
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-07-24 InfoSec Handlers Diary Blog



BIND cache poisoning vulnerability details released

Published: 2007-07-24
Last Updated: 2007-09-06 13:41:54 UTC
by Johannes Ullrich (Version: 1)

Amit Klein wrote about a paper he just released with details about a BIND 9 cache poisoning issue. This is one of the problems addressed by the latest version of BIND 9.

The very brief summary: BIND prior to version 9.4.1-P1 did not use a strong algorithm to create DNS transaction IDs. As a result, one can derive the next transaction ID BIND will use by knowing the last few transaction IDs; in this case, up to 15 queries are used.

Once the attacker knows the "state" of the target's BIND install, it is possible to forge a response. DNS uses UDP by default, so a response can be spoofed without any handshake. Each query sent by the DNS server includes a random transaction ID; the server responding to the query includes this transaction ID so the querying DNS server knows which query is answered by this particular response. BIND always uses the same source port for its queries, so the transaction ID is the only value the forged response has to get right.

The attack appears to be quite feasible. Probably the main difficulty will be to get the spoofed packet routed. But unless the attacker's network implements strict egress filtering, this is very much a feasible attack. Best to patch your BIND server soon.
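A defender's check for the weakness described above, added here as an example and not part of the diary or of BIND itself: it reads the 16-bit transaction ID out of a resolver's outbound queries and reports the things this diary says matter, namely whether the IDs advance by a predictable step, whether a single source port is reused, and a per-bit entropy estimate. The packet samples are constructed inline; build_query, assess_queries and findings are this example's own names, and in practice the (port, payload) tuples would come from a packet capture of the resolver.

```python
import math
import struct

def build_query(txid, qname="example.com"):
    """Fabricate a minimal DNS query (header + one A question) carrying txid."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # standard query, RD set
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def txid_of(payload):
    """The transaction ID is the first 16 bits of the DNS header."""
    return struct.unpack("!H", payload[:2])[0]

def assess_queries(queries):
    """queries: list of (udp_source_port, dns_payload) for the resolver's outbound queries.
    bit_entropy sums the entropy of each of the 16 ID bits (an upper bound; 16.0 is ideal)."""
    ids = [txid_of(p) for _, p in queries]
    n = len(ids)
    deltas = {(b - a) % 0x10000 for a, b in zip(ids, ids[1:])}  # successive ID steps
    entropy = 0.0
    for bit in range(16):
        p1 = sum((i >> bit) & 1 for i in ids) / n
        for p in (p1, 1 - p1):
            if p > 0:
                entropy -= p * math.log2(p)
    return {"samples": n, "distinct_ids": len(set(ids)),
            "source_ports": len({port for port, _ in queries}),
            "constant_step": n > 2 and len(deltas) == 1,
            "bit_entropy": round(entropy, 2)}

def findings(report):
    """Turn the measures into the warnings an operator would act on."""
    out = []
    if report["constant_step"]:
        out.append("transaction IDs advance by a fixed step: trivially predictable")
    if report["source_ports"] == 1:
        out.append("single source port: only the 16-bit ID guards against spoofed answers")
    if report["bit_entropy"] < 12:
        out.append("low transaction ID entropy (%.1f bits)" % report["bit_entropy"])
    return out

# Constructed sample: one fixed source port and sequential IDs (the weak pattern).
WEAK_SAMPLE = [(53, build_query(0x1000 + i)) for i in range(16)]
# Constructed sample: varying source ports and IDs chosen to look random.
OK_IDS = [0x5a3c, 0x91f0, 0x03e7, 0xc8b2, 0x7d19, 0x2e64, 0xf4a5, 0x6b0d]
OK_SAMPLE = [(1025 + 37 * i, build_query(t)) for i, t in enumerate(OK_IDS)]

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("ok", OK_SAMPLE)):
        print(name, assess_queries(sample), findings(assess_queries(sample)))
```

A short capture of a healthy resolver should show many distinct IDs, no constant step and an entropy estimate near 16; the 15 queries the diary mentions are enough for the weak pattern to stand out.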

CVE: CVE-2007-2926
Versions affected:
BIND 9.0 (all versions)
BIND 9.1 (all versions)
BIND 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8
BIND 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4
BIND 9.4.0, 9.4.1
BIND 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, 9.5.0a5

Not vulnerable: BIND 9.2.8-P1, BIND 9.3.4-P1, BIND 9.4.1-P1 or BIND 9.5.0a6

For details, see www.trusteer.com/docs/bind9dns.html

ISC.org link: www.isc.org/index.pl?/sw/bind/bind-security.php


A Word to the Wise - SPIM Flood

Published: 2007-07-24
Last Updated: 2007-07-24 22:15:22 UTC
by Deborah Hale (Version: 1)

We have received several reports today from people who are getting flooded with SPIM on their IM accounts. These messages provide a link to various web sites. These sites all seem to point to one site, www dot messenger-tips dot com. This site purports to check your IM friends/contacts and report back to you which of them have blocked you. All you have to do is give them your login and password information. You also have to agree to their terms and conditions. OK, so we read their Terms and Conditions page, and what do we find? First:

They will NOT be responsible for any misuse of the information you provide. They also have no liability for content, views, advice or guidance, because they provide a service that is for entertainment purposes only. (Huh? What entertainment?) You provide them with the ID and password; of course they won't share the information with anyone without your consent. (And if you believe that, I have a bridge I will sell you.) Now here is the real catch-22. By agreeing to the terms and conditions you agree to allow them to SPIM all of your friends and contacts. Wonderful.

I am not sure if this program installs any malware or sets up any hole in your computer for them to crawl through. I don't have a sacrificial lamb here that I can test it with. We have not been able to determine if it is anything more than ad-ware. Bottom line, folks: DO NOT CLICK ON LINKS.

Port 57886 Activity

Published: 2007-07-24
Last Updated: 2007-07-24 15:50:15 UTC
by Deborah Hale (Version: 1)

In reviewing the Top 10 Ports today at isc.sans.org/portreport.html, I noticed that there is an unusual increase in activity on port 57886 (isc.sans.org/port.html).

The data being submitted indicates that we have gone from fewer than 100 targets a day to over 50,000. We would like to know what you are seeing. Take a look at your network to determine if you are seeing this activity and let us know. It would be helpful if we could get some packet captures so that we can take a look at the data and see what is generating the traffic to port 57886. You can upload the captures to our website at isc.sans.org/contact.html
