[REVS] OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 13 Feb 2008 12:24:18 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID
Vulnerability
------------------------------------------------------------------------
SUMMARY
A serious weakness has been discovered in OpenBSD's PRNG, which allows an
attacker to predict the next transaction ID (typically up to 8-10 guesses)
given a series of consecutive 12-15 transaction IDs.
DETAILS
Recently Amit'has been looking at the OpenBSD PRNG implementation for DNS
transaction ID (OpenBSD ported BIND 9 into their code tree, but rolled
their own PRNG for the DNS transaction ID field). Amit discovered a
serious weakness in OpenBSD's PRNG, which allows an attacker to predict
the next transaction ID (typically up to 8-10 guesses) given a series of
consecutive 12-15 transaction IDs. As you may appreciate, this enables DNS
cache poisoning for OpenBSD much like my earlier attacks on BIND 9, BIND 8
and Microsoft Windows DNS server.
Interestingly enough, OpenBSD uses a flavor of this PRNG for another
field, this time the IP fragmentation ID, part of the OpenBSD kernel
network stack. The analysis carries out quite similarly to show that
OpenBSD's IP ID is predictable as well, which gives way to O/S
fingerprinting, idle-scanning, host alias detection, traffic analysis, and
in some cases, even to TCP blind data injection.
But it gets more interesting. Several other BSD operating systems copied
the OpenBSD code for their own IP ID PRNG, so they're
vulnerable too. This is particularly so with Apple's Mac OS X, Mac OS X
Server and Darwin, but also with NetBSD, FreeBSD and DragonFlyBSD (the 3
latter O/S however only use this PRNG when the kernel flag
net.inet.ip.random_id is set to 1; it is 0 by default, resulting in a
sequential counter to be used instead...). OpenBSD, NetBSD and FreeBSD
also use this PRNG for IP fragmentation ID normalization feature (e.g.
"scrub out random-id") in the packet filter module.
Somewhat more distant flavors are used for various IPv6 fields across many
BSD operating systems, which may be affected, and
some other O/S not mentioned here, including possibly non-BSD O/S may be
affected, since this code seems to have been extensively copied and
modified.
All the above mentioned vendors were contacted November 2007. FreeBSD,
NetBSD and DragonFlyBSD committed a fix to their
respective source code trees. OpenBSD decided not to fix, and Apple
refused to provide any schedule for such fix.
The impact per O/S is summarized below:
* OpenBSD 3.3-4.2
o DNS server cache poisoning (predictable DNS transaction ID).
* OpenBSD 2.6-4.2
o Idle-scanning, O/S fingerprinting, host alias detection, traffic
analysis, TCP blind data injection, etc. (predictable IP fragmentation ID)
in "regular" IP packets and raw IP packets.
o Predictable IP fragmentation ID in Ethernet-inside-IP encapsulation,
IP-inside-IP encapsulation, the CARP protocol, IP multicast routing,
pfsync interface protocol, packet filter (IP packet normalization), and
network bridge (ICMP error packets).
* OpenBSD 2.5-4.2
o libc resolver predictable DNS transaction ID (the source UDP port is
random though).
* Mac OS X 10.0-10.5.1, Mac OS X Server 10.0-10.5.1, Darwin 1.0-9.1
o Idle-scanning, O/S fingerprinting, host alias detection, traffic
analysis, TCP blind data injection, etc. (predictable IP fragmentation ID)
in "regular" IP packets and raw IP packets.
o Predictable IP fragmentation ID in DHCP, IP multicast routing and
IPsec encapsulation in IP.
* NetBSD 1.6.2-4.0
o Idle-scanning, O/S fingerprinting, host alias detection, traffic
analysis, TCP blind data injection, etc. when the packet filter is used to
normalize outbound IP packets (predictable IP fragmentation ID).
o Predictable IP fragmentation ID in the CARP protocol.
* NetBSD 1.6.2-4.0 (if the kernel flag net.inet.ip.random_id is 1)
o Idle-scanning, O/S fingerprinting, host alias detection, traffic
analysis, TCP blind data injection, etc. (predictable IP fragmentation ID)
in "regular" IP packets and raw IP packets.
o Predictable IP fragmentation ID in IP multicast routing, IP-inside-IP
encapsulation and IPsec encapsulation in IP.
* FreeBSD 4.4-7.0
o Idle-scanning, O/S fingerprinting, host alias detection, traffic
analysis, TCP blind data injection, etc. when the packet filter is used to
normalize outbound IP packets (predictable IP fragmentation ID).
o Predictable IP fragmentation ID in the pfsync interface protocol.
* FreeBSD 4.4-7.0 (if the kernel flag net.inet.ip.random_id is 1)
o Idle-scanning, O/S fingerprinting, host alias detection, traffic
analysis, TCP blind data injection, etc. (predictable IP fragmentation ID)
in "regular" IP packets and raw IP packets.
o Predictable IP fragmentation ID in the CARP protocol, IP multicast
routing, SCTP, IP-inside-IP encapsulation and IPv6 over GRE.
* DragonFlyBSD 1.0-1.10.1 (if the kernel flag net.inet.ip.random_id is 1)
o Idle-scanning, O/S fingerprinting, host alias detection, traffic
analysis, TCP blind data injection, etc. (predictable IP fragmentation ID)
in "regular" IP packets and raw IP packets.
o Predictable IP fragmentation ID in the CARP protocol, IP multicast
routing, and IP-inside-IP encapsulation.
ADDITIONAL INFORMATION
The information has been provided by <mailto:amit.klein@xxxxxxxxxxxx>
Amit Klein.
The original article can be found at:
<http://www.trusteer.com/docs/dnsopenbsd.html>
http://www.trusteer.com/docs/dnsopenbsd.html
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NT] Novell Client NWSPOOL.DLL EnumPrinters Stack Overflow Vulnerability
- Next by Date: [UNIX] Apache mod_negotiation XSS and Http Response Splitting
- Previous by thread: [NT] Novell Client NWSPOOL.DLL EnumPrinters Stack Overflow Vulnerability
- Next by thread: [UNIX] Apache mod_negotiation XSS and Http Response Splitting
- Index(es):
Relevant Pages
|
