Affected systems:
Apache Group Traffic Server < 2.0.1
Unaffected systems:
Apache Group Traffic Server 2.0.1
Description:
Apache Traffic Server is a fast, scalable caching proxy server.
Traffic Server sends its outbound DNS queries to the DNS server from a static source port. The port is chosen at run time by DNSConnection::connect() in iocore/dns/DNSConnection.cc:
```cpp
struct sockaddr_in bind_sa;
memset(&sa, 0, sizeof(bind_sa));
bind_sa.sin_family = AF_INET;
bind_sa.sin_addr.s_addr = INADDR_ANY;
// the "random" port is derived from wall-clock time plus a retry offset
int p = time(NULL) + offset;
p = (p % (LAST_RANDOM_PORT - FIRST_RANDOM_PORT)) + FIRST_RANDOM_PORT;
bind_sa.sin_port = htons(p);
Debug("dns", "random port = %d\n", p);
if ((res = socketManager.ink_bind(fd, (struct sockaddr *) &bind_sa, sizeof(bind_sa), Proto)) < 0) {
  offset += 101;
  continue;
}
```
Because FIRST_RANDOM_PORT is set to 16000, LAST_RANDOM_PORT is defined as 32000, and the underlying algorithm is predictable, the source port can be guessed.
Traffic Server uses sequential DNS transaction IDs for its queries. The base number is set at run time by DNSProcessor::dns_init() in iocore/dns/DNS.cc:
```cpp
if (cval > 0) {
  dns_sequence_number = (unsigned int) (cval + DNS_SEQUENCE_NUMBER_RESTART_OFFSET);
  Debug("dns", "initial dns_sequence_number (cval) = %d\n", (u_short) dns_sequence_number);
} else { // select a sequence number at random
  dns_sequence_number = (unsigned int) (ink_get_hrtime() / HRTIME_MSECOND);
  Debug("dns", "initial dns_sequence_number (time) = %d\n", (u_short) dns_sequence_number);
}
```
As the write_dns_event() function shows, the number is incremented once per request:
```cpp
++dns_sequence_number;
…
u_short i = (u_short) dns_sequence_number;
((HEADER *) (buffer))->id = htons(i);
```
When handling requests, Traffic Server keeps a linked list containing the details of every attempted request and compares the ID of an inbound response against that list to associate the response with its request, as shown by the dns_process() function in iocore/dns/DNS.cc:
```cpp
DNSEntry *e = get_dns(handler, (u_short) ntohs(h->id));
…
inline static DNSEntry *
get_dns(DNSHandler * h, u_short id)
{
  // the transaction ID is the only thing compared against the outstanding entries
  for (DNSEntry * e = h->entries.head; e; e = (DNSEntry *) e->link.next) {
    if (e->once_written_flag)
      for (int j = 0; j < MAX_DNS_RETRIES; j++)
        if (e->id[j] == id)
          return e;
        else if (e->id[j] < 0)
          goto Lnext;
  Lnext:;
  }
  return NULL;
}
```
Because Traffic Server does not validate that a DNS response actually belongs to the correct outbound request, and relies solely on the transaction ID to accept a response, the likelihood of poisoning its internal DNS cache is greatly increased.
<*Source: Tim Brown (securityfocus@machine.org.uk)
Links: http://secunia.com/advisories/41356/
http://www.nth-dimension.org.uk/pub/NDSA20100830.txt.asc
*>
Recommendation:
Vendor patch:
Apache Group
————
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's home page:
https://issues.apache.org/jira/si/jira.issueviews:issue-html/TS-425/TS-425.html
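To make the weakness concrete, the following added example (written for this advisory, not code from Traffic Server) places the ID-only matching of get_dns() beside a stricter matcher that also requires the responding server, the local port the reply arrived on and the question section to agree with the outstanding query, and replaces the time-derived port and sequential ID with values drawn from the OS entropy source. The PendingQuery and Reply structures, the field names and the sample values are constructed for illustration.

```cpp
#include <cstdint>
#include <random>
#include <string>
#include <vector>

// One outstanding query as the resolver remembers it (constructed for this example).
struct PendingQuery {
    uint16_t id;          // transaction ID placed in the DNS header
    std::string qname;    // question name that was sent
    uint16_t qtype;
    std::string server;   // upstream DNS server the query went to
    uint16_t src_port;    // local UDP source port the query left from
};

// What the socket layer knows about a reply that just arrived (constructed).
struct Reply {
    uint16_t id;
    std::string qname;
    uint16_t qtype;
    std::string from_addr; // peer address of the datagram
    uint16_t to_port;      // local port it was delivered to
};

// Weak matching, modelled on get_dns(): the 16-bit ID alone selects the entry.
const PendingQuery* match_by_id_only(const std::vector<PendingQuery>& pending, const Reply& r) {
    for (const auto& q : pending)
        if (q.id == r.id) return &q;
    return nullptr;
}

// Hardened matching in the spirit of RFC 5452: the ID, the responding server,
// the port the reply arrived on and the question section must all agree with
// the outstanding query before the answer is accepted.
const PendingQuery* match_strict(const std::vector<PendingQuery>& pending, const Reply& r) {
    for (const auto& q : pending)
        if (q.id == r.id && q.server == r.from_addr && q.src_port == r.to_port &&
            q.qname == r.qname && q.qtype == r.qtype)
            return &q;
    return nullptr;
}

// Replacement for both the time(NULL)-derived port (call with 1024..65535) and the
// sequential transaction ID (call with 0..65535): a uniform draw from the OS entropy
// source. std::random_device is assumed to be backed by real entropy, as on Linux.
uint16_t random_u16(std::random_device& rd, int lo, int hi) {
    std::uniform_int_distribution<int> d(lo, hi);
    return static_cast<uint16_t>(d(rd));
}
```

A reply carrying the right ID but coming from the wrong address, arriving on the wrong port or answering a different question is accepted by match_by_id_only() and rejected by match_strict().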