

Payload 2 is the one that 民田 et al. gave as an example of a Kaminsky-style attack.

(Because the countermeasure was only half-done, I believe this was later pointed out in 2012 as the Ghost Domain Names vulnerability.)

In every case, the assumption is that the NS and A RRsets already in the cache can be overwritten.

7.2 Adding a subdomain under an existing authority

Fig. 4 / payload

This exploit adds a record for a fake subdomain under an existing authority in the victim’s cache. It is modeled by the following property:

As shown in Fig. 4, payloads 1 and 2 can add a new domain name to a BIND cache.

By default, the RRsets in the additional section will be used as the answer to the query. Payloads 2, 3, and 4 can add a new domain name to an Unbound cache, but Unbound’s default policy does not send this information to clients.

This attack is dangerous to clients using BIND resolvers because many Web security policies are vulnerable to attacks from subdomains.

For example, many websites set the path and domain name of cookies as, respectively, ‘/’ and the top two levels of the site’s domain (e.g., example.com rather than www10.example.com).

An attacker who uses cache poisoning to introduce a fake subdomain can use phishing to lure naive users to this subdomain and then overwrite and/or read cookies set by legitimate subdomains.


Fig. 4 is on p. 11 of the original paper (Section 6.4).

Fig. 4. All ways to overwrite an existing RRset in the cache.

Each of these properties says that whenever a poisoning event occurs,

If the property cannot be proved, then the model contains at least one path in which the trust level of the forged record is higher than the trust level of the cached record.

Therefore, the cached record can be successfully overwritten by the forgery.

ProVerif analysis shows that in both BIND and Unbound, non-overwritability holds only for trust levels 4 and 6. All cached records whose trust level is 2 or 3 can be overwritten.

For all interesting trust levels of an A or NS record, Fig. 4 shows the (automatically generated) templates for malicious payloads to be used in the forged response. In Fig. 4, we assume that the NS record of abc.com and the A record of www.abc.com are already cached by the victim resolver.
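As an added illustration of the two points quoted above (additional-section data being served as an answer, and a forged record only overwriting a cached one when its trust rank is higher), here is a toy resolver cache in Python that applies RFC 2181 §5.4.1 data ranking. It is not the paper's ProVerif model nor code from this wiki; the rank values, the RRset class, the in-bailiwick check and the www.abc.com / new.abc.com sample data are constructed for the example.

```python
# Added example (not from the paper or this wiki): a toy resolver cache using
# RFC 2181 s5.4.1 data ranking. Ranks, RRset and sample data are constructed.
from dataclasses import dataclass

RANK_AUTH_ANSWER = 6   # answer section of an authoritative (AA) reply
RANK_ADDITIONAL = 2    # additional-section data, the least trusted

@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: tuple
    rank: int

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it (case-insensitive)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)

class Cache:
    def __init__(self):
        self.store = {}  # (lowercased name, rtype) -> RRset

    def offer(self, rr: RRset, zone: str) -> bool:
        """Cache rr only if in bailiwick and strictly higher-ranked than any
        cached RRset of the same name/type. Returns True if the cache changed."""
        if not in_bailiwick(rr.name, zone):
            return False
        key = (rr.name.lower(), rr.rtype)
        cur = self.store.get(key)
        if cur is not None and cur.rank >= rr.rank:
            return False
        self.store[key] = rr
        return True

    def answer(self, name: str, rtype: str):
        """Unbound-style policy: additional-section data is never an answer."""
        rr = self.store.get((name.lower(), rtype))
        if rr is None or rr.rank <= RANK_ADDITIONAL:
            return None
        return rr.rdata

def demo() -> dict:
    # Constructed scenario: AA-cached www.abc.com A, then additional-section A data offered for new.abc.com and www.abc.com.
    c = Cache()
    c.offer(RRset("www.abc.com", "A", ("192.0.2.10",), RANK_AUTH_ANSWER), "abc.com")
    added = c.offer(RRset("new.abc.com", "A", ("198.51.100.5",), RANK_ADDITIONAL), "abc.com")
    overwrote = c.offer(RRset("www.abc.com", "A", ("198.51.100.5",), RANK_ADDITIONAL), "abc.com")
    return {"added_new": added, "overwrote": overwrote,
            "new_served": c.answer("new.abc.com", "A"),
            "www_served": c.answer("www.abc.com", "A")}
```

With this policy the new name is cached but never returned to clients, and the higher-ranked cached A record for www.abc.com survives the lower-ranked additional-section data.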

MoinQ: DNS/毒盛/攻撃対象/議論/7.2 (last edited 2021-05-02 10:47:24 by ToshinoriMaeno)