It looks like Dan Kaminsky's DNS vulnerability has been released as a pair of metasploit modules, which means the script kiddies are about to unleash it on the unpatched (so patch already).
From the Metasploit Blog:
So, on to our new modules. There's no reason to rehash the deep tech regarding packet formats and spoofing techniques, as most of the speculation linked above was correct, and the original leak has been mirrored just about everywhere. In short, the way this flaw works is that it combines two previously known but somewhat mitigated flaws to achieve success. The first flaw is that since DNS (over UDP) is connectionless, it can easily be spoofed. The original mitigation for this was to make use of a transaction ID to correlate requests and replies that the attacker would have to guess. This makes spoofing harder, but not an insurmountable task. The second flaw was that additional records which were included in replies from another nameserver during a recursive lookup would be inserted into the cache. This original problem was somewhat mitigated by creating the in-bailiwick constraint, which essentially limits the domain space for additional records that could be sent in the replies to hostnames from a given domain. Sounds reasonable; this prevents nameservers from doing malicious things to domains that they aren't authoritative for, while still allowing nameservers that are authoritative for a domain to update the records they need to. When you combine attacks for these two flaws, however, an attacker can essentially pretend to be the authoritative nameserver and update the nameserver record for a domain to point to a malicious nameserver address. Because the nameserver's name doesn't change, the update is in-bailiwick. You can also use this trick to inject cache entries for individual hostnames as long as those hostnames are not already cached and are also in-bailiwick.
The two Metasploit modules which implement these attacks are "DNS BailiWicked Host Attack" for injecting individual uncached host records into the target nameserver's cache, and "DNS BailiWicked Domain Attack" for replacing a target domain's nameserver records in a target nameserver's cache. Currently these must be run from the trunk development branch, as they rely on Net::DNS and raw sockets functionality which currently only exists in the development branch for MSF. The raw sockets code also currently only works when running MSF under Linux. [From BailiWicked]
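To make the bailiwick point concrete, here is a small added example (my own illustration, not code from the Metasploit post or modules) that models the in-bailiwick filter a caching resolver applies to additional records. The names and addresses are constructed; the point it shows is that the filter happily accepts glue for a nameserver inside the zone, so the transaction ID (and whatever other entropy the patch adds) is the only thing standing between a forged reply and the cache.

```python
# Added example: toy model of a resolver's in-bailiwick check on the
# additional section of a reply. Names/addresses are constructed.

def normalize(name: str) -> str:
    """Lower-case a DNS name and strip any trailing dot."""
    return name.lower().rstrip(".")

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or a proper subdomain of it.
    The leading '.' in the suffix test stops 'notexample.com' from
    matching the zone 'example.com'."""
    name, zone = normalize(name), normalize(zone)
    return name == zone or name.endswith("." + zone)

def accept_additional(zone: str, records: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Return the additional records a resolver may cache for a reply it
    attributes to `zone`: only those whose owner name lies inside it."""
    return [r for r in records if in_bailiwick(r[0], zone)]

# Constructed additional section of a reply for a name under example.com.
# (owner name, type, rdata)
ADDITIONAL = [
    ("ns1.example.com", "A", "192.0.2.66"),      # NS glue inside the zone: accepted
    ("ns.attacker.example", "A", "192.0.2.99"),  # outside the zone: dropped
    ("notexample.com", "A", "192.0.2.88"),       # suffix trick, not a subdomain: dropped
    ("www.example.com", "A", "192.0.2.77"),      # host inside the zone: accepted
]

def demo() -> list[tuple[str, str, str]]:
    """Run the filter over the constructed reply."""
    return accept_additional("example.com.", ADDITIONAL)

if __name__ == "__main__":
    for owner, rtype, rdata in demo():
        print(f"cached: {owner} {rtype} {rdata}")
```

Note that the bailiwick rule does exactly what it was designed to do here, and still passes the `ns1.example.com` glue a forged reply would carry; that is why the fix is more entropy in the request, not a tighter bailiwick check.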
For those who haven't been following the news this month, here is an executive overview, a recording of the press conference is available here, and on a more authoritative note, here is the US-CERT vulnerability note.
