
US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning



Posted

Here's a complementary alert to the others I have recently posted in here, explaining another Internet/network vulnerability.

DNS is an integral part of networking [the Internet is a network]; networking doesn't occur without it, yet its inherent qualities and features are also its vulnerability.

Make sure to look at the links and references.

 

 


 

National Cyber Alert System

 

Technical Cyber Security Alert TA08-190B

 

 

Multiple DNS implementations vulnerable to cache poisoning

 

Original release date: July 08, 2008

Last revised: --

Source: US-CERT

 

 

Systems Affected

 

Systems implementing:

* Caching DNS resolvers

* DNS stub resolvers

 

Affected systems include both client and server systems, and any other networked systems that include this functionality.

 

 

Overview

 

Deficiencies in the DNS protocol and common DNS implementations facilitate DNS cache poisoning attacks. Effective attack techniques against these vulnerabilities have been demonstrated.

 

 

I. Description

 

DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that allows an attacker to introduce forged DNS information into the cache of a caching nameserver. The general concept has been known for some time, and a number of inherent deficiencies in the DNS protocol and defects in common DNS implementations that facilitate DNS cache poisoning have previously been identified and described in public literature. Examples of these vulnerabilities can be found in Vulnerability Note VU#800113.

 

Recent research into these and other related vulnerabilities has produced extremely effective exploitation methods to achieve cache poisoning. Tools and techniques have been developed that can reliably poison a domain of the attacker's choosing on most current implementations. As a result, the consensus of DNS software implementers is to implement source port randomization in their resolvers as a mitigation.

 

US-CERT is tracking this issue as VU#800113. This reference number corresponds to CVE-2008-1447.

 

 

II. Impact

 

An attacker with the ability to conduct a successful cache poisoning attack can cause a nameserver's clients to contact the incorrect, and possibly malicious, hosts for particular services. Consequently, web traffic, email, and other important network data can be redirected to systems under the attacker's control.

 

 

III. Solution

 

Apply a patch from your vendor

 

Patches have been released by a number of vendors to implement source port randomization in the nameserver. This change significantly reduces the practicality of cache poisoning attacks. Please see the Systems Affected section of Vulnerability Note VU#800113 for additional details for specific vendors.

 

As mentioned above, stub resolvers are also vulnerable to these attacks. Stub resolvers that will issue queries in response to attacker behavior, and may receive packets from an attacker, should be patched. System administrators should be alert for patches to client operating systems that implement port randomization in the stub resolver.

 

Workarounds

 

Restrict access

Administrators, particularly those who are unable to apply a patch, can limit exposure to this vulnerability by restricting sources that can ask for recursion. Note that restricting access will still allow attackers with access to authorized hosts to exploit this vulnerability.

 

Filter traffic at network perimeters

Because the ability to spoof IP addresses is necessary to conduct these attacks, administrators should take care to filter spoofed addresses at the network perimeter. IETF Request for Comments (RFC) documents RFC 2827, RFC 3704, and RFC 3013 describe best current practices (BCPs) for implementing this defense. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.

 

Run a local DNS cache

In lieu of strong port randomization characteristics in a stub resolver, administrators can protect their systems by using local caching full-service resolvers, both on the client systems and on servers that are topologically close on the network to the client systems. This should be done in conjunction with the network segmentation and filtering strategies mentioned above.

 

Disable recursion

Disable recursion on any nameserver responding to DNS requests made by untrusted systems.

 

Implement source port randomization

Vendors that implement DNS software are encouraged to review IETF Internet Draft, "Measures for making DNS more resilient against forged answers," for additional information about implementing mitigations in their products. This document is a work in progress and may change prior to its publication as an RFC, if it is approved.

 

 

IV. References

 

* US-CERT Vulnerability Note VU#800113 - <http://www.kb.cert.org/vuls/id/800113>
* US-CERT Vulnerability Note VU#484649 - <http://www.kb.cert.org/vuls/id/484649>
* US-CERT Vulnerability Note VU#252735 - <http://www.kb.cert.org/vuls/id/252735>
* US-CERT Vulnerability Note VU#927905 - <http://www.kb.cert.org/vuls/id/927905>
* US-CERT Vulnerability Note VU#457875 - <http://www.kb.cert.org/vuls/id/457875>
* Internet Draft: Measures for making DNS more resilient against forged answers - <http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience>
* RFC 3833 - <http://tools.ietf.org/html/rfc3833>
* RFC 2827 - <http://tools.ietf.org/html/rfc2827>
* RFC 3704 - <http://tools.ietf.org/html/rfc3704>
* RFC 3013 - <http://tools.ietf.org/html/rfc3013>
* Microsoft Security Bulletin MS08-037 - <http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx>
* Internet Systems Consortium BIND Vulnerabilities - <http://www.isc.org/sw/bind/bind-security.php>

 

____________________________________________________________________

 

US-CERT thanks Dan Kaminsky of IOActive and Paul Vixie of Internet Systems Consortium (ISC) for notifying us about this problem and for helping us to construct this advisory.

____________________________________________________________________

 

The most recent version of this document can be found at:

 

<http://www.us-cert.gov/cas/techalerts/TA08-190B.html>

____________________________________________________________________

 

Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA08-190B Feedback VU#800113" in the subject.

____________________________________________________________________

 

For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

____________________________________________________________________

 

Produced 2008 by US-CERT, a government organization.

 

Terms of use:

 

<http://www.us-cert.gov/legal.html>

____________________________________________________________________

 

 

Revision History

 

July 8, 2008: Initial release

 

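The alert says source port randomization "significantly reduces the practicality" of the attack without putting a number on it. The following added example (not part of the US-CERT alert or the IETF draft it cites) models the blind forged-answer race the draft reasons about: a forged response is only accepted if it matches the pending query's 16-bit transaction ID and its UDP source port, so each bit of port entropy doubles the space a forger has to cover. The resolver profiles and the forged-packet budget are constructed, not measured.

```python
"""Effect of source port randomization on blind DNS answer forgery.

Added example: the model follows the reasoning of
draft-ietf-dnsext-forgery-resilience, cited by the alert. The resolver
profiles and packet budgets below are constructed assumptions.
"""
from dataclasses import dataclass

TXID_BITS = 16  # the DNS header transaction ID is a 16-bit field


@dataclass(frozen=True)
class ResolverProfile:
    name: str
    port_entropy_bits: float  # 0 for a fixed query port, 16 for a fully random one


def identifier_space(profile: ResolverProfile) -> int:
    """Number of distinct (TXID, source port) pairs a forged answer must hit."""
    return round(2 ** (TXID_BITS + profile.port_entropy_bits))


def hit_probability(profile: ResolverProfile, forged_per_window: int) -> float:
    """Probability that at least one of `forged_per_window` blind answers,
    all arriving before the genuine one, matches the outstanding query.
    Each forged packet is an independent guess with odds 1/space."""
    per_packet = 1.0 / identifier_space(profile)
    return 1.0 - (1.0 - per_packet) ** forged_per_window


def expected_windows(profile: ResolverProfile, forged_per_window: int) -> float:
    """Expected number of query windows (rounds) before a forgery is accepted;
    this is the 'practicality' the alert refers to."""
    p = hit_probability(profile, forged_per_window)
    return float("inf") if p == 0.0 else 1.0 / p


def compare(forged_per_window: int = 200) -> dict:
    """Fixed port vs. randomized port under the same forged-packet budget."""
    profiles = (
        ResolverProfile("fixed port", port_entropy_bits=0),
        ResolverProfile("random port", port_entropy_bits=16),
    )
    return {
        p.name: {
            "space": identifier_space(p),
            "hit_probability": hit_probability(p, forged_per_window),
            "expected_windows": expected_windows(p, forged_per_window),
        }
        for p in profiles
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:12s} space={stats['space']:>11,d}  "
              f"P(hit per window)={stats['hit_probability']:.2e}  "
              f"expected windows={stats['expected_windows']:.3g}")
```

With 200 forged packets per window, a fixed-port resolver is expected to accept a forgery after a few hundred windows, while full port randomization pushes that into the tens of millions, which is the factor of roughly 2^16 the mitigation buys.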

Guest Franc Zabkar
Posted

Re: US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning


 

On Wed, 9 Jul 2008 11:51:31 -0400, "MEB" <meb@not here@hotmail.com> put finger to keyboard and composed:

> An attacker with the ability to conduct a successful cache poisoning

>attack

> can cause a nameserver's clients to contact the incorrect, and possibly

> malicious, hosts for particular services. Consequently, web traffic,

>email,

> and other important network data can be redirected to systems under the

> attacker's control.

 

To find out if the DNS server you use is vulnerable, click the "Check My DNS" button at this URL:
http://www.doxpara.com/

BTW, I was directed to the above site by the following Murdoch publication, so I'm reasonably confident that it's safe ;-)
http://www.news.com.au/technology/story/0,25642,23992662-5014108,00.html

 

- Franc Zabkar

--

Please remove one 'i' from my address when replying by email.

Guest smith
Posted

Re: US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning


 

Franc Zabkar <fzabkar@iinternode.on.net> wrote in news:aq8a745mtvoaph87pmieq7o2cuslhja5es@4ax.com:

> On Wed, 9 Jul 2008 11:51:31 -0400, "MEB" <meb@not

> here@hotmail.com> put finger to keyboard and composed:

>

>> An attacker with the ability to conduct a successful

>> cache poisoning

>>attack

>> can cause a nameserver's clients to contact the

>> incorrect, and possibly malicious, hosts for particular

>> services. Consequently, web traffic,

>>email,

>> and other important network data can be redirected to

>> systems under the attacker's control.

>

> To find out if the DNS server you use is vulnerable, click

> the "Check My DNS" button at this URL:

> http://www.doxpara.com/

>

> BTW, I was directed to the above site by the following

> Murdoch publication, so I'm reasonably confident that it's

> safe ;-)

> http://www.news.com.au/technology/story/0,25642,23992662-501

> 4108,00.html

>

 

 

 

> - Franc Zabkar

 

I tried this and got a "your name server appears vulnerable" message.

However, I noticed that the IP address in the message did not match the address for my DNS server in winipcfg.

Is it normal that these two addresses would differ?

Guest Franc Zabkar
Posted

Re: US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning


 

On Wed, 09 Jul 2008 15:55:09 -0700, smith <smith@smith.com> put finger to keyboard and composed:

>Franc Zabkar <fzabkar@iinternode.on.net> wrote in

>news:aq8a745mtvoaph87pmieq7o2cuslhja5es@4ax.com:

>> To find out if the DNS server you use is vulnerable, click

>> the "Check My DNS" button at this URL:

>> http://www.doxpara.com/

>I tried this and got a "your name server appears vulnerable

>message."

>

>However I noticed that the ip address in the message did not

>match the address for my DNS server in winipcfg.

>

>Is this normal that these two addresses would differ?

 

I don't know, but in my case I've configured my router to use DNS Relay. This means that winipcfg shows my router's LAN IP as the DNS server address, and any DNS requests sent to it are relayed to one of two DNS servers whose addresses the router has learned from my ISP via PPP. Is it possible that your router is configured like mine, i.e. is your DNS IP, as reported by winipcfg, a LAN or WAN IP?

 

- Franc Zabkar

--

Please remove one 'i' from my address when replying by email.

Guest smith
Posted

Re: US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning


 

Franc Zabkar <fzabkar@iinternode.on.net> wrote in news:9pja74d5hu7v0f7guqae1j39r2qkje00h8@4ax.com:

> On Wed, 09 Jul 2008 15:55:09 -0700, smith <smith@smith.com>

> put finger to keyboard and composed:

>

>>Franc Zabkar <fzabkar@iinternode.on.net> wrote in

>>news:aq8a745mtvoaph87pmieq7o2cuslhja5es@4ax.com:

>

>>> To find out if the DNS server you use is vulnerable,

>>> click the "Check My DNS" button at this URL:

>>> http://www.doxpara.com/

>

>>I tried this and got a "your name server appears

>>vulnerable message."

>>

>>However I noticed that the ip address in the message did

>>not match the address for my DNS server in winipcfg.

>>

>>Is this normal that these two addresses would differ?

>

> I don't know, but in my case I've configured my router to

> use DNS Relay. This means that winipcfg shows my router's

> LAN IP as the DNS server address, and any DNS requests sent

> to it are relayed to one of two DNS servers whose addresses

> the router has learned from my ISP via PPP. Is it possible

> that your router is configured like mine, ie is your DNS

> IP, as reported by winipcfg, a LAN or WAN IP?

>

> - Franc Zabkar

 

Beats me.

I don't have a router that I know of.

I plug my computer directly into a cable modem, and heaven only knows what the cable company does.

I intended to get one but have never got around to it.

I always assumed that the winipcfg address was the cable company's real DNS server.

Posted

Re: US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnera


 

I am going to jump in at this point and ask which router is best. I do not want a router with wireless capabilities. This router will be strictly wired only for security reasons, since I do not want to broadcast any signal that someone could detect. Thanks in advance for your opinion.

 

"smith" wrote:

> Franc Zabkar <fzabkar@iinternode.on.net> wrote in

> news:9pja74d5hu7v0f7guqae1j39r2qkje00h8@4ax.com:

>

> > On Wed, 09 Jul 2008 15:55:09 -0700, smith <smith@smith.com>

> > put finger to keyboard and composed:

> >

> >>Franc Zabkar <fzabkar@iinternode.on.net> wrote in

> >>news:aq8a745mtvoaph87pmieq7o2cuslhja5es@4ax.com:

> >

> >>> To find out if the DNS server you use is vulnerable,

> >>> click the "Check My DNS" button at this URL:

> >>> http://www.doxpara.com/

> >

> >>I tried this and got a "your name server appears

> >>vulnerable message."

> >>

> >>However I noticed that the ip address in the message did

> >>not match the address for my DNS server in winipcfg.

> >>

> >>Is this normal that these two addresses would differ?

> >

> > I don't know, but in my case I've configured my router to

> > use DNS Relay. This means that winipcfg shows my router's

> > LAN IP as the DNS server address, and any DNS requests sent

> > to it are relayed to one of two DNS servers whose addresses

> > the router has learned from my ISP via PPP. Is it possible

> > that your router is configured like mine, ie is your DNS

> > IP, as reported by winipcfg, a LAN or WAN IP?

> >

> > - Franc Zabkar

>

> Beats me.

>

> I don't have a router that I know of.

>

> I plug my computer directly into a cable modem, and heaven only

> knows what the cable company does.

>

> I intended to get one but have never got around to it.

>

> I always assumed that the winipcfg address was the cable

> company's real dns server.

>

Guest Vince
Posted

Re: US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning


 

On Wed, 9 Jul 2008 11:51:31 -0400, "MEB" <meb@not here@hotmail.com> wrote:

>III. Solution

>

>Apply a patch from your vendor

 

There's nothing like reading multiple articles on something you know absolutely nothing about to make you feel dumber than a box of rocks.

So . . . no patch will ever be forthcoming from Microsoft for Windows 9x, as it's well beyond its end of life. Is Win9x vulnerable to this problem?

Guest Franc Zabkar
Posted

Re: US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning


 

On Thu, 10 Jul 2008 01:39:44 -0700, smith <smith@smith.com> put finger to keyboard and composed:

>Franc Zabkar <fzabkar@iinternode.on.net> wrote in

>news:9pja74d5hu7v0f7guqae1j39r2qkje00h8@4ax.com:

>

>> On Wed, 09 Jul 2008 15:55:09 -0700, smith <smith@smith.com>

>> put finger to keyboard and composed:

>>

>>>Franc Zabkar <fzabkar@iinternode.on.net> wrote in

>>>news:aq8a745mtvoaph87pmieq7o2cuslhja5es@4ax.com:

>>

>>>> To find out if the DNS server you use is vulnerable,

>>>> click the "Check My DNS" button at this URL:

>>>> http://www.doxpara.com/

>>

>>>I tried this and got a "your name server appears

>>>vulnerable message."

>>>

>>>However I noticed that the ip address in the message did

>>>not match the address for my DNS server in winipcfg.

>>>

>>>Is this normal that these two addresses would differ?

>>

>> I don't know, but in my case I've configured my router to

>> use DNS Relay. This means that winipcfg shows my router's

>> LAN IP as the DNS server address, and any DNS requests sent

>> to it are relayed to one of two DNS servers whose addresses

>> the router has learned from my ISP via PPP. Is it possible

>> that your router is configured like mine, ie is your DNS

>> IP, as reported by winipcfg, a LAN or WAN IP?

>>

>> - Franc Zabkar

>

>Beats me.

>

>I don't have a router that I know of.

>

>I plug my computer directly into a cable modem, and heaven only

>knows what the cable company does.

>

>I intended to get one but have never got around to it.

>

>I always assumed that the winipcfg address was the cable

>company's real dns server.

 

Type your DNS address into the search box at this URL:
http://ws.arin.net/whois

If you get something like this ...

OrgName: Internet Assigned Numbers Authority
OrgID: IANA

... then it's a LAN address. Otherwise it's the WAN address of an external DNS server.

 

- Franc Zabkar

--

Please remove one 'i' from my address when replying by email.

Posted

Re: US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning


 

In news:vivc74djui7cfmnngra10d3petrn0ei9h1@4ax.com at , Vince contemplated and posted:

| On Wed, 9 Jul 2008 11:51:31 -0400, "MEB" <meb@not here@hotmail.com>

| wrote:

|

|>III. Solution

|>

|>Apply a patch from your vendor

|

| There's nothing like reading multiple articles on something you know

| absolutely nothing about to make you feel dumber than a box of rocks.

|

| So . . . no patch will ever be forthcoming from Microsoft for

| Windows 9x, as it's well beyond its end of life. Is Win9x vulnerable

| to this problem?

 

WEEEEELLL, not exactly true. There will be no patch from Microsoft, but that certainly doesn't mean 9X is left defenseless.

Might try MSFN and other un-official sites for a patch IF you need one; however, the issue affects your ISP more than you initially, and the sites you visit (e.g., Apache, IIS, Server 2003/2008, Solaris, etc.) will be receiving the patches. 9X will be vulnerable via the DNS activity pending whatever work-arounds/fixes are provided, though HOW your DNS is handled will determine the effect and extent of your vulnerability. For instance: AOL just issued a work-around/patch; whether this is the final fix or not is unknown at this point.

 

--

MEB

http://peoplescounsel.orgfree.com

--

_________

Posted

Re: US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning


 

ADDENDUM

 

In news:OKmg%23Pv4IHA.2072@TK2MSFTNGP04.phx.gbl at , MEB contemplated and posted:

| In news:vivc74djui7cfmnngra10d3petrn0ei9h1@4ax.com at ,

| Vince contemplated and posted:

|| On Wed, 9 Jul 2008 11:51:31 -0400, "MEB" <meb@not here@hotmail.com>

|| wrote:

||

||>III. Solution

||>

||>Apply a patch from your vendor

||

|| There's nothing like reading multiple articles on something you know

|| absolutely nothing about to make you feel dumber than a box of rocks.

||

|| So . . . no patch will ever be forthcoming from Microsoft for

|| Windows 9x, as it's well beyond its end of life. Is Win9x vulnerable

|| to this problem?

|

| WEEEEELLL, no exactly true, there will be no patch from Microsoft,

| but that certainly doesn't mean 9X is left defenseless.

|

| Might try MSFN and other un-official sites for a patch IF you need

| one, however, the issue affects your ISP more than you initially, and

| the sites you visit e.g., Apache, IIS, Server 2003/2008, Solaris,

| etc., will be receiving the patches. 9X will be vulnerable via the

| DNS activity pending whatever work-arounds/fixes are provided, though

| HOW your DNS is handled will determine the effect and extent of your

| vulnerability. For instance: AOL just issued a work-around/patch,

| whether this is the final fix or not is unknown at this point.

|

| --

| MEB

 

Of course the above does not mean that unsavory/malicious sites or their linked ADS and other links cannot be used against ANY system. So, as usual, you must make an effort to address the issue locally, first by your activities, and with whatever you think you need.

If you're paranoid or wish more security [which some label paranoia], there are/were DNS and web server/proxy services/applications for 9X which would intercept these activities, and your HOSTS, firewall, script/scripting, and TCP/IP setup can, once again, be used to help negate the issue.

*NOTE:*
This isn't something new to the hacker/cracker world; the reason it's now of deeper concern is the extended use on the Internet and against business and commercial sites [which of course then affects the Internet user].

By Spacefox, spacefox@securesphere.net
Secure Sphere Crew - January 23rd, 2002
http://www.securesphere.net/download/papers/dnsspoof.htm

http://www.google.com/search?hl=en&q=DNS+cache+poisoning&btnG=Google+Search

 

 

--

MEB

http://peoplescounsel.orgfree.com

--

_________

Guest Gary S. Terhune
Posted

Re: US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning


 

Always knew you were an idiot.

 

--

Gary S. Terhune

MS-MVP Shell/User

http://grystmill.com

 

"smith" <smith@smith.com> wrote in message news:ePxBCim4IHA.1056@TK2MSFTNGP05.phx.gbl...

> Franc Zabkar <fzabkar@iinternode.on.net> wrote in

> news:9pja74d5hu7v0f7guqae1j39r2qkje00h8@4ax.com:

>

>> On Wed, 09 Jul 2008 15:55:09 -0700, smith <smith@smith.com>

>> put finger to keyboard and composed:

>>

>>>Franc Zabkar <fzabkar@iinternode.on.net> wrote in

>>>news:aq8a745mtvoaph87pmieq7o2cuslhja5es@4ax.com:

>>

>>>> To find out if the DNS server you use is vulnerable,

>>>> click the "Check My DNS" button at this URL:

>>>> http://www.doxpara.com/

>>

>>>I tried this and got a "your name server appears

>>>vulnerable message."

>>>

>>>However I noticed that the ip address in the message did

>>>not match the address for my DNS server in winipcfg.

>>>

>>>Is this normal that these two addresses would differ?

>>

>> I don't know, but in my case I've configured my router to

>> use DNS Relay. This means that winipcfg shows my router's

>> LAN IP as the DNS server address, and any DNS requests sent

>> to it are relayed to one of two DNS servers whose addresses

>> the router has learned from my ISP via PPP. Is it possible

>> that your router is configured like mine, ie is your DNS

>> IP, as reported by winipcfg, a LAN or WAN IP?

>>

>> - Franc Zabkar

>

> Beats me.

>

> I don't have a router that I know of.

>

> I plug my computer directly into a cable modem, and heaven only

> knows what the cable company does.

>

> I intended to get one but have never got around to it.

>

> I always assumed that the winipcfg address was the cable

> company's real dns server.

Guest Gary S. Terhune
Posted

Re: US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning


 

You should stop reading things you don't understand. If the fix involves patching your desktop OS, you're right, Windows 98 won't be patched.

 

--

Gary S. Terhune

MS-MVP Shell/User

http://grystmill.com

 

"Vince" <nobody@home.invalid> wrote in message news:vivc74djui7cfmnngra10d3petrn0ei9h1@4ax.com...

> On Wed, 9 Jul 2008 11:51:31 -0400, "MEB" <meb@not here@hotmail.com>

> wrote:

>

>>III. Solution

>>

>>Apply a patch from your vendor

>

> There's nothing like reading multiple articles on something you know

> absolutely nothing about to make you feel dumber than a box of rocks.

>

> So . . . no patch will ever be forthcoming from Microsoft for

> Windows 9x, as it's well beyond its end of life. Is Win9x vulnerable

> to this problem?

Guest smith
Posted

Re: US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning


 

Franc Zabkar <fzabkar@iinternode.on.net> wrote in news:s44d74l329asemkcacob1tmfib13rdhss1@4ax.com:

> On Thu, 10 Jul 2008 01:39:44 -0700, smith <smith@smith.com>

> put finger to keyboard and composed:

>

>>Franc Zabkar <fzabkar@iinternode.on.net> wrote in

>>news:9pja74d5hu7v0f7guqae1j39r2qkje00h8@4ax.com:

>>

>>> On Wed, 09 Jul 2008 15:55:09 -0700, smith

>>> <smith@smith.com> put finger to keyboard and composed:

>>>

>>>>Franc Zabkar <fzabkar@iinternode.on.net> wrote in

>>>>news:aq8a745mtvoaph87pmieq7o2cuslhja5es@4ax.com:

>>>

>>>>> To find out if the DNS server you use is vulnerable,

>>>>> click the "Check My DNS" button at this URL:

>>>>> http://www.doxpara.com/

>>>

>>>>I tried this and got a "your name server appears

>>>>vulnerable message."

>>>>

>>>>However I noticed that the ip address in the message did

>>>>not match the address for my DNS server in winipcfg.

>>>>

>>>>Is this normal that these two addresses would differ?

>>>

>>> I don't know, but in my case I've configured my router to

>>> use DNS Relay. This means that winipcfg shows my router's

>>> LAN IP as the DNS server address, and any DNS requests

>>> sent to it are relayed to one of two DNS servers whose

>>> addresses the router has learned from my ISP via PPP. Is

>>> it possible that your router is configured like mine, ie

>>> is your DNS IP, as reported by winipcfg, a LAN or WAN IP?

>>>

>>> - Franc Zabkar

>>

>>Beats me.

>>

>>I don't have a router that I know of.

>>

>>I plug my computer directly into a cable modem, and heaven

>>only knows what the cable company does.

>>

>>I intended to get one but have never got around to it.

>>

>>I always assumed that the winipcfg address was the cable

>>company's real dns server.

>

> Type your DNS address into the search box at this URL:

> http://ws.arin.net/whois

>

> If you get something like this ...

>

> OrgName: Internet Assigned Numbers Authority

> OrgID: IANA

>

> ... then it's a LAN address. Otherwise it's the WAN address

> of an external DNS server.

>

> - Franc Zabkar

 

It was a WAN. The two DNS addresses in my winipcfg belong to my ISP, and the address I see in the "Check My DNS" box at http://www.doxpara.com/ in the "appears safe" message is 68.166.125.227, which belongs to Covad Communications.

Guest Franc Zabkar
Posted

Re: US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning


 

On Thu, 10 Jul 2008 22:48:04 -0700, smith <smith@smith.com> put finger to keyboard and composed:

>It was a WAN. The two DNS addresses in my winipcfg belong to my

>ISP and the address I see in the check dns box at

>http://www.doxpara.com/ appears safe message is 68.166.125.227,

>which belongs Covad Communications

 

http://en.wikipedia.org/wiki/Covad_Communications

"The company offers DSL, Voice over IP, T1, Web hosting, managed security, IP and dial-up, and bundled voice and data services directly through Covad's network and through Internet Service Providers, value-added resellers, telecommunications carriers and affinity groups to small and medium-sized businesses and home users."

I suspect that your ISP resells Covad's services and relays your DNS requests to Covad's DNS server.

Having said that, the IP address you have given us equates to "smtp.cotse.net", which looks like your ISP's mail server ???

My own ISP's addresses, as reported by my router, are 192.231.203.3 and 192.231.203.132. However, just as in your case, Doxpara reports a different DNS address, namely 150.101.120.5, but all three addresses still belong to my ISP.

FWIW, the following is what I see when I perform traceroutes to your address and to my own ISP's DNS addresses.

 

C:\WIN98SE>tracert 68.166.125.227

Tracing route to smtp.cotse.net [68.166.125.227]
over a maximum of 30 hops:

 1 * * * Request timed out.
 2 30 ms 26 ms 25 ms lns10.syd6.internode.on.net [150.101.197.88]
<snip>
15 260 ms 264 ms 264 ms COVAD.car1.Boston1.Level3.net [63.211.168.26]
16 * * * Request timed out.
17 * * * Request timed out.
18 294 ms 298 ms 298 ms smtp.cotse.net [68.166.125.227]

Trace complete.

C:\WIN98SE>tracert 192.231.203.132

Tracing route to resolv.internode.on.net [192.231.203.132]
over a maximum of 30 hops:

 1 * * * Request timed out.
 2 27 ms 26 ms 25 ms lns10.syd6.internode.on.net [150.101.197.88]
 3 30 ms 26 ms 25 ms vl14.cor2.syd6.internode.on.net [150.101.197.83]
 4 28 ms 32 ms 25 ms resolv.internode.on.net [192.231.203.132]

Trace complete.

C:\WIN98SE>tracert 192.231.203.3

Tracing route to ns4.on.net [192.231.203.3]
over a maximum of 30 hops:

 1 * * * Request timed out.
 2 26 ms 26 ms 25 ms lns10.syd6.internode.on.net [150.101.197.88]
 3 25 ms 26 ms 25 ms vl14.cor2.syd6.internode.on.net [150.101.197.83]
 4 51 ms 52 ms 52 ms gi0-3.bdr1.syd6.internode.on.net [150.101.199.245]
 5 55 ms 52 ms 52 ms pos3-2.bdr2.adl2.internode.on.net [203.16.212.141]
 6 49 ms 52 ms 52 ms po2.cor3.adl2.internode.on.net [203.16.212.155]
 7 47 ms 52 ms 52 ms ns4.on.net [192.231.203.3]

Trace complete.

C:\WIN98SE>tracert 150.101.120.5

Tracing route to resolv1.syd6.internode.on.net [150.101.120.5]
over a maximum of 30 hops:

 1 * * * Request timed out.
 2 24 ms 28 ms 26 ms lns10.syd6.internode.on.net [150.101.197.88]
 3 26 ms 25 ms 25 ms vl14.cor2.syd6.internode.on.net [150.101.197.83]
 4 26 ms 25 ms 26 ms resolv1.syd6.internode.on.net [150.101.120.5]

Trace complete.

 

- Franc Zabkar

--

Please remove one 'i' from my address when replying by email.

Posted

Re: US-CERT TCSA TA08-190B -- Multiple DNS implementations vulnera


 

My Windows 98 Second Edition system is not vulnerable according to doxpara.com. Here are the results for public benefit for those who are interested.

Your ISP's name server, 68.87.85.101, has other protections above and beyond port randomization against the recently discovered DNS flaws. There is no reason to be concerned about the results seen below.
--------------------------------------------------------------------------------
Requests seen for 8f63238a336e.toorrr.com:
68.87.85.101:17812 TXID=12982
68.87.85.101:18266 TXID=3941
68.87.85.101:17548 TXID=7778
68.87.85.101:17715 TXID=50436
68.87.85.101:17765 TXID=35677
ISNOM:ISNOM TXID=ISNOM

I am using Comcast Cable.

 

 

"Gary S. Terhune" wrote:

> You should stop reading things you don't understand. If the fix involves

> patching your desktop OS, you're right, Windows 98 won't be patched.

>

> --

> Gary S. Terhune

> MS-MVP Shell/User

> http://grystmill.com

>

> "Vince" <nobody@home.invalid> wrote in message

> news:vivc74djui7cfmnngra10d3petrn0ei9h1@4ax.com...

> > On Wed, 9 Jul 2008 11:51:31 -0400, "MEB" <meb@not here@hotmail.com>

> > wrote:

> >

> >>III. Solution

> >>

> >>Apply a patch from your vendor

> >

> > There's nothing like reading multiple articles on something you know

> > absolutely nothing about to make you feel dumber than a box of rocks.

> >

> > So . . . no patch will ever be forthcoming from Microsoft for

> > Windows 9x, as it's well beyond its end of life. Is Win9x vulnerable

> > to this problem?

>

>

>
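The doxpara results pasted in the post above list, for each query the test saw, the resolver's source address, its UDP source port and the transaction ID. The following added example (not the doxpara site's code, nor anything from the thread's participants) parses lines in that "ip:port TXID=n" format and applies the checks a defender would run on their own resolver's output: repeated or sequential source ports, and ports confined to a narrow window. The sample input is the poster's own five lines; the non-numeric ISNOM line is skipped; the 4096-port "narrow span" threshold is an assumption for illustration, not a published standard.

```python
"""Assess source-port and TXID randomization from "ip:port TXID=n" lines.

Added example. The SAMPLE text is constructed from the doxpara results
pasted in the thread; NARROW_SPAN is an assumed, illustrative threshold.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})\s+TXID=(?P<txid>\d{1,5})$"
)
NARROW_SPAN = 4096  # assumption: a span this small out of 65536 is worth a look

# Constructed from the results pasted in the post above.
SAMPLE = """\
68.87.85.101:17812 TXID=12982
68.87.85.101:18266 TXID=3941
68.87.85.101:17548 TXID=7778
68.87.85.101:17715 TXID=50436
68.87.85.101:17765 TXID=35677
ISNOM:ISNOM TXID=ISNOM
"""


@dataclass(frozen=True)
class Observation:
    ip: str
    port: int
    txid: int


def parse(text: str) -> list:
    """Parse result lines; lines that do not fit the format (e.g. the ISNOM
    placeholder or blank lines) are skipped rather than guessed at."""
    observations = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match is None:
            continue
        observations.append(
            Observation(match["ip"], int(match["port"]), int(match["txid"]))
        )
    return observations


def assess(observations: list, narrow_span: int = NARROW_SPAN) -> dict:
    """Apply simple randomization checks and return findings plus a verdict."""
    ports = [o.port for o in observations]
    txids = [o.txid for o in observations]
    findings = []
    if len(observations) < 3:
        findings.append("too few observations to judge")
    if len(set(ports)) < len(ports):
        findings.append("repeated source port")
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    if deltas and all(d == 1 for d in deltas):
        findings.append("sequential source ports")
    span = (max(ports) - min(ports)) if ports else 0
    if ports and span < narrow_span:
        findings.append(f"source ports confined to a {span}-port window")
    if len(set(txids)) < len(txids):
        findings.append("repeated TXID")
    return {
        "sources": sorted({o.ip for o in observations}),
        "port_span": span,
        "distinct_ports": len(set(ports)),
        "findings": findings,
        "verdict": "looks randomized" if not findings else "weak or unverified randomization",
    }


if __name__ == "__main__":
    report = assess(parse(SAMPLE))
    print(f"sources={report['sources']} span={report['port_span']} verdict={report['verdict']}")
    for finding in report["findings"]:
        print(" -", finding)
```

On the poster's sample the five ports all fall within a 718-port window, which is exactly the kind of result the doxpara message says not to worry about only because that resolver relies on protections beyond port randomization; on a resolver without such protections the same pattern would merit investigation.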
