North American Network Operators Group


2nd Exploit for DNS Cache Poisoning - RELEASED

  • From: Tuc at T-B-O-H.NET
  • Date: Thu Jul 24 13:55:02 2008

Hi,

	Not sure if anyone has seen yet, but there is a 2nd
exploit being circulated. I just picked it up on Metasploit's
SVN trunk....

	The first was called "baliwicked_host", and the
description was:

This exploit attacks a fairly ubiquitous flaw in DNS implementations which 
Dan Kaminsky found and disclosed ~Jul 2008.  This exploit caches a single
malicious host entry into the target nameserver by sending random hostname
queries to the target DNS server coupled with spoofed replies to those
queries from the authoritative nameservers for that domain. Eventually, a 
guessed ID will match, the spoofed packet will get accepted, and due to the 
additional hostname entry being within bailiwick constraints of the original
request the malicious host entry will get cached.

	The new one is called "baliwicked_domain" and it's described
as:

This exploit attacks a fairly ubiquitous flaw in DNS implementations which
Dan Kaminsky found and disclosed ~Jul 2008.  This exploit replaces the target
domain's nameserver entries in a vulnerable DNS cache server. This attack works
by sending random hostname queries to the target DNS server coupled with spoofed
replies to those queries from the authoritative nameservers for that domain.
Eventually, a guessed ID will match, the spoofed packet will get accepted, and
the nameserver entries for the target domain will be replaced by the server
specified in the NEWDNS option of this exploit.



				Tuc/TBOH
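Both module descriptions above come down to guessing the 16-bit transaction ID of a resolver's outbound query, which is why the fix that followed the disclosure was to add source-port entropy. The check below is an added example, not code from the post or from Metasploit: it reads a constructed, simplified list of outbound queries a resolver sent (source port, transaction ID, name) and flags the two properties that make the guessing cheap, a fixed source port and a counting ID.

```python
from collections import Counter

# Constructed sample lines (not a real capture format): "src_port txid qname",
# as seen leaving a resolver while it chases random labels under one zone.
FIXED_PORT_SAMPLE = """\
53 1a2f q1.example.com
53 1a30 q2.example.com
53 1a31 q3.example.com
53 1a32 q4.example.com
53 1a33 q5.example.com
53 1a34 q6.example.com
"""

RANDOM_PORT_SAMPLE = """\
41523 7f1a q1.example.com
58217 0c90 q2.example.com
33104 e3b7 q3.example.com
61990 4a01 q4.example.com
47712 9d5e q5.example.com
52388 2b44 q6.example.com
"""


def parse_queries(text):
    """Return (src_port, txid) tuples from the simplified capture lines."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        pairs.append((int(parts[0]), int(parts[1], 16)))
    return pairs


def sequential_fraction(values):
    """Fraction of consecutive samples that step by exactly +1 (a counter, not a PRNG)."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1)


def assess_resolver(text):
    """Heuristic summary of how much a spoofer must guess to match one query.

    A short sample cannot prove randomness, but it does expose a single source
    port or a counting ID, which collapse the (port, txid) space back to the
    16-bit ID that the attack described above brute-forces."""
    pairs = parse_queries(text)
    ports = Counter(p for p, _ in pairs)
    txids = [t for _, t in pairs]
    return {
        "queries": len(pairs),
        "distinct_ports": len(ports),
        "distinct_txids": len(set(txids)),
        "fixed_source_port": len(ports) == 1,
        "sequential_txid": sequential_fraction(txids) > 0.5,
    }
```

Run it against a real sample by capturing the resolver's outbound UDP/53 queries and converting them to the three-column form; a resolver that shows a fixed port or a counting ID should be patched before anything else on this thread is relevant to it.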