Message-ID: <47FBB4C7.2050302@trusteer.com>
Date: Tue, 08 Apr 2008 11:09:11 -0700
From: Amit Klein <amit.klein@...steer.com>
To: bugtraq@...urityfocus.com
Cc: Amit Klein <amit.klein@...steer.com>
Subject: Microsoft Windows DNS Stub Resolver Cache Poisoning (MS08-020)

Hello BugTraq,

The Microsoft Windows DNS stub resolver (the component in Windows
that queries the upstream DNS server for address resolutions on
behalf of most Windows programs, e.g. browsers) sends predictable
DNS queries with respect to DNS transaction ID and source UDP
port. This allows some interesting attacks on DNS clients (i.e.
desktops), including DNS cache poisoning of the client's local
DNS cache (which is maintained by the stub resolver).

Affected products: Windows Vista, Windows XP SP2, Windows 2003
and Windows 2000 SP4.

Microsoft was informed on April 30th, 2007. Microsoft security
bulletin MS08-020 (released today) addresses this issue.

For the full details, please read the paper "Microsoft Windows
DNS Stub Resolver Cache Poisoning" by yours truly, which you can
download at the following URL:

http://www.trusteer.com/docs/windowsresolver.html

Note that the subject of DNS cache poisoning was widely discussed
in the context of caching DNS servers. The case of the (caching)
stub resolver was very little discussed though, partly due to the
belief that this problem is limited to the LAN. However, the
paper covers some interesting scenarios which extend beyond the
simple LAN attack - e.g. in some cases, this attack can be used
to actually poison a caching DNS server, and in another example,
multi-homed clients are shown to be particularly vulnerable.


Thanks,

Amit Klein
CTO
Trusteer
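
Added example (not part of the original message or of the referenced paper): a defender-side check that reads the transaction ID and source UDP port of captured stub-resolver queries and flags simple repeating patterns in either field. The repeating-step heuristic, the 0.5 threshold, the function names and all sample packets are assumptions constructed for illustration.

```python
import struct
from collections import Counter

def build_query(txid: int, name: str) -> bytes:
    """Encode a minimal DNS A/IN query (used only to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def query_txid(payload: bytes) -> int:
    """Return the transaction ID of a DNS query; reject short packets and responses."""
    if len(payload) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    txid, flags = struct.unpack("!HH", payload[:4])
    if flags & 0x8000:
        raise ValueError("QR bit set: response, not a query")
    return txid

def dominant_share(values, modulus):
    """Share of consecutive differences (mod modulus) taken by the most common one."""
    deltas = [(b - a) % modulus for a, b in zip(values, values[1:])]
    return Counter(deltas).most_common(1)[0][1] / len(deltas)

def audit(observations, threshold=0.5):
    """observations: (source_port, udp_payload) pairs from one client, in capture order."""
    ports, txids = [], []
    for port, payload in observations:
        try:
            txids.append(query_txid(payload))
        except ValueError:
            continue  # skip responses and truncated packets
        ports.append(port)
    if len(txids) < 5:
        return {"verdict": "insufficient data"}
    txid_share = dominant_share(txids, 1 << 16)
    port_share = dominant_share(ports, 1 << 16)
    findings = []
    if txid_share >= threshold:
        findings.append("transaction ID advances by a repeating step")
    if port_share >= threshold:
        findings.append("source port is fixed or advances by a repeating step")
    return {"verdict": "predictable" if findings else "no simple pattern",
            "findings": findings, "txid_share": txid_share, "port_share": port_share}

# Constructed sample captures (not taken from the paper or from any real host).
PATTERNED = [(1026, build_query(0x2000 + i, "example.com")) for i in range(8)]
VARIED = [(p, build_query(t, "example.com")) for p, t in
          [(50123, 0x9A31), (33211, 0x04C7), (61002, 0xE510), (41877, 0x7B2E),
           (58340, 0x1F99), (36655, 0xC263), (47019, 0x58D4), (53998, 0xAD0B)]]
```

A "no simple pattern" result only rules out fixed values and constant steps; it does not show that the generator behind the two fields is unpredictable.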



