Metasploit mailing list archives
Exploit for the DNS cache poisoning vulnerability...
From: jaime.blasco at aitsec.com (Jaime Blasco)
Date: Thu, 24 Jul 2008 11:30:23 +0200
I'm implementing some tests for the DNS flaw for several organizations. Do you know of a patched DNS server (present on the Internet) to test the issues against?

Regards

Jarrod Frates wrote:

On Wed, Jul 23, 2008 at 2:20 PM, H D Moore <hdm at metasploit.com> wrote:
Woops: http://www.caughq.org/exploits/CAU-EX-2008-0002.txt

I've been pondering the effects of this vulnerability for much of the day, and it keeps getting better and better for me (management thinks it's worse and worse, especially with this module release, but therein lies the difference between management and the trenches).

I've seen a couple of mailing lists that have pointed out that direct DNS queries are not the only way to get this to work. Purely internal DNS servers that are hidden behind NATs or firewalls are protected to some degree from this. However, what about an XSS attack that runs down a long list of domains, triggering lookups? A loop that causes it to periodically request a record from an attacker-controlled server could provide the needed input for an attacker to start sending spoofed responses, as well as to predict source ports if from a vulnerable implementation, or else provide enough information to show that the system is patched and therefore requires a slightly less elegant solution.

Other suggestions included mail servers (send to someone at aaaaaa.yahoo.com, someone at aaaaab.yahoo.com, etc.) or possibly FTP servers that will perform server-to-server transfers (getting very rare but still around). These would be slower, but still possibly effective, and possibly also more likely to fly in under the radar.

I'm also wondering about whether there's some way to force this attack to affect lookups to TLDs, as owning an entire TLD presents some very ominous possibilities. Does the bailiwick mechanism compare only against subdomains of TLDs, or might TLDs themselves also be subject to this attack?
--
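The bailiwick question at the end of the quoted post, and the source-port point earlier in it, can be made concrete. What follows is an added Python example written for this archive page; it is not code from the thread, from the CAU exploit, or from the Metasploit module, and the zone, owner names and addresses in it are constructed. It implements the standard in-bailiwick rule a caching resolver applies to a reply (a record is cached only if its owner name sits at or below the zone the resolver believes it queried), runs a Kaminsky-style forged reply through that rule, and computes how many forged packets a spoofer needs on average with a fixed source port versus a randomised one.

```python
"""Bailiwick filtering and spoof odds for the 2008 DNS cache-poisoning flaw.

Added illustration for the mailing-list archive, not code from the thread.
The zone, record names and addresses below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "ns1.example.com"
    rtype: str   # "A" or "NS"
    rdata: str   # address or target name


def _labels(name: str) -> list[str]:
    """Split a domain name into lowercase labels, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies beneath it.

    A resolver that sent a query to a server it believes serves `zone`
    only caches records at or below `zone`, so a reply cannot plant
    records for unrelated names. The root zone ("" or ".") contains
    everything, which is why a query in flight to a root or TLD server
    has a correspondingly wide bailiwick.
    """
    n, z = _labels(name), _labels(zone)
    if not z:
        return True
    return len(n) >= len(z) and n[-len(z):] == z


def accept_records(zone: str, records: list[RR]) -> list[RR]:
    """Keep only the records a bailiwick-checking resolver would cache."""
    return [r for r in records if in_bailiwick(r.name, zone)]


def spoof_success_probability(txid_bits: int = 16, port_bits: int = 0) -> float:
    """Chance that one forged packet matches both the 16-bit transaction ID
    and the resolver's UDP source port. With a fixed port only the TXID has
    to be guessed; randomising the port adds `port_bits` of extra entropy."""
    return 1.0 / (2 ** (txid_bits + port_bits))


def expected_forgeries(txid_bits: int = 16, port_bits: int = 0) -> int:
    """Forged packets needed on average before one is accepted."""
    return 2 ** (txid_bits + port_bits)


# Constructed sample: a Kaminsky-style forged reply. The resolver asked for
# a random, uncached name under example.com and is waiting on the servers
# for that zone. The forgery answers the throwaway name and, in its
# authority/additional sections, tries to replace the NS and glue for the
# whole zone, plus one record for an unrelated domain.
ZONE = "example.com"
FORGED = [
    RR("zz9k2.example.com", "A", "192.0.2.10"),      # the throwaway name
    RR("example.com", "NS", "ns1.example.com"),      # in bailiwick: cached
    RR("ns1.example.com", "A", "198.51.100.7"),      # in bailiwick: cached
    RR("www.other-bank.test", "A", "198.51.100.8"),  # out of bailiwick: dropped
]


def demo_zone() -> list[str]:
    """Owner names that survive the check for a query in flight to example.com."""
    return [r.name for r in accept_records(ZONE, FORGED)]


def demo_tld() -> list[str]:
    """Same forged reply, but the resolver was waiting on a server for "com"."""
    return [r.name for r in accept_records("com", FORGED)]


if __name__ == "__main__":
    print("cached (zone example.com):", demo_zone())
    print("cached (zone com):        ", demo_tld())
    print("fixed port : 1 in", expected_forgeries(16, 0))
    print("random port: 1 in", expected_forgeries(16, 16))
```

Run through the check, the forged NS record and its glue for example.com survive because they sit inside the zone the resolver was already asking about; the bailiwick rule never stops that, which is why the attack only has to beat the transaction ID and, after the patch, the randomised source port as well. The same function answers the TLD question mechanically: with the zone set to "com" (the resolver waiting on a .com server), example.com and everything under it is in bailiwick, and the unrelated .test name is still rejected.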
Current thread:
- Exploit for the DNS cache poisoning vulnerability... H D Moore (Jul 23)
- Exploit for the DNS cache poisoning vulnerability... H D Moore (Jul 23)
- Exploit for the DNS cache poisoning vulnerability... Jarrod Frates (Jul 23)
- Exploit for the DNS cache poisoning vulnerability... Jaime Blasco (Jul 24)
- Exploit for the DNS cache poisoning vulnerability... H D Moore (Jul 24)
- Exploit for the DNS cache poisoning vulnerability... Jarrod Frates (Jul 23)
- Exploit for the DNS cache poisoning vulnerability... Juan Miguel Paredes (Jul 24)
- Exploit for the DNS cache poisoning vulnerability... natron (Jul 24)
- Exploit for the DNS cache poisoning vulnerability... Jose Carlos Luna (Jul 24)
- Exploit for the DNS cache poisoning vulnerability... Juan Miguel Paredes (Jul 24)
- Exploit for the DNS cache poisoning vulnerability... H D Moore (Jul 23)