
Re: SNI-12: BIND Vulnerabilities and Solutions

daemon@ATHENA.MIT.EDU (David Wagner)
Tue Apr 22 22:49:18 1997

Date: 	Tue, 22 Apr 1997 18:11:23 -0700
Reply-To: David Wagner <daw@CS.BERKELEY.EDU>
From: David Wagner <daw@CS.BERKELEY.EDU>
X-To:         bugtraq@crimelab.com
To: BUGTRAQ@NETSPACE.ORG

In article <Pine.BSI.3.95.970422043557.16266A-100000@silence.secnet.com>,
Oliver Friedrichs <oliver@SECNET.COM> wrote:
> This advisory contains descriptions and solutions for two vulnerabilities
> present in current BIND distributions.  These vulnerabilities are actively
> being exploited on the Internet.
>
> I.  The usage of predictable IDs in queries and recursed queries allows for
>     remote cache corruption.  This allows malicious users to alter domain
>     name server caches to change the addresses and hostnames of hosts on the
>     internet.

Thanks for carefully describing the serious security vulnerability.

However, I think your patch won't fix the problem.

It attempts to make the query ID unpredictable, but fails -- the "random"
numbers it generates are still predictable (after a trivial 2^16 offline
trials).  And the seeding is terrible -- two years ago Netscape used
timeofday and pid to seed their PRNG, too, and look what happened to them.

Tell me I'm missing something.
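The objection above, shown in code. This is an added example, not code from the message, from the advisory, or from BIND itself: a hypothetical 16-bit linear congruential generator (constants 25173 and 13849 are an assumption chosen only to give a full period) seeded from the clock and the process id stands in for the patch's "random" query IDs. Because the seed space is 2^16, every seed can be tried offline against a couple of observed IDs, after which the next ID is known. The second generator draws each ID from the operating system's CSPRNG, so there is no small seed to enumerate.

```python
"""Added example: low-entropy seeding of a 16-bit query-ID generator versus
drawing IDs from a CSPRNG. Hypothetical code, not BIND's."""
import os
import secrets
import time

MASK16 = 0xFFFF  # DNS query IDs are 16 bits wide


class WeakIdGenerator:
    """Hypothetical 16-bit LCG whose whole state is the emitted ID.
    Constants 25173 / 13849 are an assumption (full period mod 2^16)."""

    def __init__(self, seed):
        self.state = seed & MASK16

    @classmethod
    def from_time_and_pid(cls):
        # Constructed seeding in the style the message criticises: the clock
        # and the pid supply far fewer than 16 bits of real uncertainty.
        return cls(int(time.time()) ^ os.getpid())

    def next_id(self):
        self.state = (self.state * 25173 + 13849) & MASK16
        return self.state


def recover_state(observed_ids):
    """Offline search over all 2^16 seeds for generators consistent with the
    IDs already seen. Each surviving generator is positioned just after the
    last observed ID, so its next_id() is the prediction."""
    candidates = []
    for seed in range(MASK16 + 1):
        gen = WeakIdGenerator(seed)
        if all(gen.next_id() == seen for seen in observed_ids):
            candidates.append(gen)
    return candidates


def predict_next(observed_ids):
    """Return the predicted next ID if the search narrows to one state."""
    candidates = recover_state(observed_ids)
    if len(candidates) != 1:
        return None
    return candidates[0].next_id()


class StrongIdGenerator:
    """Fix: every ID comes from the OS CSPRNG. There is no 16-bit seed, so
    observing past IDs gives no handle on the next one."""

    def next_id(self):
        return secrets.randbits(16)


def weak_generator_is_predictable():
    """Seed from time and pid, observe two IDs, predict the third offline."""
    weak = WeakIdGenerator.from_time_and_pid()
    seen = [weak.next_id(), weak.next_id()]
    return predict_next(seen) == weak.next_id()


if __name__ == "__main__":
    print("weak generator predicted:", weak_generator_is_predictable())
    print("strong generator sample ID:", StrongIdGenerator().next_id())
```

The search is cheap because the ID *is* the state: one observed ID already pins the seed, and the second only confirms it. A generator that hid its state behind a larger internal width would still fall to the same enumeration as long as the seed itself has only 16 bits of entropy, which is the point about time-of-day and pid seeding.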
