Package: python-dns
Version: 2.3.0-5.1
Severity: grave
Tags: security
Justification: user security hole

CVE-2008-1447, which deals with DNS reply poisoning that
is possible due to DNS clients sending DNS requests on
predictable UDP source ports, is a security issue that
also applies to python-dns, as it does not implement the
recommended UDP port randomization... example:

Note lack of port randomization in code:
    def sendUDPRequest(self, server):
        "refactor me"
        self.response=None
        self.socketInit(socket.AF_INET, socket.SOCK_DGRAM)
        for self.ns in server:
            try:
                # TODO. Handle timeouts &c correctly (RFC)
                #self.s.connect((self.ns, self.port))
                self.conn()
                self.time_start=time.time()
                if not self.async:
                    self.s.send(self.request)
                    self.response=self.processUDPReply()
            #except socket.error:
            except None:
                continue
            break
        if not self.response:
            if not self.async:
                raise DNSError,'no working nameservers found'

In [25]: import DNS
In [26]: d=DNS.DnsRequest(name='www.google.com', server='208.80.142.5', port=53)
In [27]: r=d.req()
In [28]: r=d.req()

In [29]: r=d.req()

In [30]: r=d.req()
(etc)

Yields, with "tcpdump udp port 53":
15:27:15.912894 IP baekdudaegan.metacarta.com.43661 > eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:17.224843 IP baekdudaegan.metacarta.com.43662 > eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:18.344731 IP baekdudaegan.metacarta.com.43663 > eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:18.952729 IP baekdudaegan.metacarta.com.43664 > eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:19.384802 IP baekdudaegan.metacarta.com.43665 > eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:19.752853 IP baekdudaegan.metacarta.com.43666 > eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:20.120819 IP baekdudaegan.metacarta.com.43667 > eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:22.680866 IP baekdudaegan.metacarta.com.43668 > eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:23.416775 IP baekdudaegan.metacarta.com.43669 > eiger.metacarta.com.domain:  0+ A? www.google.com. (32)


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages python-dns depends on:
ii  python                        2.4.4-2    An interactive high-level object-o
ii  python-support                0.5.6      automated rebuilding support for p

python-dns recommends no packages.

-- no debconf information
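
Added example, not part of the original report and not python-dns code or its eventual fix: a Python 3 sketch that measures how predictable the source ports in a tcpdump capture are, next to a UDP socket bound to a port drawn from the OS CSPRNG. All function names are hypothetical; the capture text is the first four lines of the tcpdump output in the report.

```python
import re
import secrets
import socket

# First four queries from the tcpdump capture in the report (wrapped lines rejoined).
REPORT_CAPTURE = """\
15:27:15.912894 IP baekdudaegan.metacarta.com.43661 > eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:17.224843 IP baekdudaegan.metacarta.com.43662 > eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:18.344731 IP baekdudaegan.metacarta.com.43663 > eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
15:27:18.952729 IP baekdudaegan.metacarta.com.43664 > eiger.metacarta.com.domain:  0+ A? www.google.com. (32)
"""

# tcpdump prints "host.port"; the source port is the last dotted field before " > ".
QUERY_RE = re.compile(r" IP \S+\.(\d+) > \S+\.(?:domain|53):")


def source_ports(capture):
    """Return the UDP source port of every DNS query line in tcpdump text."""
    return [int(m.group(1)) for m in QUERY_RE.finditer(capture)]


def predictable_fraction(ports, window=16):
    """Share of consecutive queries whose port is within `window` of the previous one."""
    pairs = list(zip(ports, ports[1:]))
    if not pairs:
        return 0.0
    return sum(abs(b - a) <= window for a, b in pairs) / len(pairs)


def pick_source_port(low=1024, high=65535):
    """Draw a source port uniformly from [low, high] using the OS CSPRNG."""
    return low + secrets.randbelow(high - low + 1)


def open_randomized_udp_socket(attempts=32):
    """Bind a UDP socket to a random source port, retrying if the port is taken."""
    for _ in range(attempts):
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            sock.bind(("", pick_source_port()))
            return sock
        except OSError:
            sock.close()
    raise OSError("no free UDP source port found")


if __name__ == "__main__":
    print("report capture:", predictable_fraction(source_ports(REPORT_CAPTURE)))
    with open_randomized_udp_socket() as sock:
        print("randomized source port:", sock.getsockname()[1])
```

A fraction near 1.0, as for the capture in the report, means each query's source port can be guessed from the previous one; ports drawn by pick_source_port() should score near 0.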


