DNS spoofing vulnerability

Robert Connolly robert at linuxfromscratch.org
Fri Jul 11 17:43:55 PDT 2008


On Friday July 11 2008 07:11:25 pm Chris Buxton wrote:
> I assume most of you have heard about the recent BIND/MS DNS updates
> to somewhat address a new DNS spoofing attack vector discovered by Dan
> Kaminsky.
>
> What you may not have heard is that the Unix stub resolver, part of
> glibc, is also vulnerable.
>
> Does anyone know if/when glibc will be patched against this? Until it
> is, you should disable nscd (the stub resolver's caching daemon) if
> you're using it. (Also disable any other DNS caching routine you have
> running until the problem is addressed by the vendor - too bad Mac
> users really can't do this.) This will reduce your exposure, although
> not as much as using a patched stub resolver would.
>
> Chris Buxton
> Professional Services
> Men & Mice

The Glibc arc4 patch adds arc4random() to res_init.c and res_mkquery.c for the
resolver, and to bindrsvprt.c to randomize the port numbers. I haven't
checked it out, but I would love to know if this addresses the DNS
vulnerability. These modifications were taken from Owl Linux, and I added
arc4random() for better entropy (and they were sent to Glibc's bugzilla).

More specifically, the arc4 patch modifies glibc-2.5.1/resolv/res_init.c to 
use arc4random() instead of getpid() in the res_randomid() function. In 
glibc-2.5.1/resolv/res_mkquery.c arc4random() replaces gettimeofday(). In 
glibc-2.5.1/sunrpc/bindrsvprt.c arc4random() replaces getpid().

I hope one of you can find the time to test out this vulnerability in hlfs, 
but the credit for this patch goes to Owl Linux.

robert
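As an added illustration (not glibc's, Owl's, or the patch's code), the contrast the patch is after: a query ID that is a deterministic function of gettimeofday()/getpid(), next to one drawn from the kernel CSPRNG, with the same idea applied to the reserved source port. The weak formula is a simplified model of the pre-patch res_randomid(), /dev/urandom stands in for arc4random(), and the port range is an assumption.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
#include <time.h>

/* Weak model (assumed formula, not literal glibc source): the ID is a pure
 * function of wall-clock time and pid, which an observer can estimate. */
uint16_t weak_query_id(time_t sec, long usec, pid_t pid)
{
    return (uint16_t)(0xffff & (sec ^ usec ^ pid));
}

/* Strong replacement: 16 bits from the kernel CSPRNG (/dev/urandom stands
 * in for arc4random()). Returns 0 on success, -1 if it cannot be read;
 * a caller must never silently fall back to a weak source. */
int strong_query_id(uint16_t *id)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(id, sizeof *id, 1, f);
    fclose(f);
    return n == 1 ? 0 : -1;
}

/* Same idea for the reserved source port: a CSPRNG-chosen port in [lo, hi]
 * instead of a pid-derived offset (range is an assumption, caller's choice). */
int strong_resv_port(int lo, int hi)
{
    uint16_t r;
    if (hi < lo || strong_query_id(&r) != 0) return -1;
    return lo + (int)(r % (unsigned)(hi - lo + 1));
}

/* Spread check: distinct IDs seen over `draws` calls (-1 on read failure);
 * a generator stuck on time/pid would show far fewer than the CSPRNG does. */
int distinct_strong_ids(int draws)
{
    static unsigned char seen[65536];
    int distinct = 0;
    memset(seen, 0, sizeof seen);
    for (int i = 0; i < draws; i++) {
        uint16_t id;
        if (strong_query_id(&id) != 0) return -1;
        if (!seen[id]) { seen[id] = 1; distinct++; }
    }
    return distinct;
}
```

Even a perfectly random 16-bit ID is a small space on its own, which is why the port randomization in bindrsvprt.c matters as much as the ID change.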