Full Disclosure mailing list archives

Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion)

From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Sun, 13 Jul 2008 15:37:25 -0500

--On July 13, 2008 2:50:26 PM -0500 eugaaa () gmail com wrote:

http://blogs.zdnet.com/security/?p=1466
Can someone clarify what they meant by "non-reversible patch" ?

The patch changes the default behavior of dns so that queries areresponded to from random ports rather than always from the same port(usually 53.) Reversing the patch merely returns you to the previousdefault behavior. It does not get you to the vulnerability that, inconjunction with non-random port responses, would allow you to spoof dnsqueries. (This is speculation on my part. Dan hasn't shared the detailsme with.) IOW, there is a separate vulnerability in dns, which Dan hasnot yet revealed, that allows you to take advantage of the non-randomnature of query responses.

Readers should note that if you override the patch behavior by specifyinga query response port (the syntax is available to do that), you negate thepatch.

http://www.debian.org/security/2008/dsa-1603
Are these .deb patches automagical?

If you mean, is bind patched after you've followed the directions in theadvisory (i.e. run apt-get update and then apt-get install bind9), thenyes, it "automagical" as you put it.

*scratches head*
I'm not interested in discussing the hype or scene-war aspect of this
vulnerability.

Has anyone actually verified the impact of this vulnerability? Any code,
anything?
(http://www.milw0rm.com/exploits/4266)

No because the real vulnerability has not yet been released. (Again, thisis my speculation.) The patches will make bind much more resistant to aspoofing attack that would have been easy to do once the realvulnerability is revealed publicly.

BTW, if you want to check your name server (so long as it's not doingforwarding), you can run this command:

# dig @yourserver +short porttest.dns-oarc.net TXT

A patched server will respond like this:
# dig @ns1.stovebolt.com +short porttest.dns-oarc.net TXT
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.

"66.221.101.249 is GOOD: 26 queries in 1.3 seconds from 26 ports with stddev 18347.40"

An unpatched server will return POOR: 26 queries in 1.3.seconds from 1port.


Paul Schmehl
If it isn't already obvious,
my opinions are my own and not
those of my employer.

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

DNS Cache Dan Kamikaze (Actual Exploit Discussion) eugaaa () gmail com (Jul 13)
- Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Paul Schmehl (Jul 13)
  - Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) eugaaa () gmail com (Jul 13)
    - Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) coderman (Jul 13)
    - Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) eugaaa () gmail com (Jul 13)
    - Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) coderman (Jul 13)
    - Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) eugaaa () gmail com (Jul 13)
    - Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Paul Schmehl (Jul 13)
    - Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) eugaaa () gmail com (Jul 13)
    - Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) eugaaa () gmail com (Jul 13)
    - Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Valdis . Kletnieks (Jul 13)
    - Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion) Paul Schmehl (Jul 14)

(Thread continues...)