The audacity of thinking you're not owned

[Dave Aitel <dave () immunityinc com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have to wonder about a strategy that implies that Paul Vixie is not 
owned by lots of different people.

Anyways here is my guess of the day.

There's 4 things that DNS checks, two of which are random in the 
"immune" djbdns code. One is the TXID (16 bits) and one is the source 
port. Assuming the "fix" for broken implementations is to randomize the 
source port, this means the TXID must be easily guessed. Amit's paper 
talks a bit about doing this sort of thing, but doesn't come into "easy" 
range.

So here's what I think the exploit is, which is a slightly advanced 
method of some of Amit's stuff. I'm not a DNS  (or crypto, for that 
matter) expert, so feel free to fill me in on where I'm missing stuff.

1. You can use the TTL to find out when to do your spoofing.
2. Use your own DNS to respond to some requests setting TTL=0 to get a 
long list of TXIDs from the resolver.
3. Map this list of TXIDs into an internal RNG state using a rainbow 
table. This lets you predict the next set of TXID's with just a hash lookup.
4. Make a request for mail.google.com and send your spoofed packets to 
infect the cache.

- -dave
P.S.: Kudos to the thousand people who posted about MOV RAX, RAX.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD4DBQFIeOwatehAhL0gheoRArf2AJUWsIr+YtCUeNtkglCenHegFqB7AJ4pXm5z
M8td0TvVvWmrxHWN52NNSQ==
=vtaV
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave