Paper by Amit Klein (Trusteer): "PowerDNS Recursor DNS Cache Poisoning [pharming]"



Hello BugTraq

Once again, a DNS cache poisoning against a popular DNS cache
server. This time, it's PowerDNS (the third most popular DNS
server, servicing over 40 million users). The vendor coded
several impressive security measures against DNS spoofing (e.g.
UDP source port randomization and spoofed response detection),
but relied on the standard C randomization facility (the rand()
and srand() functions in <stdlib.h>). The two popular stdlib
implementations analyzed, glibc (used with GNU C++ for Linux/
Unix-like systems) and MSVCRT (used with Microsoft's MSVC for
Windows) are shown to be easily predictable, thus enabling an
attacker to predict the DNS queries sent by PowerDNS Recursor,
and in turn mount an efficient and effective DNS cache poisoning
attack (or a pharming attack, as it is often called today).

PowerDNS's security contact, Bert Hubert, responded in a quick
and professional manner - an immediate fix was silently
incorporated (with my blessing) in Recursor 3.1.5-snapshot5 which
was released less than 6 hours after the initial report. A stable
version, Recursor 3.1.5, that "officially" includes the fix, is
announced today, and is available for immediate download (see
http://doc.powerdns.com/powerdns-advisory-2008-01.html).

The full analysis can be found in the following link:

http://www.trusteer.com/docs/powerdnsrecursor.html


Thanks,
-Amit
CTO, Trusteer
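
Added example, not part of the original post and not PowerDNS code: a 16-bit query ID drawn from a rand()-style generator, beside one drawn from the kernel CSPRNG. The generator is the widely documented MSVCRT rand() recurrence, reimplemented locally; the names weak_rng, weak_next, weak_streams_match and strong_id16 and the use of /dev/urandom are assumptions, since the post does not show how Recursor derived its values or what the 3.1.5 fix uses.

```c
#include <stdint.h>
#include <stdio.h>

/* Widely documented MSVCRT rand() recurrence, reimplemented here so the
   example behaves identically on every platform. Names are hypothetical. */
typedef struct { uint32_t state; } weak_rng;

static void weak_seed(weak_rng *r, uint32_t seed) { r->state = seed; }

static uint16_t weak_next(weak_rng *r)
{
    r->state = r->state * 214013u + 2531011u;      /* whole state: 32 bits */
    return (uint16_t)((r->state >> 16) & 0x7fff);  /* 15 bits per call */
}

/* Returns 1 when two generators given the same seed emit the same n values,
   i.e. every "random" ID is a pure function of the seed. */
static int weak_streams_match(uint32_t seed, int n)
{
    weak_rng a, b;
    weak_seed(&a, seed);
    weak_seed(&b, seed);
    for (int i = 0; i < n; i++)
        if (weak_next(&a) != weak_next(&b))
            return 0;
    return 1;
}

/* Hardened form (assumption: Unix-like host providing /dev/urandom).
   Fails closed: returns -1 instead of falling back to a weak generator. */
static int strong_id16(uint16_t *out)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t got = fread(out, sizeof *out, 1, f);
    fclose(f);
    return got == 1 ? 0 : -1;
}

int main(void)
{
    weak_rng r;
    uint16_t id = 0;
    weak_seed(&r, 1);                               /* constructed seed */
    printf("weak id 1: %u\n", (unsigned)weak_next(&r));
    printf("weak id 2: %u\n", (unsigned)weak_next(&r));
    printf("same seed, same stream: %d\n", weak_streams_match(1, 1000));
    if (strong_id16(&id) == 0)
        printf("csprng id: %u\n", (unsigned)id);
    return 0;
}
```

A caller of strong_id16 should treat -1 as a hard error and refuse to send the query rather than substitute a rand() value.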


