Metasploit mailing list archives

Exploit for the DNS cache poisoning vulnerability...


From: one.miguel at gmail.com (Juan Miguel Paredes)
Date: Fri, 25 Jul 2008 06:59:26 +0200

Thanks for the feedback.  It seems that sending the DNS request that reveals
the information required to send spoofed packets is not really that
difficult after all.  The only other issue I can foresee is if there are
multiple internet facing resolvers, an attacker would need to know all of
them and send spoofed packets to all of them.  Of course if the internet
facing DNS server is patched, attacking the unpatched internal caching DNS
servers would be next to impossible, unless the attacker is lucky enough to
be inside the network and can sniff packets between the caching servers and
the internet facing servers in order to get the source port and the
destination IP.

Thanks again for the feedback.

On Thu, Jul 24, 2008 at 5:33 PM, Jose Carlos Luna <Jose.Carlos.Luna at cern.ch> wrote:


Just an idea that popped to my mind.

In this case I would send, as you suggest, a link or webpage (there is no
real need for it to be XSS) that makes the internal client
resolve sequentially:
randomAAAAA.atacker.com
randomAAAAB.atacker.com

All the spoofing part of the attack is launched from ns.atacker.com.
The attacker will answer the above replies as:
randomAAAAA.atacker.com. CNAME randomAAAAA.victim.com.
randomAAAAB.atacker.com. CNAME randomAAAAB.victim.com.

This way I have all the information I need (the address and port of the
caching DNS) and good synchronization with the client part
of the attack as the caching dns will immediately go resolve
randomXXXX.victim.com when I answer with the CNAME data.

In the client-started page we could also implement a stopping mechanism,
like making it resolve stop.atacker.com every X tries.

Cheers,

natron wrote:

Juan, your scenario would be a difficult one to exploit with the current
code.  An external attacker would be able to send spoofed responses to your
DNS server, but would not be able to send requests to the server for
randomAAAAA.domain.com.  An external
attacker could, in theory, modify the request generating side of the msf
exploit to use one of the ideas Jarrod mentioned in the earlier email (e.g.
XSS forcing an internal browser to fire off DNS requests for you), then send
the spoofed responses to wherever the DNS server pops them out.

Something like:

1) XSS kicks off DNS request to attacker-controlled DNS server, telling
attacker the location of the victim's DNS server doing the internet-facing
resolving as well as what port(s) it's using
2) XSS kicks off AAAA.domain.com, AAAB.domain.com, etc
3) MSF spoofs responses and poisons the cache.

Nathan

2008/7/24 Juan Miguel Paredes <one.miguel at gmail.com>:

   Thanks HD.

   I'm trying to understand this and get this to work in our lab.

   In our environment, we have internet-facing DNS servers.  The only
   systems allowed to query the internet-facing DNS servers are
   internal DNS caching servers.  All internal users can only query
   the caching servers.  (sorry, I'm not a DNS guy so my terminology
   is wrong, I'm sure).  Attacker can't hit either the
   internet-facing DNS server or the caching servers from outside.  An
   attacker would need to be inside the network to begin with.  No
   problem there.  However, the attacker would also be forced to
   target the caching servers. Additionally:

   1.  The attacker would need to know which internet-facing DNS
   server the caching server is working with at the time of the
   attack (or spoof them all).
   2.  Instead of spoofing the authority as in the msf module, the
   attacker would have to spoof the internet-facing DNS servers.

   After that, unpatched DNS servers are game.  I'm in the process of
   modifying the .rb modules for our environment, but I thought I
   should ask: am I on the right track here or am I missing something?

   Thanks.


   On Wed, Jul 23, 2008 at 11:20 PM, H D Moore <hdm at metasploit.com> wrote:

       Woops:
       http://www.caughq.org/exploits/CAU-EX-2008-0002.txt
       _______________________________________________
       http://spool.metasploit.com/mailman/listinfo/framework







--
Jose Carlos Luna Duran @ CERN / luna at aditel.org / dreyer at pandas.es
Dep: IT/CS/NS
Geneve 23 CH-1211
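A defender-side check, added here as an example and not part of the thread or of any Metasploit code: the sequential randomAAAAA/randomAAAAB lookups that Jose and natron describe show up in a caching resolver's query log as a burst of never-repeated leaf labels under one zone, all from one internal client. The script below parses BIND-style query-log lines (the format, the constructed sample lines, the regex, the window and threshold values, and the naive "last two labels" zone rule are all assumptions) and flags client/zone pairs that query at least a threshold of distinct labels within a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of BIND-style query log lines (not real traffic).
# The burst under atacker.com mirrors the sequential randomAAAAA,
# randomAAAAB, ... lookups described in the thread; the example.com
# lines from another client are ordinary traffic that must not trigger.
SAMPLE_LOG = """\
25-Jul-2008 06:59:25.900 client 10.0.0.7#40001: query: www.example.com IN A + (10.0.0.53)
25-Jul-2008 06:59:26.001 client 10.0.0.5#51234: query: randomAAAAA.atacker.com IN A + (10.0.0.53)
25-Jul-2008 06:59:26.052 client 10.0.0.5#51234: query: randomAAAAB.atacker.com IN A + (10.0.0.53)
25-Jul-2008 06:59:26.103 client 10.0.0.5#51234: query: randomAAAAC.atacker.com IN A + (10.0.0.53)
25-Jul-2008 06:59:26.154 client 10.0.0.5#51234: query: randomAAAAD.atacker.com IN A + (10.0.0.53)
25-Jul-2008 06:59:26.205 client 10.0.0.5#51234: query: randomAAAAE.atacker.com IN A + (10.0.0.53)
25-Jul-2008 06:59:26.256 client 10.0.0.5#51234: query: randomAAAAF.atacker.com IN A + (10.0.0.53)
25-Jul-2008 06:59:26.300 client 10.0.0.7#40002: query: mail.example.com IN MX + (10.0.0.53)
25-Jul-2008 06:59:40.000 client 10.0.0.7#40003: query: www.example.com IN A + (10.0.0.53)
25-Jul-2008 06:59:41.000 client 10.0.0.7#40004: query: ftp.example.com IN A + (10.0.0.53)
"""

# Assumed BIND query-log layout: "<ts> client <ip>#<port>: query: <qname> IN <qtype> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (timestamp, client_ip, qname) for every line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a query line
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        yield ts, m.group("client"), m.group("qname").rstrip(".").lower()


def split_name(qname):
    """Return (leaf_label, zone) using a naive 'zone = last two labels' rule.
    Real deployments should use a public-suffix list; this is a simplification."""
    labels = qname.split(".")
    if len(labels) < 3:
        return None, None  # bare zone name, no leaf label to count
    return labels[0], ".".join(labels[-2:])


def detect_random_subdomain_bursts(text, window_seconds=10.0, threshold=5):
    """Flag (client, zone) pairs that queried >= threshold distinct leaf labels
    under one zone inside any window of window_seconds.
    Returns {(client, zone): max_distinct_labels_seen_in_one_window}."""
    events = defaultdict(list)  # (client, zone) -> [(ts, label), ...]
    for ts, client, qname in parse_query_log(text):
        label, zone = split_name(qname)
        if zone is None:
            continue
        events[(client, zone)].append((ts, label))

    flagged = {}
    for key, evs in events.items():
        evs.sort()  # chronological order so a two-pointer window works
        in_window = defaultdict(int)  # label -> occurrences inside the window
        left = 0
        best = 0
        for ts, label in evs:
            in_window[label] += 1
            # drop events from the left until the window spans <= window_seconds
            while (ts - evs[left][0]).total_seconds() > window_seconds:
                old_label = evs[left][1]
                in_window[old_label] -= 1
                if in_window[old_label] == 0:
                    del in_window[old_label]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    hits = detect_random_subdomain_bursts(SAMPLE_LOG)
    for (client, zone), n in sorted(hits.items()):
        print(f"{client} queried {n} distinct labels under {zone} within 10s")
```

On the sample log this reports only the 10.0.0.5 / atacker.com pair (six distinct labels in a quarter of a second); the example.com lookups stay well below the threshold. Treat a hit as a lead rather than a verdict: legitimate random-label traffic exists, and the durable mitigation remains the resolver patch (source-port randomization) that the thread takes as its starting point.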


