kw3rln Posted August 14, 2008

I think VERY many sites are vulnerable... it appeared in the New York Times: http://www.nytimes.com/2008/08/09/technology/09flaw.html?_r=1&oref=slogin

Successfully poisoned the latest BIND with fully randomized ports!

The exploit required sending more than 130 thousand requests for fake records like 131737-4795-15081.blah.com to be able to match the port and ID and insert a poisoned entry for poisoned_dns.blah.com.

# dig @localhost www.blah.com +norecurse

; <<>> DiG 9.5.0-P2 <<>> @localhost www.blah.com +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6950
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.blah.com. IN A

;; AUTHORITY SECTION:
www.blah.com. 73557 IN NS poisoned_dns.blah.com.

;; ADDITIONAL SECTION:
poisoned_dns.blah.com. 73557 IN A 1.2.3.4

# named -v
BIND 9.5.0-P2

BIND used a fully randomized source port range, i.e. around 64000 ports. Two attacking servers, connected to the attacked one via a GigE link, were used; each one attacked 1-2 ports with the full ID range. Usually the attacking server is able to send about 40-50 thousand fake replies before the remote server returns the correct one, so if the port was matched the probability of successful poisoning is more than 60%.

The attack took about half a day, i.e. a bit less than 10 hours.

So, if you have a GigE LAN, any trojaned machine can poison your DNS during one night...

original source: http://tservice.net.ru/~s0mbre/blog/2008/08/08/
http://milw0rm.com/sploits/2008-dns-bind.tgz
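The write-up quoted above says the poisoning needed well over a hundred thousand queries for counter-style names (131737-4795-15081.blah.com and the like) against one zone. From the resolver operator's side that flood is the visible artefact, so the following is an added detection example (not code from the thread, the quoted blog, or BIND): it parses BIND-style query log lines and flags any client that asks for an unusually large number of distinct random-looking labels under the same parent zone. The log format, the client addresses, the query names and the alert threshold of 1000 distinct labels are all constructed assumptions for the example; BIND's real query log and a real network's baseline will differ.

```python
import re
from collections import defaultdict

# Assumed shape of a BIND 9 query-log line:
#   <date> <time> client <ip>#<port>: query: <qname> IN <qtype> ...
# Constructed for this example; check the format your named actually writes.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[^#]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return (client_ip, qname, qtype) for a query-log line, or None if it does not match."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def split_zone(qname):
    """Split 'label.parent.zone' into (leftmost_label, parent); names with fewer
    than three labels have no subdomain label to inspect."""
    labels = qname.split(".")
    if len(labels) < 3:
        return None, qname
    return labels[0], ".".join(labels[1:])


def looks_random(label):
    """Heuristic: long labels made mostly of digits (and hyphens) look like
    guess counters rather than real hostnames."""
    if len(label) < 6:
        return False
    digits = sum(c.isdigit() for c in label)
    return digits / len(label) >= 0.5


def detect_guess_bursts(lines, threshold=1000):
    """Count distinct random-looking labels per (client, parent zone) and return
    the pairs at or above the threshold. Feed it one time window at a time."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        ip, qname, _qtype = parsed
        label, parent = split_zone(qname)
        if label is None or not looks_random(label):
            continue
        seen[(ip, parent)].add(label)
    return {key: len(labels) for key, labels in seen.items() if len(labels) >= threshold}


def build_sample_log():
    """Constructed sample log (not real data): one client issuing 1500 counter-style
    queries for blah.com, plus ordinary traffic from another client."""
    lines = []
    for i in range(1500):
        lines.append(
            f"14-Aug-2008 02:10:01.{i:03d} client 192.0.2.77#40213: query: "
            f"{131737 + i}-4795-15081.blah.com IN A + (192.0.2.53)"
        )
    lines.append("14-Aug-2008 02:10:02.000 client 192.0.2.10#55000: query: www.blah.com IN A + (192.0.2.53)")
    lines.append("14-Aug-2008 02:10:02.001 client 192.0.2.10#55001: query: mail.example.org IN MX + (192.0.2.53)")
    lines.append("14-Aug-2008 02:10:02.002 client 192.0.2.10#55002: not a query line")
    # A small number of hash-like labels (e.g. CDN names) should stay under the threshold.
    for i in range(50):
        lines.append(
            f"14-Aug-2008 02:10:03.{i:03d} client 192.0.2.10#55003: query: "
            f"{i:08d}ab.cdn.example.net IN A + (192.0.2.53)"
        )
    return lines


if __name__ == "__main__":
    for (ip, zone), count in detect_guess_bursts(build_sample_log()).items():
        print(f"ALERT client {ip} queried {count} distinct random labels under {zone}")
```

Run it against one window of query log at a time (a few minutes is a sensible default) and tune the threshold against normal traffic; the point is that a host spraying a zone with counter-style names is loud in the query log long before it has any chance of matching the port and ID.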
hari Posted August 14, 2008

The sites aren't vulnerable, the DNS servers are. And it's not that very many are vulnerable, all of them are.

And they will keep being vulnerable, because the problem is that the protocol was never designed with this in mind.

The basic idea is that until now DNS servers sent responses from a fixed source port. The only thing an attacker had to guess was the Transaction ID (16 bits). That can be cracked in about a minute by sending random TXIDs.

Their fix was to make the source port random as well, so you have to guess that too. So now there are 32 bits you have to guess.

So the problem hasn't been fixed, it has only been made much harder to pull off in practice.

This Russian showed that he could exploit a DNS server even with a random source port, but:
- it takes at least 10 hours (originally about 1 minute)
- it works on a GigE LAN
- he used 2 computers sending packets consecutively.

So whoever has the patience can exploit any DNS server at any time, whether it is patched or not. It's just a matter of time.