North American Network Operators Group
Historical Question: 2nd Exploit for DNS Cache Poisoning - RELEASED
Tuc at T-B-O-H.NET wrote:
> The new one is called "baliwicked_domain" and it's described as :

All this sounds good and dandy, but I'm not sure the guessing is the problem. Why is a resolver replacing an existing cached entry with a new entry? If the entry changes, at most, the resolver should be removing it from cache. In this regard, the exploit would not only have to hit it once, but twice, and they'd have to manage the exploit *BEFORE* the official server returned its own authority records for caching. While I agree the source port is a good thing (and reduces poisoning issues even when an authoritative server isn't responding), I question if it can actually succeed at beating the authoritative domain's NS reliably, and if it is overwriting a cache, if the more exploitable issue is the cache overwrite versus staling the entry from cache early and letting the next query request from the authoritative server.

I'm just curious. It doesn't make much sense.

Jack Bates
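The cache behaviour the post is asking about can be seen in a small model. The following is an added example, not code from the thread, from any resolver, or from the exploit mentioned: it simulates a recursive resolver's cache under three replacement policies (always overwrite; evict a conflicting entry so the next query goes back to the authoritative server, which is what the post suggests; and the credibility ranking of RFC 2181 section 5.4.1, simplified to three levels, where the authority section of an authoritative answer outranks NS/glue learned from a referral). It then runs the race the post describes: a spoofed reply for a random in-bailiwick name carrying new NS and glue for the zone, sent against the real answer, with a 16-bit transaction id as the only thing the attacker has to guess. All names, transaction ids and addresses (192.0.2.53, 203.0.113.66) are made up for the simulation.

```python
# Toy model of a recursive resolver cache, added to illustrate the thread above.
# Not code from the thread, from BIND, or from any exploit. Names, transaction
# ids and addresses (192.0.2.53, 203.0.113.66) are made up for the simulation.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Credibility ranks, simplified from RFC 2181 section 5.4.1 (higher = more trusted).
RANK_REFERRAL = 1        # NS/glue from a referral, and anything in an additional section
RANK_AUTH_AUTHORITY = 2  # authority section of an authoritative (AA) answer
RANK_AUTH_ANSWER = 3     # answer section of an authoritative answer

OVERWRITE = "overwrite"  # a later response always replaces what is cached
EVICT = "evict"          # conflicting data removes the entry instead of replacing it
RANKED = "ranked"        # replace only with strictly more credible data (RFC 2181)

@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str

@dataclass
class Reply:
    qname: str
    txid: int
    aa: bool
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)

def in_bailiwick(name: str, zone: str) -> bool:
    """Bailiwick check: accept only names at or below the zone that was asked."""
    return name == zone or name.endswith("." + zone)

class Cache:
    def __init__(self, policy: str):
        self.policy = policy
        self.rrs: Dict[Tuple[str, str], Tuple[str, int]] = {}  # (name, type) -> (rdata, rank)

    def store(self, rr: RR, rank: int) -> None:
        key = (rr.name, rr.rtype)
        old = self.rrs.get(key)
        if old is None or self.policy == OVERWRITE:
            self.rrs[key] = (rr.rdata, rank)
        elif self.policy == EVICT and old[0] != rr.rdata:
            del self.rrs[key]                    # stale it; the next query re-asks the authority
        elif self.policy == RANKED and rank > old[1]:
            self.rrs[key] = (rr.rdata, rank)     # higher credibility replaces lower
        # otherwise the existing entry is kept until its TTL runs out

    def lookup(self, name: Optional[str], rtype: str) -> Optional[str]:
        hit = self.rrs.get((name, rtype)) if name else None
        return hit[0] if hit else None

class Resolver:
    def __init__(self, policy: str):
        self.cache = Cache(policy)
        self.outstanding: Dict[str, int] = {}   # qname -> txid of the open query

    def receive(self, reply: Reply, zone: str) -> bool:
        """First reply whose txid matches an open query is accepted; all others are dropped."""
        if self.outstanding.get(reply.qname) != reply.txid:
            return False
        del self.outstanding[reply.qname]
        for rr in reply.answer:
            if rr.name == reply.qname and in_bailiwick(rr.name, zone):
                self.cache.store(rr, RANK_AUTH_ANSWER if reply.aa else RANK_REFERRAL)
        for rr in reply.authority:
            if in_bailiwick(rr.name, zone):
                self.cache.store(rr, RANK_AUTH_AUTHORITY if reply.aa else RANK_REFERRAL)
        for rr in reply.additional:
            if in_bailiwick(rr.name, zone):
                self.cache.store(rr, RANK_REFERRAL)
        return True

def poisoning_race(policy: str, genuine_first: bool = False) -> Tuple[Optional[str], Optional[str], int]:
    """Returns (NS cached for the zone, that NS's A record, spoofed replies sent)."""
    zone, victim, real_txid = "example.com", "a1b2c3.example.com", 0x1234
    r = Resolver(policy)
    # Glue learned earlier from the parent's referral: lowest credibility.
    r.cache.store(RR(zone, "NS", "ns.example.com"), RANK_REFERRAL)
    r.cache.store(RR("ns.example.com", "A", "192.0.2.53"), RANK_REFERRAL)
    r.outstanding[victim] = real_txid    # random uncached name, so the resolver must ask
    genuine = Reply(victim, real_txid, aa=True,
                    authority=[RR(zone, "SOA", "ns.example.com. hostmaster.example.com.")])
    if genuine_first:
        r.receive(genuine, zone)
    attempts = 0
    for guess in range(0x1200, 0x1300):   # attacker sprays txid guesses, all in-bailiwick
        attempts += 1
        spoof = Reply(victim, guess, aa=True,
                      answer=[RR(victim, "A", "203.0.113.66")],
                      authority=[RR(zone, "NS", "ns2.example.com")],
                      additional=[RR("ns2.example.com", "A", "203.0.113.66")])
        if r.receive(spoof, zone):
            break
    if not genuine_first:
        r.receive(genuine, zone)          # arrives late: the query is closed, so it is ignored
    ns = r.cache.lookup(zone, "NS")
    return ns, r.cache.lookup(ns, "A"), attempts

if __name__ == "__main__":
    for policy in (OVERWRITE, EVICT, RANKED):
        print(policy, poisoning_race(policy))
    print("genuine reply first:", poisoning_race(RANKED, genuine_first=True))
```

Two things the run makes visible. First, a strict "never overwrite" rule is not what a ranking resolver does: under RFC 2181 ranking the NS set learned from a referral has the lowest credibility, so an authoritative-looking authority section for the zone is allowed to replace it, and glue for a nameserver name that was not cached before is simply added; the ranked cache ends up pointing the zone at the attacker's address just as the naive overwriting one does, while the evicting cache ends up with no NS entry and has to ask the authority again. Second, in every policy the spoofed reply only counts if it lands before the genuine one; once the real answer closes the query, all remaining guesses are dropped.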