Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer)
From: "Jamie Riden" <jamie.riden@xxxxxxxxx>
Date: Tue, 24 Jul 2007 21:18:47 +0100
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=W80errbVgCrDUtgume5SCLW6GT2gs6tU2fCb0eVanvjcXQTXAjbHQvTheCPQArk+EgxBuutjmEd038N3fROrAqkxx6Mb1VrKnbiHx7+h5eh5WJmbeQY+qxoocVYxogBZKoGH6NFvrhT72eptuewdSqjLuvziY/RRW5DJSXzDK50=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=LWinVPdeAUBC2M2WmcbQaimH4GLC2qqIqcqRRog/5DKNko7jot+XOyGcThBCLFp3O5qdV5u/fVmmjWPLTWadqlWGScuNlnEBm13f0F1/JyVvLIxbdy03yXW8ywsaAoVQimTdwj4k4DC5OHVrODUk4YMob1ViVML0+0z/8WwevAc=
In-reply-to: <20070724174035.9273.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20070724174035.9273.qmail@xxxxxxxxxxxxxxxxx>

On 24 Jul 2007 17:40:35 -0000, securityfocus@xxxxxxxxxxxxxxxx
<securityfocus@xxxxxxxxxxxxxxxx> wrote:

I don't exactly see how this is new "News" since Zalewski's paper on TCP 
sequence number analysis (which included analysis of versions of BIND):

http://lcamtuf.coredump.cx/newtcp/


That article does not deal with attacks on BIND's PRNG.

As far as I can tell, Joe Stewart extended Zalewski's TCP sequence
number analysis to BIND's transaction IDs - however I don't think
Stewart's paper "DNS Cache Poisoning – The Next Generation" (
www.lurhq.com/dnscache.pdf ) goes as far as the recent BIND advisory
here - http://www.isc.org/sw/bind/bind-security.php:

"The DNS query id generation is vulnerable to cryptographic analysis
which provides a 1 in 8 chance of guessing the next query id for 50%
of the query ids. This can be used to perform cache poisoning by an
attacker."

I don't think that Amit's attack has been described before.

cheers,
Jamie
--
Jamie Riden / jamesr@xxxxxxxxxx / jamie@xxxxxxxxxxxxxxx
UK Honeynet Project: http://www.ukhoneynet.org/

Follow-Ups:
- Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer)
  - From: Gadi Evron
- Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer)
  - From: Theo de Raadt

References:
- Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer)
  - From: securityfocus

Prev by Date: PHPSysInfo Index.php Cross Site Scripting
Next by Date: Breakpoint Security: Encase Pre-Advisory
Previous by thread: Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer)
Next by thread: Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer)
Index(es):
- Date
- Thread