[dns-operations] Fwd: [Full-disclosure] Android DNS poisoning: Randomness gone bad (CVE-2012-2808)

Dobbins, Roland rdobbins at arbor.net
Tue Jul 24 12:46:36 UTC 2012



Begin forwarded message:

> From: Roee Hay <roeeh at il.ibm.com>
> Subject: [Full-disclosure] Android DNS poisoning: Randomness gone bad (CVE-2012-2808)
> Date: July 24, 2012 7:35:17 PM GMT+07:00
> To: bugtraq <bugtraq at securityfocus.com>, "full-disclosure at lists.grok.org.uk" <full-disclosure at lists.grok.org.uk>
> 
> 1 Introduction
> ==============
> Recently we discovered a very interesting vulnerability in Android’s
> DNS resolver, a weakness in its pseudo-random number generator (PRNG),
> which makes DNS poisoning attacks feasible.
> 
> The full advisory can be found at http://bit.ly/MkteBx
> A blog post can be found at http://bit.ly/MkoU5j
> Demo of our PoC can be found at http://youtu.be/ffnF7Jej7l0
> 
> 2 Vulnerability
> ===============
> The PRNG that the DNS resolver uses is
> 	random_id = 0xffff & (time_usec ^ time_sec ^ pid)
> 
> where time_sec is the current time in seconds, time_usec is the microseconds
> fraction and pid is the process identifier.
> 
> Both the TXID and source port are generated by this PRNG.
> Since both calls occur subsequently, the values are very much correlated
> to each other. This yields a feasible attack expected time, as we show
> that the number of random bits is brought down from 32 (ideally) to
> less than 21.
> 
> Check our advisory for full details.
> 
> 3 Vulnerable versions
> =====================
> Android 4.0.4 and below.
> 
> 4 Vendor Response
> =================
> Android 4.1.1 has been released, and patches are available on AOSP. The random
> sample is now pulled from /dev/urandom, which should have adequate entropy by
> the time network activity occurs.
> 
> 5 Identifier
> ============
> CVE-2012-2808
> 
> 6 Discovered by
> ===============
> Roee Hay & Roi Saltzman
> IBM Application Security Research Group
> 
> 7 Disclosure timeline
> =====================
> 07/24/2012 Public disclosure
> 06/05/2012 Issue confirmed by Android Security Team and patch provided
> to partners.
> 05/21/2012 Disclosed to Android Security Team.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
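Added example (not part of the forwarded advisory, and not code from AOSP or bionic): a small C model of the generator quoted above, built only from the formula `0xffff & (time_usec ^ time_sec ^ pid)`, that quantifies what "very much correlated" means when the TXID and the source port come from two back-to-back calls in the same process. Since `pid` is identical in both draws and `time_sec` almost always is, both cancel under XOR and the second value differs from the first only by the change in the microsecond field. `distinct_pair_xors()` counts how many distinct values `txid ^ port` can take for draws at most a given number of microseconds apart; an independent 16-bit second draw would allow 65536. The `urandom_id()` function sketches the mitigation described in the vendor response (read the identifier from /dev/urandom); it is my reading of that description, not the actual 4.1.1 patch. All sample timestamps and pids are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USEC_PER_SEC 1000000u

/* Weak generator exactly as the advisory states it:
 * random_id = 0xffff & (time_usec ^ time_sec ^ pid) */
static uint16_t weak_id(uint32_t time_sec, uint32_t time_usec, uint32_t pid)
{
    return (uint16_t)(0xffff & (time_usec ^ time_sec ^ pid));
}

/* Hardened replacement in the spirit of the vendor fix (assumed shape, not
 * the AOSP patch): 16 bits straight from /dev/urandom.
 * Returns 0 on success, -1 if the device cannot be read. */
static int urandom_id(uint16_t *out)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(out, sizeof *out, 1, f);
    fclose(f);
    return n == 1 ? 0 : -1;
}

/* Two consecutive weak draws (TXID, then source port) delta_usec microseconds
 * apart in the same process. Returns txid ^ port. pid cancels in every case
 * and time_sec cancels unless the microsecond field wraps between the calls. */
static uint16_t consecutive_xor(uint32_t time_sec, uint32_t time_usec,
                                uint32_t pid, uint32_t delta_usec)
{
    uint32_t sec2 = time_sec, usec2 = time_usec + delta_usec;
    if (usec2 >= USEC_PER_SEC) {          /* carry into the seconds field */
        usec2 -= USEC_PER_SEC;
        sec2 += 1;
    }
    uint16_t txid = weak_id(time_sec, time_usec, pid);
    uint16_t port = weak_id(sec2, usec2, pid);
    return (uint16_t)(txid ^ port);
}

/* Number of distinct txid ^ port values reachable when the two draws are at
 * most max_delta microseconds apart, over every starting microsecond that
 * stays within one second. The result does not depend on pid or time_sec.
 * 65536 would mean the port adds a full 16 independent bits to the TXID. */
static unsigned distinct_pair_xors(uint32_t max_delta)
{
    static uint8_t seen[65536];
    memset(seen, 0, sizeof seen);
    unsigned count = 0;
    for (uint32_t usec = 0; usec + max_delta < USEC_PER_SEC; usec++) {
        for (uint32_t d = 0; d <= max_delta; d++) {
            uint16_t x = consecutive_xor(0, usec, 0, d);
            if (!seen[x]) {
                seen[x] = 1;
                count++;
            }
        }
    }
    return count;
}

int main(void)
{
    /* Constructed sample inputs, not captured from a device. */
    uint32_t sec = 1343130917u, usec = 512345u, pid = 1234u;
    printf("weak: txid=%04x port=%04x txid^port=%04x\n",
           weak_id(sec, usec, pid), weak_id(sec, usec + 3, pid),
           consecutive_xor(sec, usec, pid, 3));

    uint32_t deltas[] = {1, 4, 16, 64};
    for (size_t i = 0; i < sizeof deltas / sizeof deltas[0]; i++)
        printf("draws <= %2u us apart: %5u distinct txid^port values (ideal 65536)\n",
               deltas[i], distinct_pair_xors(deltas[i]));

    uint16_t id;
    if (urandom_id(&id) == 0)
        printf("urandom-backed id: %04x\n", id);
    return 0;
}
```

With draws one microsecond apart the XOR of the two 16-bit values can only be 0 or one of the 16 patterns 2^k - 1, so the second draw contributes roughly four bits rather than sixteen; widening the gap to tens of microseconds adds only a handful more. That is the collapse from 32 to under 21 bits the advisory reports, and it is why the fix had to change the entropy source rather than the mixing arithmetic.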



