[14360] in bugtraq
Re: The out-of-domain NS registration attack
daemon@ATHENA.MIT.EDU (Sanford Whiteman)
Mon Mar 20 10:34:46 2000
Message-Id: <03BD4485807BD311A9BA00902786F5F80864CC@ERDEV100-NTFS01>
Date: Fri, 17 Mar 2000 13:05:06 -0500
Reply-To: Sanford Whiteman <sanford.whiteman@INTERNAL.CONVEY.COM>
From: Sanford Whiteman <sanford.whiteman@INTERNAL.CONVEY.COM>
X-To: "dgover@cindy.hol.net" <dgover@cindy.hol.net>, "BUGTRAQ@SECURITYFOCUS.COM" <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Dave, you are certainly correct. We just performed a giant name server
migration and can verify that NSI's database has dual primary keys, or
what-have-you, that prevent the attack. A name server's IP address can only
be associated with one NIC handle...once you bind a hostname to the IP, the
hostname is bound to the NIC handle as well. The only way to change this
information is to be the contact for the name server's domain. No one else
can duplicate either of the keys.
Sandy
-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM] On Behalf Of David, Gover
Sent: Wednesday, March 15, 2000 3:55 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: The out-of-domain NS registration attack
On Tue, 14 Mar 2000, D. J. Bernstein wrote:
> Let's say an attacker wants to steal your mail to hotmail.com.
>
[snip]
> The attacker then registers a new domain with NSI, using ns1.jsnet.com
> as the domain's server name, but his own IP address for ns1.jsnet.com:
>
> zerosecurity.com NS ns1.jsnet.com
> ns1.jsnet.com A 5.6.7.8
Afaik, you will be unable to do this, as for each host record at NSI, they
also hold an IP address. When you specify ns1.jsnet.com as an NS for
your domain, the IP address NSI already holds for this hostname is used.
Even if you are able to specify a different address for 'ns1.jsnet.com' on
your application form, NSI (should|will) either reject it, or
ns1.jsnet.com will have both the old, and new A record on NSI's
nameservers. Couldn't this lead to other major problems apart from
stealing email?
It's a while since I've registered a domain name with NSI, and so things
may work slightly differently than I have stated or expect.
Dave
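The following toy registry model is added here as an illustration; it is not NSI's system or anything posted in the thread. It encodes the two-key constraint Sandy describes (a host record binds one hostname to one IP under one NIC handle, and only that handle may change it) and replays the quoted scenario: the attacker's form lists 5.6.7.8 for ns1.jsnet.com, but the glue recorded is the IP already on file. Handles such as JS-HANDLE, ATT-HANDLE and the 1.2.3.4 address are constructed.

```python
# Hypothetical model of the host-record constraint Sandy and Dave describe
# (one hostname <-> one IP <-> one NIC handle); not NSI's actual system.
from dataclasses import dataclass, field

@dataclass
class Registry:
    owners: dict = field(default_factory=dict)  # domain -> NIC handle of its contact
    hosts: dict = field(default_factory=dict)   # hostname -> (ip, handle)  (key 1)
    ips: dict = field(default_factory=dict)     # ip -> hostname            (key 2)

    def register_host(self, hostname, ip, handle):
        # Only the contact for the host's own domain may create it; both keys must be free.
        if self.owners.get(hostname.split(".", 1)[1]) != handle:
            raise PermissionError(f"{handle} is not the contact for the domain of {hostname}")
        if hostname in self.hosts or ip in self.ips:
            raise ValueError(f"{hostname} or {ip} is already bound to a host record")
        self.hosts[hostname] = (ip, handle)
        self.ips[ip] = hostname

    def update_host(self, hostname, new_ip, handle):
        # Changing the IP is reserved to the handle the record was bound to.
        old_ip, owner = self.hosts[hostname]
        if owner != handle:
            raise PermissionError(f"{handle} does not control {hostname}")
        if new_ip in self.ips:
            raise ValueError(f"{new_ip} is already bound to {self.ips[new_ip]}")
        del self.ips[old_ip]
        self.hosts[hostname], self.ips[new_ip] = (new_ip, handle), hostname

    def register_domain(self, domain, handle, nameservers):
        """nameservers: [(hostname, ip written on the form)]; returns the glue recorded."""
        self.owners[domain] = handle
        glue = []
        for ns, form_ip in nameservers:
            if ns not in self.hosts:  # new host: allowed only under a domain this handle owns
                self.register_host(ns, form_ip, handle)
            glue.append((ns, self.hosts[ns][0]))  # the IP on file wins over the form's IP
        return glue

def djb_scenario():
    """Constructed replay of the quoted attack: ns1.jsnet.com is already on file at 1.2.3.4."""
    reg = Registry()
    reg.register_domain("jsnet.com", "JS-HANDLE", [("ns1.jsnet.com", "1.2.3.4")])
    glue = reg.register_domain("zerosecurity.com", "ATT-HANDLE", [("ns1.jsnet.com", "5.6.7.8")])
    try:  # the attacker's handle cannot rebind the host record either
        reg.update_host("ns1.jsnet.com", "5.6.7.8", "ATT-HANDLE")
    except PermissionError:
        pass
    return glue, reg.hosts["ns1.jsnet.com"][0]
```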