July 21st, 2008

Has Halvar figured out super-secret DNS vulnerability?

Posted by Ryan Naraine @ 2:12 pm

Categories: Patch Watch, Hackers, Browsers, Vulnerability research, Responsible disclosure, Exploit code, Black Hat, Pen testing, Denial of Service (DoS), Arbitrary Code Execution, Complex Attacks, Malware, Reverse Engineering

Tags: DNS, Vulnerability, Server, Referral, Mallory, Domain Names, Networking, Security, Internet, Ryan Naraine

[Image: Thomas Dullien (Halvar Flake)]

[ UPDATE: Kaminsky has all but confirmed that, yes, the cat is out of the bag ]

It looks very much like the nitty gritty of Dan Kaminsky’s super-secret — and heavily hyped — DNS cache poisoning vulnerability has been figured out by reverse engineering guru Halvar Flake.

Clearly irked by a request from Kaminsky and others to avoid speculating on the details of the flaw until the patch is fully deployed, Flake (left) published a guess at how to reliably forge and poison DNS lookups.

Flake, CEO and head of research at Zynamics, said his speculation was driven by the need to discuss the vulnerability in public rather than observe a one-month embargo that culminates with Kaminsky’s presentation at the upcoming Black Hat conference.

[ SEE: Dan Kaminsky breaks DNS, massive multi-vendor patch coming ]

“In a strange way, if nobody speculates publicly, we are pulling wool over the eyes of the general public, and ourselves,” Flake argued, before posting the following hypothesis:

Mallory wants to poison DNS lookups on server ns.polya.com for the domain www.gmx.net. The nameserver for gmx.net is ns.gmx.net. Mallory’s IP is 244.244.244.244.

Mallory begins to send bogus requests for www.ulam00001.com, www.ulam00002.com … to ns.polya.com.

ns.polya.com doesn’t have these requests cached, so it asks a root server “where can I find the .com NS?” It then receives a referral to the .com NS. It asks the nameserver for .com where to find the nameserver for ulam00001.com, ulam00002.com etc.

Mallory spoofs referrals claiming to come from the .com nameserver to ns.polya.com. In these referrals, it says that the nameserver responsible for ulamYYYYY.com is a server called ns.gmx.net and that this server is located at 244.244.244.244. Also, the time to live of this referral is … long …

Now eventually, Mallory will get one such referral spoofed right, e.g. the TXID etc. will be guessed properly.

ns.polya.com will then cache that ns.gmx.net can be found at … 244.244.244.244. Yay.
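One long-standing resolver defense against the poisoned referral described above is the "bailiwick" check: a resolver only caches NS and glue records that lie at or below the zone the answering server is authoritative for. The following is an added example, not code from Flake's post or from any resolver, that applies that rule to the names in his scenario (the zone label "com" and the legitimate 192.0.2.1 glue are assumed values):

```python
# Added illustration of the bailiwick rule; not from the original post.

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a subdomain of it (case-insensitive)."""
    zone = zone.lower().rstrip(".")
    if zone == "":                       # the root zone contains every name
        return True
    n = name.lower().rstrip(".").split(".")
    z = zone.split(".")
    return len(n) >= len(z) and n[-len(z):] == z


def filter_referral(zone_queried: str, ns_rrs, glue_rrs: dict):
    """Return (accepted NS records, accepted glue) a careful resolver would cache.

    zone_queried: the zone the resolver believes it asked (e.g. "com").
    ns_rrs:       list of (owner_name, nameserver_name) from the authority section.
    glue_rrs:     dict nameserver_name -> IP from the additional section.
    Glue for a nameserver outside the responder's zone is dropped; the resolver
    must look that name up separately instead of trusting the additional section.
    """
    accepted_ns, accepted_glue = [], {}
    for owner, target in ns_rrs:
        if not in_bailiwick(owner, zone_queried):
            continue                     # delegation for a name this server does not govern
        accepted_ns.append((owner, target))
        if target in glue_rrs and in_bailiwick(target, zone_queried):
            accepted_glue[target] = glue_rrs[target]
    return accepted_ns, accepted_glue


def flake_scenario():
    """Flake's spoofed referral: the .com server 'says' ns.gmx.net is at 244.244.244.244."""
    return filter_referral(
        "com",
        [("ulam00001.com", "ns.gmx.net")],
        {"ns.gmx.net": "244.244.244.244"},
    )


def legitimate_scenario():
    """A normal .com delegation whose glue is in-bailiwick (constructed sample)."""
    return filter_referral(
        "com",
        [("example.com", "ns1.example.com")],
        {"ns1.example.com": "192.0.2.1"},
    )
```

The check rejects the out-of-zone glue in Flake's example while still caching the delegation itself; it does nothing against forged answers that stay inside the queried zone, which is why resolvers also rely on unpredictable transaction IDs.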

After the publication of Flake’s summation, Kaminsky gave a no-comment to The Register’s Dan Goodin.

Nate Lawson, head of Root Labs, had this to say: “It’s very plausible; I think he’s nailed it.”

[ SEE: Kaminsky and Ptacek comment on DNS flaw ]

Goodin, one of the more thorough security writers around, made a great point: if Flake’s speculation is unrelated to Kaminsky’s earlier discovery, then there are now two separate issues at play. Only one of the two has been patched!

Perhaps it’s time for Kaminsky to throw his self-imposed embargo out the window and help all of us understand the true severity of this vulnerability.

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the world. See his full profile and disclosure of his industry affiliations.


Talkback (most recent of 29)

Who are you to say it is an ethical no-no?

Halvar thought differently. He is of the school that the knowledge should be shared immediately so that those able to protect themselves can and do. Not sure I can fault him for that, certainly I can't call it an ethical no-no.

-Nate...

Posted by: nmcfeters on 07/29/08
