ZDNet
July 21st, 2008

Has Halvar figured out super-secret DNS vulnerability?

Posted by Ryan Naraine @ 2:12 pm

Categories: Arbitrary Code Execution, Black Hat, Browsers, Complex Attacks, Denial of Service (DoS), Exploit code, Hackers, Malware, Patch Watch, Pen testing, Responsible disclosure, Reverse Engineering, Vulnerability research

Tags: DNS, Vulnerability, Server, Referral, Mallory, Domain Names, Networking, Security, Internet, Ryan Naraine

[ UPDATE: Kaminsky has all but confirmed that, yes, the cat is out of the bag ]

It looks very much like the nitty gritty of Dan Kaminsky’s super-secret — and heavily hyped — DNS cache poisoning vulnerability has been figured out by reverse engineering guru Halvar Flake.

Clearly irked by a request from Kaminsky and others to avoid speculating on the details of the flaw until the patch is fully deployed, Flake (pictured) published a guess on how to reliably forge and poison DNS lookups.

Flake, CEO and head of research at Zynamics, said his speculation was driven by the need to discuss the vulnerability in public rather than sit out a one-month embargo that culminates with Kaminsky’s presentation at the upcoming Black Hat conference.

[ SEE: Dan Kaminsky breaks DNS, massive multi-vendor patch coming ]

“In a strange way, if nobody speculates publicly, we are pulling wool over the eyes of the general public, and ourselves,” Flake argued, before posting the following hypothesis:

Mallory wants to poison DNS lookups on server ns.polya.com for the domain www.gmx.net. The nameserver for gmx.net is ns.gmx.net. Mallory’s IP is 244.244.244.244.

Mallory begins to send bogus requests for www.ulam00001.com, www.ulam00002.com … to ns.polya.com.

ns.polya.com doesn’t have these requests cached, so it asks a root server “where can I find the .com NS?” It then receives a referral to the .com NS. It asks the nameserver for .com where to find the nameserver for ulam00001.com, ulam00002.com etc.

Mallory spoofs referrals claiming to come from the .com nameserver to ns.polya.com. In these referrals, it says that the nameserver responsible for ulamYYYYY.com is a server called ns.gmx.net and that this server is located at 244.244.244.244. Also, the time to live of this referral is … long …

Now eventually, Mallory will get one such referral spoofed right, e.g. the TXID etc. will be guessed properly.

ns.polya.com will then cache that ns.gmx.net can be found at … 244.244.244.244. Yay.
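The hypothesis above says Mallory will "eventually" get one spoofed referral right. The Python model below is an added example, not part of Flake's post or Kaminsky's work, and it quantifies that race from the defender's side: a forged response is only accepted if its 16-bit DNS transaction ID matches the outstanding query, and the coordinated 2008 patch additionally randomised the resolver's UDP source port, roughly 16 more bits a forger has to match (that detail of the patch is stated from general knowledge, not from this post). The trial counts, the number of forged responses that fit in before the genuine answer, and the random seed are constructed values.

```python
"""Added example: model of the TXID-guessing race behind DNS cache poisoning.

Each trial is one query for a fresh name (as in the www.ulamNNNNN.com stream
described above). The resolver picks a random identifier; the forger gets a
fixed number of distinct guesses in before the genuine answer arrives. The
16-bit TXID and 16-bit port sizes are protocol facts; every other number here
is a constructed parameter, not something from the post."""
import random


def success_probability(attempts: int, id_bits: int) -> float:
    """Closed form: chance that at least one of `attempts` uniformly chosen
    guesses hits one outstanding query whose id space has id_bits bits."""
    space = 2 ** id_bits
    return 1.0 - (1.0 - 1.0 / space) ** attempts


def expected_attempts(id_bits: int) -> int:
    """Mean number of forged responses per successful poisoning, assuming one
    guess per response (geometric distribution with p = 2**-id_bits)."""
    return 2 ** id_bits


def simulate_race(trials: int, forged_per_query: int, id_bits: int,
                  seed: int = 1) -> float:
    """Monte Carlo version of success_probability.

    For every trial the resolver issues one query with a fresh random id and
    the forger sends `forged_per_query` distinct guesses. Returns the fraction
    of trials in which a forged response would have been accepted."""
    rng = random.Random(seed)  # fixed seed: constructed, for reproducibility
    space = 2 ** id_bits
    wins = 0
    for _ in range(trials):
        true_id = rng.randrange(space)
        guesses = rng.sample(range(space), forged_per_query)
        if true_id in guesses:
            wins += 1
    return wins / trials


def compare_patch(forged_per_query: int = 200, trials: int = 2000) -> dict:
    """Unpatched resolver: only the 16-bit TXID is unpredictable.
    Patched resolver (randomised source port): about 32 unpredictable bits."""
    return {
        "txid_only": simulate_race(trials, forged_per_query, 16),
        "txid_plus_port": simulate_race(trials, forged_per_query, 32),
    }


if __name__ == "__main__":
    for bits in (16, 32):
        print(f"{bits}-bit space: expected forged responses per success "
              f"= {expected_attempts(bits):,}")
        print(f"  P(success within 200 forged responses) "
              f"= {success_probability(200, bits):.2e}")
    print(compare_patch())
```

The model treats every query independently and ignores refinements such as several outstanding queries for the same name; the point it makes is that the per-query success chance is simply attempts divided by the size of the unpredictable id space, so the entropy of that space is the lever a resolver operator controls, and the patch multiplies it by about 65,000.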

After the publication of Flake’s summation, Kaminsky gave a no-comment to The Register’s Dan Goodin.

Nate Lawson, head of Root Labs, had this to say: “It’s very plausible; I think he’s nailed it.”

[ SEE: Kaminsky and Ptacek comment on DNS flaw ]

Goodin, one of the more thorough security writers around, made a great point: if Flake’s speculation is unrelated to Kaminsky’s earlier discovery, then there are now two separate issues at play, and only one of the two has been patched.

Perhaps it’s time for Kaminsky to throw his self-imposed embargo out the window and help all of us understand the true severity of this vulnerability.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

Talkback (most recent of 29)
Who are you to say it is an ethical no-no?
Halvar thought differently. He is of the school that the knowledge should be shared immediately so that those able to protect themselves can and do. Not sure I can fault him for that, certainly I can't call it an ethical no-no.

-Nate... (Read the rest)
Posted by: nmcfeters on 07/29/08