Apache Traffic Server Remote DNS Cache Poisoning Vulnerability

Affected systems:

Apache Group Traffic Server < 2.0.1

Unaffected systems:

Apache Group Traffic Server 2.0.1

Description:

Apache Traffic Server is a high-performance, scalable caching proxy server.

Traffic Server uses a static source port per DNS server for its outbound DNS queries. The port is chosen at run time by DNSConnection::connect() in iocore/dns/DNSConnection.cc:

struct sockaddr_in bind_sa;
memset(&sa, 0, sizeof(bind_sa));
bind_sa.sin_family = AF_INET;
bind_sa.sin_addr.s_addr = INADDR_ANY;
// the source port is derived from the current time in seconds plus a retry offset
int p = time(NULL) + offset;
// folded into [FIRST_RANDOM_PORT, LAST_RANDOM_PORT), i.e. [16000, 32000)
p = (p % (LAST_RANDOM_PORT - FIRST_RANDOM_PORT)) + FIRST_RANDOM_PORT;
bind_sa.sin_port = htons(p);
Debug("dns", "random port = %d\n", p);
if ((res = socketManager.ink_bind(fd, (struct sockaddr *) &bind_sa, sizeof(bind_sa), Proto)) < 0) {
    // port already in use: advance by a fixed step and try again
    offset += 101;
    continue;
}

Because FIRST_RANDOM_PORT is set to 16000 and LAST_RANDOM_PORT is defined as 32000, and the underlying algorithm is deterministic, the source port can be guessed.

Traffic Server uses sequential DNS transaction IDs for its queries. The base number is set at run time by DNSProcessor::dns_init() in iocore/dns/DNS.cc:

if (cval > 0) {
    // configured base value plus a fixed restart offset
    dns_sequence_number = (unsigned int) (cval + DNS_SEQUENCE_NUMBER_RESTART_OFFSET);
    Debug("dns", "initial dns_sequence_number (cval) = %d\n", (u_short) dns_sequence_number);
} else {                    // select a sequence number at random
    // "random" here is a millisecond timestamp, not an unpredictable value
    dns_sequence_number = (unsigned int) (ink_get_hrtime() / HRTIME_MSECOND);
    Debug("dns", "initial dns_sequence_number (time) = %d\n", (u_short) dns_sequence_number);
}

As write_dns_event() shows, the number is incremented once per request:

// one counter for the whole resolver, incremented once per request
++dns_sequence_number;

// the low 16 bits become the DNS header ID
u_short i = (u_short) dns_sequence_number;
((HEADER *) (buffer))->id = htons(i);
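
The two excerpts above together decide how hard it is for an off-path party to forge a response: a spoofed reply must land on the right source port and carry the right header ID. The following C++ block is an added example, not code from the Traffic Server project. It models the port derivation and the sequential counter as quoted, places a randomized variant beside them (the mitigation shape is an assumption; the project's own fix is not reproduced here), and applies a simple audit heuristic to both: how many consecutive (port, ID) pairs could have been predicted from the previous pair alone. The names QueryIdentity, VulnerableQuerySource, RandomizedQuerySource and predictable_pairs, and the start time and ID base used in the demo, are constructed for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <ctime>
#include <random>

// Range constants as stated in the advisory.
constexpr int FIRST_RANDOM_PORT = 16000;
constexpr int LAST_RANDOM_PORT  = 32000;

// What an observer sees on the wire for one query (constructed model).
struct QueryIdentity {
    int port;     // UDP source port the query left from
    uint16_t id;  // 16-bit transaction ID in the DNS header
};

// Vulnerable port choice, as in the quoted DNSConnection::connect():
// wall-clock seconds plus a retry offset, folded into [16000, 32000).
int vulnerable_port(time_t now, int offset) {
    int p = static_cast<int>(now) + offset;
    p = (p % (LAST_RANDOM_PORT - FIRST_RANDOM_PORT)) + FIRST_RANDOM_PORT;
    return p;
}

// Vulnerable ID choice, as in the quoted write_dns_event(): one counter,
// incremented once per query from a base fixed at start-up.
class VulnerableQuerySource {
public:
    VulnerableQuerySource(time_t start, unsigned int id_base)
        : now_(start), dns_sequence_number_(id_base) {}
    QueryIdentity next() {
        ++dns_sequence_number_;
        // assumption for the demo: about one query per second and no bind failures
        int port = vulnerable_port(now_++, 0);
        return QueryIdentity{port, static_cast<uint16_t>(dns_sequence_number_)};
    }
private:
    time_t now_;
    unsigned int dns_sequence_number_;
};

// Randomized choice (added here, not the project's fix): port and ID are drawn
// independently for every query from a non-deterministic source, over the whole
// ephemeral port range and the whole 16-bit ID space. A bind failure on a busy
// port would simply be retried with a fresh draw.
class RandomizedQuerySource {
public:
    QueryIdentity next() {
        std::uniform_int_distribution<int> port_dist(1024, 65535);
        std::uniform_int_distribution<int> id_dist(0, 65535);
        return QueryIdentity{port_dist(rd_), static_cast<uint16_t>(id_dist(rd_))};
    }
private:
    std::random_device rd_;  // assumption: non-deterministic on this platform
};

// Audit heuristic: count consecutive identities that could have been derived
// from the previous one alone (ID exactly +1, port drifting by at most a few
// seconds). A generator that scores close to the sample count gives an off-path
// forger almost nothing to guess.
template <class Source>
int predictable_pairs(Source& src, int samples) {
    QueryIdentity prev = src.next();
    int hits = 0;
    for (int i = 1; i < samples; ++i) {
        QueryIdentity cur = src.next();
        bool id_next = static_cast<uint16_t>(prev.id + 1) == cur.id;
        int drift = cur.port - prev.port;
        bool port_near = drift >= 0 && drift <= 5;
        if (id_next && port_near) ++hits;
        prev = cur;
    }
    return hits;
}

// 64 queries from each scheme; constructed start time (2010-08-30 UTC) and ID base.
int vulnerable_score() {
    VulnerableQuerySource src(1283126400, 1000);
    return predictable_pairs(src, 64);  // every one of the 63 transitions is predictable
}

int randomized_score() {
    RandomizedQuerySource src;
    return predictable_pairs(src, 64);  // chance hits only
}

int main() {
    std::printf("time-based port + counter ID: %d of 63 transitions predictable\n", vulnerable_score());
    std::printf("randomized port + random ID : %d of 63 transitions predictable\n", randomized_score());
    return 0;
}
```

The heuristic is deliberately crude; its point is that the quoted scheme collapses the roughly 2^30 combinations a randomized resolver offers into a window of a few seconds times one ID, which is what the advisory means by "predictable".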

While processing requests, Traffic Server keeps a linked list with the details of every request attempted, and compares the inbound ID against that list to associate a response with its request, as shown in dns_process() in iocore/dns/DNS.cc:

DNSEntry *e = get_dns(handler, (u_short) ntohs(h->id));

inline static DNSEntry *
get_dns(DNSHandler * h, u_short id)
{
    // walk the outstanding entries; each entry records the ID used by every
    // retry, and any of those IDs claims the response
    for (DNSEntry * e = h->entries.head; e; e = (DNSEntry *) e->link.next) {
        if (e->once_written_flag)
            for (int j = 0; j < MAX_DNS_RETRIES; j++)
                if (e->id[j] == id)
                    return e;
                else if (e->id[j] < 0)
                    goto Lnext;
    Lnext:;
    }
    return NULL;
}

Because Traffic Server does not verify that a DNS response actually belongs to the correct outbound request, and relies solely on the transaction ID to validate a response, the probability of poisoning its internal DNS cache is greatly increased.
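
The matching step is where a resolver either accepts or drops a reply that merely happens to carry the right ID. The C++ block below is an added example, not Traffic Server code: it models an outstanding query and an arriving datagram, reproduces the ID-only matching of get_dns() as find_by_id_only(), and places beside it a strict matcher that also requires the reply to arrive on the socket the query used, from the server it was sent to, and to echo the question that was asked. The struct names, the helper names, the upstream address 192.0.2.53 and the sample query are all constructed for this example.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// A query the resolver has sent and is still waiting on (constructed model; the
// real DNSEntry also records one ID per retry).
struct PendingQuery {
    uint16_t id;           // transaction ID placed in the header
    std::string qname;     // question name as sent
    uint16_t qtype;        // question type as sent (1 = A)
    uint32_t server_ip;    // upstream server the query went to (host byte order)
    uint16_t server_port;  // upstream server port (53)
    uint16_t local_port;   // source port the query left from
};

// A datagram that arrived on one of the resolver's sockets.
struct Reply {
    uint16_t id;
    std::string qname;
    uint16_t qtype;
    uint32_t src_ip;       // sender address
    uint16_t src_port;     // sender port
    uint16_t dst_port;     // local socket it arrived on
};

// DNS names compare case-insensitively.
static bool names_equal(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    for (size_t i = 0; i < a.size(); ++i)
        if (std::tolower(static_cast<unsigned char>(a[i])) !=
            std::tolower(static_cast<unsigned char>(b[i]))) return false;
    return true;
}

// Vulnerable matching, mirroring get_dns(): the header ID is the only key.
// Returns the index of the matched query, or -1.
int find_by_id_only(const std::vector<PendingQuery>& pending, const Reply& r) {
    for (size_t i = 0; i < pending.size(); ++i)
        if (pending[i].id == r.id) return static_cast<int>(i);
    return -1;
}

// Strict matching (added here, not the project's fix): the reply must arrive on
// the socket the query used, from the server it was sent to, carry the same ID
// and echo the same question. A forgery then has to get all of these right,
// not just a 16-bit counter.
int find_strict(const std::vector<PendingQuery>& pending, const Reply& r) {
    for (size_t i = 0; i < pending.size(); ++i) {
        const PendingQuery& q = pending[i];
        if (q.id == r.id && q.local_port == r.dst_port &&
            q.server_ip == r.src_ip && q.server_port == r.src_port &&
            q.qtype == r.qtype && names_equal(q.qname, r.qname))
            return static_cast<int>(i);
    }
    return -1;
}

// Constructed sample data: addresses from the documentation ranges.
constexpr uint32_t UPSTREAM_IP = 0xC0000235u;  // 192.0.2.53
constexpr uint32_t OTHER_IP    = 0xC6336401u;  // 198.51.100.1

// One outstanding A query for www.example.com, sent from local port 24001.
std::vector<PendingQuery> sample_pending() {
    return { {0x1234, "www.example.com", 1, UPSTREAM_IP, 53, 24001} };
}

// The genuine answer: right ID, same question (case differs), right source, right socket.
Reply genuine_reply() { return {0x1234, "WWW.example.COM", 1, UPSTREAM_IP, 53, 24001}; }

// A stray datagram that only got the ID right: different sender, different question.
Reply forged_reply() { return {0x1234, "example.com", 1, OTHER_IP, 53, 24001}; }

// True when the ID-only matcher accepts a reply the strict matcher rejects.
bool id_only_accepts_forgery() {
    std::vector<PendingQuery> pending = sample_pending();
    return find_by_id_only(pending, forged_reply()) >= 0 &&
           find_strict(pending, forged_reply()) < 0;
}

int main() {
    std::printf("ID-only matcher accepts the stray reply: %s\n",
                find_by_id_only(sample_pending(), forged_reply()) >= 0 ? "yes" : "no");
    std::printf("strict matcher accepts the stray reply:  %s\n",
                find_strict(sample_pending(), forged_reply()) >= 0 ? "yes" : "no");
    return 0;
}
```

The strict matcher does not replace port and ID randomization; it removes the cases where a reply with the right ID but the wrong origin or the wrong question would otherwise be accepted, so both controls are needed.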

<*Source: Tim Brown (securityfocus@machine.org.uk)

  Links:
  http://secunia.com/advisories/41356/
  http://www.nth-dimension.org.uk/pub/NDSA20100830.txt.asc
*>

Recommendation:

Vendor patch:

Apache Group
————
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's home page:

https://issues.apache.org/jira/si/jira.issueviews:issue-html/TS-425/TS-425.html
