User: Password:
Subscribe / Log in / New account


Details of the DNS flaw revealed

By Jake Edge
August 13, 2008

Dan Kaminsky spoke to a packed house at Black Hat on 6 August to outline the fundamental flaw he found in the Domain Name System (DNS). Contrary to his hopes, though, the flaw was discovered and publicized before his presentation. The vulnerability is interesting in its own right, but the implications of what can be done with it are staggering. In addition, the "fix" has well understood shortcomings that can still potentially be exploited to poison DNS caches.

We reported on the vulnerability in early July, including Kaminsky's request that security folks not publicly speculate about the flaw. As one might guess, that request was largely ignored. When security researcher Halvar Flake published his speculation, another researcher, who was known to have the details of the flaw, publicly confirmed it, but just as quickly removed the confirmation. While it sounds a bit like a security community soap opera, it was fairly clearly caused by the attempt to contain the vulnerability information.

An important part of DNS is the ability to delegate to another nameserver. When looking up, first one of the root nameservers is consulted; it does not know the answer so it delegates to one of the nameservers that handles .net addresses. The delegation response includes the names of the servers being delegated to, but also helpfully includes the IP address of those servers as well. It is this helpful addition, which is meant to reduce DNS traffic, that can be exploited.

The key to DNS cache poisoning is that the first good answer wins. If an attacker can send a packet with all of the proper information, but with his own IP address substituted for the correct one, and that packet reaches the querying server first, the attacker wins. In order for that to happen, the attacker needs to arrange or know that the victim will be making a particular query as well as be able to create a response that will be considered "good".

Each DNS query has a 16-bit transaction ID; early implementations just had an incrementing counter, but since that time random transaction IDs have been used. In order for a DNS response to be accepted, it must have the same transaction ID as the request. Just over a year ago, we wrote about a cache poisoning vulnerability in BIND that was caused by a predictable random number generator. When an attacker can narrow down the possible values for transaction IDs, it reduces the number of responses they must generate commensurately.

Absent any method to predict transaction IDs, an attacker must send 32K responses on average before the correct response arrives—which is difficult, at best, to do. If the attacker can cause the victim to make multiple requests, though, they can increase their chances. Because DNS servers cache the results of their queries, repeated requests for the same host information will not generate additional lookups.

Kaminsky observed that if you make the victim request information about multiple, probably non-existent names in a domain, it will have to make a request to the nameserver responsible for that domain multiple times. If the victim queries for,, etc., it will use a different, random transaction ID for each request. The attacker can flood the victim with packets purporting to delegate the request to another server, say, but include an IP address under its control as the IP for that server.

The net result is that if one of the attacker's responses gets accepted, because it finally guessed the right transaction ID, the victim's nameserver cache has been poisoned. The attacker can control all lookups in the entire domain because it has substituted its own server as the nameserver for that domain. Because of the birthday paradox, the attacker does not need to generate anywhere near 32K responses to have a high probability of having one with a correct transaction ID. In his testing, Kaminsky found that he could poison a cache like this in less than 10 seconds.

This technique works all the way up the hierarchy of DNS servers, potentially allowing top-level-domain or root nameservers to be poisoned. It is clearly a very serious flaw that can be exploited in a huge number of ways. Kaminsky's Black Hat slides [Powerpoint format, but viewable in OpenOffice], detail many different implications and are well worth a read. Also, for an excellent description of how DNS works as well as more details on the flaw Kaminsky found, see Steve Friedl's illustrated guide.

The "fix" that was rolled out in a coordinated fashion by many different vendors is to randomize the source UDP port for each query. This is a technique that was implemented years ago in Daniel Bernstein's djbdns and has been recommended by various cache poisoning researchers (notably Amit Klein) for some time. By doing this, an attacker must also guess the proper UDP port to send the response to, which can provide up to an additional 16 bits of randomness to the query. In the best case, where all possible UDP source ports are used, that increases the number of possible responses from 64K to over 4 billion.

That seems like it would take the attack out of the realm of possibility, but that clearly isn't the case. Kaminsky and the vendors all knew that adding source port randomization only made it harder—not impossible. Linux kernel hacker Evgeniy Polyakov has done some experiments with the patched version of BIND on a gigabit ethernet LAN, finding that he could poison a cache in under ten hours. As he points out: "So, if you have a GigE lan, any trojaned machine can poison your DNS during one night."

Other solutions are actively being sought, but it is a difficult problem because backward compatibility with countless DNS installations needs to be maintained. As always when a DNS problem is publicized, DNSSEC is touted as the solution. There are numerous technical and political problems that have stood in the way of DNSSEC adoption; those seem unlikely to just disappear.

This DNS flaw is serious, but there are plenty of serious internet security issues as Kaminsky points out in his blog:

Even if we go from 32 bits of entropy to 128 bits — even if we deploy DNSSec — we're still going to deliver email insecurely. We're still going to have an almost entirely unauthenticated web. We're still going to ignore SSL certificate errors, and we're still going to have application after application that can't autoupdate securely.

That, at the end of the day, is a far larger problem than this particular DNS issue.

While there may be bigger problems in our internet infrastructure, there are few things that are as pervasive as DNS. Kaminsky points out a number of non-obvious places where it is used—and could be abused—such as mailer lookups of HELO strings to try and decide whether to accept email or web servers doing reverse lookups for logfile messages. It is a little surprising that something so integral had such an obvious, in retrospect, flaw in its design that went undetected for around 25 years. It makes one wonder what else is lurking out there.

Comments (27 posted)

Brief items

EFF: MIT Students Gagged by Federal Court Judge

Three MIT students have been ordered by a US Federal judge to cancel their presentation at DEFCON in Las Vegas. The Massachusetts Bay Transit Authority (MBTA) sued the students to stop the presentation of security problems with MBTA fare cards. In a special Saturday court session, they were ordered not to disclose their findings for ten days. The Electronic Frontier Foundation represented the students, click below for their press release. "The court relied on a federal law aimed at computer intrusions in issuing its order, holding that even discussing the flaws at a public conference constituted a 'transmission' of a computer program that could harm the fare collection system."

Full Story (comments: 15)

Keyczar - simple cryptography

The Keyczar project, initially developed at Google, has announced its existence. "Cryptography is easy to get wrong. Developers can choose improper cipher modes, use obsolete algorithms, compose primitives in an unsafe manner, or fail to anticipate the need for key rotation. Keyczar abstracts some of these details by choosing safe defaults, automatically tagging outputs with key version information, and providing a simple programming interface." It is distributed under the Apache 2 license.

Comments (none posted)

An Illustrated Guide to the Kaminsky DNS Vulnerability

Steve Friedl has a comprehensive guide to the Kaminsky DNS vulnerability. Lavishly illustrated with packet dumps and network traffic diagrams, it explains DNS and what Kaminsky found in great detail. "This has been an exceptionally serious vulnerability because it undermines the very faith in DNS: this is at the core of the internet. Most experts believe that if you can't trust DNS, all else is lost, and we're of this same mind."

Comments (32 posted)

New vulnerabilities

acroread: arbitrary code execution

Package(s):moodle, opera, libxcrypt, acroread, gnumeric CVE #(s):CVE-2008-2641
Created:August 8, 2008 Updated:August 13, 2008

From the SUSE advisory:

An unspecified vulnerability in acroread allowed remote attackers to cause a denial-of-service or possibly execute arbitrary code via unknown vectors. (CVE-2008-2641).

SuSE SUSE-SR:2008:016 moodle, opera, libxcrypt, acroread, gnumeric 2008-08-08
Gentoo 200808-10 acroread 2008-08-09

Comments (none posted)

clamav: denial of service

Package(s):clamav CVE #(s):CVE-2008-3215
Created:August 8, 2008 Updated:August 13, 2008

From the CVE entry:

libclamav/petite.c in ClamAV before 0.93.3 allows remote attackers to cause a denial of service via a malformed Petite file that triggers an out-of-bounds memory access. NOTE: this issue exists because of an incomplete fix for CVE-2008-2713.

Gentoo 200808-07 clamav 2008-08-08
Mandriva MDVSA-2008:166 clamav 2007-08-12

Comments (none posted)

condor: unauthorized access

Package(s):condor CVE #(s):CVE-2008-3424
Created:August 11, 2008 Updated:October 8, 2008

From the Red Hat advisory:

A flaw was found in the way Condor interpreted wildcards in authorization lists. Certain authorization lists using wildcards in DENY rules, such as DENY_WRITE or HOSTDENY_WRITE, that conflict with the definitions in ALLOW rules, could permit authenticated remote users to submit computation jobs, even when such access should have been denied. (CVE-2008-3424)

Fedora FEDORA-2008-7205 condor 2008-08-12
Red Hat RHSA-2008:0814-01 condor 2008-08-11
Red Hat RHSA-2008:0816-01 condor 2008-08-11

Comments (none posted)

git: denial of service

Package(s):git CVE #(s):CVE-2008-3546
Created:August 13, 2008 Updated:February 23, 2009

From the rPath advisory:

Previous versions of the git package are vulnerable to a Denial of Service in which repositories using long path-names may cause buffer overflows and application crashes on certain platforms. It has not been determined that this vulnerability can be exploited to execute malicious code.

Slackware SSA:2009-051-02 git 2009-02-23
Ubuntu USN-723-1 git-core 2009-02-18
Fedora FEDORA-2008-9080 git 2008-10-23
Gentoo 200809-16 git 2008-09-25
Debian DSA-1637-1 git-core 2008-09-15
rPath rPSA-2008-0253-1 git 2008-08-12

Comments (none posted)

hplip: multiple vulnerabilties

Package(s):hplip CVE #(s):CVE-2008-2940 CVE-2008-2941
Created:August 13, 2008 Updated:January 21, 2009

From the Red Hat advisory:

A flaw was discovered in the hplip alert-mailing functionality. A local attacker could elevate their privileges by using specially-crafted packets to trigger alert mails, which are sent by the root account. (CVE-2008-2940)

A flaw was discovered in the hpssd message parser. By sending specially-crafted packets, a local attacker could cause a denial of service, stopping the hpssd process. (CVE-2008-2941)

rPath rPSA-2009-0014-1 hplip 2009-01-20
Ubuntu USN-674-2 hplip 2008-11-24
Ubuntu USN-674-1 hplip 2008-11-19
SuSE SUSE-SR:2008:021 cups, hplip, apache2-mod_php5, openldap2 2008-10-17
Mandriva MDVSA-2008:169 hplip 2007-08-13
Red Hat RHSA-2008:0818-02 hplip 2008-08-12

Comments (none posted)

moodle: multiple vulnerabilities

Package(s):moodle, opera, libxcrypt, acroread, gnumeric CVE #(s):CVE-2008-3325 CVE-2008-3326
Created:August 8, 2008 Updated:December 22, 2008

From the SUSE advisory:

An incorrect input validation in moodle could be exploited by remote attackers to inject arbitrary script code or to forge HTTP requests (CVE-2008-3325, CVE-2008-3326).

Debian DSA-1691-1 moodle 2008-12-22
SuSE SUSE-SR:2008:016 moodle, opera, libxcrypt, acroread, gnumeric 2008-08-08

Comments (none posted)

opera: information leak

Package(s):moodle, opera, libxcrypt, acroread, gnumeric CVE #(s):CVE-2008-3078
Created:August 8, 2008 Updated:August 13, 2008

From the SUSE advisory:

Opera did not properly manage memory within functions supporting the CANVAS element. This allowed attackers to read unintitialized memory contents using malicious JavaScript code (CVE-2008-3078).

SuSE SUSE-SR:2008:016 moodle, opera, libxcrypt, acroread, gnumeric 2008-08-08

Comments (none posted)

pdns: simpler spoofing attacks

Package(s):pdns CVE #(s):CVE-2008-3337
Created:August 8, 2008 Updated:December 22, 2008

From the Red Hat bugzilla:

PowerDNS does not respond to certain queries it considers malformed. This in itself is not a problem, and was even thought of as a security measure.

Brian and Florian have discovered that not answering a query for an invalid DNS record within a valid domain allows for a larger spoofing window of the valid domain. Because of the Kaminsky-discovery, this has become bad.

For a sophisticated attacker, this provides no benefit. However, such a long window allows unsophisticated hackers to achieve better results.

Gentoo 200812-19 pdns 2008-12-19
SuSE SUSE-SR:2008:017 powerdns, dnsmasq, python, mailman, ruby, Opera, neon, rxvt-unicode, perl, wireshark, namazu, gnome-screensaver, mysql 2008-08-29
SuSE SUSE-SA:2008:041 openwsman 2008-08-14
Fedora FEDORA-2008-7048 pdns 2008-08-07
Debian DSA-1628-1 pdns 2008-08-10
Fedora FEDORA-2008-7083 pdns 2008-08-07

Comments (none posted)

uudeview: insecure temporary file creation

Package(s):uudeview CVE #(s):CVE-2008-2266
Created:August 12, 2008 Updated:August 13, 2008
Description: From the Gentoo advisory: UUdeview makes insecure usage of the tempnam() function when creating temporary files. NZBGet includes a copy of the vulnerable code. A local attacker could exploit this vulnerability to overwrite arbitrary files on the system.
Gentoo 200808-11 uudeview 2008-08-11

Comments (none posted)

vim: arbitrary command execution

Package(s):gvim CVE #(s):CVE-2008-2712
Created:August 12, 2008 Updated:March 24, 2009
Description: From the CVE entry: Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (2) zipplugin, (3) xpm.vim, (4) gzip_vim, and (5) netrw.
SuSE SUSE-SR:2009:007 vim, gvim, apache2, opera, multipath tools, java-1_6_0-openjdk, imp, horde, lcms, moodle, ghostscript 2009-03-24
Debian DSA-1733 vim 2009-03-03
Ubuntu USN-712-1 vim 2009-01-27
Mandriva MDVSA-2008:236-1 vim 2008-12-08
Mandriva MDVSA-2008:236 vim 2008-12-03
CentOS CESA-2008:0580 vim 2008-11-26
CentOS CESA-2008:0617 vim 2008-11-25
Red Hat RHSA-2008:0618-01 vim 2008-11-25
Red Hat RHSA-2008:0617-01 vim 2008-11-25
Red Hat RHSA-2008:0580-01 vim 2008-11-25
rPath rPSA-2008-0247-1 gvim 2008-08-11

Comments (none posted)

xine-lib: buffer overflow

Package(s):xine-lib CVE #(s):CVE-2008-1110
Created:August 7, 2008 Updated:August 21, 2008
Description: xine-lib has a buffer overflow vulnerability. From the National Vulnerability Database entry: Buffer overflow in demuxers/demux_asf.c (aka the ASF demuxer) in the plugin in xine-lib before 1.1.10 allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a crafted ASF header.
Mandriva MDVSA-2008:178 xine-lib 2008-08-20
Ubuntu USN-635-1 xine-lib 2008-08-06

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds