Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Paul Schmehl (pschmehl_liststx.rr.com)
Date: Sun Jul 13 2008 - 15:37:25 CDT
--On July 13, 2008 2:50:26 PM -0500 eugaaagmail.com wrote:
> Can someone clarify what they meant by "non-reversible patch" ?
The patch changes the default behavior of dns so that queries are
responded to from random ports rather than always from the same port
(usually 53.) Reversing the patch merely returns you to the previous
default behavior. It does not get you to the vulnerability that, in
conjunction with non-random port responses, would allow you to spoof dns
queries. (This is speculation on my part. Dan hasn't shared the details
me with.) IOW, there is a separate vulnerability in dns, which Dan has
not yet revealed, that allows you to take advantage of the non-random
nature of query responses.
Readers should note that if you override the patch behavior by specifying
a query response port (the syntax is available to do that), you negate the
> Are these .deb patches automagical?
If you mean, is bind patched after you've followed the directions in the
advisory (i.e. run apt-get update and then apt-get install bind9), then
yes, it "automagical" as you put it.
> *scratches head*
> I'm not interested in discussing the hype or scene-war aspect of this
> Has anyone actually verified the impact of this vulnerability? Any code,
No because the real vulnerability has not yet been released. (Again, this
is my speculation.) The patches will make bind much more resistant to a
spoofing attack that would have been easy to do once the real
vulnerability is revealed publicly.
BTW, if you want to check your name server (so long as it's not doing
forwarding), you can run this command:
# dig yourserver +short porttest.dns-oarc.net TXT
A patched server will respond like this:
# dig ns1.stovebolt.com +short porttest.dns-oarc.net TXT
"188.8.131.52 is GOOD: 26 queries in 1.3 seconds from 26 ports with std
An unpatched server will return POOR: 26 queries in 1.3.seconds from 1
If it isn't already obvious,
my opinions are my own and not
those of my employer.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- application/pkcs7-signature attachment: stored