Re: DNS Speculation

[ninjaboy <n0b0dyn1nj4 () gmail com>]

2008/7/23 Cedric Blancher <blancher () cartel-securite fr>:
> Le mardi 22 juillet 2008 à 02:42 -0700, Alexander Sotirov a écrit :
> > Spoofing a A record:
> > Right before step 7, the attacker sends a spoofed response from ns.google.com
> > that includes an A record for www.google.com and points it to 1.2.3.4 (which is
> > an attacker controlled name server). If the attacker does not win the race,
> > they just try again with 1235.google.com and so on.
>
> And, what about spoofing 1234.google.com as described everywhere and add
> an Authority RR stating that NS record for google.com is
> ns.malicious.net, and an Additional one giving A record for
> ns.malicious.net ?
>
> According to RFC 2181, section 5.4.1, authority data from an
> authoritative answer have a better priority than the ones from a
> non-authoritative one. When ns.isp.com is getting NS record from .com
> (step 5), it is done through a non-authoritative answer. Therefore, our
> successful spoofed answer should update google.com NS record(s) in
> ns.isp.com cache

http://www.caughq.org/exploits/CAU-EX-2008-0002.txt


-- 
noone is alone.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave