Exploit for DNS Cache Poisoning - RELEASED
dot at dotat.at
Thu Jul 24 12:21:07 UTC 2008
On Wed, 23 Jul 2008, Kevin Day wrote:
> The new way is slightly more sneaky. You get the victim to try to
> resolve an otherwise invalid and uncached hostname like 00001.gmail.com,
> and try to beat the real response with spoofed replies. Except this time
> your reply comes with an additional record containing the IP for
> www.gmail.com to the one you want to redirect it to. If you win the race
> and the victim accepts your spoof for 00001.gmail.com, it will also
> accept (and overwrite any cached value) for your additional record for
> www.gmail.com as well.
RFC 2181 says the resolver should not overwrite authoritative data with
additional data in this manner.
I believe the Matasano description is wrong.
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
FORTIES CROMARTY FORTH TYNE DOGGER: EAST OR SOUTHEAST 3 OR 4, INCREASING 5 OR
6 LATER. SLIGHT OR MODERATE. FOG PATCHES. GOOD, OCCASIONALLY VERY POOR.
More information about the NANOG