[8544] in bugtraq
Re: NT DNS hacked ... ?
daemon@ATHENA.MIT.EDU (bobk)
Fri Nov 13 18:48:22 1998
Date: Fri, 13 Nov 1998 18:24:30 -0500
Reply-To: bobk <bobk@SINISTER.COM>
From: bobk <bobk@SINISTER.COM>
X-To: Marc Slemko <marcs@ZNEP.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.BSF.4.05.9811130857090.12077-100000@alive.znep.com>
On Fri, 13 Nov 1998, Marc Slemko wrote:
> On Thu, 12 Nov 1998, John Fraizer wrote:
>
> > You weren't hacked. It was NetSol/InterNIC showing us just how lame they
> > are again by corrupting root servers.
> >
> > http://www.news.com/News/Item/0,4,28664,00.html?st.ne.fd.mdh
>
> The above is unrelated to the below, AFAIK.
>
> > At 11:47 AM 11/11/98 -0500, you wrote:
> > >Anyone running MS's DNS notice, overnite or so, their cache files
> > >(specifically the root name servers) replaced with a handful of entries for
> > >allegro.net ... ?
>
> The only thing that the Internic being idiots would have done, as far as I
> have any evidence of, is claim that .com domains do not exist.
>
> If your nameserver's cache was corrupted to think that allegro.net is
> authoritative for .com (or .), then that is NOT related. While I would
> need exact output from sample queries to the server to tell for sure, it
> would appear that, if what the poster above said is true, the software
> they are running is vulnerable to cache pollution, just like old versions
> of BIND are. This is quite bad, both because someone with malicious
> intent can do evil things and because there are an increasing number of
> accidental situations where people somehow misconfigure their servers to
> claim false authority.
For some reason, my first message on this topic was not accepted by
Aleph1. Hence, I will attempt to repeat what I sent upon the first report
of this problem to this list:
Microsoft's DNS server is vulnerable to two different types of
cache-poisoning attacks, while the latest versions of BIND are only known
to be vulnerable to one type:
"cache corruption through attachment of unrelated additional records" is
the simpler of the two methods, and is the one most likely used to corrupt
your server. As far as I know, there is no Microsoft fix for this. BIND
used to be vulnerable to this, but the latest versions of it are not.
"cache corruption through sequence ID prediction" is a more complex
attack. Both Microsoft and BIND are vulnerable to this. Luckily, there
aren't many crackers attempting to use this, as far as I can tell. There
is no complete protection for this attack, even though vendors of DNS
software have known about the vulnerability for years.
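As an added illustration that is not part of this thread or of any vendor's code: a small Python sketch of the bailiwick check that later BIND releases apply against the first attack described above, discarding additional records that the queried server has no authority to assert. The response below is constructed (documentation addresses, the allegro.net name taken from the report) to show a poisoned .com delegation being dropped rather than cached.

```python
from typing import List, NamedTuple


class RR(NamedTuple):
    """One resource record from a DNS response (names carry a trailing dot)."""
    name: str       # owner name
    rtype: str      # "A", "NS", ...
    rdata: str      # address or target name
    section: str    # "answer", "authority" or "additional"


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or falls beneath it.
    The root zone "." covers every name."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    if zone == "":                      # root: everything is in scope
        return True
    return name == zone or name.endswith("." + zone)


def filter_response(zone: str, records: List[RR]) -> List[RR]:
    """Return only the records the server we asked is allowed to assert.
    `zone` is the delegation that led the resolver to that server, i.e. its
    bailiwick. Anything outside it (say, NS records for "com." riding along
    in the additional section) is discarded instead of cached."""
    return [rr for rr in records if in_bailiwick(rr.name, zone)]


# Constructed response: the resolver asked example.com's own nameserver for
# www.example.com, and the reply carries two unrelated extra records of the
# kind described in the thread (a bogus delegation for all of .com).
SAMPLE_RESPONSE = [
    RR("www.example.com.", "A",  "192.0.2.10",       "answer"),
    RR("example.com.",     "NS", "ns1.example.com.", "authority"),
    RR("ns1.example.com.", "A",  "192.0.2.1",        "additional"),
    RR("com.",             "NS", "ns.allegro.net.",  "additional"),  # out of bailiwick
    RR("ns.allegro.net.",  "A",  "198.51.100.7",     "additional"),  # out of bailiwick
]

if __name__ == "__main__":
    for rr in filter_response("example.com.", SAMPLE_RESPONSE):
        print("cache:", rr)
    for rr in SAMPLE_RESPONSE:
        if not in_bailiwick(rr.name, "example.com."):
            print("drop: ", rr)
```

This check does nothing against the second attack (transaction ID prediction), where the forged reply is entirely in bailiwick; that one needs unpredictable query IDs and ports on the resolver side.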