Re: Cache Corruption on Microsoft DNS Servers

From: Valentin Milev (V.Milev@government.bg)
Date: 10/31/01


Message-ID: <3BE03851.C3D0C251@government.bg>
Date: Wed, 31 Oct 2001 19:43:45 +0200
From: Valentin Milev <V.Milev@government.bg>
To: Alexandre Freire <afreire@modulo.com.br>
Subject: Re: Cache Corruption on Microsoft DNS Servers


I have a similar problem - the Cache file was replaced with 3 entries of 1
address - free domain name registration and popup advertiser. Because I don't
support these guys, I cannot find reasons for this problem (no one can tell me
who were the last people working on the server). I think that it is the result of a
Trojan or Java applet, but it's not a hack (the computer was behind a firewall,
and I support more than 15 NT servers connected to the internet - the only
affected machine was this one).

The problem was resolved by replacing the cache file with a correct cache file (you
can take it from your master DNS).

Success!!!

Alexandre Freire wrote:

> Hello all;
>
> I have had a problem in one of the companies I'm providing
> consulting to. Two of the servers are running Windows NT 4.0 and someone has
> changed the contents of the cache data. For a while (the time we spent to
> discover the problem), the www was changed to another web site.
>
> Only the secondary DNS Server was affected. The Primary one was not changed.
> I was trying to discover what could have happened when I realized that there
> is a vulnerability on the Microsoft DNS Servers that could lead to Cache
> Corruption.
>
> I've found some documents that explain the vulnerability and all of them
> instruct the creation of the following registry key to avoid the attack:
>
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
>
> Value Name: SecureResponses
> Data Type: REG_DWORD
> Value: 1 (To eliminate non-secure data)
>
> Are there any additional procedures I can do in order to avoid this kind of
> attack? The Server is running SP6a and I've applied the Microsoft Network
> Security Hotfix Checker 3.2 in order to look for post-SP6a fixes I could
> apply to fix the DNS problem and it did not return any hotfix regarding this
> issue.
>
> Thanks for your attention.
> Regards
>
> Alex.
>
> The following is a copy of the Incident Note published on CERT :
>
> CERT® Incident Note IN-2001-11
> Cache Corruption on Microsoft DNS Servers
>
> Systems Affected
> Microsoft Windows NT 4.0 and Windows 2000 systems running Microsoft DNS
> Server
>
> I - Overview
> The CERT/CC has received reports from sites experiencing cache corruption on
> systems running Microsoft DNS Server. The default configuration of this
> software allows data from malicious or incorrectly configured servers to be
> cached in the DNS server. This corruption can result in erroneous DNS
> information later being returned to any clients which use this server.
>
> II. - Description
> In the default configuration, Microsoft DNS server will accept bogus glue
> records from non-delegated servers. These bogus records will be added to the
> cache when a client attempts to resolve a particular hostname served by a
> malicious or incorrectly configured DNS server. The client can be coerced to
> request such a hostname as a result of an otherwise non-malicious piece of
> HTML email (such as spam) or in banner advertisements on websites, to give
> some examples.
> Based on information contained in reports of this activity, there are sites
> actively engaged in this deceptive DNS resolution. These reports indicate
> that malicious DNS servers are providing bogus glue records for the generic
> top-level domain servers (gtld-servers.net) potentially resulting in
> erroneous results (e.g., failed resolution or redirection) for any DNS
> request.
>
> More information about the problem can be found at
> VU#109475 - Microsoft Windows NT and 2000 Domain Name Servers allow
> non-authoritative RRs to be cached by default
> http://www.kb.cert.org/vuls/id/109475
>
> Secure server cache against names pollution
> http://www.microsoft.com/WINDOWS2000/en/server/help/sag_DNS_pro_SecureCachePollutedNames.htm
>
> How to Prevent DNS Cache Pollution (Q241352)
> http://support.microsoft.com/support/kb/articles/Q241/3/52.ASP
> http://msdn.microsoft.com/library/en-us/regentry/46753.asp
>
> Alex Freire, GCFW - Modulo Security Solutions
> Rio de Janeiro - RJ - Brazil.
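The mitigation the thread settles on (SecureResponses=1, "Secure cache against pollution") amounts to a bailiwick check: a resolver should cache only records whose owner name falls under the zone the answering server was delegated for, so a server authoritative for example.com cannot hand it glue for gtld-servers.net. The following is an added example written for this archive, not code from the thread, from CERT or from Microsoft; the record layout and the sample reply are constructed to mirror the CERT note, and the filter is a simplified model of the setting rather than Microsoft's implementation.

```python
"""Bailiwick filter for DNS responses, the principle behind Microsoft's
"Secure cache against pollution" (SecureResponses=1). Added example, not
from the original thread; all sample data below is constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    """One resource record: owner name, type, rdata (trailing dot = FQDN)."""
    name: str
    rtype: str
    rdata: str

def _labels(name: str) -> list[str]:
    # case-fold and split into labels, ignoring the root dot
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` or lies below it. Compares whole labels, so
    'badexample.com' is NOT inside 'example.com'; the root zone ('.') holds all."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def filter_response(delegated_zone: str, records: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split a response into records safe to cache (owner within the zone the
    responding server is delegated for) and records to discard as pollution."""
    keep, drop = [], []
    for rr in records:
        (keep if in_bailiwick(rr.name, delegated_zone) else drop).append(rr)
    return keep, drop

# Constructed reply from a server delegated only for example.com. that also
# smuggles in records for the .net TLD servers, the pattern the CERT note describes.
POLLUTED_RESPONSE = [
    RR("www.example.com.", "A", "192.0.2.10"),        # genuine answer
    RR("example.com.", "NS", "ns1.example.com."),      # in-zone authority
    RR("ns1.example.com.", "A", "192.0.2.53"),         # legitimate glue
    RR("net.", "NS", "a.gtld-servers.net."),            # out of bailiwick
    RR("a.gtld-servers.net.", "A", "203.0.113.66"),    # bogus TLD-server glue
    RR("badexample.com.", "A", "203.0.113.7"),         # lookalike suffix
]

def demo() -> tuple[list[RR], list[RR]]:
    """Run the filter over the constructed reply; returns (cached, dropped)."""
    return filter_response("example.com.", POLLUTED_RESPONSE)

if __name__ == "__main__":
    cached, dropped = demo()
    print("cached :", [rr.name for rr in cached])
    print("dropped:", [rr.name for rr in dropped])
```

With the setting off, the last three records would have been cached and every later lookup under .net from that server could be steered by whoever supplied them; with it on, only the three example.com records survive.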


