Slashdot Mirror
Attack Code Published For DNS Vulnerability
get_Rootin writes "That didn't take long. ZDNet is reporting that HD Moore has released exploit code for Dan Kaminsky's DNS cache poisioning vulnerability into the point-and-click Metasploit attack tool. From the article: 'This exploit caches a single malicious host entry into the target nameserver. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing target nameserver to insert the additional record into the cache.' Here's our previous Slashdot coverage."
This has to be the worst time ever to be a web surfer. How long until we see the major networks broadcasting the legit IP quads of sites we want to reach?
And here I am, thinking I was on Google.
And lo, all unpatched websites were rendered unto Goatse.
%> /usr/bin/treaceroute fruity.stuff
traceroute to fruity.stuff (1.2.3.4), 30 hops max, 42 byte packets ...
evil bit detected. re-routing
Caesar si viveret, ad remum dareris.
Welp, thats it. Might as well give up. They've won.
It doesn't work that way. DNS local servers are either run by a corporation or by your ISP. Either one could be hacked now. So it's not if the website is patched. It is if the DNS server your computer is using is patched.
unpatched websites
Have you been following this story. It's not sites that need the patch, it's DNS servers. Site owners are powerless if the ISPs fail to protect their domain name from the an entry leading to the spoof site's IP address.
I exploited this and let a huge cache of people visit my site(127.0.0.1) in stead of the site they wanted to go. It was kickass.
Knowledge is power. Knowledge shared is power lost.
And do please forgive me if I'm under the impression that the supposed "fix" really isn't one.
The interesting thing, DNS glue (additional) poisoning WAS known, just not widely. EG, the SECOND hit for "dns glue poison" in Google gets http://lists.oarci.net/pipermail/dns-operations/2006-May/000537.html.
Quoting Emin Gun Sirer:
Incidentally, the client should be wary of trusting glue records unconditionally, as they are non-authoritative. A well-known cache poisoning attack works by tricking clients to believe glue records for all time and for all queries. Glue should be trusted for only the lookup in question for only the duration of that lookup. We'll assume that the clients treat glue properly (even though many do not).
Thus it was already known, two years ago, that trusting Glue records is "well-known cache poisoning attack". Just apparently, not well known enough by the authors of Bind, Microsoft's DNS server, Cisco, etc.
Test your net with Netalyzr
Slip of the digital tongue while attempting to make a quick funny. Please don't hurt me!
Now if your windoze box doesn't do its own resolution, it forwards all requests to a caching resolver (e.g. at your ISP) then your ISP's resolver needs to be patched. Or if they run DJB's dnscache, it's not vulnerable because DJB recognised the problem years ago.
If you use Verizons DNS you wont be able to tell the difference anyways. Seriously, I don't know if Verizon is paid to redirect DNS request or they just have really crappy security/maintinance on them.
The preceding post was not a Slashvertisement.
is it related?
For fuck's sake, whoever is DDoSing 4chan needs to stop already! The tards have spread out and are trolling the whole internet. At least the 4chan cesspool kept them all mostly in one place. Now they're left with nowhere to go and are taking their idiocy all over the internet!
Oh noes, the world is going to crash down around us! Just saying, why overreact? If it isn't one thing, it's going to be something else, and as usual, I'm fairly sure the best solution is to grin and bear it, or to round up a digital posse and fix the little tards.
Never disregard the raw power inherent to stupidity... they call it "dumb luck" for a reason...
There's a tool on the site below that apparently checks if the DNS you're currently using is vulnerable to such an attack. I checked my work DNS and my home DNS - both were fine. Apparently OpenDNS is secure as well, so there's probably nothing to worry about.
http://www.doxpara.com/
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
to watch the Black Hat DNS vulnerability webcast tomorrow. My only question is, what took so long?
Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
Prepare to enter teh suck.
Um... even if you run your own caching server, if your ISP runs a "transparent" web proxy it will do its own dns. You may in fact run DJB which is immune from this bug, but if your ISP runs an unpatched dns server you'll still be scrod despite running your own caching server.
Slick huh?
They need to take the dns lookup out of the web proxies.
Need Mercedes parts ?
Cédric Blancher's annotated command-line exploration of the “in-bailiwick” DNS vulnerability
Even though it is not as popular as BIND but djbdns doesn't have this vulnerability. Remember Dan J Bernstein had the original idea in 2002 about this issue and Dan Kaminsky and Paul Vixie looked into this and found these vulnerabilities.
They need to take the dns lookup out of the web proxies.
The problem with doing that would be that it would then be impossible (at least using current DNS software, as far as I know) to allow clients on an internal network to have limited internet access without allowing them to perform DNS tunneling (and thereby upgrade their internet access to "full").
Once someone (anyone?) releases a DNS package that allows firewall-style rules (e.g. "client on this range of IPs may only resolve subdomains of the following domains...", "clients may only look up X distinct subdomains each of Y domains every Z hours" then the picture would probably change.
"...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
it's an acronym for "Berkeley Internet Name Daemon"
Actually, BIND stands for "Berkeley Internet Name Domain". Berkeley did the seminal work for the original DNS implementation, and that's what they called their idea. BIND is a suite which includes a stub resolver, some utilities, and named (name daemon). (Along with some other stuff, now.)
If you want to get fancy, "ISC BIND named" is the proper name of the software we're talking about. ISC is the company, BIND is the product, named is the program.
See: http://www.isc.org/sw/bind/index.php
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
I assume you've never heard of Woz either
Once someone (anyone?) releases a DNS package that allows firewall-style rules (e.g. "client on this range of IPs may only resolve subdomains of the following domains..."
I think you might be able to do that with the "views" feature of ISC BIND v9 named, although I've never tried. I know you can define ACLs for clients and control how they see the DNS using the ACL. You should be able to define forwarding zones for the domains you want to work, and blackhole everything else. I think.
http://www.isc.org/sw/bind/arm93/Bv9ARM.ch06.html#view_statement_grammar
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Given that's a vulnerability in the DNS protocol I really wonder if the dnscache (djbdns) is affected by this one. Because it's said that djb's dns suite is immune to any type of cache poisoning attack. I better test it.
Oh noes, the world is going to crash down around us! Just saying, why overreact?
A problem you ignore will have full impact. A problem you prepare for and take counter-measures against is prevented from having a serious impact. That's the whole point.
We spent great effort fixing Y2K bus, thus prevented the bugs from causing serious damage. Therefore, you conclude, we should not have fixed the Y2K bugs.
I guess, since seat belts have saved lives, we should not wear them.
Get it now? :-)
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
... what a fucking douche bag
The fix is DNSSEC.
DNSSEC won't solve the present problem. Almost nobody has deployed it. In particular, the root zone does not use it, and I haven't seen mention of any GTLD or ccTLD zone doing so, either. Certainly not the big three (.COM, .NET, .ORG).
I am not saying cryptographically securing DNS is not a good idea. It is, and indeed, is the only viable long-term fix. I'm just saying that DNSSEC is not magic dust.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Hey all, I see lots of comments re: OpenDNS as a good solution if your ISP sucks (as mine does) and has not patched.
But I can't trust my DNS to resolve correctly to OpenDNS.com or whatever.
Anyone got dotted quads for me?
Looking for a Rails developer in Chapel Hill?
DNS Cache poisons you.
Sorry, I had to.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
I used one of the tests below and found that my ISP's DNS servers were vulnerable. Now I am using the OpenDNS servers on all of my clients instead:
208.67.222.222
208.67.220.220
Their servers are not vulnerable, and you can create an account to enable things like antiphishing at the DNS level (much better idea then a browser plug-in).
If you find that your ISP's routers are vulnerable, your best bet is switch to OpenDNS...or just run your own caching server.
ÕÕ
In case anyone is dumb enough to use a Microsoft DNS server as a authoritative internet DNS server -
MS has released two lovely patches -
KB951746 and KB951748
The problem with this fix is that it turns the DNS.EXE daemon into a UDP socket grubbing whore.
After the patch, the DNS.EXE daemon grabs no less than 2500 freaking UDP sockets.
This wreaks havoc on anything that - you know - needs UDP sockets on the same server.
So far Zonealarm, Blackberry BES and Sphericall VOIP software all break with this "patch"
Stay tuned for more fun to come ...
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
so, there are a lot of us in the following position, no doubt: we run a router (linksys, whatever) that gets DNS from our ISP. lets assume that the ISP is patched. our local machines use the router for DNS. do we need to patch the router? are its DNS request services even accessible to the external network? can it be compromised in the same way that the ISP DNS could be? i have been wondering this ever since news of this problem broke, and i have still not seen a clear answer.
Yes, DJB "recognized" the problem by lobotomizing DNS, and he refuses to consider what will solve the problem once and for all, DNSSEC. Right...
If you want to support verisign forever, go with dnssec.
Need Mercedes parts ?
"The problem with doing that would be that it would then be impossible (at least using current DNS software, as far as I know) to allow clients on an internal network to have limited internet access without allowing them to perform DNS tunneling "
You've lost me toally. I'm not talking about expolicit web proxies, but the "transparent" ones that ISPs use.
I can connect with ssh and ftp to free.tibet, but not via port 80 ("web") service. It's all in the wrist action of (the screw you I'm doing my own dns lookup of) the "transparent" web proxy the upstream has.
This has nothing to do with "dns tunnelling" whatever that is on internal networks or what have you. I dunno about where you are but around here every provider of dialup, broadband, wireless and sat uses these dumb "transparent" web proxies. They're also a vixieism, iroically.
Need Mercedes parts ?
Simply patching your DNS server may not be enough.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
It works tolerably well for X.509. What's your proposed alternative?
You're like those environmentalists who say "no" to nuclear, coal, wind (birds), dams (fish), solar (semiconductor manufacturing), and everything else, but who say "yes" to nothing.
Sorry, but I'm pretty certain that this is needed. It needs to use random UDP ports for each reply. If it's just 2500 ports, that's bad. It should use around 64K ports.
One chosen at random, for each reply it is sending.
Or is it something I do not understand in the problem you're describing? Or is it you to that do not understand the problem?
"Rune Kristian Viken" - http://www.nwo.no - arca
The only proper response to /b/ on Slashdot can be GNAA in Habbo.
Contrary to the popular belief, there indeed is no God.
The terminal session excerpts in Cédric's article are intelligible to a great many more Unix-speaking geeks than script kiddie-ready Ruby; therefore, regardless of the popularity of the French language, the link I provided is still probably more illuminating for most geeks than the self-congratulatory sploit TFA links to. And, in any case, if you had bothered to read past the article title and meta-info, you might have noticed the link to a suitable machine translation right there, above the article text.
Your reply does a great disservice to people who might otherwise have clicked through and learned something. But I guess that, to you, getting a measly karma point is more important than educating people w.r.t. network security issues. You had better hope that black-hat hackers have the same linguistic scruples as you; otherwise, one of these times, the ones who are undeterred by French and Russian and [whatever else] are going to have a field day pounding your... NIC.
A Google search revealed this way to test specific DNS servers from the command line (in case you're using a DNS server other than the one that's authoritative for the netblock you're in):
Good:
$ dig +short @208.67.222.222 porttest.dns-oarc.net txt
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"208.67.222.222 is GOOD: 26 queries in 0.1 seconds from 26 ports with std dev 17746.18
Poor:
$ dig +short @206.13.28.12 porttest.dns-oarc.net txt
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"206.13.28.13 is POOR: 26 queries in 0.2 seconds from 1 ports with std dev 0.00"
More discussion on this method here:
http://www.dslreports.com/forum/r20759262-CERT-VU800113-DNS-Cache-Poisoning-Issue~start=20
He objected to one thing. Sheesh. You're like those Fox News morons who pretend to be level-headed and objective.
The idea of /b/ spreading outside of 4chan terrifies me more than the thought that my DNS might get hijacked, TBH.
If you set up your own caching server and point it to the ISP-caching server, yes. But that would kinda defeat the point of using your own caching server. If you were doing it for your security.
New things are always on the horizon
Isn't there a simple solution to this ?
Current situation:
1) DNS server receives request to resolve x.com
2) DNS server ask for it to be resolved by root server
3) poison DNS server responds first, poisoning the DNS server
4) connection closed
5) root server responds, response is ignored
Why can't we just:
1) DNS server receives request to resolve x.com
2) DNS server ask for it to be resolved by root server
3) poison DNS server responds first (with correct id etc), poisoning the DNS server
4) After first response is received (DNS server assumes it *could* be false) it keeps the port open for a time (say 5 seconds) waiting for a second response
5) If no other response is received then it assumes the first response is genuine and uses it.
6) If a second response is received it discards both as 'potentially bad' and trys again.
Obviously this will mean any DNS request will take as long as we wait in step 4 above (5 seconds in this example), but this is on the initial query which can then be cached so the performance hit should not as bad as it first seems.
Or have I missed something ?
we spent great effort fixing Y2K bugs, which would not have caused serious damage (even if we had not fixed them). Therefore, we should not have fixed the Y2K bugs.
I was involved or exposed to a number of Y2K bugs which would have led to serious problems in one field or another. (For appropriate definitions of "serious".) I don't know if planes would have fallen out of the sky, but billing statements being calculated wrong, schedules being planned wrong, phone systems crashing, etc., are pretty serious to the people actually using those systems.
Understand that one of the biggest myths about Y2K was that the problems would manifest at 12:00 AM on 1 January 2000. Y2K problems started well before then. For example, banks, railroads, airlines, and similar started having to worry about Y2K back in the 1980's -- they routinely work on schedules spanning decades.
I won't deny that a lot of people turned legitimate Y2K concerns into marketing opportunities, but that doesn't mean it wasn't an issue.
For example, fans of djbdns are having a field day with this DNS thing, since djbdns doesn't have this flaw. Marketing opportunity. Not that I blame them. :-)
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Say pieces on a board, make each piece a pair with another piece.
like...
|55|33|66|
|44|66|55|
|33|44|22|
|22|11|11|
a piece can only be figured out to move one way...
pick any piece, try to move it somewhere...
have the chosen piece move to another piece, it moves there and makes the other piece have to move too.
when a piece is moved to another piece, it becomes a pair with the piece it moves to.
any piece that is moved has to have it's pair move at the same time.
any piece to move to another piece is a piece that moved at the same time as it's pair, and moved to another piece that
moved at the same time as it's pair too. A piece that moves to another piece becomes a pair with it, and the other of the pair
has moved to become a pair with another piece.
try anyway, works in one way where a piece can move back to the piece to move first.
A common type of problem, I forget what it's called.
A piece always goes where a piece leaves, the first piece has the last piece go where it left.
You can't move a piece that moves where the piece came from.
There is no such thing as a free space, a piece always moves to another piece.
A pair never moves to a pair.
A piece works out to move where another piece can get back to where a piece moves from.
The last move has to be known for the first move to be made, because the first move can't be understood until
the last move is. That's because the first move is where a piece moves to and it works around to the last move, and the
last move is where a piece can work getting to from the first move.
so try this...
draw starting at each piece a line that shows the piece it moves to, and each piece to move for how a piece moves back
where it starts.
see this as a machine diagram.
move a piece then figure the machine diagram again, it's the same machine though...
see how every other piece moves another way now?
what happened for how the machine moved?
I am so happy I have no idea what you're talking about.
The ISP's dns server may not be the same as the dns server the transparent web proxy cache uses. Unless THAT buger points to a djbdns or patched dns server it doesn't matter what you or your isp does for dns service.
Sneaky huh? I have a sense some poeple are gonna be phuqued by this.
Need Mercedes parts ?
FWIW, CAU has also posted a second sploit script that implements Cédric Blanchard's proof-of-concept.
If only we could persuade some of the botnets to launch a huge DDoS attack against him! :)
Ohh, sorry, I misread the parent post.
I guess there is only one solution, pay for your bandwidth double or tripple, by getting an account on a server somewhere.
New things are always on the horizon
Any idea what the "Open" part in their name is supposed to mean?
THE CANCER!!
This has nothing to do with "dns tunnelling" whatever that is on internal networks or what have you. I dunno about where you are but around here every provider of dialup, broadband, wireless and sat uses these dumb "transparent" web proxies. They're also a vixieism, iroically.
DNS tunneling is essentially the ability to set up a VPN tunnel using only DNS queries. It's a very interesting topic if you haven't read about it before - I only just found out about it a couple of months ago. The upshot is that if a machine has the ability to directly query DNS for arbitrary public domains, and the person using it has a public domain name and the ability to set up a pseudo-DNS server, then they can set up a VPN tunnel from that machine to their pseudo-DNS server on the public internet even if the client machine does not have internet access otherwise.
I'm not really familiar with transparent proxies, but I would guess that they're not actually doing the DNS lookup for you, but reading the host header and possibly doing a DNS lookup on that. I mean, if you don't tell your browser/OS to use an explicit proxy, how is it going to know to hand off DNS resolution to a transparent proxy that it doesn't even know about?
Anyway, if I'm right, then it can't really be "turned off", since you have to send a host header to get to basically every website now. And it's not as if the owners of the transparent proxies would choose to turn it off if it were optional, since presumably the reason they set them up was to intercept traffic.
"...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
I have never seen panic as a reasonable means to solve problems, only to exacerbate them. I find it much simpler to let the people who need to deal with the problems do so, and avoid mass hysteria.
Ahhh, I see, now. No argument there! :)
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.