Slashdot Mirror
Apple Clients Still Vulnerable After DNS Patch
Glenn Fleishman sends word that SANS Institute testing indicates that, even after installing Apple's latest patch for the DNS vulnerability, Leopard desktops (not servers) are still vulnerable — or at least perpetuate risky behavior that makes exploitation easier. This matters because "With servers rapidly being patched worldwide, it's likely that the low-hanging fruit disappears, and vectors [will be] designed to attack massive numbers of clients on ISP networks."
... the title is the start of the second paragraph. Perhaps Glen didn't read TFA...
From later on in TFA...
[sigh] even the article title is "DNS Clients Have Small Vector of Risk after Patch" ,,, where is the word 'small' in the /. title... ?
Simon.
Physicists get Hadrons!
I think one of the reasons MaraDNS (my own DNS server) is as good as it is is because I paid attention to DJB's writings. You know, a lot of people don't like DJB and his software is very polarizing. His confrontational behavior towards BIND and Sendmail was, at best, very unprofessional. I also don't like his dishonesty about the security issues both DjbDNS and Qmail have, pretending that these programs have no security problems. That is also fanboy behavior and not behavior a responsible software developer should have. The license was an issue for years, also; when the license was finally made reasonable late 2007 it has been too long to really develop a community of developers around either DjbDNS or Qmail (or Publicfile or...).
That said, he had some good ideas. The idea of randomizing both the query ID and the source port came from DJB and I implemented it in MaraDNS because I took the time to read what he had to say about DNS before implementing MaraDNS.
It is unfortunate that the bad blood between DJB and the BIND developers made it so BIND didn't implement source port randomization back in, say, 2001. It was known and a good idea then; it's essential today.
- Sam
Because it's the desktop they're trying to make this patch as pretty as possible, without sacrificing the innate beauty and usability of the system.
Really ? Troll ? For pointing out that content *within* the article counters the sensationalism of the /. submission ?
Or is that one of those 'I hate Apple' moderations, or perhaps 'I disagree with your point of view' moderations ?
Hmm. Let me think...
Simon
Physicists get Hadrons!
Unless lookupd is doing something really weird, this is a non-issue.
Lookupd only talks to the nameservers specified by the settings in netinfo, provided by DHCP, and possibly flat files. Unless your immediate upstream nameserver isn't recursive (which is really stupid) or it is compromised there's no mechanism to get lookupd to query any other nameservers.
Which means that unless the attacker is on the local LAN there's no mechanism to see the queries.
And if he is then this is the least of your worries.
.. with the low hanging fruit disappearing, we should be wary of giraffe hackers. So if you see someone with an exceptionally long neckbeard, you should inform your local police.
The title is completely true, the clients are still vulnerable; regardless of the reduced risk, there is the possibility of an attack. I don't really find the submission to be very sensationalist, simply stating that there is still a risk. Thanks for informing the /.ers that don't RTFA.
I don't understand how I can be vulnerable to this if I'm not running a DNS server. No open ports means no one can get in, unless I connect to them. If the DNS server I connect to is secured, how can anyone compromise my machine this way?
Give me Classic Slashdot or give me death!
I already submitted this; unfortunately, since I was using a Mac, I submitted it to Paypal instead of slashdot.
So basically, you are saying that using a protocol which tells you the port you are supposed to respond to requests on, it's possible to "guess" the port on which responses are expected?
Uh, if you are close enough to see the request, why do you not just use the response port in the request instead of guessing it from the last request?
I'm not understanding how this is any more vulnerable, unless you can predict requests.
Also, what do Windows and Linux boxes do?
-- Terry
Apple clearly stated that they only patched the BIND name server, not the client libraries.
Since Apple themselves stated the patch was for BIND, and that only people running Mac OS X Server would likely benefit from it, I am not surprised that it didn't change the workings of the client.
Ironically, the word ironically is often used incorrectly.
Um...I wrote the article, Space Cowboy? This article was revised after initially being posted as I received more information. Dan Kaminsky is the only one who currently knows the full scope of client weakness, but it's out there, so we revised our article to be clearer about the known knowns and the known unknowns!
Freelance tech journalist for the Economist, MIT Technology Review, Macworld, and others
So this is a patch. Sort of. It fixes some things, on some versions of the OS... but nothing significant.
I'm not sure I 'get' it!
I take exception to the assertion that Apple's patch was installed.
What was installed was not a patch. If it were a patch, the problem it was supposed to fix would not be there.
I assert the following:
What was installed was [redundant] code to allegedly act as a patch to the vulnerability. Of course it worked as expected after all it was and still is redundant code. Let's get our English right.
What it comes down to was Apple reported this patched fixed a problem that it did not fix. This means either they did not test the patch, incompetence, or they knew it didn't address the problem but told everyone it did, lies. All this defence of the indefensible makes people look like blithering idiots. If any company releases a patch that claims to patch something, then does not, that company deserves scorn, not this weak defence (oh it's not that bad!).
Putting bad cache entries in a DNS server is bad for lots of people.
Apple fixed BIND (if a bit tardy).
End of story.
If you are in the position to spoof DNS responses, you don't have to wait for the SECOND request to feeding bad results, so whether or not the client ports are predictable isn't important. But there's no way you can make the client start asking your server for DNS results, and that's the known part of the vulnerability: Injecting foreign servers into the DNS system and giving them responsibility for things they shouldn't have.
This is an absolute disgrace for Apple. Admittedly the details of the hack were leaked out in the most stupid manner possible and the person who did it deserves to have their mousing hand cut off to prevent future such offenses, but there's simply no way for Apple to come out of this looking good and I'm very surprised at their laggardly ways regarding this issue.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Also, by default, BIND is disabled in OS X clients.
From Apple's security advisory:
"The Berkeley Internet Name Domain (BIND) server is distributed with Mac OS X, and is not enabled by default. When enabled, the BIND server provides translation between host names and IP addresses. A weakness in the DNS protocol may allow remote attackers to perform DNS cache poisoning attacks. As a result, systems that rely on the BIND server for DNS may receive forged information. This update addresses the issue by implementing source port randomization to improve resilience against cache poisoning attacks. For Mac OS X v10.4.11 systems, BIND is updated to version 9.3.5-P1. For Mac OS X v10.5.4 systems, BIND is updated to version 9.4.2-P1. Credit to Dan Kaminsky of IOActive for reporting this issue."
The original \. article (http://it.slashdot.org/article.pl?sid=08/08/01/1215209&tid=172) neglected to include the first few sentences of the above.
I already had to go to my data center at 4 a.m. to patch all my servers thanks to this exploit. Slow news day..good to know I'm not part of the 'low hanging fruit' too bad my MacBook Pro is still "at risk", such...deep....fear... yawn..
It's from Apple, it's secure from day four hundred eighty-One.
Holy hell, is this a funny thread or what :)
I'm no Apple fanboy (never had a Mac and likely never will), but I feel that I have to stand up for them here.
The author seems to have a personal vendetta against Apple here, since I'd guess most Linux clients are at least as vulnerable.
Let's see what's going on here: If your DNS server recurses and caches, then it will accept glue records and you really need to patch your server.
m
However, stub resolvers which ost clients use simply ask your local DNS server directly, which does all the recursing. As a result they will only accept responses from the local DNS server (which is probably harder to spoof in practice) and further more they probably won't (at least the Linux libc resolver doesn't) accept any additional records. In particular this means that the attack as currently described can't work - you only get one chance to spoof a response to a DNS query rather than as many as you like (and in practice you can't trigger a DNS query from a client whenever you like - they'd have to visit your website or similar). Essentially this new attack gives you nothing new when it comes to attacking clients (and as has been pointed out if you're on the same local network segment as your victim, then there are many other attacks to try). That said of course, we may not know the full extent of the attack found by Dan Kaminsky and he may also have found an awesome attack on stub resolvers. But he wants his glory at the BlackHat conference, so the rest of us have to sit in the dark hoping there isn't more to come!! Of course it's still recommended that stub resolvers are patched, although they don't need to be so urgently, so yes indeed Apple should release a complete patch as we don't know what other attacks may be possible, and we're better safe than sorry. But certainly it's not something to panic about. Panic about the large number of unpatched servers still out there!
But what really annoys my about this article is that it also applies to Linux. Take Debian Stable - a quick test shows that it actually uses a fixed port for its queries! They fully admit they haven't yet patched the glibc stub resolver yet (look up DSA 1605-1). In newer kernels (>=2.6.24) the glibc resolver uses an unspecified port, so it's essentially chosen by the kernel, so it is fixed. But any Linux system prior to this is probably still vulnerable.
I can't actually quite believe I'm posting this as a Debian fan, and Apple hater, but this sort of shoddy journalism really annoys me.
Yes Apple have been slow to patch this. Yes they should have done a complete job. But much as we might despise them, lets at least be fair about this!
Since Apple did patch the BIND server that comes with OS X client by default, but is disabled, you could work around this issue by enabling BIND and using localhost as the only DNS server.
To enable BIND, simply edit /System/Library/LaunchDaemons/org.isc.named.plist and change the 'Disabled' key from true to false (file is owned by root:wheel)
Generate the rndc key the default configuration is looking for and cannot start up without via 'rndc-confgen -a' with root privileges.
Follow the hint at http://www.macosxhints.com/article.php?story=20080725172011439 to configure the system to ignore all DNS settings handed out to it via DHCP, and statically configure 127.0.0.1 as a DNS source.
The resolver logic in glibc has the same problem. Full Disclosure: [SECURITY] [DSA 1605-1] DNS vulnerability impact on the libc stub resolver
The only way around it is to configure a local caching DNS server.
Some privacy policy Slashdot.
Spoof the IP, brute force the transaction number, and get the client to perform lookups for names you already know, and you can convince it that YOU are the upstream server.
If you're in a position to read any transaction number from the client so you can brute-force the next one, you have to be able to sniff it anyway, and you don't NEED to brute-force it, you just need to be able to respond faster than the actual name server.
And since you're on the same LAN or at least closer to the nameserver than the client is, you're in a good position to do that.
The reason that this class of attack works against nameservers is that with a recursive nameserver you can get the nameserver to send you a packet that you can use to guess the sequence from. You can't do that with a client-only nameserver.
So you're saying that on Leopard the resolver ignores the DNS server settings you give it (regardless of how you give them to it, or what database it stores them in) and goes groveling around doing name resolution starting at a.root-servers.net and working down?
Because unless the client resolver does something daft like that (and, yes, that would be daft, and a bug in Leopard) the result is the same as if it was still using lookupd: the requests would have to be sniffed for a potential attacker to get a transaction or port number to use in the attack, and if the attacker is in a position to do that they don't need to predict the numbers, they just have to respond quicker than the real nameserver.
If there's an attacker on the public wifi with you who can use this attack on you, then they have already used something like an ICMP redirect spoofing attack to get you using them as the upstream router, and they can see and modify every packet you send and receive... so they don't need to *guess* the magic numbers you're using: you're giving them to them anyway.
comment to remove accidental upmod
Don't call me back. Give me a call back. Bye. So yeah. But bye our, well, but alright we are on a shirt this chill.
Agreed. I was afraid I might make it past more than 4 or 5 posts without the word Kaminsky in them. But I think a better title would have been "Kaminsky DNS Flaws Still Plague Apple".
Even though most of the affected servers have been patched, DNS is still broken. The patches thus far only make it slightly harder to exploit. Before the patches, you had a 1/(2^16) chance of guessing the sequence number. With the patches the likelihood of guessing the correct combination of port and sequence number has decreased to approximately 1/(2^32). Given there were reports that were reports of successful attacks in as little as 10 seconds, the patches only increase the time needed to approximately 10 minutes. With a fast enough internet connection, a successful attack could still take only minutes to succeed. DNSSEC or some other alternative may be the only way to avoid this issue completely.
Admittedly the details of the hack were leaked out in the most stupid manner possible
That's what you get for waiting for a $1000+ convention to do so. A leak and some code for Metasploit.
Karmic justice for his secrecy.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
...and its not like DNS should be run from a client PC anyway. This is a ISP/corporate WAN/LAN issue - nothing to do with end user machines. Would you use a mac as your gateway/dns? Apple has done the right thing, mostly.
-- NSY - SY OOT - Doric signs on local shop doors.
Both you and the grandparent are misinformed. All clients which are capable of resolving hostnames have a stub .. gasp .. resolver, which is what this is about. It has nothing to do with caching nameservers. The grandparent is wrong because the original attack requires user interaction in the first place.
The core of the vulnerability has been known for years and years, and was always possible. The new bit is just an interesting spin on it: reduce attack time by averaging over a number of sub-domain queries that you control (e.g. through a web page).
tcpdump | grep domain ???
pardon me?
Until then these stories are just one big yawn.
Bad analogies are like waxing a monkey with a rainbow.
m
However, stub resolvers which ost clients use simply ask your local DNS server directly...
I think you just had a hijacked DNS server relocate your "m".
today is spelling optional day.
Relax on Apple
"Apple fixed their server. There are scenarios in which the clients are vulnerable, but it's servers we need to worry about right now, and Apple did right by fixing their server."
DAN KAMINSKY
http://www.doxpara.com/?p=1198
Check your DNS there too.
Your name server, at 001.02.03.04, appears to be safe, but make sure the ports listed below aren't following an obvious pattern (:1001, :1002, :1003, or :30000, :30020, :30100...).
Click on the last period in his post (eggish) :-)
~hylas
As I noted in http://it.slashdot.org/comments.pl?sid=633511&cid=24441397 this is a non-issue. Also see
wkcole's article http://it.slashdot.org/comments.pl?sid=633511&cid=24445481 .
Unless the code is doing a full DNS lookup, rather than requesting a lookup from a recursive nameserver, there is no mechanism for a hostile nameserver to receive any packets from the local resolver to guess at the port and sequence number. It does not seem that the local resolver in Tiger or Leopard behaves that way... nor does the local resolver in Linux, nor does the local resolver in Windows, to address some other comments I have seen here and elsewhere.
How about the brand new, fully patched up-to-date Macbook Air at this year's pwn-to-own contest a couple months ago? Oh noes! It was the first to be compromised. http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture