[28] in Best-of-Security
BoS: Re: Port 135 [and other NT attacks] (fwd)
daemon@ATHENA.MIT.EDU (Jonathan Wilkins)
Wed Feb 12 22:52:05 1997
Date: Wed, 12 Feb 1997 17:34:34 -0700
From: Jonathan Wilkins <jwilkins@secnet.com>
Cc: firewalls@GreatCircle.COM
Reply-To: best-of-security@suburbia.net
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net
Chris Klaus posted:
>NT DNS Denial Attack
>
>If an attacker spoofs a response that the DNS never requested, DNS will
>terminate.
>There is an advisory on this available at
>http://www.iss.net/lists/general/0118.html
>
>Solution:
>
>Currently, Microsoft is working on a solution.
Here's a little more information on this problem:
there were a few different problems discovered in the DNS that Microsoft
put out.. the first was due to the reception of a response to a query that
was never sent. [basically any DNS packet with the query/response bit set
to true]
I posted an advisory on this and James Gilroy (the developer of DNS at
Microsoft) managed to get a fix out in about a day (an admirable feat for a
vendor).. Unfortunately the fix wasn't complete.. I managed to find another
bug a day or so later.. but once more James put out a patch and this one
has passed a few tests I threw at it.. It is due to be released along with
service pack 3 which is due out this quarter..
you can also get a copy at ftp://rhino.microsoft.com/
this fix is only available for Intel, and as I don't have an NT system
running on alpha I haven't confirmed whether or not the alpha version of
DNS is vulnerable..
if anyone wants to volunteer a little bit of time we can test it out...
Jonathan
-=-=-=-=-=-=-=-
Jonathan Wilkins | Futuaris | If only they had used their
jwilkins@secnet.com | Non Irresus | terminals for niceness instead
http://www.secnet.com | Ridebus | of evil ...-Maxwell Smart
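
The failure described in the message above comes down to a server acting on a DNS packet whose query/response (QR) bit is set when it has no matching outstanding query. The sketch below is an added example, not code from the post or from Microsoft's fix: it shows the defensive check a DNS implementation can apply before processing a packet. The class and function names, addresses and transaction IDs are hypothetical and constructed for illustration.

```python
import struct

QR_MASK = 0x8000  # top bit of the 16-bit flags word: 0 = query, 1 = response
HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


class PendingQueries:
    """Tracks queries this server sent, keyed by (upstream address, transaction id)."""

    def __init__(self):
        self._pending = set()

    def sent(self, addr, txid):
        self._pending.add((addr, txid))

    def classify(self, addr, packet):
        """Return 'query', 'response' or 'drop' for an incoming UDP payload."""
        if len(packet) < HEADER.size:
            return "drop"  # too short to hold a DNS header
        txid, flags, *_ = HEADER.unpack_from(packet)
        if not flags & QR_MASK:
            return "query"
        key = (addr, txid)
        if key not in self._pending:
            return "drop"  # response to a query that was never sent
        self._pending.discard(key)  # each query accepts exactly one response
        return "response"


def header(txid, response):
    """Constructed sample input: a bare 12-byte DNS header."""
    return HEADER.pack(txid, QR_MASK if response else 0, 0, 0, 0, 0)


def demo():
    table = PendingQueries()
    upstream = ("192.0.2.53", 53)    # constructed addresses (documentation ranges)
    stranger = ("198.51.100.7", 53)
    table.sent(upstream, 0x1234)
    return [
        table.classify(stranger, header(0x9999, response=True)),   # unsolicited
        table.classify(upstream, header(0x1234, response=True)),   # matches a query
        table.classify(upstream, header(0x1234, response=True)),   # duplicate
        table.classify(stranger, header(0x0001, response=False)),  # ordinary query
        table.classify(stranger, b"\x00\x01"),                     # truncated
    ]


if __name__ == "__main__":
    print(demo())
```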