绿盟科技NSFOCUS安全漏洞系统

安全研究

安全漏洞

Ruby resolv.rb可预测事件ID和源端口DNS欺骗漏洞

发布日期：2008-10-10
更新日期：2009-01-05

受影响系统：

Yukihiro Matsumoto Ruby 1.8.x

不受影响系统：

Yukihiro Matsumoto Ruby 1.8.7-p72
Yukihiro Matsumoto Ruby 1.8.6-p287

描述：

BUGTRAQ  ID: 31699
CVE(CAN) ID: CVE-2008-3905

Ruby是一种功能强大的面向对象的脚本语言。

Ruby的resolv.rb对DNS请求使用了固定的源端口和顺序排列的事件ID，这允许远程攻击者相对容易的伪造DNS响应，扮演成中间人执行网络钓鱼等各种攻击。

<*来源：Tanaka Akira

  链接：http://www.openwall.com/lists/oss-security/2008/09/03/3
        http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
        http://secunia.com/advisories/31430/
        https://www.redhat.com/support/errata/RHSA-2008-0896.html
        https://www.redhat.com/support/errata/RHSA-2008-0897.html
        http://security.gentoo.org/glsa/glsa-200812-17.xml
*>

测试方法：

警告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

14:41:43.917837 IP *.*.*.*.32852 > *.*.*.*.domain:  0+ A? www.ruby-lang.org. (35)
14:41:43.918776 IP *.*.*.*.domain > *.*.*.*.32852:  0 2/2/4 CNAME carbon.ruby-lang.org., A 221.186.184.68 (211)
14:41:43.920715 IP *.*.*.*.32853 > *.*.*.*.domain:  3787+ PTR? rev.dns.rec.some.name.of.the.host.in-addr.arpa. (43)
14:41:43.921029 IP *.*.*.*.domain > *.*.*.*.32853:  3787* 1/3/4 PTR some.name.of.the.host. (217)
14:41:43.925438 IP *.*.*.*.32852 > *.*.*.*.domain:  1+ A? www.ruby-lang.org. (35)
14:41:43.925745 IP *.*.*.*.domain > *.*.*.*.32852:  1 2/2/4 CNAME carbon.ruby-lang.org., A 221.186.184.68 (211)
14:41:43.926152 IP *.*.*.*.32853 > *.*.*.*.domain:  27846+ PTR? rev.dns.rec.some.name.of.the.host.in-addr.arpa. (43)
14:41:43.926440 IP *.*.*.*.domain > *.*.*.*.32853:  27846* 1/3/4 PTR some.name.of.the.host. (217)
14:41:43.930274 IP *.*.*.*.32852 > *.*.*.*.domain:  2+ A? www.ruby-lang.org. (35)
14:41:43.930571 IP *.*.*.*.domain > *.*.*.*.32852:  2 2/2/4 CNAME carbon.ruby-lang.org., A 221.186.184.68 (211)
14:41:43.930988 IP *.*.*.*.32853 > *.*.*.*.domain:  49648+ PTR? rev.dns.rec.some.name.of.the.host.in-addr.arpa. (43)
14:41:43.931266 IP *.*.*.*.domain > *.*.*.*.32853:  49648* 1/3/4 PTR some.name.of.the.host. (217)
14:41:43.935016 IP *.*.*.*.32852 > *.*.*.*.domain:  3+ A? www.ruby-lang.org. (35)
14:41:43.935295 IP *.*.*.*.domain > *.*.*.*.32852:  3 2/2/4 CNAME carbon.ruby-lang.org., A 221.186.184.68 (211)
14:41:43.935697 IP *.*.*.*.32853 > *.*.*.*.domain:  4479+ PTR? rev.dns.rec.some.name.of.the.host.in-addr.arpa. (43)
14:41:43.935971 IP *.*.*.*.domain > *.*.*.*.32853:  4479* 1/3/4 PTR some.name.of.the.host. (217)
14:41:43.939750 IP *.*.*.*.32852 > *.*.*.*.domain:  4+ A? www.ruby-lang.org. (35)
14:41:43.940020 IP *.*.*.*.domain > *.*.*.*.32852:  4 2/2/4 CNAME carbon.ruby-lang.org., A 221.186.184.68 (211)
14:41:43.940422 IP *.*.*.*.32853 > *.*.*.*.domain:  45762+ PTR? rev.dns.rec.some.name.of.the.host.in-addr.arpa. (43)
14:41:43.940705 IP *.*.*.*.domain > *.*.*.*.32853:  45762* 1/3/4 PTR some.name.of.the.host. (217)
14:41:43.944454 IP *.*.*.*.32852 > *.*.*.*.domain:  5+ A? www.ruby-lang.org. (35)
14:41:43.944734 IP *.*.*.*.domain > *.*.*.*.32852:  5 2/2/4 CNAME carbon.ruby-lang.org., A 221.186.184.68 (211)
14:41:43.945129 IP *.*.*.*.32853 > *.*.*.*.domain:  13583+ PTR? rev.dns.rec.some.name.of.the.host.in-addr.arpa. (43)
14:41:43.945392 IP *.*.*.*.domain > *.*.*.*.32853:  13583* 1/3/4 PTR some.name.of.the.host. (217)
14:41:43.949186 IP *.*.*.*.32852 > *.*.*.*.domain:  6+ A? www.ruby-lang.org. (35)
14:41:43.949446 IP *.*.*.*.domain > *.*.*.*.32852:  6 2/2/4 CNAME carbon.ruby-lang.org., A 221.186.184.68 (211)
14:41:43.949890 IP *.*.*.*.32853 > *.*.*.*.domain:  45038+ PTR? rev.dns.rec.some.name.of.the.host.in-addr.arpa. (43)
14:41:43.950163 IP *.*.*.*.domain > *.*.*.*.32853:  45038* 1/3/4 PTR some.name.of.the.host. (217)
14:41:43.953937 IP *.*.*.*.32852 > *.*.*.*.domain:  7+ A? www.ruby-lang.org. (35)
14:41:43.954225 IP *.*.*.*.domain > *.*.*.*.32852:  7 2/2/4 CNAME carbon.ruby-lang.org., A 221.186.184.68 (211)
14:41:43.954593 IP *.*.*.*.32853 > *.*.*.*.domain:  27150+ PTR? rev.dns.rec.some.name.of.the.host.in-addr.arpa. (43)
14:41:43.954859 IP *.*.*.*.domain > *.*.*.*.32853:  27150* 1/3/4 PTR some.name.of.the.host. (217)
14:41:43.958667 IP *.*.*.*.32852 > *.*.*.*.domain:  8+ A? www.ruby-lang.org. (35)
14:41:43.958943 IP *.*.*.*.domain > *.*.*.*.32852:  8 2/2/4 CNAME carbon.ruby-lang.org., A 221.186.184.68 (211)
14:41:43.959335 IP *.*.*.*.32853 > *.*.*.*.domain:  27956+ PTR? rev.dns.rec.some.name.of.the.host.in-addr.arpa. (43)
14:41:43.959613 IP *.*.*.*.domain > *.*.*.*.32853:  27956* 1/3/4 PTR some.name.of.the.host. (217)
14:41:43.963347 IP *.*.*.*.32852 > *.*.*.*.domain:  9+ A? www.ruby-lang.org. (35)
14:41:43.963632 IP *.*.*.*.domain > *.*.*.*.32852:  9 2/2/4 CNAME carbon.ruby-lang.org., A 221.186.184.68 (211)
14:41:43.964015 IP *.*.*.*.32853 > *.*.*.*.domain:  19992+ PTR? rev.dns.rec.some.name.of.the.host.in-addr.arpa. (43)
14:41:43.964282 IP *.*.*.*.domain > *.*.*.*.32853:  19992* 1/3/4 PTR some.name.of.the.host. (217)

建议：

厂商补丁：

RedHat
------
RedHat已经为此发布了一个安全公告（RHSA-2008:0897-01）以及相应补丁:
RHSA-2008:0897-01：Moderate: ruby security update
链接：https://www.redhat.com/support/errata/RHSA-2008-0897.html

Gentoo
------
Gentoo已经为此发布了一个安全公告（GLSA-200812-17）以及相应补丁:
GLSA-200812-17：Ruby: Multiple vulnerabilities
链接：http://security.gentoo.org/glsa/glsa-200812-17.xml

所有Ruby用户都应升级到最新版本：

# emerge --sync
# emerge --ask --oneshot --verbose ">=3Ddev-lang/ruby-1.8.6_p287-r1"

Yukihiro Matsumoto
------------------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p287.tar.gz
ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p287.tar.gz

浏览次数：2686
严重程度：0（网友投票）

关于我们: 公司介绍; 公司荣誉; 公司新闻

联系我们: 公司总部; 分支机构; 海外机构

快速链接: 绿盟云; 绿盟威胁情报中心NTI; 技术博客