2008-08-07

Updated: DNS Vulnerability Worse Than Originally Thought

A while back I posted about the DNS vulnerability that was discovered. It was a large vulnerability to begin with, but now it has been officially revealed at Black Hat this week by Dan Kaminsky. Now we know it's much worse than originally reported.

It is not only possible to poison DNS caches, but the attack can also affect a wide array of other protocols and servers. That includes FTP, mail servers, or even your spam filter. Even worse, the attack could potentially be used against software update servers, including Microsoft and Apple OS update servers. This could potentially trick users into downloading and installing malicious patches.

Dan talked a lot about the domino effect of a hacked DNS server. It's very interesting, but also unnerving. Tools have already surfaced for exploiting this flaw.

One of the examples Dan gave involved an attacker intercepting mail and copying it, corrupting it or even removing/replacing attachments with malicious software. Not a pleasant man-in-the-middle scenario.

The source article covers Dan's talk a bit and gives some disturbing statistics about the current state of patched and protected DNS servers.

If you're interested in understanding DNS and the attack and have some free time I also suggest listening to the latest "Security Now" podcast (#155). If you aren't already subscribed to the podcast on your device-of-choice, you can download the episode from here.

Update: I want to flesh this out a bit more with a better explanation. Let's use one of the most likely targets of an attack like this, www.paypal.com.

Let's say your ISP is vulnerable to this attack and an attacker poisons the DNS server(s) with a record for www.paypal.com with a fake IP address. The attacker can increase that record's TTL (Time To Live) to such a high value that the record will never expire.

Then, an unsuspecting customer of that ISP will try to visit www.paypal.com and get the fake site. Since PayPal redirects you to a secure page for login, and most people would never think to double-check that they were redirected correctly, there is no need to spoof PayPal's security certificates. The user is simply redirected, logs in ignorant of the fact that they are not on the real www.paypal.com, and supplies the attacker with login information.

Phishing filters won't pick this up because the browser is on www.paypal.com. The domino effect is obvious here. If the ISP does not patch the vulnerability, then every single one of their customers is liable to pick up this bad record and be redirected to a fake site.

The really scary thing is that the ISP has no way of detecting a poisoned cache record on its own until customers begin complaining about something being wrong with www.paypal.com, www.amazon.com... whatever.

It's interesting to note that this exploit is only available on Linux currently and is being ported to Mac OS X because it requires raw port capability. Windows does not have this capability because of just this sort of thing.

You can test your ISP's DNS servers by visiting this site (http://snipurl.com/dnstest). Thanks to Steve Gibson of Security Now for setting up that simple URL for the test.
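As an added illustration (not part of the original post), here is a small Python model of the two defensive points made above: why a resolver that relies only on the 16-bit transaction ID is spoofable and why randomizing the UDP source port (the fix Dan Kaminsky coordinated) makes a flood of forged replies impractical, and why a resolver should cap the TTL it accepts so that a bad record cannot be made to "never expire". The port-diversity check is a crude, assumed version of what the spoofability test linked above measures; the sample port lists and the `CappingCache` class are constructed for this example, and 192.0.2.0/24 is a documentation address standing in for the attacker's fake IP.

```python
"""
Added example, not from the original post: two defensive checks that follow
from the cache-poisoning scenario described above. All sample data is
constructed for illustration.
"""
from dataclasses import dataclass, field


def spoof_success_probability(forged_replies: int, entropy_bits: int) -> float:
    """Chance that at least one of `forged_replies` guesses matches the
    identifier of the resolver's pending query, when the attacker must guess
    `entropy_bits` uniformly random bits: 16 for the transaction ID alone,
    roughly 32 once the UDP source port is randomized as well."""
    per_guess = 1.0 / (1 << entropy_bits)
    return 1.0 - (1.0 - per_guess) ** forged_replies


def assess_source_ports(observed_ports: list[int]) -> dict:
    """Crude diversity check (assumed, not the linked test's real algorithm):
    given the UDP source ports a resolver used for a series of outbound
    queries, report whether they look randomized. A resolver that reuses one
    port, or walks sequentially, is still exposed to the attack."""
    distinct = len(set(observed_ports))
    sequential = all(b - a == 1 for a, b in zip(observed_ports, observed_ports[1:]))
    if distinct == 1:
        verdict = "fixed port: vulnerable"
    elif sequential:
        verdict = "sequential ports: predictable"
    elif distinct < 0.9 * len(observed_ports):
        verdict = "low diversity: suspicious"
    else:
        verdict = "ports appear randomized"
    return {"samples": len(observed_ports), "distinct": distinct, "verdict": verdict}


@dataclass
class CappingCache:
    """Minimal resolver cache that caps accepted TTLs (the idea behind a
    max-cache-ttl setting). An answer claiming an enormous TTL is still
    forgotten after `max_ttl` seconds, limiting how long a poisoned record
    can survive before a correct lookup replaces it."""
    max_ttl: int = 7 * 24 * 3600          # one week, a common administrative cap
    entries: dict = field(default_factory=dict)

    def put(self, name: str, ip: str, ttl: int, now: int) -> None:
        # Store the expiry time, never trusting a TTL above the cap.
        self.entries[name] = (ip, now + min(ttl, self.max_ttl))

    def get(self, name: str, now: int):
        hit = self.entries.get(name)
        if hit is None or now >= hit[1]:
            self.entries.pop(name, None)
            return None
        return hit[0]


if __name__ == "__main__":
    flood = 65536  # one forged reply per possible transaction ID
    print("TXID only      :", round(spoof_success_probability(flood, 16), 3))
    print("TXID + port    :", spoof_success_probability(flood, 32))

    # Constructed port samples: a patched resolver and an unpatched one.
    patched = [40213, 51877, 33002, 61490, 27715, 49321, 58804, 31166, 44902, 36619]
    unpatched = [53] * 10
    print(assess_source_ports(patched)["verdict"])
    print(assess_source_ports(unpatched)["verdict"])

    # A poisoned answer claiming a TTL of ~30 years still expires at the cap.
    cache = CappingCache(max_ttl=3600)
    cache.put("www.paypal.com", "192.0.2.10", ttl=10**9, now=0)
    print("after 30 min :", cache.get("www.paypal.com", now=1800))
    print("after 1 hour :", cache.get("www.paypal.com", now=3600))
```

The probability function is the whole story of the patch in one line: with 65,536 forged replies against a 16-bit identifier the attacker succeeds about 63% of the time, while the same flood against roughly 32 bits of identifier plus port succeeds about one time in 65,000. The TTL cap does not prevent poisoning, but it bounds how long the ISP's customers keep being sent to the fake site once the vulnerability is patched.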

Source
