From: Todd Lewellen
Subject: [lwip-devel] [bug #42987] lwIP is vulnerable to DNS cache poisoning due to non-randomized TXIDs
Date: Thu, 14 Aug 2014 14:54:07 +0000
User-agent: Mozilla/5.0 (X11; U; CrOS i686 0.13.507; rv:6.0a2) Gecko/20110613 Firefox/6.0a2

URL:
  <http://savannah.nongnu.org/bugs/?42987>

                 Summary: lwIP is vulnerable to DNS cache poisoning due to non-randomized TXIDs
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: tblewellen
            Submitted on: Thu 14 Aug 2014 02:54:05 PM GMT
                Category: DNS
                Severity: 3 - Normal
              Item Group: Faulty Behaviour
                  Status: None
                 Privacy: Private
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: 
            lwIP version: git head

    _______________________________________________________

Details:

Subject: [VU#210620] lwIP vulnerability

Greetings,

While reviewing our vulnerability reports we were notified of a vulnerability
in lwIP.  We are tracking this issue as VU#210620. Our policy is to publish a
public vulnerability note within 45 days depending on the circumstances. An
example of our documents can be found here:

    <http://www.kb.cert.org/vuls>

Allen Householder (address@hidden) discovered this issue.

A copy of the original report is included at the bottom of this message.
Please be sure to include VU#210620 in the subject when emailing us
(address@hidden) about this issue. 

If you have any questions or concerns, please let us know.

Best Regards,
Vulnerability Analysis Team
======================================================================
CERT Coordination Center
www.cert.org / address@hidden / Hotline: 1-412-268-7090
======================================================================

----- BEGIN ORIGINAL VULNERABILITY REPORT -----

*Name: Allen D. Householder
*Organization: CERT
*Email Address: address@hidden
*Telephone Number: 412-927-4653

*Vulnerability Description:
The DNS resolver implemented by lwIP is vulnerable to cache poisoning due to
non-randomized query ids (aka Transaction ID or TXID) and source port reuse.

See related vul note http://www.kb.cert.org/vuls/id/800113

*Affected System Configurations:
lwIP (as of git commit e7f32240917cc912eb6e3e36780ecb3c4a06f264)
http://savannah.nongnu.org/projects/lwip/
source code: git://git.savannah.nongnu.org/lwip.git

lwIP is included in the Philips Hue bridge device sold as part of the Philips
Hue Personal Lighting system.
http://www.meethue.com

*How was this vulnerability found?:
Originally found by sniffing DNS traffic out of a Philips Hue bridge. Saw that
DNS TXIDs were monotonically increasing from 0x0000, 0x0001, 0x0002, etc. The
code below appears to explain that behavior.

Check out git://git.savannah.nongnu.org/lwip.git
In src/core/dns.c:

/**
 * Call dns_check_entry for each entry in dns_table - check all entries.
 */
static void
dns_check_entries(void)
{
  u8_t i;

  for (i = 0; i < DNS_TABLE_SIZE; ++i) {
    dns_check_entry(i);
  }
}

...
dns_check_entry(u8_t i)
{
  ...
  /* send DNS packet for this entry */
  err = dns_send(pEntry->numdns, pEntry->name, i);
  ...

dns_send(u8_t numdns, const char* name, u8_t id)
{
  ...
  struct dns_hdr *hdr;
  ...
  hdr = (struct dns_hdr*)p->payload;
  ...
  hdr->id = htons(id);

*Vulnerability Impact:
From VU#800113: An attacker with the ability to conduct a successful cache
poisoning attack can cause a nameserver's clients to contact the incorrect,
and possibly malicious, hosts for particular services. Consequently, web
traffic, email, and other important network data can be redirected to systems
under the attacker's control.

In the case of the Hue system, an attacker could potentially man-in-the-middle
traffic between the Hue bridge device and Philips portal services (including
possibly messing with firmware updates).

*Comments:
I searched https://savannah.nongnu.org/search/?type_of_search=bugs&words=dns
and did not see any related tickets.

----- END ORIGINAL VULNERABILITY REPORT -----
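As an added illustration, not lwIP's code and not part of the report above, the following C models the TXID assignment the dns.c excerpt shows (id = table index) beside a hardened variant that issues an unpredictable id per pending query and matches replies on it, plus the sniffing check the reporter applied to spot the monotonic ids. The xorshift32 generator, its seed, the table size and all function names are stand-in assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#define DNS_TABLE_SIZE 4

/* Weak scheme from the report: TXID = dns_table index, so queries leave
 * the stack as 0x0000, 0x0001, 0x0002, ... */
uint16_t weak_txid(uint8_t table_index) { return (uint16_t)table_index; }

/* Hardened scheme (illustrative, not lwIP's code): each pending entry keeps
 * an unpredictable TXID and a reply is accepted only if it matches one. */
struct dns_entry { uint16_t txid; uint8_t in_use; };
static struct dns_entry table[DNS_TABLE_SIZE];

/* xorshift32 stands in for a platform CSPRNG so this runs offline; a real
 * build must not use a fixed-seed generator like this one. */
static uint32_t rng_state = 0x2545F491u;
static uint32_t rng_next(void) {
  uint32_t x = rng_state;
  x ^= x << 13; x ^= x >> 17; x ^= x << 5;
  return rng_state = x;
}

uint16_t hardened_txid(uint8_t i) {
  table[i].txid = (uint16_t)(rng_next() & 0xffffu);
  table[i].in_use = 1;
  return table[i].txid;
}

/* The entry is no longer derivable from the id; search pending entries.
 * Returns the table index or -1 when no pending query carries that id. */
int match_response(uint16_t txid) {
  for (int i = 0; i < DNS_TABLE_SIZE; i++)
    if (table[i].in_use && table[i].txid == txid) return i;
  return -1;
}

/* Detection, mirroring how the reporter spotted the bug by sniffing:
 * flag a capture in which every TXID is exactly the previous one plus 1. */
int txids_are_sequential(const uint16_t *ids, size_t n) {
  if (n < 2) return 0;
  for (size_t k = 1; k < n; k++)
    if (ids[k] != (uint16_t)(ids[k - 1] + 1)) return 0;
  return 1;
}

int main(void) {
  uint16_t id = hardened_txid(2);
  printf("hardened id 0x%04x -> entry %d\n", id, match_response(id));
  return 0;
}
```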