- Feb 22, 2007
- 16,240
- 7
- 76
Well it didn't take long for the exploit to start making rounds. This one could be really bad if it isn't patched on servers soon. I just checked my isp servers and they are vulnerable. I won't give out the isp name, its a major one though, with thousands of customers. I emailed them to tip them off, I shouldn't have had to, but hopefully they patch it soon.
Just be careful about sites that you visit that they are indeed the ones that you are supposed to be at. A DNS exploit changes the ip address that the site name is directing you to. So instead of going to google.com, it pulls up a spyware site.
Posted it here rather than in security because it is something everyone needs to know about, not just people that are having security issues.
You can check if the dns server you use is vulnerable here:
http://www.doxpara.com/
Yesterday
http://blog.wired.com/27bstrok...07/details-of-dns.html
Today
http://blog.wired.com/27bstrok...07/dns-exploit-in.html
Just be careful about sites that you visit that they are indeed the ones that you are supposed to be at. A DNS exploit changes the ip address that the site name is directing you to. So instead of going to google.com, it pulls up a spyware site.
Posted it here rather than in security because it is something everyone needs to know about, not just people that are having security issues.
You can check if the dns server you use is vulnerable here:
http://www.doxpara.com/
Yesterday
http://blog.wired.com/27bstrok...07/details-of-dns.html
Details of DNS Flaw Leaked; Exploit Expected by End of Today
Despite Dan Kaminsky's efforts to keep a lid on the details of the critical DNS vulnerability he found, someone at the security firm Matasano leaked the information on its blog yesterday, then quickly pulled the post down. But not before others had grabbed the information and reposted it elsewhere, leading Kaminsky to post an urgent 0-day message on his blog reading, "Patch. Today. Now. Yes, stay late."
Hackers are furiously working on an exploit to attack the vulnerability. HD Moore, creator of the Metasploit tool, says one should be available by the end of the day.
Earlier this month, Kaminsky, a penetration tester with IOActive, went public with information about a serious and fundamental security vulnerability in the Domain Name System that would allow attackers to easily impersonate any website -- banking sites, Google, Gmail and other web mail websites -- to attack unsuspecting users.
Kaminsky announced the vulnerability after working quietly for months with a number of vendors that make DNS software to create a fix for the flaw and patch their software. On July 8, Kaminsky held a press conference announcing a massive multivendor patch among those vendors, and urged everyone who owns a DNS server to update their software.
But Kaminsky broke one of the fundamental rules of disclosure in announcing the bug. He failed to provide details about the flaw so system administrators could understand what it was and determine if it was serious enough to warrant an upgrade to their systems.
Kaminsky promised to reveal those details next month in a presentation he plans to give at the Black Hat security conference in Las Vegas. But he said he wanted to give administrators a 30-day head start to get their systems patched before he provided details that could allow hackers to create an exploit to attack the systems.
Kaminsky asked researchers not to speculate about the bug details in the meantime and to trust that it was a serious issue. Some did as he asked. But many security researchers took his coyness as a challenge to uncover the details Kaminsky was holding back.
Halvar Flake, a German security researcher, was the first to publish details that correctly speculated on the bug (which have since been removed from his blog), though Kaminsky told Threat Level that others figured out the bug many days before Flake published his findings. Flake's post also didn't provide all of the correct details about the bug. But Matasano took care of that issue when it spilled the beans in a post that has garnered heavy criticism from other security researchers who accuse Matasano of irresponsible disclosure and of trying to get publicity by stealing attention from Kaminsky's Black Hat talk next month.
The disclosure was bound to happen, however, since Kaminsky had been forced to provide details of the bug privately to numerous people who balked at patching their systems without knowing the exact nature of the bug. In the absence of these details, some system administrators and security researchers had accused Kaminsky of rehashing an old, known vulnerability in DNS to gain notoriety.
Matasano's founder, Thomas Ptacek, had been one of the researchers who doubted Kaminsky's findings, but he recanted after Kaminsky disclosed details of the bug to him in private. Ptacek wasn't the employee whose name appeared at the bottom of the Matasano post disclosing the information, but the founder apologized today for disclosing the information. In the message he said the company had written the post in anticipation of publishing it as soon as Kaminsky or someone else spilled the details, implying that the early publication had been unintentional.
The DNS flaw that Kaminsky discovered allows a hacker to conduct a "cache poisoning attack" that could be accomplished in about ten seconds, allowing an attacker to fool a DNS server into redirecting web surfers to malicious web sites.
DNS servers do the job of translating a web site's name to its address on the internet -- for example, translating www.amazon.com to 207.171.160.0 -- so a browser can bring up the web site for a user. A cache poisoning attack allows a hacker to subvert a DNS server to surreptitiously translate a website's name to a different address instead of the real address, so that when a user types in "www.amazon.com," his browser is directed to a malicious site instead, where an attacker can download malware to the user's computer or steal user names and passwords that the user enters at the fake site (such as e-mail log-in information), similar to the way phishing attacks work.
"It's a really bad bug that really impacts every web site you use and your readers use," Kaminsky said. "It impacts whether or not readers are even going to see the article you're about to write."
Kaminsky told Threat Level he's not interested right now in slinging mud with Matasano and others over how the information has been disclosed. He just wants people to patch their systems.
He also says he's happy that administrators have had some time, though not as much as he'd hoped, to get their systems patched before the information went public.
"We got thirteen days of a patch being out without the bug being public," he said. "That's unprecedented. I'm pretty proud of at least thirteen days. I would have liked thirty, but I got thirteen."
Today
http://blog.wired.com/27bstrok...07/dns-exploit-in.html
DNS Exploit in the Wild -- Update: 2nd More Serious Exploit Released
Well it took a little longer than expected so it's not quite a zero-day exploit, but the anticipated attack code to exploit the critical Kaminsky DNS cache-poisoning flaw is now in the wild (assuming there wasn't one already out there).
Let's call it a .5-day exploit.
HD Moore, creator of the Metasploit Framework research and hacking tool, pinged me that he's just released the code. System administrators who dragged their feet over updating their DNS servers have lost the race . . . so to speak. But that doesn't mean it's too late to patch your system.
Moore says the code currently has a limitation:
This exploit can't be used to overwrite an existing cache entry, so attackers will have a hard time spoofing common host names on busy DNS servers. The module added to Metasploit will display the expiration date for any pre-cached entries and automatically wait for that amount of time for completing the attack.
No one should take comfort in this, however.
For readers who aren't familiar with it, Metasploit is a penetration testing tool that system administrators use to test their networks with real exploits in order to uncover vulnerabilities and fix them. But in the double-edged world of computer security, any tool used legitimately to test the security of a network can also be used by hackers to attack a network.
The exploit was co-developed with |)ruid from Computer Academic Underground. The two have posted an advisory about the exploit.
UPDATE: Moore has added a second exploit to Metasploit; this one is more serious. Here's his description:
We just added a second exploit which replaces the nameservers of the target domain. This is the bug people should actually care about, since it doesn't matter if anything is already cached.
Regarding the cache situation (of the first exploit) -- it's not possible to do cache overwrites, but it is possibe to look up the cache timeout, wait for it, and then replace it. With the new exploit module, we just change the DNS server for the entire domain (regardless of what is cached), so it's much more effective for wide-scale hijacking.