From: Deji (dejiprontomail.com)
Date: Tue Oct 30 2001 - 13:33:52 CST


    Good reading here:

    http://www.sans.org/infosecFAQ/firewall/DNS_spoof.htm

    Deji
    ----- Original Message -----
    From: "Alexandre Freire" <afreiremodulo.com.br>
    To: <focus-mssecurityfocus.com>
    Sent: Tuesday, October 30, 2001 12:02 AM
    Subject: Cache Corruption on Microsoft DNS Servers

    > Hello all ;
    >
    > I have had a problem at one of the companies I'm providing consulting to.
    > Two of the servers are running Windows NT 4.0 and someone has changed the
    > contents of the cache data. For a while (the time we spent discovering the
    > problem), the www was changed to another web site.
    >
    > Only the secondary DNS server was affected. The primary one was not
    > changed. I was trying to discover what could have happened when I
    > realized that there is a vulnerability on the Microsoft DNS Servers that
    > could lead to cache corruption.
    >
    > I've found some documents that explain the vulnerability, and all of them
    > instruct the creation of the following registry key to avoid the attack:
    >
    > HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
    >
    > Value Name: SecureResponses
    > Data Type: REG_DWORD
    > Value: 1 (To eliminate non-secure data)
    >
    > Are there any additional procedures I can do in order to avoid this kind
    > of attack? The server is running SP6a and I've applied the Microsoft
    > Network Security Hotfix Checker 3.2 in order to look for post-SP6a fixes I
    > could apply to fix the DNS problem, and it did not return any hotfix
    > regarding this issue.
    >
    > Thanks for your attention.
    > Regards
    >
    > Alex.
    >
    >
    > The following is a copy of the Incident Note published on CERT :
    >
    >
    > CERT® Incident Note IN-2001-11
    > Cache Corruption on Microsoft DNS Servers
    >
    > Systems Affected
    > Microsoft Windows NT 4.0 and Windows 2000 systems running Microsoft DNS
    > Server
    >
    > I - Overview
    > The CERT/CC has received reports from sites experiencing cache corruption
    > on systems running Microsoft DNS Server. The default configuration of this
    > software allows data from malicious or incorrectly configured servers to
    > be cached in the DNS server. This corruption can result in erroneous DNS
    > information later being returned to any clients which use this server.
    >
    > II - Description
    > In the default configuration, Microsoft DNS server will accept bogus glue
    > records from non-delegated servers. These bogus records will be added to
    > the cache when a client attempts to resolve a particular hostname served
    > by a malicious or incorrectly configured DNS server. The client can be
    > coerced to request such a hostname as a result of an otherwise
    > non-malicious piece of HTML email (such as spam) or in banner
    > advertisements on websites, to give some examples.
    > Based on information contained in reports of this activity, there are
    > sites actively engaged in this deceptive DNS resolution. These reports
    > indicate that malicious DNS servers are providing bogus glue records for
    > the generic top-level domain servers (gtld-servers.net) potentially
    > resulting in erroneous results (e.g., failed resolution or redirection)
    > for any DNS request.
    >
    > More information about the problem can be found at
    > VU#109475 - Microsoft Windows NT and 2000 Domain Name Servers allow
    > non-authoritative RRs to be cached by default
    > http://www.kb.cert.org/vuls/id/109475
    >
    > Secure server cache against names pollution
    >
    > http://www.microsoft.com/WINDOWS2000/en/server/help/sag_DNS_pro_SecureCachePollutedNames.htm
    >
    > How to Prevent DNS Cache Pollution (Q241352)
    > http://support.microsoft.com/support/kb/articles/Q241/3/52.ASP
    > http://msdn.microsoft.com/library/en-us/regentry/46753.asp
    >
    > Alex Freire, GCFW - Modulo Security Solutions
    > Rio de Janeiro - RJ - Brazil.
    >
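The pollution mechanism the CERT note describes, and the record filtering that the SecureResponses setting turns on, as an added example that is not part of the original thread or of Microsoft's code: a small Python model of a resolver cache that either stores every record in a response (the default behaviour the note warns about) or discards records outside the bailiwick of the server that answered, which is the behaviour Q241352 describes for the secure setting (records whose names are not in the same domain tree as the queried name are ignored). The domain attacker.test, the 192.0.2.0/24 addresses and the response contents are constructed for illustration; the function and class names are this example's own.

```python
"""Bailiwick check against DNS cache pollution.

Added example, not from the original thread. Models the difference between
caching every record in a response (the default the CERT note describes) and
discarding records that lie outside the domain subtree the answering server
was delegated for (what SecureResponses=1 / "secure cache against pollution"
does on Microsoft DNS). Names and addresses below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    """Minimal resource record: owner name, type, rdata."""
    name: str
    rtype: str
    rdata: str


@dataclass
class Response:
    """Answer, authority and additional sections of a DNS response."""
    qname: str
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so comparisons are exact."""
    return name.rstrip(".").lower()


def in_bailiwick(rr_name: str, zone: str) -> bool:
    """True if rr_name equals zone or is a label-aligned subdomain of it.

    The check is label-aligned on purpose: 'evilexample.com' must not pass
    for the zone 'example.com', which a plain suffix test would allow.
    """
    rr_name, zone = normalize(rr_name), normalize(zone)
    if zone == "":
        return True  # the root zone covers every name
    return rr_name == zone or rr_name.endswith("." + zone)


class Cache:
    """Toy resolver cache keyed by (owner name, type)."""

    def __init__(self, secure_responses: bool):
        self.secure_responses = secure_responses
        self.records: dict = {}

    def _store(self, rr: RR) -> None:
        key = (normalize(rr.name), rr.rtype)
        self.records.setdefault(key, set()).add(rr.rdata)

    def ingest(self, resp: Response, bailiwick: str) -> list:
        """Cache a response. `bailiwick` is the zone delegated to the server
        that produced it. Returns the records that were discarded."""
        dropped = []
        for section in (resp.answer, resp.authority, resp.additional):
            for rr in section:
                if self.secure_responses and not in_bailiwick(rr.name, bailiwick):
                    dropped.append(rr)
                    continue
                self._store(rr)
        return dropped

    def lookup(self, name: str, rtype: str) -> set:
        return self.records.get((normalize(name), rtype), set())


def simulate(secure_responses: bool):
    """A client resolves www.attacker.test; the attacker's authoritative
    server answers correctly but bolts on an NS record for .net and bogus
    glue for a gTLD server name, as in the CERT note. Constructed data."""
    poisoned = Response(
        qname="www.attacker.test",
        answer=[RR("www.attacker.test", "A", "192.0.2.10")],
        authority=[RR("net", "NS", "a.gtld-servers.net")],        # out of bailiwick
        additional=[RR("a.gtld-servers.net", "A", "192.0.2.66")],  # bogus glue
    )
    cache = Cache(secure_responses)
    dropped = cache.ingest(poisoned, bailiwick="attacker.test")
    return cache, dropped


if __name__ == "__main__":
    for mode in (False, True):
        cache, dropped = simulate(mode)
        print(f"secure_responses={mode}: a.gtld-servers.net A ->",
              cache.lookup("a.gtld-servers.net", "A") or "(not cached)",
              f"dropped={[rr.name for rr in dropped]}")
```

With secure_responses=False the forged 192.0.2.66 address for a.gtld-servers.net lands in the cache and would be used for every later lookup that needs the .net servers, which is exactly the redirection the poster observed; with secure_responses=True only the in-bailiwick answer for www.attacker.test is kept. On the real server the switch is the registry value quoted above (Windows NT 4.0) or the "Secure cache against pollution" option in the Windows 2000 DNS server's advanced properties, per the Microsoft documents linked in the note.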