dns

From akeg on Flickr - http://flickr.com/photos/akeg/

From VNUNET via Packetstorm:

H D Moore, who crafted the original DNS exploit module, said in a blog posting that an attacker managed to run the cache-poisoning attack on a server belonging to AT&T’s internet service in Austin, Texas.

As a result of the attack, servers at BreakingPoint Systems, the network security firm which employs Moore as director of security research, redirected employee machines from Google.com to a third-party site loaded with advertisements.

Apparently it caused no real damage for them, but there must be loads of other users on AT&T’s DNS servers.

I’m all for full disclosure but this is really affecting a lot of people. We are seeing a big increase in infected computers and the DNS flaw might be what’s behind this (but I have no concrete proof of it).

Anyhow, admins at larger ISPs had better get patching now if they haven’t started already.

Cheers,

Interwebz/tubes/etc.. ;)
From CNET:

On July 8, IOActive researcher Dan Kaminsky disclosed a flaw in the DNS but would not provide the details until all the affected vendors had released patches and all the systems worldwide could be patched. He figured that it would take about 30 days for that to happen.

The 30-day mark just happened to coincide with his speaking engagement at Black Hat in Las Vegas on August 6.

But on Monday, fellow Black Hat presenter Halvar Flake attacked Kaminsky’s plea that a security flaw such as this be kept a secret. Flake then proceeded to lay out what he thought the flaw was. Turns out, he was right and laid the foundation for others to create and publicize an exploit.

Besides the one linked in that article, another exploit has also been added to the Packetstorm exploit archive. Both are Metasploit modules, and HD Moore (founder of the Metasploit project) is listed as one of the exploits’ authors.

Cheers and happy patching!

but “L O L” at Microsoft’s latest security debacle ;)

I think their own advisory from 1999 (!!!) explains the issue pretty well:

The IE 5 Web Proxy Auto-Discovery (WPAD) feature enables web clients to automatically detect proxy settings without user intervention. The algorithm used by WPAD prepends the hostname “wpad” to the fully-qualified domain name and progressively removes subdomains until it either finds a WPAD server answering the domain name or reaches the third-level domain. For instance, web clients in the domain a.b.microsoft.com would query wpad.a.b.microsoft.com, wpad.b.microsoft.com, then wpad.microsoft.com. A vulnerability arises because in international usage, the third-level domain may not be trusted. A malicious user could set up a WPAD server and serve proxy configuration commands of his or her choice.

Well,

too bad they only protected their customers from this if their domains ended in .com, and this issue has persisted through eight more years of code (how much new code did they say there was in Vista?). This little function seems to have remained unchanged for almost a decade anyhow…

Now let’s hope that Microsoft are faster than the bad guys… And in the meantime:

  • If you have a webfilter, block all addresses containing “wpad.” in them.
  • On most Windows operating systems, stopping the service “WinHTTP Web Proxy Auto-Discovery Service” would also do it, but some people have been having problems with this.
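As an added example (not code from the original post or from Microsoft’s advisory), the script below reproduces the WPAD name search described in the 1999 advisory for a client in a given domain, flags the candidates that fall outside the organisation’s own namespace, and implements the webfilter rule above. The ORG_SUFFIXES set and the example.com / example.co.uk domains are assumptions for the demo; the threshold of stopping at two remaining labels is taken from the advisory’s a.b.microsoft.com example.

```python
# Added example, not from the original post or from Microsoft's advisory.
# It reproduces the WPAD name "devolution" described in MS99-054 for a
# client in a given DNS domain, flags the candidates that fall outside the
# organisation's own namespace, and implements the webfilter rule from the
# post (block anything with "wpad." in it).
from urllib.parse import urlparse

# Assumption: the organisation owns exactly these registrable domains.
# Anything above them (co.uk, com) belongs to someone else, so a "wpad"
# host answering there is untrusted.
ORG_SUFFIXES = {"example.com", "example.co.uk"}


def wpad_candidates(domain: str, stop_at_labels: int = 2) -> list[str]:
    """WPAD host names a client in `domain` tries, in the advisory's order.

    "wpad" is prepended to the client's domain, then one leading label is
    stripped per step until only `stop_at_labels` labels remain.  The
    default of 2 reproduces the advisory's example: a.b.microsoft.com ->
    wpad.a.b.microsoft.com, wpad.b.microsoft.com, wpad.microsoft.com.
    """
    labels = domain.rstrip(".").lower().split(".")
    names = []
    while len(labels) >= stop_at_labels:
        names.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return names


def untrusted_candidates(domain: str) -> list[str]:
    """Candidates whose zone is not under any ORG_SUFFIXES entry.

    Under a two-level TLD such as co.uk the "third-level" stop lands on
    wpad.co.uk, which the organisation does not control; under .com the
    search stops at wpad.example.com and nothing leaks.
    """
    bad = []
    for name in wpad_candidates(domain):
        zone = name[len("wpad."):]
        if not any(zone == s or zone.endswith("." + s) for s in ORG_SUFFIXES):
            bad.append(name)
    return bad


def should_block(url: str) -> bool:
    """Webfilter rule from the post: block any host containing "wpad."."""
    host = urlparse(url).hostname or url
    return "wpad." in host.lower()


if __name__ == "__main__":
    for d in ("a.b.example.com", "a.b.example.co.uk"):
        print(d, "->", wpad_candidates(d), "untrusted:", untrusted_candidates(d))
    print(should_block("http://wpad.co.uk/wpad.dat"),
          should_block("http://www.example.com/"))
```

Running it shows the asymmetry the post complains about: a.b.example.com never queries past wpad.example.com, while a.b.example.co.uk ends up asking for wpad.co.uk, a name anyone who can register under co.uk could answer.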

In other words, keep an eye on your network for the next couple of weeks until MS produces a patch.

Cheers and browse safe!

Someone pointed out to me that the meaning of the term “fast-flux” is not widely known (when talking about the Storm worm). Did a quick dig on Wikipedia and found an OK explanation,

http://en.wikipedia.org/wiki/Fast_flux :

“The simplest type of fast flux, referred to as “single-flux”, is characterized by multiple individual nodes within the network registering and de-registering their addresses as part of the DNS A (address) record list for a single DNS name. This combines round robin DNS with very short TTL (time to live) values to create a constantly changing list of destination addresses for that single DNS name. The list can be hundreds or thousands of entries long.
A more sophisticated type of fast flux, referred to as “double-flux”, is characterized by multiple nodes within the network registering and de-registering their addresses as part of the DNS SOA (start of authority) record list for the DNS zone. This provides an additional layer of redundancy and survivability within the malware network.”
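To make the single-flux traits in the quote concrete, here is an added example (not from the original post or from Wikipedia): a heuristic detector run over a sequence of resolver answers for one name. It scores the traits the quote names (many A records, very short TTL, a constantly changing list) plus spread across networks. The sample answers use RFC 5737 documentation addresses and are constructed; the thresholds (300 s TTL, 5 addresses, 3 networks, 50% churn, three of four traits) are assumptions, not figures from the page.

```python
# Added example, not from the original post or from Wikipedia: a heuristic
# single-flux detector run over constructed resolver answers for one name.
# Thresholds are assumptions chosen for the demo.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    """One resolver response for a name: TTL and the A records returned."""
    ttl: int
    addrs: tuple[str, ...]


def distinct_networks(addrs, prefix: int = 16) -> set:
    """Networks (default /16) covered by the addresses."""
    return {ipaddress.ip_network(f"{a}/{prefix}", strict=False) for a in addrs}


def analyze(answers: list[Answer], max_ttl: int = 300, min_addrs: int = 5,
            min_nets: int = 3, min_churn: float = 0.5) -> dict:
    """Score a sequence of answers for the same name, oldest first."""
    if not answers:
        raise ValueError("need at least one answer")
    seen = set()
    for a in answers:
        seen.update(a.addrs)
    first = set(answers[0].addrs)
    # churn: share of all addresses that only appeared after the first answer
    later_only = {ip for a in answers[1:] for ip in a.addrs if ip not in first}
    churn = len(later_only) / len(seen) if seen else 0.0
    nets = distinct_networks(seen)
    min_ttl = min(a.ttl for a in answers)
    indicators = {
        "short_ttl": min_ttl <= max_ttl,
        "many_addresses": len(seen) >= min_addrs,
        "spread_networks": len(nets) >= min_nets,
        "churn": churn >= min_churn,
    }
    return {
        "min_ttl": min_ttl,
        "distinct_addresses": len(seen),
        "distinct_networks": len(nets),
        "churn": round(churn, 3),
        "indicators": indicators,
        # a short TTL alone is normal for CDNs; require three of four traits
        "suspicious": sum(indicators.values()) >= 3,
    }


# Constructed sample data (RFC 5737 documentation ranges), not real captures:
# three successive answers for a fluxing name, rotating through 12 addresses
# in three different /16s with a TTL of a few minutes.
FLUX_ANSWERS = [
    Answer(180, ("203.0.113.10", "198.51.100.23", "192.0.2.77",
                 "203.0.113.200", "198.51.100.9")),
    Answer(180, ("192.0.2.3", "203.0.113.10", "198.51.100.150",
                 "192.0.2.88", "203.0.113.45")),
    Answer(120, ("198.51.100.77", "192.0.2.3", "203.0.113.99",
                 "198.51.100.23", "192.0.2.120")),
]
# Short TTL but a stable handful of addresses in one network: CDN-like, benign.
BENIGN_ANSWERS = [
    Answer(60, ("192.0.2.10", "192.0.2.11", "192.0.2.12")),
    Answer(60, ("192.0.2.11", "192.0.2.12", "192.0.2.10")),
]

if __name__ == "__main__":
    for label, ans in (("flux", FLUX_ANSWERS), ("benign", BENIGN_ANSWERS)):
        print(label, analyze(ans))
```

The benign set trips only the TTL indicator, which is why the verdict needs several traits at once: round-robin CDNs also use short TTLs and many addresses, so in practice the network-spread and churn signals carry the weight. For the double-flux case in the quote, the same analyze() can be run over the addresses returned for the zone’s name servers instead of the A records of the host name.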

Cheers,