Dailydave mailing list archives

Re: DNS "leak"


From: Parity <pty.err () gmail com>
Date: Fri, 25 Jul 2008 14:20:56 -0400

When Halvar's post went up, it was unclear -- even to Halvar -- whether he
had found a viable attack.  Moreover, even after the bailiwick angle came to
light, nobody except Dan & his trustees had any way of knowing whether
Halvar had found the same attack, or a different one.

But even if Halvar had nailed the attack with 100% accuracy, Matasano was
particularly obliged *not* to confirm or deny.  Unlike the rest of the
public, Matasano was bound by an agreement Thomas made with Dan.

I appreciate that Matasano owned up to their mistake, but it *was* a
mistake.  Confirmation should have come from anywhere - Dan, you, me, even
n3td3v ;) - except Matasano.

pty

On Fri, Jul 25, 2008 at 2:00 AM, Alexander Sotirov <alex () sotirov net> wrote:

Why are people (including Dan) referring to the Matasano post as a leak? Halvar got 95% of the attack right in his blog post. He figured out that:

1) sending an A record for ns.victim.com in the spoofed response will poison the cache
2) doing multiple queries for non-existent domains gives us an unlimited number of opportunities to spoof a response
3) using a different domain in each query avoids the problems with cached responses

The only mistake in his attack is that he's sending queries for xxx.com instead of xxx.victim.com. It wouldn't have taken long for somebody who knows what 'in bailiwick' means to realize that the fake ns.victim.com RR needs to be in a response for a .victim.com domain, and then they'll have the full attack figured out.

When 95% of the vulnerability is public information and the remaining 5% is easy to guess, you have to treat the bug as public. How can Matasano leak something that's public?

Alex

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
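The "in bailiwick" point in Alex's message is the rule a caching resolver applies on the receiving side: records in a response are only cached if their owner name lies at or below the zone the resolver believes the answering server is authoritative for. The model below is an added illustration written for this archive page; it is not code from any poster, from Matasano, or from any real resolver (which also apply credibility rankings not modelled here). The names `ResourceRecord`, `in_bailiwick`, `bailiwick_filter`, `accept_response` and `demo` are made up for the example, and the records and the 192.0.2.66 address are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ResourceRecord:
    """Minimal DNS resource record (owner name, type, rdata); constructed for this example."""
    name: str
    rtype: str
    rdata: str


def normalize(name: str) -> str:
    """Case-fold and make the name absolute with exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if `owner` is the zone apex or lies below it, compared label-wise.

    The leading dot in the suffix test keeps 'notvictim.com' out of the
    bailiwick of 'victim.com'; a plain string suffix match would let it in.
    """
    owner, zone = normalize(owner), normalize(zone)
    if zone == ".":          # root bailiwick: every name qualifies
        return True
    return owner == zone or owner.endswith("." + zone)


def bailiwick_filter(zone: str, records: Iterable[ResourceRecord]
                     ) -> Tuple[List[ResourceRecord], List[ResourceRecord]]:
    """Split a response's records into cacheable (in bailiwick) and discarded.

    `zone` is the bailiwick of the outstanding query: the zone the resolver
    believes the server it asked is authoritative for.
    """
    accepted: List[ResourceRecord] = []
    rejected: List[ResourceRecord] = []
    for rr in records:
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected


def accept_response(qname: str, zone: str,
                    records: Iterable[ResourceRecord]) -> List[ResourceRecord]:
    """Model of the resolver's acceptance rule for one response.

    A response is only considered when the query name itself is under the
    bailiwick; within it, only in-bailiwick records are cached. This is why
    the ns.victim.com record can only ride along in a response for a
    .victim.com name, as the message above says.
    """
    if not in_bailiwick(qname, zone):
        return []
    accepted, _ = bailiwick_filter(zone, records)
    return accepted


# Constructed records in the shape the thread describes: an authority NS record
# for victim.com plus an A record for ns.victim.com pointing at an address the
# forger chose (192.0.2.66 is a documentation-range address, constructed here).
FORGED_AUTHORITY = [
    ResourceRecord("victim.com", "NS", "ns.victim.com"),
    ResourceRecord("ns.victim.com", "A", "192.0.2.66"),
]


def demo() -> Tuple[int, int]:
    """Count records a bailiwick-enforcing resolver would cache in two cases.

    Case 1: query for a random name under victim.com, bailiwick victim.com:
            both forged records are in bailiwick and would be cached.
    Case 2: the same records arriving for a query under an unrelated zone:
            nothing is cached, the records are out of bailiwick.
    Bailiwick checking therefore stops only the out-of-zone variant; an
    in-bailiwick forgery that wins the race is still accepted.
    """
    case1 = len(accept_response("xkq7.victim.com", "victim.com", FORGED_AUTHORITY))
    case2 = len(accept_response("xkq7.example.net", "example.net", FORGED_AUTHORITY))
    return case1, case2


if __name__ == "__main__":
    print(demo())   # (2, 0)
```

The contrast in `demo` is the whole of the "remaining 5%": the bailiwick check discards an ns.victim.com record delivered under any other zone, but it cannot tell a forged in-bailiwick response from a genuine one, so it narrows the attack rather than closing it.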
