accept no compromises

Android 4.0.4 DNS Poisoning

Android 4.0.4 DNS Poisoning
Posted Jul 24, 2012
Authored by Roee Hay

Android versions 4.0.4 and below suffer from a DNS poisoning vulnerability.

tags | advisory
advisories | CVE-2012-2808
MD5 | f0e7d1f6cb180eaacaaf0ea77a3c5d79

Android 4.0.4 DNS Poisoning

Change Mirror Download
1 Introduction
===========
Recently we discovered a very interesting vulnerability in Android’s
DNS resolver,
a weakness in its pseudo-random number generator (PRNG), which makes
DNS poisoning
attacks feasible.

The full advisory can be found at http://bit.ly/MkteBx
A blog post can be found at http://bit.ly/MkoU5j
Demo of our PoC can be found at http://youtu.be/ffnF7Jej7l0

2 Vulnerability
============
The PRNG that the DNS resolver uses is
random_id = 0xffff & (time_usec ^ time_sec ^ pid)

where time_sec is the current time in seconds, time_usec is the microseconds
fraction and pid is the process identifier.

Both the TXID and source port are generated by this PRNG.
Since both calls occur subsequently, the values are very much correlated
to each other. This yields a feasible attack expected time as we show
that the number of
random bits is brought down from 32 (ideally) to less than 21.

Check our advisory for full details.

3 Vulnerable versions
================
Android 4.0.4 and below.

4 Vendor Response
===============
Android 4.1.1 has been released, and patches are available on AOSP. The random
sample is now pulled from /dev/urandom, which should have adequate entropy by
the time network activity occurs.

5 Identifier
========
CVE-2012-2808

6 Discovered by
============
Roee Hay & Roi Saltzman
IBM Application Security Research Group

7 Disclosure timeline
================
07/24/2012 Public disclosure
06/05/2012 Issue confirmed by Android Security Team and patch provided
to partners.
05/21/2012 Disclosed to Android Security Team.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close