ALL UR DNS R BELONG TO US -- Critical flaw rocks the internet
fatalerror323 
10/7/08 4:44:33 PM
Guru

http://www.smh.com.au/news/security/critical-flaw-rocks-the-internet/2008/07/09/1215282882891.htm

Computer industry heavyweights are hustling to fix a flaw in the foundation of the internet that would let hackers control traffic on the World Wide Web.

Major software and hardware makers worked in secret for months to create a software "patch" released on Tuesday to repair the problem, which is in the way computers are routed to web page addresses.

"It's a very fundamental issue with how the entire addressing scheme of the internet works," Securosis analyst Rich Mogul said in a media conference call.

"You'd have the Internet, but it wouldn't be the internet you expect. (Hackers) would control everything."

The flaw would be a boon for "phishing" cons that involve leading people to imitation web pages of businesses such as bank or credit card companies to trick them into disclosing account numbers, passwords and other information.

Attackers could use the vulnerability to route internet users wherever they wanted no matter what website address is typed into a web browser.

Security researcher Dan Kaminsky of IOActive stumbled upon the Domain Name System (DNS) vulnerability about six months ago and reached out to industry giants including Microsoft, Sun and Cisco to collaborate on a solution.

DNS is used by every computer that links to the Internet and works similar to a telephone system routing calls to proper numbers, in this case the online numerical addresses of websites.

"People should be concerned but they should not be panicking," Kaminsky said. "We have bought you as much time as possible to test and apply the patch. Something of this scale has not happened before."

Kaminsky built a web page, http://www.doxpara.com, where people can find out whether their computers have the DNS vulnerability.

Kaminsky was among about 16 researchers from around the world who met in March at Microsoft's campus in Redmond, Washington, to figure out what to do about the flaw.

"I found it completely by accident," Kaminsky said. "I was looking at something that had nothing to do with security. This one issue affected not just Microsoft and Cisco, but everybody."

The cadre of software wizards charted an unprecedented course, creating a patch to release simultaneously across all computer software platforms.

"This hasn't been done before and it is a massive undertaking," Kaminsky said.

"A lot of people really stepped up and showed how collaboration can protect customers."

Automated updating should protect most personal computers. Microsoft released the fix in a software update package Tuesday.

A push is on to make sure company networks and Internet service providers make certain their computer servers are impervious to web traffic hijackings using the DNS attack.

The patch can't be "reverse engineered" by hackers interested in figuring out how to take advantage of the flaw, technical details of which are being kept secret for a month to give companies time to update computers.

"This is a pretty important day," said Jeff Moss, founder of a premier Black Hat computer security conference held annually in Las Vegas.

"We are seeing a massive multi-vendor patch for the entire addressing scheme for the internet - the kind of a flaw that would let someone trying to go to Google.com be directed to whereever an attacker wanted."




Wow, that looks pretty heavy duty!

Now has anyone else heard of this? I'm thinking all our routers' firmware will need updating if the problem is as widespread as they make it out in that article.

Time to hunt down the latest version of DD-WRT methinks.

-----
154732585158615937090784767660371633524

Antraman 
10/7/08 10:18:24 PM
Champion

yeah, but *WHAT* are they actually patching?

I call BS on this. How can you patch the internet?

What's really going on is they are looking to implement a massive policing program that controls all net activity.


Edited by Antraman: 10/7/2008 10:20:29 PM

-----
Mischievious 89.22%, Slacker 75.46%, Troublemaker 99.98%, Jokester 49.85% (The Bart Simpson Test)

elvenwhore 
10/7/08 10:43:25 PM
SuperHero
Titan


hmmmm, not the best article, I'm afraid. If this advisory recently posted to SANS is the same incident referred to in the SMH article, then it looks like basic poisoning, and that has been a known vulnerability in DNS since... forever, and bollocks to the 6 months figure while I'm here :-) A new permutation on an old trick, however, that is significant. Mebbe a new iteration of tools or sumfink, because the exploit itself ain't new. edit: in the SANS incidents link, it explains that this latest problem is the pool of ports a DNS server might use to source the query. Check the linkage, it's better 'splained there :-)

Multiple Vendors DNS Spoofing Vulnerability

The Problem

The root cause is a fundamental, well known, weakness in the DNS protocol. DNS uses UDP, a stateless protocol. A DNS server will send a request in a single UDP packet, then wait for a response to come back. In order to match request and response, a number of parameters are checked... Only if all [the parameters] match, the response is accepted. The first valid response wins. If an attacker is able to guess the query id and the source port, the attacker is able to send a fake response, which will be cached by the DNS server.

How likely is it to "guess" the query id and the source port? One would think it's not that easy. The query ID is 16 bits long, allowing for 65536 options. The source port could be anything above 1024 which again would allow for another 64512 options. It is easy to guess which DNS server is expected to reply, as it has to be a valid DNS server for the respective domain. A reasonable DNS server should respond in less than a second, allowing for about 1 second to send the spoofed response...

Ideally, one would think that it would take millions of packets per second to successfully spoof the response. However, the problem is in the details. A DNS server cannot use any port to source the query. It may not use a port commonly used by outbound connections, or a port reserved by a server. This is an issue attacked by today's patches. As of today, DNS servers used a rather small set of ports to source requests. This is the actual new finding. The patch will increase the pool of source ports available to DNS queries. To make things worse: the real DNS server may be silenced using DDoS attacks.



More details can be found at the full article: http://www.incidents.org/diary.html?storyid=4687

Still, patch your [caching DNS server] shit, yo.

edit: aah yep, DNS cache poisoning. From Secunia:

A vulnerability has been reported in ISC BIND, which can be exploited by malicious people to poison the DNS cache.

The vulnerability is caused due to the DNS servers not sufficiently randomising the DNS query port number, which can be exploited to poison the DNS cache.

The vulnerability is reported in all BIND 8 and 9 versions when running as caching resolver.


More details: http://secunia.com/advisories/30973/

edit:
Quote by fatalerror323
I'm thinking all our routers' firmware will need updating if the problem is as widespread as they make it out in that article.


I wouldn't worry about that too much, unless your routers are running DNS cache servers :-)


Edited by elvenwhore: 10/7/2008 11:36:57 PM

-----
The morning glows cobalt through a gauze of steam and fog that carries Death & Ash from a thousand trees. Crows from miles around are lurking. This won’t hurt a bit. This is the martyrdom of the chaos whore virgin. This is her final dawn.
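Putting numbers on the SANS paragraphs quoted above, as an added illustration (this is not code from SANS, from the advisory, or from anyone in this thread): the script estimates the entropy of a resolver's source ports from constructed samples and works out how many forgery races an attacker would have to win against a fixed source port versus the patched ~64512-port pool. The 10,000 forged replies per one-second race is an assumed send rate chosen only for the comparison.

```python
import math
import random
from collections import Counter

# Constructed samples of (source port, query id) as seen on outbound queries
# from two resolvers; not captured data.
UNPATCHED = [(53, 0x1A2B + i) for i in range(200)]          # fixed port, counting ids
_rng = random.Random(2008)
PATCHED = [(_rng.randrange(1024, 65536), _rng.randrange(65536)) for _ in range(200)]

def port_entropy_bits(samples):
    """Empirical Shannon entropy, in bits, of the observed source ports."""
    counts = Counter(port for port, _ in samples)
    n = len(samples)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def fixed_source_port(samples):
    """The condition the advisory warns about: every query leaves from one port."""
    return port_entropy_bits(samples) == 0.0

def search_space(ports, ids=65536):
    """Number of (port, id) pairs a forged reply must match; ids = 16-bit field."""
    return ports * ids

def hit_probability(space, forged_per_race):
    """Chance that one race (one ~1 s window before the genuine answer lands)
    is won with `forged_per_race` distinct forged replies."""
    return min(forged_per_race, space) / space

def expected_races(space, forged_per_race):
    """Mean number of independent races until the first successful poisoning.
    Each fresh random sub-name starts a new race, so no cache TTL wait applies."""
    return 1.0 / hit_probability(space, forged_per_race)

def compare(forged_per_race=10_000):
    """Side by side: one fixed source port versus the ~64512-port pool the
    patch makes available (figures taken from the SANS text quoted above)."""
    return {
        "fixed_port": expected_races(search_space(1), forged_per_race),
        "random_port": expected_races(search_space(64512), forged_per_race),
    }

if __name__ == "__main__":
    for label, races in compare().items():
        print(f"{label:12s} expected races: {races:,.0f}")
```

With the assumed rate, a fixed port falls in about seven races while the patched pool needs several hundred thousand; the port pool buys time, which is why the thread moves on to DNSSEC rather than calling the patch a fix.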

segger 
10/7/08 11:36:17 PM
Champion

What the tittyshit is this dogsbollocks reporter on about?

And why is this being reported everywhere?

The various elements of DNS cache poisoning attacks have been around pretty much forever and have always been a risk due to fixed source port addressing on some servers and a number of other factors.

Why is this being treated as though it's some massive, new issue? (has someone finally thought to exploit these flaws on a widespread basis or something?)

-----
Random spam line #7:
Give her womb a good massage with your newly augmented pole

TheSecret 
11/7/08 5:13:28 PM
Disciple
Quote by segger
What the tittyshit is this dogsbollocks reporter on about?

And why is this being reported everywhere?

The various elements of DNS cache poisoning attacks have been around pretty much forever and have always been a risk due to fixed source port addressing on some servers and a number of other factors.

Why is this being treated as though it's some massive, new issue? (has someone finally thought to exploit these flaws on a widespread basis or something?)



It is a slight variation, and is more critical, deserving enough for a story, but not the associated fud.

This attack allows for the attacker to generically attack everyone using a given ISP, a fairly valuable proposition.
Also, vulnerable implementations may generate transaction IDs in a predictable way, so the attacker can obtain the current state of the PRNG by generating a recursive DNS query to a DNS zone under the attacker's control.

Such an attack cannot be performed from a typical home broadband connection, as most ISPs will not route packets originating from IP addresses not allocated by the ISP. The attacker needs to be in control over the routing/egress filtering within his AS (e.g. an enterprise-level Internet service).


Edited by TheSecret: 11/7/2008 5:17:19 PM

-----

segger 
12/7/08 1:02:19 PM
Champion

So it's basically the newly added detail of dodgy transaction ID generation? (I don't recall whether that was already known - maybe it wasn't)

Such an attack cannot be performed from a typical home broadband connection, as most ISPs will not route packets originating from IP addresses not allocated by the ISP.


You can bet your balls there'll be crappy ISPs out there who don't correctly filter such traffic though :-/

-----

elvenwhore 
14/7/08 7:53:15 AM
SuperHero
Titan


Quote by segger
So it's basically the newly added detail of dodgy transaction ID generation? (I don't recall whether that was already known - maybe it wasn't)


Yeah, there are rumblings about it being a known issue for some time: "we've known that the ID field was too small for something like 15 years and some folks like Dan Bernstein have been recommending using random source ports for about 10 years."
Source: http://www.incidents.org/diary.html?storyid=4720


Edited by elvenwhore: 14/7/2008 8:05:23 AM

-----

TheSecret 
15/7/08 3:28:09 AM
Master
Yeah, in fact they credit Dan Bernstein in the advisory, for the work he did 15 years ago. That alone says a lot. We need to switch to DNSSEC asap, hopefully the problems it has will be worked out soon enough.

-----

white rabbit 
25/7/08 8:27:27 AM
Disciple
http://www.caughq.org/exploits/CAU-EX-2008-0002.txt

A tasty metasploit for your hunger. I might have to setup a DNS server at home and test this...

-----

segger 
25/7/08 8:30:59 PM
Champion

Interesting...

This exploit attacks a fairly ubiquitous flaw in DNS implementations which Dan Kaminsky found and disclosed ~Jul 2008. This exploit caches a single malicious host entry into the target nameserver by sending random sub-domain queries to the target DNS server coupled with spoofed replies to those queries from the authoritative nameservers for the domain which contain a malicious host entry for the hostname to be poisoned in the authority and additional records sections. Eventually, a guessed ID will match and the spoofed packet will get accepted, and due to the additional hostname entry being within bailiwick constraints of the original request the malicious host entry will get cached.



Unless I'm reading it wrong, it sounds as though this relies on being able to query a target nameserver, so one key way to mitigate this would be to ensure that caching nameservers are not accessible from the Internet. (which obviously doesn't help ISPs, but most other organisations should not be exposing a resolver to the world anyway)

-----
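The "bailiwick constraints" in the text segger quotes are the one filter a resolver already applies to the authority and additional sections of a reply. The following added example (not from the exploit, from any resolver, or from this thread; the names and records are constructed) shows what that check accepts and rejects, and why on its own it does not stop a same-zone poisoning attempt: records naming the zone's own hosts pass, which is exactly why the attack places the malicious entry there.

```python
# Bailiwick filtering as a caching resolver applies it to the authority and
# additional sections of a reply (illustration only; not any resolver's code).

def _labels(name):
    """Split a domain name into lower-case labels, ignoring a trailing dot."""
    return [label.lower() for label in name.rstrip(".").split(".") if label]

def in_bailiwick(owner, zone):
    """True if `owner` equals `zone` or lies below it. The comparison is
    label-wise, so 'notexample.com' is NOT under 'example.com'."""
    o, z = _labels(owner), _labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def filter_reply(records, zone):
    """Return (accepted, dropped): records the resolver may cache from a reply
    attributed to the nameservers of `zone`, and those it must discard."""
    accepted, dropped = [], []
    for rec in records:
        (accepted if in_bailiwick(rec["name"], zone) else dropped).append(rec)
    return accepted, dropped

# Constructed reply to a query for a random sub-name of example.com. The first
# two records are the kind a forged reply would carry: they name the zone's
# own host, so the bailiwick check lets them through. Only the unrelated
# third record is caught.
ZONE = "example.com"
REPLY = [
    {"name": "example.com", "type": "NS", "data": "www.example.com"},
    {"name": "www.example.com", "type": "A", "data": "192.0.2.10"},
    {"name": "login.bank.test", "type": "A", "data": "192.0.2.99"},
]

if __name__ == "__main__":
    accepted, dropped = filter_reply(REPLY, ZONE)
    print("cached: ", [r["name"] for r in accepted])
    print("dropped:", [r["name"] for r in dropped])
```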

TheSecret 
26/7/08 11:23:00 AM
Master
It is not really so much a new attack, as a way to enable all the existing, considered harmless attacks.

-----
Part of the inhumanity of the computer is that, once it is competently programmed and working smoothly, it is completely honest.

spielentwickler 
27/7/08 5:24:51 PM
Guru

Some of the reporting about this has been atrocious. Apparently one large newspaper from the US (I believe it was the NYT) reported that DNS is used for routing traffic around the internet.

It's 2008's millennium bug. There's an issue that needs to be resolved, but zombie botnets have a larger effect on the internet than this would. Any large scale ISP that's worth its salt will already have fixed the problem. Root name servers aren't affected by it. Most people in their daily life won't be affected by it.

Just like the millennium bug, there's a potential for things to go seriously wrong, but the media just wants something to report about.

Technologies get outdated all the time. Key-less entry systems on cars used to use a single ID code which could be detected nearby and copied. Now they use changing codes. DNS needs an upgrade, and it's happening. It's really not news anymore.

-----
http://www.last.fm/user/spielentwickler/
<= knight of the 6fAOEC =>

TheSecret 
27/7/08 11:49:00 PM
Master
The problem itself should not be news, but the amount of ISPs who have not patched, and the fact that DNS is not getting the upgrade it needs, is still worth discussing.

-----

spielentwickler 
28/7/08 1:41:00 AM
Guru

TheSecret, DNS IS getting the upgrades it needs. Upgrading a service that is so central to how the current Internet works isn't something that will happen within a few months, or even years. Look at IP, IPv6 has been in development for years and most people still run IPv4 networks.

In the short term, it's critical to patch an obvious exploit. After that, you start communicating on what current problems exist, find out how things can be improved, then you go on to start designing a new system.

There are already extensions to the DNS that are available for higher security that use other technologies to help secure it. You won't be seeing a new DNS widespread for at least 5 years though.

-----

TheSecret 
28/7/08 3:20:56 AM
Master
It is not, at present, getting the upgrades. Although it is possible I don't know what you are referring to. I was thinking of DNSSEC, which is still quite a mess, and nowhere near ready to be implemented on a large scale. I won't consider that DNS is being improved until the research is actually being implemented, outside of small, specific setups. In fact, apart from NIST, I am not aware of it being deployed or even considered being deployed, which is hardly surprising seeing the mess it is.

-----

spielentwickler 
28/7/08 3:53:37 AM
Guru

What "research" is there actually to implement at the moment? There are no production systems (apart, perhaps, from DNSSEC) that anyone has implemented. There isn't anything at this point in time that is a reasonable replacement for DNS.

There is a lot of research going into it though; these technologies are always being developed. This whole situation might give DNS development the kick it needs to start maturing outside of academia, but it is happening.

-----

TheSecret 
28/7/08 5:35:00 AM
Master
Which is why I said DNS is not getting the upgrades it has needed for a long long time. DNSSEC is a pile of crap, and is a long way from being practical. But it is seemingly the only practical thing, so hopefully they will actually work it out in time.

A simpler fix would be to use EDNS0 to add a nonce RR (goes out in the Query, comes back in the Additional section). And while EDNS0 is subject to rollback attacks, DNSSEC depends on EDNS0, so there is not really an excuse not to use it eventually anyway.

-----
