DNS spoofing vulnerability
robert at linuxfromscratch.org
Fri Jul 11 17:43:55 PDT 2008
On Friday July 11 2008 07:11:25 pm Chris Buxton wrote:
> I assume most of you have heard about the recent BIND/MS DNS updates
> to somewhat address a new DNS spoofing attack vector discovered by Dan
> What you may not have heard is that the Unix stub resolver, part of
> glibc, is also vulnerable.
> Does anyone know if/when glibc will be patched against this? Until it
> is, you should disable nscd (the stub resolver's caching daemon) if
> you're using it. (Also disable any other DNS caching routine you have
> running until the problem is addressed by the vendor - too bad Mac
> users really can't do this.) This will reduce your exposure, although
> not as much as using a patched stub resolver would.
> Chris Buxton
> Professional Services
> Men & Mice
The Glibc arc4 patch adds arc4random() to res_init.c and res_mkquery.c for the
resolver, and to bindrsvprt.c to randomize the port numbers. I haven't
checked it out, but I would love to know if this addresses the DNS
vulnerability. These modifications were taken from Owl Linux, and I added
arc4random() for better entropy (and were sent to Glibc's bugzilla).
More specifically, the arc4 patch modifies glibc-2.5.1/resolv/res_init.c to
use arc4random() instead of getpid() in the res_randomid() function. In
glibc-2.5.1/resolv/res_mkquery.c arc4random() replaces gettimeofday(). In
glibc-2.5.1/sunrpc/bindrsvprt.c arc4random() replaces getpid().
I hope one of you can find the time to test out this vulnerability in hlfs,
but the credit for this patch goes to Owl Linux.
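
Added example, not part of the original message or of the Glibc arc4 patch: a simplified C model of how much guessable space a query ID built from getpid() and the clock offers compared with a random ID plus a random source port. The function names, the sample pid and timestamp, and the 64512-port range are constructed assumptions, and /dev/urandom stands in for arc4random().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a legacy query ID (clock XOR pid, low 16 bits).
 * Hypothetical helper; not copied from glibc. */
static uint16_t legacy_id(uint32_t pid, uint32_t sec, uint32_t usec)
{
    return (uint16_t)(0xffff & (sec ^ usec ^ pid));
}

/* Distinct legacy IDs possible when pid and sec are fixed and the send
 * time is only uncertain within [t0, t0 + n) microseconds. */
static unsigned legacy_ids_in_window(uint32_t pid, uint32_t sec,
                                     uint32_t t0, uint32_t n)
{
    static uint8_t seen[65536];
    unsigned distinct = 0;
    memset(seen, 0, sizeof seen);
    for (uint32_t u = t0; u < t0 + n; u++) {
        uint16_t id = legacy_id(pid, sec, u);
        if (!seen[id]) { seen[id] = 1; distinct++; }
    }
    return distinct;
}

/* 16-bit value from the kernel CSPRNG; returns -1 on failure. */
static int csprng_u16(uint16_t *out)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(out, sizeof *out, 1, f);
    fclose(f);
    return got == 1 ? 0 : -1;
}

/* Number of (ID, source port) pairs a reply must match to be accepted. */
static uint64_t reply_match_space(unsigned id_values, unsigned port_values)
{
    return (uint64_t)id_values * port_values;
}

int main(void)
{
    uint16_t id;
    /* Constructed sample values: pid 4321, a July 2008 timestamp, 1 ms window. */
    unsigned weak = legacy_ids_in_window(4321, 1215823435u, 500000, 1000);
    printf("legacy IDs in a 1 ms window: %u of 65536\n", weak);
    if (csprng_u16(&id) == 0) printf("CSPRNG ID: 0x%04x\n", id);
    printf("fixed port: %llu pairs, random ID and port: %llu pairs\n",
           (unsigned long long)reply_match_space(weak, 1),
           (unsigned long long)reply_match_space(65536, 64512));
    return 0;
}
```
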