Exploit for DNS Cache Poisoning - RELEASED

Joe Greco jgreco at ns.sol.net
Thu Jul 24 12:01:46 UTC 2008


> On Wed, Jul 23, 2008 at 9:44 PM, Joe Greco <jgreco at ns.sol.net> wrote:
> >> Except this time your reply comes with an additional record
> >> containing the IP for www.gmail.com to the one you want to redirect it
> >> to.
> >
> > Thought that was the normal technique for cache poisoning.  I'm pretty
> > sure that at some point, code was added to BIND to actually implement
> > this whole bailiwick system, rather than just accepting arbitrary out-
> > of-scope data, which it ... used to do (sigh, hi BIND4).
> 
> Joe,
> 
> I think that's the beauty of this attack: the data ISN'T out of scope.
> The resolver is expecting to receive one or more answers to
> 00001.gmail.com, one or more authority records (gmail.com NS
> www.gmail.com) and additional records providing addresses for the
> authority records (www.gmail.com A 127.0.0.1).

I think the response to that is best summarized as **YAWN**.

One of the basic tenets of attacking security is that it works best to
attack the things that you know a remote system will allow.  The 
bailiwick system is *OLD* tech at this point, but is pretty much
universally deployed (in whatever forms across various products), so 
it stands to reason that a successful attack is likely to involve 
either in-scope data, or a bug in the system.

The fact that this was known to be a cross-platform vulnerability
would have suggested an in-scope data attack.  I thought that part was
obvious, sorry for any confusion.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.




More information about the NANOG mailing list