trickery.net  

07-Aug-2008, 08:27   #1
Scrobbs
DNS vulnerability

Well, as a few of you will be aware, Dan Kaminsky came up with a way to royally fuck over the DNS system as we know it, as if there needed to be any new ways. He didn't release the exploit, but it gave enough impetus to bad geeks to write one.

If you go to this link, it will tell you how vulnerable your connection is to DNS cache poisoning vulnerabilities.
__________________
http://bit.ly/debatethebill

07-Aug-2008, 08:51   #2
pHk
How does DNS cache poisoning actually work?

07-Aug-2008, 09:01   #3
Scrobbs
Through exploiting a vulnerability, mainly in how trusting a ('good') DNS server is in another ('evil') DNS, the wrong IPs will be propagated across the DNS network, so when someone types in a legitimate URL, they will be sent to a malicious server rather than the correct one.

07-Aug-2008, 09:12   #4
pHk
Aren't DNS providers registered? So you'd have to break into a legitimate, registered DNS provider before you would be able to let your evil IP propagate?

07-Aug-2008, 09:17   #5
Scrobbs
You're right in a way - you can't just fire up a DNS server and expect the network to take notice of the records you are advertising. You have to break BIND to effectively make the next DNS server think that you are a legitimate DNS server. There are hierarchies of importance, so the further up the chain you break into, the more effective and wide-reaching your attack will be.

07-Aug-2008, 09:19   #6
Blunteh
This was fixed a while ago in the code running on DNS servers though, right? (It was in IOS)

07-Aug-2008, 09:22   #7
Scrobbs
Interesting you say that - after the news broke about this, there was an internet-wide patch put out from multiple vendors. One of the security sites had an entire list of all the different manufacturers etc. and only about 5 had fixed the problem.

As for DNS, I think the latest version does fix this issue, and with any luck the people who run DNS are likely a bit more switched on than most, so in theory it should get eradicated fairly sharpish.

07-Aug-2008, 10:08   #8
Bilb
My ISP comes back with "GREAT" for everything. \o/
__________________
@TomJJarvis

07-Aug-2008, 10:57   #9
Scrobbs
Oh dear.

http://blog.wired.com/27bstroke6/200...aw-much-w.html

07-Aug-2008, 11:00   #10
Scrobbs
...and here are the details.

http://beezari.livejournal.com/141796.html

07-Aug-2008, 11:12   #11
Scrobbs
In fact, to be totally sure your ISP is on the case, go to Kaminsky's website and press the button. The YouTube vid is pretty cool too.

http://www.doxpara.com/

..oh and check this from my del.icio.us... I HAD to 'shot it!



I win!

Last edited by Scrobbs; 07-Aug-2008 at 11:59.

07-Aug-2008, 12:24   #12
Pulse
Looks like VM's 2 main DNS servers aren't patched :o.

194.168.8.110 (winn-dnsbep-2.server.virginmedia.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

194.168.8.109 (winn-dnsbep-1.server.virginmedia.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

They do seem to have some patched ones though but I think they are further down the network at a more local level for some reason.
__________________
last.fm
Liquor and guns, the sign says quite plain

07-Aug-2008, 12:27   #13
Scrobbs
I guess if you're worried, you could put all your important IPs in your locally held hosts file.

07-Aug-2008, 12:36   #14
Inertiaman
Shockingly BT are rating poor for source port randomness and, despite scoring great for transaction have a nasty range of non-random points in the graph.
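
An added example, not part of any post above and not the test site's own code: one way a resolver audit could arrive at ratings like the "POOR source port randomness and GREAT transaction ID randomness" quoted in posts #12 and #14, given the source ports and transaction IDs of a resolver's outgoing queries. The thresholds, the intermediate GOOD label and the sample data are assumptions made up for this illustration.

```python
import math
import random
import statistics
from collections import Counter

# Thresholds are assumptions for this example, not the rules of any real test site.
POOR_RATIO, GREAT_RATIO = 0.10, 0.75  # fraction of the ideal uniform std-dev
MAX_TOP_DELTA = 0.20                  # tolerated share of identical consecutive steps
MIN_DISTINCT = 0.50                   # minimum share of distinct values

def rate_randomness(values, lo, hi):
    """Rate observed source ports or transaction IDs drawn from [lo, hi]."""
    if len(values) < 10:
        raise ValueError("need at least 10 observations")
    span = hi - lo + 1
    ideal_sd = span / math.sqrt(12)  # std-dev of a uniform draw over the range
    sd = statistics.pstdev(values)
    deltas = Counter((b - a) % span for a, b in zip(values, values[1:]))
    stats = {
        "sd": sd,
        "top_delta_share": deltas.most_common(1)[0][1] / (len(values) - 1),
        "distinct_share": len(set(values)) / len(values),
    }
    # A fixed port, a counter or a tiny pool is predictable however wide the spread.
    if (sd < POOR_RATIO * ideal_sd
            or stats["top_delta_share"] > MAX_TOP_DELTA
            or stats["distinct_share"] < MIN_DISTINCT):
        return "POOR", stats
    return ("GREAT" if sd >= GREAT_RATIO * ideal_sd else "GOOD"), stats

def rate_resolver(queries):
    """queries: (source_port, transaction_id) pairs seen from one resolver."""
    ports, txids = zip(*queries)
    return {"source_port": rate_randomness(ports, 1024, 65535)[0],
            "transaction_id": rate_randomness(txids, 0, 65535)[0]}

# Constructed samples, not captured traffic.
_rng = random.Random(2008)
SMALL_POOL = [(32768 + i % 4, _rng.randrange(65536)) for i in range(200)]
RANDOMISED = [(_rng.randrange(1024, 65536), _rng.randrange(65536)) for _ in range(200)]
STEPPING = [(1024 + (i * 331) % 64512, _rng.randrange(65536)) for i in range(200)]

if __name__ == "__main__":
    for name, sample in [("small pool", SMALL_POOL), ("randomised", RANDOMISED),
                         ("stepping", STEPPING)]:
        print(name, rate_resolver(sample))
```

The STEPPING sample shows why spread alone is not enough: its ports cover the whole range, yet every step is the same, so it still rates POOR.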

All times are GMT +1.