Bugtraq mailing list archives
Re: glibc resolver weakness
From: atatat () ATATDOT NET (Andrew Brown)
Date: Wed, 3 May 2000 17:08:02 -0400
u_int res_randomid() { struct timeval now; __gettimeofday(&now, NULL); return (0xffff & (now.tv_sec ^ now.tv_usec ^ __getpid())); } A only-16-bit ID is weak "per-se", but this predictable algorithm is even worse. The glibc discards the replies with bad ID and wait for the reply with an ID that matchs, so if the target has ntpd or similar we are able to sync (using the rtt and so) and send spoofed queries with IDs in the range of our tv_usec guess (I assume that the pid and tv_sec are really a minor problem). Also if some query go in timeout the new id is computed as previuos_id++ but seems better to get a new ID for every query. The fix may be a simple LCG, few entropy bits and some math like a^x (mod N) (see the OpenBSD ip->id fix).
the resolver is generally not exploitable, although theoretical exploits have been posted for snoop, which has a buffer overrun in its dns routines. recursive name servers, on the other hand, can be exploited due to this weakness. modern versions of bind (8.2-rel and above) have support for a random id query pool that guards against this vulnerability. -- |-----< "CODE WARRIOR" >-----| codewarrior () daemon org * "ah! i see you have the internet twofsonet () graffiti com (Andrew Brown) that goes *ping*!" andrew () crossbar com * "information is power -- share the wealth."
Current thread:
- Re: Denial of service attack against tcpdump, (continued)
- Re: Denial of service attack against tcpdump antirez (May 03)
- Re: Denial of service attack against tcpdump Sebastian (May 03)
- Re: Denial of service attack against tcpdump Dragos Ruiu (May 03)
- Re: Denial of service attack against tcpdump Gerald Combs (May 03)
- "ILOVEYOU" virus analysis Steve Wolfe (May 04)
- 2.2.14 Kernel exec/open bug (?) The Cr0W (May 05)
- Re: Denial of service attack against tcpdump Hugo.van.der.Kooij () CAIW NL (May 09)
- glibc resolver weakness antirez (May 02)
- Re: glibc resolver weakness Bennett Todd (May 03)
- Re: glibc resolver weakness Valdis.Kletnieks () VT EDU (May 03)
- Re: glibc resolver weakness Andrew Brown (May 03)
- Cayman 3220-H DSL Router DOS cassius () HUSHMAIL COM (May 05)
- Fun with UltraBoard V1.6X rudi carell (May 03)
- Fwd: tcpdump workaround against dnsloop exploit. THE INFAMOUS (May 03)
- Re: tcpdump workaround against dnsloop exploit. David Schwartz (May 06)
- NetBSD Security Advisory 2000-002 Daniel Carosone (May 06)
- [NHC20000504a.0: NetBSD Panics when sent unaligned IP options] NHC Research (May 06)
- Re: Fwd: tcpdump workaround against dnsloop exploit. Sebastian (May 07)
- Re: Fun with UltraBoard V1.6X Juan M. Bello Rivas (May 05)
- Fwd: tcpdump workaround against dnsloop exploit. THE INFAMOUS (May 03)