Cisco Network Registrar DNS server vulnerability
Author
Alla Bezroutchko
Summary
Affected software: Cisco Network Registrar 6.1 and 5.5
Vendor URL: http://www.cisco.com/ , http://www.cisco.com/en/US/products/sw/netmgtsw/ps1982/index.html
Severity: Medium
Vulnerability Description
Cisco CNS Network Registrar is a full-featured DNS/DHCP system. The DNS server by default allows recursive queries and caches the replies. It is possible to insert fake records into the DNS cache (DNS cache poisoning) because CNR uses predictable DNS transaction IDs. To do so an attacker needs to control a DNS server that is authoritative for some domain and to be able to send a recursive query to the CNR caching DNS server.
When an attacker sends a recursive query to a caching name server, the caching server will find a server authoritative for the zone and send a request to that authoritative name server. If the attacker can predict the transaction ID of the request that the caching server sends, he can generate spoofed replies. The caching server will accept the spoofed reply as coming from the authoritative name server and cache the fake data.
CNR versions 6.1 and 5.5 both generate sequential transaction IDs. Here is a sample of transaction IDs generated by CNR 6.1.0.1:
5277
5279
5281
5283
5285
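The sample above, as a defender would check it: an added Python example (not the advisory's dnstxid.pl or cnr-spoofer.pl) that parses the 12-byte DNS header of captured messages, pulls out the transaction IDs and flags a resolver whose IDs advance by a constant stride. The query packets and the name example.net are constructed inline so the check runs offline; in practice the input would be the resolver's outbound queries captured on the wire.

```python
import struct

# Fixed 12-byte DNS header: id, flags, qdcount, ancount, nscount, arcount (RFC 1035 4.1.1)
DNS_HEADER = struct.Struct("!HHHHHH")

# Transaction IDs quoted in the advisory for CNR 6.1.0.1 (the +2 stride)
ADVISORY_SAMPLE = [5277, 5279, 5281, 5283, 5285]


def build_query(txid: int, name: str) -> bytes:
    """Build a minimal recursive A query; used here only as constructed sample traffic."""
    labels = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    flags = 0x0100  # standard query with RD set, as a resolver's outbound query would carry
    return DNS_HEADER.pack(txid, flags, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)


def extract_txid(packet: bytes) -> int:
    """Return the 16-bit transaction ID from a captured DNS message."""
    if len(packet) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    return DNS_HEADER.unpack_from(packet)[0]


def assess_txids(txids) -> dict:
    """Classify observed transaction IDs.

    A resolver whose IDs advance by one constant stride (modulo 2^16) is trivially
    predictable, which is exactly the CNR behaviour; anything else passes this
    heuristic, which is a sanity check rather than a statistical randomness test.
    """
    if len(txids) < 3:
        raise ValueError("need at least three consecutive IDs")
    strides = {(b - a) & 0xFFFF for a, b in zip(txids, txids[1:])}
    result = {"samples": len(txids), "distinct_strides": len(strides)}
    if len(strides) == 1:
        result.update(verdict="predictable", stride=next(iter(strides)))
    else:
        result.update(verdict="no fixed stride", stride=None)
    return result


def check_capture(packets) -> dict:
    """Run the assessment over raw DNS messages captured from the resolver under test."""
    return assess_txids([extract_txid(p) for p in packets])


if __name__ == "__main__":
    queries = [build_query(t, "example.net") for t in ADVISORY_SAMPLE]
    print(check_capture(queries))  # {'samples': 5, 'distinct_strides': 1, 'verdict': 'predictable', 'stride': 2}
```

The stride is taken modulo 65536, so a counter that wraps around (65534, 0, 2) is still reported as predictable.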
The cnr-spoofer.pl perl script demonstrates inserting a fake reply into a victim's cache. It must be run on a server authoritative for some domain (in this example cache-poisoning.net). First the script sends several queries to the victim name server and listens for queries originating from the victim. Once it has received a query, it remembers the transaction ID generated by the victim. Then it queries the victim name server for the A record of the host it wants to spoof (in this example www.hotmail.com). At the same time it starts sending replies with spoofed source IP addresses of the hotmail.com name servers and transaction IDs greater than the one it received in the beginning. If a reply generated by the script arrives before the reply from the real name server, the victim will cache the fake record.
A similar vulnerability used to exist in older versions of ISC BIND.
This attack can be used to redirect browsers to fake web sites (by inserting a fake IP address for the web site into the DNS cache), to intercept email (by faking MX records), etc.
Verification
The dnstxid.pl perl script queries the specified DNS server and prints out the transaction IDs that the server used. The script must be run on a server that is authoritative for some domain.
Solution
The vulnerability was fixed in CNR versions 006.000(005.002) and 006.001(001).
Time Table
2004/04/15 Vendor was informed
2004/06/04 Vendor releases fixed version
2007/07/30 Scanit publishes advisory
