[NT] Cache Corruption on Microsoft DNS Servers
From: support@securiteam.com
Date: 09/01/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Cache Corruption on Microsoft DNS Servers
Message-Id: <20010901210819.D857A138BF@mail.der-keiler.de>
Date: Sat, 1 Sep 2001 23:08:19 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cache Corruption on Microsoft DNS Servers
------------------------------------------------------------------------
SUMMARY
The CERT/CC has received reports from sites experiencing cache corruption
on systems running Microsoft DNS Server. The default configuration of this
software allows data from malicious or incorrectly configured servers to
be cached in the DNS server. This corruption can result in erroneous DNS
information later being returned to any clients that use this server.
DETAILS
Vulnerable systems:
* Microsoft Windows NT 4.0 and Windows 2000 systems running Microsoft DNS
Server
In the default configuration, Microsoft DNS server will accept bogus glue
records from non-delegated servers. These bogus records will be added to
the cache when a client attempts to resolve a particular hostname served
by a malicious or incorrectly configured DNS server. The client can be
coerced to request such a hostname because of an otherwise non-malicious
piece of HTML email (such as spam) or in banner advertisements on
websites, to give some examples.
Based on information contained in reports of this activity, there are
sites actively engaged in this deceptive DNS resolution. These reports
indicate that malicious DNS servers are providing bogus glue records for
the generic top-level domain servers (gtld-servers.net) potentially
resulting in erroneous results (e.g., failed resolution or redirection)
for any DNS request.
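An added example, not part of the advisory and not Microsoft's code: a minimal bailiwick check of the kind a resolver can apply before caching, rejecting records whose owner name lies outside the zone the answering server was queried about. The RR type, the function names and the example.test records are constructed for illustration.

```python
from __future__ import annotations
from typing import NamedTuple

class RR(NamedTuple):
    section: str  # "answer", "authority" or "additional"
    name: str     # owner name of the record
    rtype: str
    rdata: str

def labels(name: str) -> list[str]:
    """Lower-cased labels of a domain name; the root zone is []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or a subdomain, compared label by label."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def filter_response(zone: str, records: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split a response into (cacheable, rejected) for a server queried about `zone`."""
    cacheable, rejected = [], []
    for rr in records:
        (cacheable if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return cacheable, rejected

# Constructed sample: reply from a server delegated only for example.test.
SAMPLE = [
    RR("answer", "www.example.test.", "A", "192.0.2.10"),
    RR("authority", "example.test.", "NS", "ns1.example.test."),
    RR("additional", "ns1.example.test.", "A", "192.0.2.53"),
    # Bogus glue of the kind the advisory describes: outside the delegated zone.
    RR("additional", "a.gtld-servers.net.", "A", "203.0.113.66"),
]

if __name__ == "__main__":
    ok, bad = filter_response("example.test", SAMPLE)
    for rr in ok:
        print("cache :", rr.section, rr.name, rr.rtype, rr.rdata)
    for rr in bad:
        print("reject:", rr.section, rr.name, rr.rtype, rr.rdata)
```

The comparison is done on whole labels, so a look-alike such as badexample.test is not treated as part of example.test.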
Impact:
Clients resolving hostnames against the corrupted cache can be unknowingly
redirected to illegitimate sites. Additionally, applications that rely on
DNS information for authentication or access control can potentially be
manipulated by erroneous information stored in the cache.
Solutions:
Apply the workarounds supplied by Microsoft at
<http://support.microsoft.com/support/kb/articles/Q241/3/52.ASP>
ADDITIONAL INFORMATION
The information has been provided by Chad Dougherty, Roman Danyliw of CERT
(cert@cert.org, subject "IN-2001-11 Feedback").
More information about the problem can be found at:
<http://www.kb.cert.org/vuls/id/109475> VU#109475 - Microsoft Windows NT
and 2000 Domain Name Servers allow non-authoritative RRs to be cached by
default
Secure server cache against names pollution
<http://www.microsoft.com/WINDOWS2000/en/server/help/sag_DNS_pro_SecureCachePollutedNames.htm>
How to Prevent DNS Cache Pollution (Q241352)
<http://support.microsoft.com/support/kb/articles/Q241/3/52.ASP>
<http://msdn.microsoft.com/library/en-us/regentry/46753.asp>