for DNS Servers
PRODUCT: Microsoft Windows NT
PROD/VER:4.00
OPER/SYS:WINDOWS
KEYWORDS:kbbug4.00 kbnetwork NTSrv nttcp

--------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Server versions 4.0
--------------------------------------------------------------------------

SYMPTOMS
========

An attacker can send a query to a DNS server asking for the IP address (for
example, of www.microsoft.com.) The DNS server sends a recursive query on
behalf of the client at which point the attacker floods the DNS server with
responses indicating the IP address (for example, for www.microsoft.com it
may return 127.0.0.1,) or any other incorrect response as desired by the
attacker. The DNS server caches this result and subsequent queries for this
site return the incorrect IP address. The cached entry can be set to live
for an arbitrarily long time in the cache and is not purged until the DNS
server is reset.

CAUSE
=====

The Domain Name System (DNS) is used to resolve names with IP addresses and
a DNS query can be sent to any DNS server. If the server does not have the
authoritative answer to the query, it can ask other DNS servers in the DNS
tree for the answer. This is called a recursive query. The result of a
recursive query is cached by the originating DNS server to improve
performance. A DNS server may have many outstanding recursive queries at
any one moment in time and each outstanding query is identified by a query
ID.

Microsoft Windows NT (and many other) DNS servers use a predictable
sequence of query IDs when resolving recursive queries. If an attacker can
determine the current sequence number, they can determine future sequence
numbers. Knowledge of future sequence numbers helps an attacker flood a DNS
server with spoofed responses to recursive queries. This makes a "cache
pollution" attack easier to accomplish.

RESOLUTION
==========

The Microsoft DNS Server has been modified to use random query IDs. Random
query IDs reduce the effectiveness of this cache pollution attack. Obtain
the following fix, or wait for the next Windows NT service pack.

This hotfix has been posted to the following Internet location:

   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/
   hotfixes-postSP3/dns-fix

STATUS
======

Microsoft has confirmed this to be a problem in Windows NT version 4.0.
A supported fix is now available, but has not been fully regression-tested
and should be applied only to systems experiencing this specific problem.
Unless you are severely impacted by this specific problem, Microsoft
recommends that you wait for the next Service Pack that contains this fix.
Contact Microsoft Technical Support for more information.

Additional query words: 4.00 prodnt

============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.