From: Alexandre Freire (afreiremodulo.com.br)
Date: Tue Oct 30 2001 - 02:02:53 CST


    Hello all ;

    I have had a problem at one of the companies I'm providing
    consulting to. Two of the servers are running Windows NT 4.0 and someone has
    changed the contents of the cache data. For a while (the time it took us to
    discover the problem), the www entry was changed to point at another web site.

    Only the secondary DNS server was affected; the primary one was not changed.
    I was trying to discover what could have happened when I realized that there
    is a vulnerability in the Microsoft DNS Servers that could lead to cache
    corruption.

    I've found some documents that explain the vulnerability, and all of them
    instruct the creation of the following registry key to avoid the attack:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters

    Value Name: SecureResponses
    Data Type: REG_DWORD
    Value: 1 (To eliminate non-secure data)

    Are there any additional procedures I can follow in order to avoid this kind of
    attack? The server is running SP6a and I've run the Microsoft Network
    Security Hotfix Checker 3.2 in order to look for post-SP6a fixes I could
    apply to fix the DNS problem, and it did not return any hotfix regarding this
    issue.

    Thanks for your attention.
    Regards

    Alex.

    The following is a copy of the Incident Note published by CERT:

    CERT® Incident Note IN-2001-11
    Cache Corruption on Microsoft DNS Servers

    Systems Affected
    Microsoft Windows NT 4.0 and Windows 2000 systems running Microsoft DNS
    Server

    I. Overview
    The CERT/CC has received reports from sites experiencing cache corruption on
    systems running Microsoft DNS Server. The default configuration of this
    software allows data from malicious or incorrectly configured servers to be
    cached in the DNS server. This corruption can result in erroneous DNS
    information later being returned to any clients which use this server.

    II. Description
    In the default configuration, Microsoft DNS server will accept bogus glue
    records from non-delegated servers. These bogus records will be added to the
    cache when a client attempts to resolve a particular hostname served by a
    malicious or incorrectly configured DNS server. The client can be coerced to
    request such a hostname as a result of an otherwise non-malicious piece of
    HTML email (such as spam) or in banner advertisements on websites, to give
    some examples.

    Based on information contained in reports of this activity, there are sites
    actively engaged in this deceptive DNS resolution. These reports indicate
    that malicious DNS servers are providing bogus glue records for the generic
    top-level domain servers (gtld-servers.net) potentially resulting in
    erroneous results (e.g., failed resolution or redirection) for any DNS
    request.

    More information about the problem can be found at
    VU#109475 - Microsoft Windows NT and 2000 Domain Name Servers allow
    non-authoritative RRs to be cached by default
    http://www.kb.cert.org/vuls/id/109475

    Secure server cache against names pollution
    http://www.microsoft.com/WINDOWS2000/en/server/help/sag_DNS_pro_SecureCachePollutedNames.htm

    How to Prevent DNS Cache Pollution (Q241352)
    http://support.microsoft.com/support/kb/articles/Q241/3/52.ASP
    http://msdn.microsoft.com/library/en-us/regentry/46753.asp

    Alex Freire, GCFW - Modulo Security Solutions
    Rio de Janeiro - RJ - Brazil.
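The following Python model is an added illustration and is not part of Alex's post, the CERT note, or Microsoft's code. It shows the difference the SecureResponses value makes: a caching server that takes every record a response carries can be fed glue for gtld-servers.net by the server for any unrelated zone, while a server that only caches records inside the responding server's own zone (a "bailiwick" check) drops them. The zone names, hostnames and addresses are constructed for the example (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges), and the acceptance rule is a simplification of what the real server implements.

```python
"""
Added example (not from the post or the CERT note): a toy caching resolver
contrasting the Microsoft DNS default the note describes (cache every record
a response carries) with SecureResponses=1 behaviour (drop records whose
owner name lies outside the zone the queried server was delegated for).
All names and addresses are constructed; the rule is a simplified model.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record as carried in a DNS response."""
    name: str   # owner name
    rtype: str  # "A" or "NS"
    rdata: str  # address for A, hostname for NS


def labels(name: str) -> Tuple[str, ...]:
    """Normalise a domain name into lower-case labels; the root is ()."""
    return tuple(l for l in name.lower().rstrip(".").split(".") if l)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies below it (the root contains everything)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


class Cache:
    """Simplified model of a DNS server's cache-acceptance policy."""

    def __init__(self, secure_responses: bool) -> None:
        self.secure_responses = secure_responses
        self.records: Dict[Tuple[Tuple[str, ...], str], Set[str]] = {}

    def accept(self, response: List[RR], server_zone: str) -> Tuple[List[RR], List[RR]]:
        """Cache a response sent by the server delegated for `server_zone`.
        Returns (accepted, rejected)."""
        accepted, rejected = [], []
        for rr in response:
            if self.secure_responses and not in_bailiwick(rr.name, server_zone):
                rejected.append(rr)  # out-of-zone glue is discarded, not cached
                continue
            self.records.setdefault((labels(rr.name), rr.rtype), set()).add(rr.rdata)
            accepted.append(rr)
        return accepted, rejected

    def lookup(self, name: str, rtype: str) -> List[str]:
        """What a later client query for (name, rtype) would get from the cache."""
        return sorted(self.records.get((labels(name), rtype), ()))


# Constructed response from the server delegated for evil.example, answering a
# query for www.evil.example that a client was coerced into making (e.g. by an
# image reference in HTML e-mail).  Alongside the honest answer and its own glue
# it smuggles in NS/A records for com and gtld-servers.net, as the note describes.
MALICIOUS_RESPONSE = [
    RR("www.evil.example.", "A", "203.0.113.5"),       # honest answer
    RR("evil.example.", "NS", "ns1.evil.example."),     # its own NS record
    RR("ns1.evil.example.", "A", "203.0.113.2"),       # in-zone glue
    RR("com.", "NS", "a.gtld-servers.net."),            # bogus: outside evil.example
    RR("a.gtld-servers.net.", "A", "198.51.100.7"),     # bogus glue -> attacker host
]


def run_scenario(secure_responses: bool) -> Dict[str, List[str]]:
    """Feed the response into a fresh cache and report what later lookups return."""
    cache = Cache(secure_responses)
    cache.accept(MALICIOUS_RESPONSE, server_zone="evil.example.")
    return {
        "www.evil.example A": cache.lookup("www.evil.example", "A"),
        "ns1.evil.example A": cache.lookup("ns1.evil.example", "A"),
        "a.gtld-servers.net A": cache.lookup("a.gtld-servers.net", "A"),
        "com NS": cache.lookup("com", "NS"),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print(f"SecureResponses={int(mode)}:")
        for key, value in run_scenario(mode).items():
            print(f"  {key:22s} -> {value or 'not cached'}")
```

With SecureResponses off, the cache ends up holding 198.51.100.7 for a.gtld-servers.net and will hand it to every later .com lookup, which is exactly the redirection the note and the post describe; with it on, only the evil.example records survive and the honest answer for www.evil.example is unaffected. The registry value quoted in the post is the documented way to turn the check on; the model above is only meant to make clear what that value is protecting against.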