<<< Date Index >>>     <<< Thread Index >>>

Microsoft Windows DNS Stub Resolver Cache Poisoning (MS08-020)



Hello BugTraq,

The Microsoft Windows DNS stub resolver (the component in Windows
that queries the upstream DNS server for address resolutions on
behalf of most Windows programs, e.g. browsers) sends predictable
DNS queries with respect to DNS transaction ID and source UDP
port. This allows some interesting attacks on DNS clients (i.e.
desktops), including DNS cache poisoning of the client's local
DNS cache (which is maintained by the stub resolver).

Affected products: Windows Vista, Windows XP SP2, Windows 2003
and Windows 2000 SP4.

Microsoft was informed on April 30th, 2007. Microsoft security
bulletin MS08-020 (released today) addresses this issue.

For the full details, please read the paper "Microsoft Windows
DNS Stub Resolver Cache Poisoning" by yours truly, which you can
download in the following URL:

http://www.trusteer.com/docs/windowsresolver.html

Note that the subject of DNS cache poisoning was widely discussed
in the context of caching DNS server. The case of the (caching)
stub resolver was very little discussed though, partly due to the
belief that this problem is limited to the LAN. However, the
paper covers some interesting scenarios which extend beyond the
simple LAN attack - e.g. in some cases, this attack can be used
to actually poison a caching DNS server, and in another example,
multi-homed clients are shown to be particularly vulnerable.


Thanks,

Amit Klein
CTO
Trusteer