In standard SI-Bibliotexes uclibc and uclibc- ng used in many built-in and portable devices, revealed vulnerability (CVE is not assigned), which allows to substitute fictitious data in the DNS cache, which can be used to substitution in the IP address of an arbitrary domain and redirect appeals to the domain On the server of the attacker.
The problem affects various Linux interrogations for routers, access points and Internet-worshiping devices, as well as Linux-displacements for built-in systems, such as OpenWRT and Embeded Gentoo. It is noted that vulnerability is manifested in the devices of many manufacturers (for example, UCLIBC used in firmware Linksys, Netgear and Axis), but since in UCLIBC and UCLIBC-NG vulnerability remains incorporate, detailed information about specific devices and manufacturers whose products are present until the problem is disclosed.
Vulnerability is caused by the use of predictable transaction identifiers in the DNS-stroke code. The identification number of the DNS request was selected by a simple increase in the meter without the use of additional randomization of port numbers, which made it possible to achieve the poisoning of the DNS cache through the proactive sending of UDP packets with fictitious answers (the answer will be accepted if it came earlier than the response of the real server and includes the correct ID). Unlike the Kaminsky method proposed in 2008, the transaction identifier does not even need to be guessed, since it is initially predictable (at first, the value 1 is set, which increases with each request, and not selected randomly).
.
In the specification, to protect against the selection of the identifier, it is recommended to additionally apply the random distribution of numbers of the source network ports from which the DNS queries are sent, which compensates for the insufficiently large size of the identifier. When the ports are turned on, to form a fictitious response, in addition to the selection of 16 bit identifier, it is necessary to choose the number of the network port. In UCLIBC and UCLIBC-H, such a randomization was not explicitly turned on (when calling Bind, the random source UDP port was not indicated) and its use depended on the settings of the operating system.
When you turn off the randomization of the sweat, the determination of the increased request identifier is noted as a trivial task. But even in the case of randomization, the attacker only needs to guess the network port from the range 32768-60999, for which you can use the massive simultaneous sending of fictitious answers to different network ports.
