July 24, 2008 6:10 AM PDT

DNS exploit code is in the wild

As of Wednesday, exploit code for attacking the domain name system (DNS) was available in various places on the Internet.

On July 8, IOActive researcher Dan Kaminsky disclosed a flaw in the DNS but would not provide the details until all the affected vendors had released patches and all the systems worldwide could be patched. He figured that it would take about 30 days for that to happen.

The 30-day mark just happened to coincide with his speaking engagement at Black Hat in Las Vegas on August 6.

But on Monday, fellow Black Hat presenter Halvar Flake attacked Kaminsky's plea that a security flaw such as this be kept secret. Flake then proceeded to lay out what he thought the flaw was. It turns out he was right, and his post laid the foundation for others to create and publicize an exploit.

On Thursday, Kaminsky will be a guest on the second Black Hat Webinar. This is the second of what is hoped to be a monthly series produced by the conference. Kaminsky will be joined by Jerry Dixon, former director of the Department of Homeland Security's cybersecurity division; Rich Mogull, founder of Securosis; and Joao Damas, a senior program manager at the Internet Systems Consortium. The Webinar begins at 1 p.m. PT.

To see if your connection to the Internet is vulnerable to DNS cache poisoning, use this test on Kaminsky's site. As of Monday, researcher Neal Krawetz was reporting that servers at several high-profile ISPs remained vulnerable.

by jamalystic July 24, 2008 6:42 AM PDT
Well, now that Kaminsky's solution is public, don't you think the bad guys will figure out how this works and try to circumvent it in the future, as this expert suggested: DNS Revolutions & Evolutions (http://www.internetevolution.com/author.asp?section_id=495&doc_id=158621&F_src=flftwo)
by livecrunch July 24, 2008 6:52 AM PDT
I notified my IT staff a week ago about it. But also, isn't this something we have already been dealing with for the past 10 years now?
by n3td3v July 24, 2008 6:59 AM PDT
I guess HD Moore doesn't like Dan Kaminsky very much, since he told people like HD Moore not to release such code until after the Black Hat conference.

Where does this leave HD Moore on the world stage as responsible security researcher? Oh wait, he isn't one and never was a responsible security researcher.

The Metasploit framework is used primarily by the bad guys, so we can see what HD Moore's intentions are.

In other news, why isn't HD Moore in jail yet?
by Seaspray0 July 24, 2008 7:13 AM PDT
My suggestion is to not trust any transaction that isn't secured with an SSL certificate from a trusted root certificate authority. The SSL is tied to the DNS name of the website. While the DNS flaw may be able to redirect you to a bogus IP for that site, it won't have the SSL certificate of the original site.
by GlennF July 24, 2008 10:09 AM PDT
Re: Livecrunch: No, this is a different problem. If I understand the history correctly, more than a decade ago, two problems were fixed: insufficient randomization of transaction IDs, and the ability to provide additional RRs that include domains outside the domain being queried. This attack allows an in-domain attack.

Re: n3td3v: I don't know that I agree with your statement or with HD Moore's behavior overall, but Moore released practical exploitation code only after Matasano Chargen posted a blog entry that explained the attack with great specificity. Moore is doing a service by allowing penetration/vulnerability testing with a common tool now that the knowledge is in the hands of black hats.

Re: Seaspray0: Great suggestion. Also, DNSSEC is finally moving forward, which would allow signing of information among DNS servers, and thus defeat any known poisoning attack.
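To make the two earlier fixes GlennF mentions concrete, here is an added illustration (not from the CNET post or any commenter) of the two gates a caching resolver applies to a reply: first match it against the outstanding query, then keep only records inside the answering server's zone (the "bailiwick" rule). All names, ports and addresses are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Query:
    txid: int       # 16-bit transaction ID
    src_port: int   # resolver's UDP source port (the July 2008 patches randomise it)
    qname: str
    qtype: str

@dataclass
class Response:
    txid: int
    dst_port: int   # port the reply arrived on; must equal the query's source port
    qname: str
    qtype: str
    answer: list = field(default_factory=list)
    additional: list = field(default_factory=list)

def matches_outstanding_query(q: Query, r: Response) -> bool:
    """First gate: TXID, port and question section must all agree with a pending query."""
    return (q.txid == r.txid and q.src_port == r.dst_port
            and q.qname.rstrip(".").lower() == r.qname.rstrip(".").lower()
            and q.qtype == r.qtype)

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies beneath it (case-insensitive, trailing dot ignored)."""
    n, z = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return n == z or n.endswith("." + z)

def accept_records(zone: str, records: list) -> list:
    """Second gate: keep only (name, type, value) records at or under the answering server's zone."""
    return [rr for rr in records if in_bailiwick(rr[0], zone)]

def process_response(q: Query, r: Response, zone: str):
    """Return the records a resolver would cache, or None if the reply is discarded outright."""
    if not matches_outstanding_query(q, r):
        return None
    return accept_records(zone, r.answer + r.additional)

# Constructed sample: a reply for www.example.com from the example.com servers.
# The out-of-zone additional record is dropped; the in-zone ones are cached.
QUERY = Query(txid=0x1234, src_port=53211, qname="www.example.com.", qtype="A")
GOOD_REPLY = Response(txid=0x1234, dst_port=53211, qname="www.example.com.", qtype="A",
                      answer=[("www.example.com.", "A", "192.0.2.20")],
                      additional=[("ns1.example.com.", "A", "192.0.2.10"),
                                  ("ns1.other.example.", "A", "192.0.2.99")])
WRONG_PORT_REPLY = Response(txid=0x1234, dst_port=53212, qname="www.example.com.", qtype="A",
                            answer=[("www.example.com.", "A", "192.0.2.99")])
```

A forged record that names something inside example.com passes the second gate, which is GlennF's point that this attack is in-domain; that is why source-port randomization at the first gate and, longer term, DNSSEC signatures are the mitigations.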
by n3td3v July 24, 2008 12:31 PM PDT
Re: GlennF

To me, HD Moore is a black hat who is just using a loophole in the law to make the Metasploit framework and to distribute exploit code to the other bad guys.

If Metasploit was a legitimate attack platform, it would only be available to companies with credentials who can prove who they are and that they have permission and legitimate reason to use Metasploit for the small amount of folks who use Metasploit for legal above board reasons.

With Metasploit, anyone can walk in off the street and download it, and that's got to be a bad thing, but I'm not entirely sure that HD Moore cares about the bad guys using Metasploit, as long as he is known as an elite hacker and is worshipped like a god.
by The_Decider July 24, 2008 2:08 PM PDT
Metasploit is a legitimate academic and pentest platform as well.

Nearly every network tool that is used legitimately has illegitimate uses also. By your logic, Wireshark, Nessus, dsniff, Nikto, Hydra, Nmap, Ettercap, NetStumbler, Kismet, various fuzzers, etc. should all be banned and their authors jailed. Don't stop there; we should ban network and programming security courses from CS departments and jail all of us who can write tools that can be used for evil.
by cohaver July 25, 2008 8:30 AM PDT
Windows' new Desktop Search faces the same problems as this. Notice the latest update to the Vista Desktop Search software.
by Tsee July 25, 2008 11:09 PM PDT
Kaminsky's site recommends OpenDNS, which is NOT open-source.
by pmbx July 27, 2008 6:53 AM PDT
I'm tired of 'black hat experts' just looking for exploits to gain notoriety. I'm ready for the first lawsuits against Kaminsky for real damages that occurred because of his irresponsibility. He put his own self-interests first in order to be the one to blast this DNS deficiency on the stage. It's all about the bucks he'd get from his 'expertise.' All these security 'experts' are probably the same. Why isn't there legislation to make this kind of action worthy of jail time!