July 8th, 2008
Don't doubt Deputy Dan
Well, it would seem that Tom Ptacek may have figured out something to do with Dan Kaminsky's earlier DNS flaw, and this may actually be the vulnerability to fear that we had originally heard about. Let's just say this: I've read Tom's postings on the Matasano blog for quite some time now, and he's a smart enough guy to not be easily impressed.
The last time I saw a post where he looked truly this impressed was when Mark Dowd actually pulled off that ridiculous null pointer exploit.
From the Matasano blog:
Dan Kaminsky could have made hundreds of thousands of dollars with this DNS flaw!
Thomas Ptacek | July 08th, 2008 | Category: Uncategorized
Java JSESSIONID: BB16479A0338D3DCF26D11712F138BC1
.NET ASPSESSIONID: HHODHGFDJOJAKDIPPJCKHGOE
SiteMinder SMESSIONID:
su/hxP2nLeaZBdEn8qClOdeCGwG2xfLaBfXQF2QpSCSxKYBLVTF7OfqtVcHxLITpuNa6+1W c2ZJ9MKWInlFlEe5GqZAjobgyzInCwe3JiTebqyJaftWtVht/La0qlvjLF9oaI5y1aIdtUGiTmQI OW28AL0gLJe4pdA0sw2fq4cBG8ZWPMblwX4nGCGXGU8JQ1PtOhm8ohtSQcXZ7lm35t29 P5tcbfDrQs3z4g43zrLRO5M68m91xP7xcHY0uLuSYUSMFIrUbaEVSVVewFY4tskjPYecoWT uLV0deSJilKpfSTVyekbzGXO2ejhIPxsE5cvPVNPt5AoJ6KIdvWMezUHz+KQt3uVuJEHpZkU QhEfLrWAdJ2TwE++na2G3GI8BqlSOB+KRl3rz19/9nqpE87c/IWsscSfOQLemzwd/Z3DZfn ioKB/tFsZWLndqdNq5XmDuRvRN2+EVMT8QFYEq1c+mNhsOIeFCjo8JOOXPG3F+r6h0kXN M4zjRtgN/qSYRAycXluqKozAIMgr5qemW1UItwCyqJu1cDMLuKgkSq9XXA3Cru6PVPF74D1 t8l2IvV2HWmxL2PP4RdIXa5Ofb1sCLc6AUZ9opLGhwYHt7S3PnxXzKoYsMJwoFm7nGqjKp J7S9e0iRTMUqY7fOgSQALLw+hsac7hhNCUtB3/xEhvfJ7Y4b1Xj26jWJAujEnHgF+DUJQHvX hkLl7Rr2dbCPJu/8hDMOKdfz4QJXAQSbCJyA4MrJLXn4UZLpgwMeIVMddvloO4dZatrxQT9m ZQtqvow5jKcpUKhtxqqf7M4MFDMOEvQdIT3U8WRsbjk1lT4UajljxyTa9TSF9sCid1BH/O3Hq YyJtfpDcr7QxqHXr9AZYtHbO93DX/I82bQ3mcCco
DNS XID: 04d8
Getting To File This Week’s Front Page Security Story Before Changing Out Of Your Pajamas: Priceless.
There are some vulnerabilities money can’t buy. For everything else: there’s the DNS.
Yeah, it would seem that Tom is impressed. One can guess at the issue here: it's obviously not just about randomization of source ports, but also about the weak entropy in the DNS transaction ID (DNS XID), a 16-bit field. When Tom was impressed with Dowd's paper on null pointer exploitation, I spent a week reading and then re-reading the paper tons of times to make sure I wasn't getting duped. Maybe Dan will produce some serious fireworks for Black Hat this year, like he did for ToorCon Seattle. One thing seems to be clear: don't doubt Deputy Dan (for those who didn't know, Deputy Dan is the inside nickname given to Kaminsky by Microsoft employees, who say he is pretty immovable once convinced of a security issue). Apply that patch ASAP.
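To put numbers on the "weak entropy" point, here is an added example (my own illustration, not code from the original post or from Matasano). It unpacks the XID from a constructed 12-byte DNS header and then computes, analytically and by simulation, how likely a burst of forged replies is to match the resolver's outstanding XID, with and without source-port randomization. The header bytes, the trial counts, and the assumption that forged replies arrive before the legitimate answer are constructed for illustration.

```python
"""Why 16 bits of DNS transaction ID (XID) is weak entropy, and why
randomizing the resolver's source port matters.  Added example, not part of
the original post; the packet bytes and parameters below are constructed."""
import random
import struct

# Constructed 12-byte DNS header: XID 0x04d8 (the value quoted above),
# flags 0x8180 (response, recursion available), 1 question, 1 answer.
SAMPLE_DNS_HEADER = struct.pack("!HHHHHH", 0x04D8, 0x8180, 1, 1, 0, 0)


def parse_dns_header(packet: bytes) -> dict:
    """Unpack the fixed DNS header (RFC 1035, section 4.1.1).

    The transaction ID is the first two bytes: 16 bits, so a resolver that
    matches replies on XID alone has at most 65536 values to hide behind."""
    if len(packet) < 12:
        raise ValueError("DNS header is 12 bytes")
    xid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": xid,
        "is_response": bool(flags & 0x8000),
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
    }


def guess_space(xid_bits: int = 16, port_bits: int = 0) -> int:
    """Number of (XID, source port) combinations a forged reply must hit."""
    return 1 << (xid_bits + port_bits)


def spoof_success_probability(n_forged: int, xid_bits: int = 16,
                              port_bits: int = 0) -> float:
    """Probability that at least one of n_forged independent random guesses
    matches the resolver's outstanding (XID, port) pair, assuming the forged
    replies arrive before the real answer.  With a fixed source port
    (port_bits=0), 65536 guesses give roughly a 63% chance; adding ~16 bits
    of port randomness drops that to about 1 in 65000."""
    space = guess_space(xid_bits, port_bits)
    return 1.0 - (1.0 - 1.0 / space) ** n_forged


def simulate_race(trials: int, n_forged: int, xid_bits: int = 16,
                  port_bits: int = 0, seed: int = 1) -> float:
    """Monte Carlo check of spoof_success_probability: the resolver draws a
    random XID (and port), the attacker sprays n_forged replies with
    independent uniform guesses, and we count how often one lands.
    Returns the observed hit rate over `trials` races."""
    rng = random.Random(seed)
    space = guess_space(xid_bits, port_bits)
    hits = 0
    for _ in range(trials):
        outstanding = rng.randrange(space)
        if any(rng.randrange(space) == outstanding for _ in range(n_forged)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    hdr = parse_dns_header(SAMPLE_DNS_HEADER)
    print(f"XID = {hdr['id']:04x}, response = {hdr['is_response']}")
    for port_bits in (0, 16):
        p = spoof_success_probability(65536, 16, port_bits)
        print(f"port_bits={port_bits:2d}: P(hit, 65536 forged) = {p:.6f}")
    # Scaled-down race (8-bit XID, 256 forged replies) so it runs quickly;
    # the hit rate converges on the same 1 - 1/e as the full-size case.
    print("simulated hit rate:", simulate_race(2000, 256, xid_bits=8))
```

The analytic and simulated numbers agree on the same shape: the attacker's odds scale with the number of forged packets divided by the size of the guess space, so every extra bit of entropy the resolver adds (a random source port on top of the XID) halves the attacker's chance per packet.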
-Nate

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.