Message-Id: <20080709220410.C81848BE68@mail.fjaunet.com.br>
Date: Wed, 9 Jul 2008 19:04:10 -0000
From: "Rodrigo Rubira Branco (BSDaemon)" <rodrigo@...nelhacking.com>
To: "imipak" <imipak@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: DNS and Checkpoint

Hello,

SmartDefense has included protection for this attack since 2005, scrambling the
source port and query ID of each DNS request (just activate the DNS spoofing
protection in SD).


cya,


Rodrigo (BSDaemon).

--
http://www.kernelhacking.com/rodrigo

Kernel Hacking: If i really know, i can hack

GPG KeyID: 1FCEDEA1


--------- Original Message --------
From: imipak <imipak@...il.com>
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: [Full-disclosure] DNS and Checkpoint
Date: 09/07/08 10:52

>
> Hello everyone,
>
> I've had a report from someone with clue (and tcpdump) that a properly
> functioning DNS resolver that correctly uses randomised source ports
> magically becomes vulnerable once the traffic's passed through a
> Checkpoint firewall, where Dan Kaminsky's tool shows:
>
>     x.y.z.155:56978 TXID=712
>     x.y.z.155:56979 TXID=45713
>     x.y.z.155:56980 TXID=63532
>     x.y.z.155:56981 TXID=7243
>     x.y.z.155:56982 TXID=17620
>
> (note the incrementing port numbers.)
>
> Can anyone else confirm this behaviour?
>
> Checkpoint are one of the dozens of vendors listed on the CERT
> advisory as "Status: Unknown"
> http://www.kb.cert.org/vuls/id/MIMG-7ECL6B
>
> They do have an advisory up:
>    http://www.checkpoint.com/defense/advisories/public/2008/cpai-01-Jul.html
>
> I don't have the login needed to read the whole thing, but the front
> page just says:
>
> "Protection provided by:
>  	 VPN-1:    * NGX R65
>                        * NGX R62
>                        * NGX R61
>                        * NGX R60
>         [...etc, etc...] "
>
>
> cheers
>
> =i
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

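A defender's check for the behaviour reported in the quoted message, added here as an example and not part of either post: it parses observations in the format shown above and flags source ports or TXIDs that advance in small steps as seen from outside the firewall. The function names and the `max_step=16` threshold are assumptions chosen for illustration.

```python
import re

# Observations quoted in the message above (address redacted as on the page).
SAMPLE = """\
x.y.z.155:56978 TXID=712
x.y.z.155:56979 TXID=45713
x.y.z.155:56980 TXID=63532
x.y.z.155:56981 TXID=7243
x.y.z.155:56982 TXID=17620
"""

LINE_RE = re.compile(r"^\s*(\S+):(\d{1,5})\s+TXID=(\d{1,5})\s*$")

def parse(text):
    """Return [(addr, port, txid), ...], skipping lines that do not match."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group(2)) < 65536 and int(m.group(3)) < 65536:
            out.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return out

def is_predictable(values, max_step=16):
    """True if every consecutive difference (mod 2**16) is a small positive
    step, i.e. the next value can be guessed from the last one seen.
    max_step is an assumed threshold, not a value from the thread."""
    if len(values) < 3:
        return False  # too few samples to judge
    steps = [(b - a) % 65536 for a, b in zip(values, values[1:])]
    return all(0 < s <= max_step for s in steps)

def assess(text):
    """Judge source ports and TXIDs separately for each observed address."""
    by_addr = {}
    for addr, port, txid in parse(text):
        ports, txids = by_addr.setdefault(addr, ([], []))
        ports.append(port)
        txids.append(txid)
    return {a: {"ports_predictable": is_predictable(p),
                "txids_predictable": is_predictable(t)}
            for a, (p, t) in by_addr.items()}

if __name__ == "__main__":
    for addr, verdict in assess(SAMPLE).items():
        print(addr, verdict)
```

Run it on samples captured on the Internet side of the firewall; a resolver that randomises ports internally can still show `ports_predictable: True` there if a translating device rewrites them sequentially.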