It looks like Dan Kaminsky's DNS vulnerability has been released as a pair of metasploit modules, which means the script kiddies are about to unleash it on the unpatched (so patch already).
From the Metasploit Blog:
So, on to our new modules. There's no reason to rehash the deep tech regarding packet formats and spoofing techniques, as most of the speculation linked above was correct, and the original leak has been mirrored just about everywhere. In short, the way this flaw works is that it combines two previously known but somewhat mitigated flaws to achieve success. The first flaw is that since DNS (over UDP) is connectionless, it can easily be spoofed. The original mitigation for this was to make use of a transaction ID to correlate requests and replies that the attacker would have to guess. This makes spoofing harder, but not an insurmountable task. The second flaw was that additional records would be inserted into the cache which were included in replies from another nameserver during a recursive lookup. This original problem was somewhat mitigated by creating the in-bailiwick constraints that essentially limits the domain space for additional records that could be sent in the replies to hostnames from a given domain. Sounds reasonable; this prevents nameservers from doing malicious things to domains that they aren't authoritative for, while still allowing nameservers who are authoritative for a domain to update the records they need to. When you combine attacks for these two flaws however, an attacker can essentially pretend to be the authoritative nameserver, and update the nameserver record for a domain to point to a malicious nameserver address. Because the nameserver's name doesn't change, the update is in-bailiwick. You can also use this trick to inject cache entries for individual hostnames as long as those hostnames are not already cached, and also in-bailiwick.
The two Metasploit modules which implement these attacks are "DNS BailiWicked Host Attack" for injecting individual uncached host records into the target nameserver's cache, and "DNS BailiWicked Domain Attack" for replacing a target domain's nameserver records in a target nameserver's cache. Currently these must be run from the trunk development branch, as they rely on Net::DNS and raw sockets functionality which currently only exists in the development branch for MSF. The raw sockets code also currently only works when running MSF under Linux. [From BailiWicked]
For those who haven't been following the news this month, here is an executive overview, a recording of the press conference is available here, and on a more authoritative note, here is the US-CERT vulnerability note.
Comments