DNS Forgery Pharming

Jul 25 2007

By Amit Klein, CTO Trusteer

Berkeley Internet Name Domain (BIND) has been the de facto DNS server for more than 20 years.

I’ve recently discovered a new weakness in BIND which enables “DNS Forgery Pharming”. An attacker can remotely poison the cache of any BIND 9 caching DNS server and force users who use this DNS server to reach fraudulent websites each time they try to access real websites.

This weakness can be turned into a mass attack in the following way:

  1. The attacker lures a single user that uses the target DNS server to click on a link. No further action other than clicking the link is required.
  2. By clicking the link the user starts a chain reaction that eventually poisons the DNS server’s cache (subject to some standard conditions) and associates fraudulent IP addresses with real website domains.
  3. All users that use this DNS server will now reach the fraudulent website each time they try to reach the real website.

Full paper: http://www.trusteer.com/docs/bind9dns.html

Executive version: http://www.trusteer.com/docs/bind9dns_s.html

A patch for this vulnerability is available and can be downloaded from the ISC website. I advise enterprises and ISPs to patch their BIND servers.
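The protection a caching resolver has against a forged reply rests on the reply matching the outstanding query's 16-bit transaction ID (and source port); the OpenBSD audit mentioned below found BIND 9's generator for those IDs weak. The following script is an added example, not code from the post, the paper or ISC: it extracts transaction IDs from captured query packets and flags gross predictability (few distinct values, or a constant step between consecutive IDs). The function names, the thresholds, and the two sample ID sequences are all constructed for illustration; such a check can only catch obviously weak generators, it cannot prove one is strong.

```python
"""Sanity-check the transaction IDs a DNS resolver emits for obvious predictability.

Hypothetical defender tooling (not part of BIND or the advisory): read IDs from
captured outbound queries and report whether they show defects that make reply
forgery easy.  Catches weak generators; cannot certify a strong one.
"""
import math
import random
import struct
from collections import Counter


def txid_from_query(packet: bytes) -> int:
    """Return the 16-bit ID from the first two bytes of a DNS message (RFC 1035 header)."""
    if len(packet) < 12:
        raise ValueError("DNS header is 12 bytes; packet is too short")
    return struct.unpack("!H", packet[:2])[0]


def distinct_fraction(ids):
    """1.0 means every observed ID was different; low values mean a tiny ID space in use."""
    return len(set(ids)) / len(ids)


def max_step_fraction(ids):
    """Share of consecutive pairs that use the most common step (mod 2^16).

    A plain counter scores 1.0 (step 1 every time); a uniform generator scores a
    few percent at most, because 199 steps spread over 65536 possible values.
    """
    if len(ids) < 2:
        return 0.0
    steps = Counter((b - a) % 65536 for a, b in zip(ids, ids[1:]))
    return max(steps.values()) / (len(ids) - 1)


def shannon_bits(ids):
    """Empirical entropy of the sample; bounded by log2(len(ids)), not by 16."""
    n = len(ids)
    return -sum(c / n * math.log2(c / n) for c in Counter(ids).values())


def assess_txids(ids, min_distinct=0.9, max_step=0.1):
    """Return metrics plus a verdict. Thresholds are illustrative assumptions."""
    if len(ids) < 50:
        raise ValueError("need at least 50 IDs for a meaningful check")
    metrics = {
        "distinct_fraction": distinct_fraction(ids),
        "max_step_fraction": max_step_fraction(ids),
        "entropy_bits": shannon_bits(ids),
    }
    weak = (metrics["distinct_fraction"] < min_distinct
            or metrics["max_step_fraction"] > max_step)
    metrics["verdict"] = "weak" if weak else "no obvious weakness"
    return metrics


# Constructed inputs (not captured from any real server).
SAMPLE_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)   # id, flags, counts
                + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))  # example.com A IN
WEAK_SAMPLE = [(1000 + i) % 65536 for i in range(200)]                # sequential counter
STRONG_SAMPLE = random.Random(20070725).sample(range(65536), 200)      # uniform, distinct

if __name__ == "__main__":
    print("sample query id: 0x%04x" % txid_from_query(SAMPLE_QUERY))
    for name, ids in (("counter", WEAK_SAMPLE), ("uniform", STRONG_SAMPLE)):
        print(name, assess_txids(ids))
```

In practice the IDs would come from a packet capture of the resolver's own outbound queries to authoritative servers; the entropy figure is reported for context only, since a plain counter has maximal sample entropy and is caught by the step check instead.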

Admin (Kurt Seifried) note: Ahh the rich taste of irony:

  • I upgraded Bind on the servers today (running CentOS 5) and it promptly failed upon restarting; complaining all the zone files were gone (eeek!). It turns out that the CentOS bind-chroot package assumes that /var/named/data/ is a real directory and not a symbolic link to /var/named/chroot/var/named/data/. If it is a symbolic link to the directory /var/named/chroot/var/named/data/ then all the files within this directory are wiped out upon the package update. How delightful. Thank goodness for backups.
  • I used to run Bind on OpenBSD (but then consolidated on CentOS to reduce the amount of admin work), in which case I would not have had to upgrade Bind to address this vulnerability. The OpenBSD security team audited Bind 9 and found the PRNG to be weak, they replaced it with a stronger one, and thus the default Bind 9 on OpenBSD is not vulnerable to this issue. For more information please see this article.


Posted by Amit.Klein on Wednesday, July 25th, 2007, at 12:41 am, and filed under Articles.
