The Microsoft DNS Server spoofing vulnerability caught my eye this month, so I thought I’d delve into it a bit more. This isn’t a complicated issue by any stretch of the imagination, but it is an interesting one and has the potential to be quite lucrative for those of the less-than-nice variety, i.e. those individuals or groups who use phishing sites to trick us out of our hard-earned cash and learn our deepest and darkest secrets (not necessarily in that order).
In a nutshell, the vulnerability allows an attacker to poison the DNS cache of a vulnerable server, which lets the attacker direct unsuspecting victims to an attacker-specified IP address instead of the expected site. The problem occurs when the server performs a recursive lookup for a DNS request. (Recursive lookups occur when a cached entry has expired, by default after 24 hours, or when the server has no entry for the request.) Because DNS requests travel over UDP, the server needs a way to match and validate the responses it gets back, namely the transaction ID. However, the transaction IDs used by Windows Server 2000 and 2003 systems are easy to guess: a simple mathematical algorithm, given two or three previous IDs, can reveal the next one. The attacker can exploit this to impersonate a legitimate response and so poison the DNS cache.
An attack scenario may go something like this:
- The attacker locates a computer running a vulnerable DNS server
- The attacker issues a request to the vulnerable server for a DNS entry they wish to corrupt
- The vulnerable server issues a recursive lookup for the attacker-requested entry. The request will have a unique, yet easily computed, transaction ID.
- The attacker sends multiple spoofed responses, each with a different transaction ID, to the vulnerable server. The responses will provide the IP of an attacker-controlled site.
If any of the spoofed responses contains the required ID and is received by the vulnerable server prior to the legitimate response, the server will accept the response as valid and will update the DNS cache accordingly.
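The following Python model, added here and not part of the original post, shows why the transaction ID is the only thing standing between a forged answer and the cache, and why its predictability is the whole problem. It pairs a minimal caching resolver (accept a response only if a query for that name is outstanding and the ID matches) with two ID sources: a constructed, predictable one (an arithmetic progression, chosen for illustration; it is not the generator the vulnerable Windows DNS server used) and a CSPRNG-backed one, which is the mitigation. A forger that has seen a few earlier IDs extends the progression and sends a burst of answers around its prediction, as the scenario above describes. Names and IP addresses are documentation values made up for the example. The resolver's count of rejected responses is also returned, since a burst of mismatched-ID answers for one outstanding query is the signature a defender can watch for.

```python
import random
import secrets
from typing import Callable, Dict, List

TXID_SPACE = 1 << 16  # DNS transaction IDs are 16-bit values
LEGIT_IP = "192.0.2.10"    # constructed: the real address of the target name
FORGED_IP = "203.0.113.9"  # constructed: the attacker-controlled address
TARGET = "www.example.com"


def make_weak_txid_source(seed: int, step: int) -> Callable[[], int]:
    """Toy predictable generator: IDs advance by a fixed step modulo 2^16.
    Constructed for illustration only (NOT the Windows 2000/2003 algorithm);
    it shares the property the post describes: a few observed IDs reveal the next."""
    state = [seed % TXID_SPACE]

    def next_id() -> int:
        state[0] = (state[0] + step) % TXID_SPACE
        return state[0]
    return next_id


def make_random_txid_source() -> Callable[[], int]:
    """Unpredictable IDs from the OS CSPRNG: the fix for this class of bug."""
    return lambda: secrets.randbelow(TXID_SPACE)


class CachingResolver:
    """Minimal model of a recursive resolver's response validation."""

    def __init__(self, txid_source: Callable[[], int]) -> None:
        self.txid_source = txid_source
        self.pending: Dict[str, int] = {}   # name -> ID of the outstanding query
        self.cache: Dict[str, str] = {}     # name -> cached address
        self.rejected = 0                   # responses dropped for ID mismatch

    def query(self, name: str) -> int:
        txid = self.txid_source()
        self.pending[name] = txid
        return txid

    def response(self, name: str, txid: int, ip: str) -> bool:
        # The ID is the only check: no outstanding query or wrong ID -> drop.
        if self.pending.get(name) != txid:
            self.rejected += 1
            return False
        self.cache[name] = ip
        del self.pending[name]
        return True


def predict_from_observed(observed: List[int]) -> int:
    """Forger's guess: extend the difference seen between the last two IDs."""
    step = (observed[-1] - observed[-2]) % TXID_SPACE
    return (observed[-1] + step) % TXID_SPACE


def poisoning_trial(factory: Callable[[random.Random], Callable[[], int]],
                    burst_size: int, rng: random.Random) -> Dict[str, object]:
    resolver = CachingResolver(factory(rng))
    # Ordinary lookups first; whoever answers them sees the IDs, so the forger
    # is assumed to have observed these three values.
    observed = [resolver.query(f"warmup{i}.example") for i in range(3)]
    for i, txid in enumerate(observed):
        resolver.response(f"warmup{i}.example", txid, "192.0.2.1")
    # The resolver now sends the query the forger wants to race.
    real_txid = resolver.query(TARGET)
    # Burst of forged answers centred on the predicted ID arrives first.
    centre = predict_from_observed(observed)
    lo = -(burst_size // 2)
    for d in range(lo, lo + burst_size):
        if resolver.response(TARGET, (centre + d) % TXID_SPACE, FORGED_IP):
            break
    # The legitimate answer arrives last; it is accepted only if still pending.
    resolver.response(TARGET, real_txid, LEGIT_IP)
    return {"poisoned": resolver.cache[TARGET] == FORGED_IP,
            "rejected": resolver.rejected}


def success_rate(factory, burst_size: int, trials: int, seed: int = 1) -> float:
    rng = random.Random(seed)
    wins = sum(poisoning_trial(factory, burst_size, rng)["poisoned"]
               for _ in range(trials))
    return wins / trials


# Seed and step vary per trial so the forger cannot rely on a fixed value.
WEAK = lambda rng: make_weak_txid_source(rng.randrange(TXID_SPACE), rng.randrange(1, 1000))
RANDOM = lambda rng: make_random_txid_source()

if __name__ == "__main__":
    for label, factory in (("predictable IDs", WEAK), ("random IDs", RANDOM)):
        print(f"{label}: poisoned in {success_rate(factory, 64, 200):.1%} of trials")
```

With the predictable source every trial poisons the cache, because the forger's first guess is exact; with random IDs a burst of 64 guesses has a 64/65536 chance per race, and almost every trial ends with 64 rejected responses against one outstanding query, which is the anomaly a resolver log or IDS rule should surface.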
A poisoned DNS cache can have the effect of eliminating a step for the attacker. They no longer need to “phish” for victims (trick a user into following a malicious URI or visiting a malicious page). The user is automatically directed to the attacker’s site when they enter the address (e.g. www.example.com). DNS cache poisoning by itself or combined with other vulnerabilities (such as SSL Certificate spoofing) can greatly enhance an attacker’s ability to spoof a legitimate site and then do less-than-nice things to unsuspecting victims.