Rechercher
Contactez-nous Suivez-nous sur Twitter En francais English Language
 

Subscribe

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

Security Vulnerability

Vigil@nce - DNS, ISC BIND: no expiry of revoked names

February 2012 by Vigil@nce

This bulletin was written by Vigil@nce : http://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

When a domain name was revoked, an attacker can periodically query
a recursive DNS server, in order to continuously renew data in the
cache, which never expire.

Severity: 2/4

Creation date: 08/02/2012

Revision date: 09/02/2012

IMPACTED PRODUCTS

 ISC BIND
 Microsoft Windows 2008
 Protocol DNS

DESCRIPTION OF THE VULNERABILITY

A DNS recursive server keeps previous replies in its cache. For
example, if a user requests "www.phishing.com":
 his DNS server queries a server which is authoritative for
".com" : who is the DNS server of "phishing.com" ?
 it receives the reply "ns.phishing.com" with the IP address
10.0.0.1, and a TTL (expiration time) of one day
 it keeps it in its cache
 it queries 10.0.0.1 : what is the address of "www.phishing.com"
?
 it receives the reply, and keeps it in its cache, and then
sends it back to the user
When another user queries "www.phishing.com", the values cached
during one day are returned

If an authority decides to disable "phishing.com", the cached
value is still used one day. After this date, the DNS server will
query an authoritative server for ".com", which will reply that
the domain does not exist.

However, an attacker can ensure that the "phishing.com" domain
never expires from the cache of the DNS server. In order to do so,
before the expiration of the TTL, the attacker has to:
 add in his DNS server (ns.phishing.com) a reverse resolution
for 10.0.0.1, indicating for example "ns1.phishing.com", which
is also an authoritative DNS server for "phishing.com"
 query the victim’s recursive DNS server, for an inverse
resolution of 10.0.0.1 (the reply will be ns1.phishing.com),
which will be cached as the new DNS server of "phishing.com",
with a TTL of one day
The "phishing.com" domain is thus valid during one more day.

When a domain name was revoked, an attacker can therefore
periodically query a recursive DNS server, in order to
continuously renew data in the cache, which never expire.

This vulnerability is due to a conception error in the DNS
protocol.

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/DNS-ISC-BIND-no-expiry-of-revoked-names-11344


See previous articles

    

See next articles


Security Vulnerability

All our news in english

Alle unsere News auf deutsch

Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55
Mail: ipsimp@free.fr

All new podcasts

 
News Files Cyber Security Security Vulnerability Malware Update Diary Guide & Podcast TRAINING Jobs CONTACTS Contact About Mentions légales identifier ADMIN

Global Security Mag Copyright 2011