Describe DNS/毒盛/Guide/議論/7.2 here.
Payload 2 is the one 民田 et al. gave as their example of a Kaminsky-type attack.
- In the BIND of that time, the poison went into the cache.
(Because the countermeasure was half-done, I believe this was later pointed out in 2012 as the Ghost Domain Names vulnerability.)
In each case they take it that the NS and A RRsets already in the cache can be overwritten.
If they are not in the cache, they are of course simply cached. (This is why Maeno's observation has no novelty.) -- ToshinoriMaeno 2014-06-16 04:23:59
7.2 Adding a subdomain under an existing authority
Fig. 4 / payload
This exploit adds a record for a fake subdomain under an existing authority in the victim’s cache. It is modeled by the following property:
- query ev:evPoison(At, makeSubName(bad, goodZone), invalid, tl, goodZone, makeSubName(good, goodZone), cname) → ev:evInitCache(Record(At, makeSubName(good, goodZone), valid), cachetl)
As shown in Fig. 4, payloads 1 and 2 can add a new domain name to a BIND cache.
By default, the RRsets in the additional section will be used as the answer to the query. Payloads 2, 3, and 4 can add a new domain name to an Unbound cache, but Unbound’s default policy does not send this information to clients.
This attack is dangerous to clients using BIND resolvers because many Web security policies are vulnerable to attacks from subdomains.
For example, many websites set the path and domain name of cookies as, respectively, ‘/’ and the top two levels of the site’s domain (e.g., example.com rather than www10.example.com).
An attacker who uses cache poisoning to introduce a fake subdomain can use phishing to lure naive users to this subdomain and then overwrite and/or read cookies set by legitimate subdomains.
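The cookie-scoping consequence described above, as an added example that is not from the paper or from this page's author: a Python simulation using the standard library's http.cookiejar to apply cookie domain-matching rules. The hostnames www10.example.com (legitimate) and bad.example.com (the forged subdomain that the poisoned records would point to) are assumed for the demonstration, and the host-only cookie is included to show the record that a sibling subdomain cannot reach.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _FakeResponse:
    """Stand-in for an HTTP response; CookieJar only needs .info() from it."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def store(jar, url, set_cookie_headers):
    """Feed Set-Cookie headers into the jar as if a response from `url` carried them."""
    jar.extract_cookies(_FakeResponse(set_cookie_headers), Request(url))


def cookies_sent_to(jar, url):
    """Return {name: value} for the cookies the jar would attach to a request for `url`."""
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie", "")
    return dict(part.split("=", 1) for part in header.split("; ") if part)


def scenario():
    """Constructed hosts: www10.example.com is legitimate, bad.example.com is the
    forged subdomain (an assumption for this demonstration, not from the paper)."""
    jar = CookieJar()
    # The legitimate site sets one cookie scoped to the whole domain, as the
    # paper describes, and one host-only cookie (no Domain attribute).
    store(jar, "https://www10.example.com/login", [
        "session=legit; Domain=example.com; Path=/; Secure",
        "hostonly=legit; Path=/; Secure",
    ])
    # Read: the domain-scoped cookie is sent to the fake subdomain; the host-only one is not.
    read_by_fake = cookies_sent_to(jar, "https://bad.example.com/")
    # Overwrite: the fake subdomain replaces the domain-scoped cookie for every host under it.
    store(jar, "https://bad.example.com/", [
        "session=attacker; Domain=example.com; Path=/; Secure",
    ])
    seen_by_legit = cookies_sent_to(jar, "https://www10.example.com/")
    return read_by_fake, seen_by_legit


if __name__ == "__main__":
    print(scenario())
```

The host-only cookie is the mitigation the run makes visible: a cookie set without a Domain attribute (the `__Host-` prefix enforces this) is neither sent to nor replaceable from a sibling subdomain, so a forged subdomain in the resolver cache gains nothing from it.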
Fig. 4 is on p. 11 of the original paper (Section 6.4).
Fig. 4. All ways to overwrite an existing RRset in the cache.
Each of these properties says that whenever a poisoning event occurs, the target record is already cached with a certain trust level which is higher than the trust level of the forged response. If the property holds, the existing record cannot be overwritten.
If the property cannot be proved, then the model contains at least one path in which the trust level of the forged record is higher than the trust level of the cached record.
Therefore, the cached record can be successfully overwritten by the forgery.
ProVerif analysis shows that in both BIND and Unbound, non-overwritability holds only for trust levels 4 and 6. All cached records whose trust level is 2 or 3 can be overwritten.
For all interesting trust levels of an A or NS record, Fig. 4 shows the (automatically generated) templates for malicious payloads to be used in the forged response. In Fig. 4, we assume that the NS record of abc.com and the A record of www.abc.com are already cached by the victim resolver.