Bugtraq mailing list archives

Re: NT DNS hacked ... ?


From: bobk () SINISTER COM (bobk)
Date: Fri, 13 Nov 1998 18:24:30 -0500


On Fri, 13 Nov 1998, Marc Slemko wrote:

> On Thu, 12 Nov 1998, John Fraizer wrote:
>
> > You weren't hacked.  It was NetSol/InterNIC showing us just how lame they
> > are again by corrupting root servers.
> >
> > http://www.news.com/News/Item/0,4,28664,00.html?st.ne.fd.mdh
>
> The above is unrelated to the below, AFAIK.
>
> > At 11:47 AM 11/11/98 -0500, you wrote:
> > > Anyone running MS's DNS notice, overnite or so, their cache files
> > > (specifically the root name servers) replaced with a handful of entries for
> > > allegro.net ... ?
>
> The only thing that the Internic being idiots would have done, as far as I
> have any evidence of, is claim that .com domains do not exist.
>
> If your nameserver's cache was corrupted to think that allegro.net is
> authoritative for .com (or .), then that is NOT related.  While I would
> need exact output from sample queries to the server to tell for sure, it
> would appear that, if what the poster above said is true, the software
> they are running is vulnerable to cache pollution, just like old versions
> of BIND are.  This is quite bad, both because someone with malicious
> intent can do evil things and because there are an increasing number of
> accidental situations where people somehow misconfigure their servers to
> claim false authority.

For some reason, my first message on this topic was not accepted by
Aleph1. Hence, I will attempt to repeat what I sent upon the first report
of this problem to this list:

Microsoft's DNS server is vulnerable to two different types of
cache-poisoning attacks, while the latest versions of BIND are only known
to be vulnerable to one type:

"cache corruption through attachment of unrelated additional records" is
the simpler of the two methods, and is the one most likely used to corrupt
your server. As far as I know, there is no Microsoft fix for this. BIND
used to be vulnerable to this, but the latest versions of it are not.

"cache corruption through sequence ID prediction" is a more complex
attack. Both Microsoft and BIND are vulnerable to this. Luckily, there
aren't many crackers attempting to use this, as far as I can tell. There
is no complete protection for this attack, even though vendors of DNS
software have known about the vulnerability for years.
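The first of the two attack classes above, "attachment of unrelated additional records", as an added example that is not code from this thread, from Microsoft or from ISC: a toy resolver cache that applies the bailiwick rule (the behaviour bobk credits to fixed BIND) next to the permissive behaviour he attributes to MS DNS and old BIND. All names and addresses are constructed for the demo; ns.attacker.invalid is a placeholder.

```python
# Records are modelled as (section, owner name, type, value) tuples.
# Sample data below is constructed; nothing here is taken from a real packet.

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies beneath it (case-insensitive)."""
    name = name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def cache_response(records, bailiwick, strict=True):
    """Build a cache {(name, type): [values]} from one DNS response.

    strict=True : drop any record whose owner name is outside the bailiwick
                  of the server that answered (fixed-BIND style).
    strict=False: trust every record in the packet (the vulnerable style
                  bobk describes for MS DNS and old BIND).
    """
    cache = {}
    for section, name, rtype, value in records:
        if strict and not in_bailiwick(name, bailiwick):
            continue  # the answering server has no authority for this name
        cache.setdefault((name.rstrip(".").lower(), rtype), []).append(value)
    return cache


# Constructed reply from a server authoritative for example.com to a query
# for www.example.com. The last two additional records try to make the
# cache believe a placeholder host is the name server for all of .com.
RESPONSE = [
    ("answer",     "www.example.com.",     "A",  "192.0.2.10"),
    ("additional", "ns1.example.com.",     "A",  "192.0.2.53"),  # legitimate glue
    ("additional", "com.",                 "NS", "ns.attacker.invalid."),
    ("additional", "ns.attacker.invalid.", "A",  "198.51.100.7"),
]


def com_authority(strict: bool):
    """Which NS the cache would now consult for any .com name, or None."""
    cache = cache_response(RESPONSE, "example.com", strict=strict)
    return cache.get(("com", "NS"))


if __name__ == "__main__":
    print("permissive cache, .com NS:", com_authority(strict=False))
    print("bailiwick-checked cache, .com NS:", com_authority(strict=True))
```

Run against a real resolver's behaviour, the same check is what separates a server that keeps only `ns1.example.com` from one that also swallows the bogus `com. NS` record.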
