Major DNS Flaw Finally Publicized - Exploits in the wild...


Da-Chief
07-24-2008, 23:06
Source: http://www.dslreports.com/shownews/Major-DNS-Flaw-Finally-Publicized-96385
Security researcher Dan Kaminsky recently discovered a serious design flaw in DNS. That flaw, according to US-CERT (http://www.kb.cert.org/vuls/id/800113), involves a new implementation of DNS poisoning, a trick that allows a hacker to redirect unwitting surfers to alternate addresses (that's not good news for the technically daft and easily swindled). Kaminsky's discovery was significant enough to get thirty-some vendors to release a simultaneous general patch earlier this month, though Kaminsky had stayed vague enough about the nature of the flaw to prevent exploits from being developed.

He had also asked security analysts not to publicly speculate on the nature of the flaw. That's a steep request in a sector packed with highly intelligent, curious, and frequently egocentric researchers. On Monday of this week, one security expert managed to accurately guess (http://addxorrol.blogspot.com/2008/07/on-dans-request-for-no-speculation.html) the precise DNS flaw mechanics. This quickly resulted in the development of two (http://www.caughq.org/exploits/CAU-EX-2008-0002.txt) working (http://www.caughq.org/exploits/CAU-EX-2008-0003.txt) exploits. The Register offers one of several layman's breakdowns (http://www.theregister.co.uk/2008/07/24/dns_exploit_goes_wild/):

1. Bad Guy probes the target DNS to see if it's vulnerable (a couple of free services can do this)
2. Bad Guy picks a domain they want to hijack for users of that DNS server
3. Bad Guy runs the bailiwicked_domain module and takes control of that domain in the cache of that server

Anyone who then uses that vulnerable DNS server is going to see the wrong DNS server record for the poisoned domain. According to several researchers, a significant number of large ISPs (http://www.hackerfactor.com/blog/index.php?/archives/204-Poor-DNS.html) (including AT&T, Comcast and Verizon) and an even greater number of large organizations have yet to fully patch their systems. Kaminsky's website offers a tool (http://www.doxpara.com/?p=1176) that allows users to test whether their ISP and network is vulnerable (another test is here (http://entropy.dns-oarc.net/test/)).

Update: Comcast insists to me they received the patch and had their systems patched last week.
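As an added illustration, not part of the original post or of the dslreports article, here is a small Python simulation of why the three steps above work against an unpatched resolver and why the vendor patch (randomizing the resolver's UDP source port) defeats them. It models the mechanics from the public analyses of the Kaminsky bug: the attacker asks the resolver for names under the victim zone that are not cached yet, floods it with forged replies carrying a guessed 16-bit transaction id, and each forged reply includes an NS record for the whole zone, which the resolver caches because its owner name is inside the bailiwick of the question. It also models step 1, the probe the public testers perform, as a check of whether the source port ever changes. The zone, name-server names, port numbers and packet counts are constructed values, the bailiwick rule is simplified to a suffix match, and nothing is sent on the network.

```python
"""Simulation of the Kaminsky-style DNS cache poisoning race (constructed
example; nothing is sent on the network).

Each round the attacker asks the resolver for a name under the victim zone
that is not in the cache yet, so the resolver must send a fresh query, then
floods the resolver with forged replies. A forged reply is accepted only if
its transaction id and destination port match the outstanding query. Once one
is accepted, the NS record it carries for the whole zone is cached because the
owner name is inside the bailiwick of the question.
"""
import random

TARGET_ZONE = "example.com."          # victim domain (constructed)
LEGIT_NS = "ns1.example.com."         # what the cache holds before the attack
ATTACKER_NS = "ns.attacker.test."     # hypothetical name server the attacker controls
TXID_BITS = 16                        # a DNS transaction id is 16 bits
FIXED_SOURCE_PORT = 32768             # an unpatched resolver reuses one source port
SPOOFS_PER_QUERY = 100                # forged replies fired per query (constructed)
MAX_QUERIES = 10_000                  # the attacker gives up after this many rounds


def in_bailiwick(owner, zone):
    """Simplified bailiwick rule: owner is the zone apex or a name below it.
    All names are fully qualified with a trailing dot."""
    return owner == zone or owner.endswith("." + zone)


class Resolver:
    """A caching resolver reduced to the checks that matter for the race."""

    def __init__(self, randomize_ports, rng):
        self.randomize_ports = randomize_ports
        self.rng = rng
        self.cache = {(TARGET_ZONE, "NS"): LEGIT_NS}   # (owner, rrtype) -> rdata

    def send_query(self, qname, zone):
        """Pick the transaction id and UDP source port for an outgoing query."""
        txid = self.rng.getrandbits(TXID_BITS)
        port = self.rng.randint(1024, 65535) if self.randomize_ports else FIXED_SOURCE_PORT
        return {"qname": qname, "zone": zone, "txid": txid, "port": port}

    def receive(self, query, reply):
        """Accept the reply if it matches the outstanding query, then cache only
        the records whose owner name lies inside the bailiwick of that query."""
        if (reply["qname"], reply["txid"], reply["port"]) != (
            query["qname"], query["txid"], query["port"]
        ):
            return False
        for owner, rrtype, rdata in reply["records"]:
            if in_bailiwick(owner, query["zone"]):
                self.cache[(owner, rrtype)] = rdata
        return True


def looks_vulnerable(randomize_ports, seed=2, samples=5):
    """Step 1 of the write-up: send a few queries and see whether the source
    port ever changes, which is what the public port-randomization testers check."""
    resolver = Resolver(randomize_ports, random.Random(seed))
    ports = {resolver.send_query(f"probe{i}.{TARGET_ZONE}", TARGET_ZONE)["port"]
             for i in range(samples)}
    return len(ports) == 1


def forged_reply(query, rng, guess_port):
    """One spoofed reply: guessed txid, and a guessed port if the attacker cannot know it."""
    port = rng.randint(1024, 65535) if guess_port else FIXED_SOURCE_PORT
    return {
        "qname": query["qname"],
        "txid": rng.getrandbits(TXID_BITS),
        "port": port,
        "records": [
            (query["qname"], "A", "192.0.2.1"),         # throwaway answer
            (TARGET_ZONE, "NS", ATTACKER_NS),           # in bailiwick: hijacks the zone
            ("www.unrelated.test.", "A", "192.0.2.2"),  # out of bailiwick: must be dropped
        ],
    }


def run_attack(randomize_ports, seed=1):
    """Return the number of queries it took to poison the zone's NS record,
    or None if the attacker gave up after MAX_QUERIES rounds."""
    rng = random.Random(seed)
    resolver = Resolver(randomize_ports, rng)
    for n in range(1, MAX_QUERIES + 1):
        # A name nobody has asked for yet forces a new query each round (step 2/3).
        query = resolver.send_query(f"rand{n}.{TARGET_ZONE}", TARGET_ZONE)
        for _ in range(SPOOFS_PER_QUERY):
            if resolver.receive(query, forged_reply(query, rng, randomize_ports)):
                break   # the genuine reply now arrives too late to matter
        if resolver.cache[(TARGET_ZONE, "NS")] == ATTACKER_NS:
            # The out-of-bailiwick record rode along but was never cached.
            assert ("www.unrelated.test.", "A") not in resolver.cache
            return n
    return None


if __name__ == "__main__":
    print("fixed source port, probe says vulnerable:", looks_vulnerable(False))
    print("fixed source port, poisoned after:", run_attack(False), "queries")
    print("randomized source port, poisoned after:", run_attack(True), "queries")
```

With a fixed source port the attacker only has to guess the 16-bit transaction id, so a flood of a hundred forgeries per query wins the race within a few hundred to a few thousand queries; with the port randomized the guess space grows by roughly 2^16 and the same budget never succeeds. The bailiwick check is what turns one won race into control of the whole domain: the NS record for `example.com.` is accepted because it sits under the name that was asked about, while the unrelated record in the same reply is discarded.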