Re: DNS Cache Dan Kamikaze (Actual Exploit Discussion)

[Paul Schmehl <pschmehl_lists () tx rr com>]

--On July 13, 2008 9:44:19 PM -0500 eugaaa () gmail com wrote:

> If the nameserver is "down" most likely the resolver is going to try a
> different one. Meaning you're back to square one. Which is why I asked
> what happens if the resolver recv's a response after it's been told
> the nameserver is down. In any case, I'm not even sure how resolvers
> handle dest unreachables. And again, I think that avenue is moot.
>
> As for your question about theory versus practicality. 2^16 seems
> possible. This exact same problem exist with ASLR implementations as
> well as stack protection mechanisms (canary values etc). I think even
> vista's current address space randomization is 16-bits. However with
> these DNS transaction ID's you're not looking at a random number. It's
> scope is limited because you've seen the transaction ID's of each
> request you've made. IE my first request was 125, my second was 133,
> etc. Meaning you pick a number higher up (180) and try to win the
> race.

I think you are fundamentally misunderstanding the problem.  The 
vulnerability we're discussing allows you to *poison* a nameserver's 
cache.  You *want* the nameserver to answer.  You don't want to answer on 
its behalf.  You want it to answer - incorrectly - so that users are 
fooled into thinking they've been taken to the real site when in fact they 
been taken to a "mirror" of the real site, specially prepared for whatever 
nefarious purpose you have in mind.

Paul Schmehl
If it isn't already obvious,
my opinions are my own and not
those of my employer.

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/