• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Multiple Vendor DNS Cache Corruption Vulnerability

BIND (Berkeley Internet Name Daemon) is the software packge most widely deployed on the Internet to facilitate DNS (Domain Name Service). BIND has a series of utilities that come with it in order to deploy DNS both client (resolver libraries etc.) and server end (named). In this instance we are discussing a bug in the Name Server or named(8) which ships with BIND 4.9.5-P1 or below.

This particular vulnerability is that a name daemon from these distributions will blindly recieve records from other DNS servers and cache them without verifification. Therefore, intruders who control a nameserver on the global internet can force your nameserver to look up data from them and then feed it back additional and corrupt records. These records are typically designed to live in your cache and divert traffic from legitimate sites.

In the referance section to this vulnerability is a message from Johannes Erdfelt (johan@BORG.SVENTECH.COM) detailing this problem, it is suggested reading. it also important to note that while this is the most recent cache corruption attack it is not the only such one. BIND has a long history of security vulnerabilties.