Dailydave mailing list archives
The audacity of thinking you're not owned
From: Dave Aitel <dave () immunityinc com>
Date: Sat, 12 Jul 2008 13:38:35 -0400
I have to wonder about a strategy that implies that Paul Vixie is not owned by lots of different people.

Anyways, here is my guess of the day. There are four things that DNS checks, two of which are random in the "immune" djbdns code. One is the TXID (16 bits) and one is the source port. Assuming the "fix" for broken implementations is to randomize the source port, this means the TXID must be easily guessed. Amit's paper talks a bit about doing this sort of thing, but doesn't come into "easy" range. So here's what I think the exploit is, which is a slightly advanced method of some of Amit's stuff. I'm not a DNS (or crypto, for that matter) expert, so feel free to fill me in on where I'm missing stuff.

1. You can use the TTL to find out when to do your spoofing.
2. Use your own DNS to respond to some requests setting TTL=0 to get a long list of TXIDs from the resolver.
3. Map this list of TXIDs into an internal RNG state using a rainbow table. This lets you predict the next set of TXIDs with just a hash lookup.
4. Make a request for mail.google.com and send your spoofed packets to infect the cache.

-dave

P.S.: Kudos to the thousand people who posted about MOV RAX, RAX.
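A toy model of steps 2 through 4 of the sketch above, added here as an example. It is not code from the post, from djbdns, or from any real resolver: the resolver's TXID generator is an invented 18-bit LCG (an assumption chosen so the whole state space can be enumerated in a few hundred thousand iterations), the "rainbow table" is replaced by a plain precomputed lookup table keyed on three consecutive TXIDs, the attacker-controlled zone names and IP addresses are constructed, and the TTL-based timing of step 1 is not modelled. The same attack is run twice, once against a fixed source port and once against a randomised one, to show that predicting the TXID alone is not enough when the port is also random.

```python
"""Toy TXID-prediction attack: harvest TXIDs, recover PRNG state, spoof the answer."""
import random

STATE_BITS = 18                       # toy state size (assumption); real generators are larger
STATE_MASK = (1 << STATE_BITS) - 1
LCG_A, LCG_C = 1_664_525, 1_013_904_223   # textbook LCG constants, reduced by the mask
OBS = 3                               # TXIDs the attacker collects before predicting


def lcg_step(state):
    """One step of the invented generator."""
    return (LCG_A * state + LCG_C) & STATE_MASK


def txid_from_state(state):
    """The resolver leaks the top 16 bits of its 18-bit state as the query ID."""
    return state >> (STATE_BITS - 16)


class ToyResolver:
    """Caching resolver whose TXIDs come from the LCG; port 53 unless randomised."""

    def __init__(self, seed, randomize_ports=False):
        self.state = seed & STATE_MASK
        self.rng = random.Random(seed)          # used only for randomised ports
        self.randomize_ports = randomize_ports
        self.pending = None
        self.cache = {}

    def send_query(self, name):
        """Emit a query; returns (txid, src_port) as a sniffer would see them."""
        txid = txid_from_state(self.state)
        self.state = lcg_step(self.state)
        port = self.rng.randrange(1024, 65536) if self.randomize_ports else 53
        self.pending = (name, txid, port)
        return txid, port

    def receive_answer(self, name, txid, dst_port, rdata):
        """Accept an answer only if name, TXID and port match the outstanding query."""
        if self.pending == (name, txid, dst_port):
            self.cache[name] = rdata
            self.pending = None
            return True
        return False


def build_lookup_table():
    """Step 3: map every OBS-long run of TXIDs to the state that follows it.

    A full table is feasible only because the toy state space is 2**18; a real
    rainbow table trades memory for recomputation to cover a larger generator.
    """
    table = {}
    for s0 in range(1 << STATE_BITS):
        s, run = s0, []
        for _ in range(OBS):
            run.append(txid_from_state(s))
            s = lcg_step(s)
        table.setdefault(tuple(run), []).append(s)
    return table


def run_attack(table, resolver, target="mail.google.com", spoofed_ip="198.51.100.7"):
    """Steps 2-4 against one resolver; returns a dict describing what happened."""
    # Step 2: TTL=0 answers make the resolver keep re-asking the attacker's zone,
    # so the attacker's authoritative server sees one fresh TXID per query.
    observed, port_seen = [], None
    for i in range(OBS):
        name = f"probe{i}.attacker.example"            # constructed attacker zone
        txid, port_seen = resolver.send_query(name)
        observed.append(txid)
        resolver.receive_answer(name, txid, port_seen, "192.0.2.1")   # honest answer
    # Step 3: a single hash lookup instead of brute force.
    candidates = table.get(tuple(observed), [])
    # Step 4: trigger the target lookup and race the real answer with the
    # predicted TXID(s); the port guess is the last one seen on the probes.
    real_txid, real_port = resolver.send_query(target)
    predicted = [txid_from_state(s) for s in candidates]
    success = any(resolver.receive_answer(target, t, port_seen, spoofed_ip) for t in predicted)
    return {
        "txid_predicted": real_txid in predicted,
        "port_guess": port_seen,
        "port_actual": real_port,
        "success": success,
        "cached": resolver.cache.get(target),
    }


if __name__ == "__main__":
    table = build_lookup_table()
    print("fixed port: ", run_attack(table, ToyResolver(seed=0x2A5F3)))
    print("random port:", run_attack(table, ToyResolver(seed=0x2A5F3, randomize_ports=True)))
```

Against the fixed-port resolver the lookup recovers the generator state and the first spoofed packet lands in the cache. Against the port-randomising resolver the TXID is still predicted correctly, but the attacker's answer is only accepted if the guessed port happens to equal the fresh random one, which with a 16-bit port space is a one-in-tens-of-thousands event per attempt; that is the whole of the "fix" the post is reasoning about.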
Current thread:
- The audacity of thinking you're not owned Dave Aitel (Jul 12)
- Re: The audacity of thinking you're not owned Parity (Jul 12)
- Re: The audacity of thinking you're not owned Brandon Enright (Jul 12)
- Re: The audacity of thinking you're not owned Parity (Jul 12)
- Re: The audacity of thinking you're not owned Halvar Flake (Jul 13)
- Re: The audacity of thinking you're not owned Jason Ross (Jul 13)
- Re: The audacity of thinking you're not owned Thomas Pollet (Jul 14)
- Re: The audacity of thinking you're not owned Jon Oberheide (Jul 14)
- Re: The audacity of thinking you're not owned Thomas Pollet (Jul 14)
- Re: The audacity of thinking you're not owned Brandon Enright (Jul 12)
- Re: The audacity of thinking you're not owned Parity (Jul 12)