DNS exploit in the wild

posted Jul 23rd 2008 7:00pm by Eliot
filed under: news, security hacks

We’ve been tracking Metasploit commits since Matasano’s premature publication of [Dan Kaminsky]‘s DNS cache poisoning flaw on Monday knowing full well that a functional exploit would be coming soon. Only two hours ago [HD Moore] and [I)ruid] added a module to the Metasploit Project that will let anyone test the vulnerability (with comment: “ZOMG. What is this? >:-)“). [HD] told Threat Level that it doesn’t work yet for domains that are already cached by the DNS server, but it will automatically wait for the cached entry to expire and then complete the attack. You can read more about the bailiwicked_host.rb module in CAU’s advisory. For a more detailed description of how the attack works, see this mirror of Matason’s post. You can check if the DNS server you are using is vulnerable by using the tool on [Dan]‘s site.

[photo: mattdork]

Read

Comments [4]

tagged: cache, dankaminsky, dns, druid, exploit, hdmoore, matasano, metasploit

4 Responses to DNS exploit in the wild

ejonesss says:

July 24, 2008 at 7:46 am

does the exploit affect the dns servers running the internet or just home systems?

Reply Report comment

Mark says:

July 24, 2008 at 9:49 am

This affects any server not already patched.
If a major isp were to have an unpatched server someone could redirect sites to wherever they like.

Reply Report comment

User says:

July 24, 2008 at 7:38 pm

Time Warner RoadRunner DNS servers in Florida are still unpatched. :(

Reply Report comment

winphreak says:

July 24, 2008 at 9:26 pm

Time Warner never seemed keen on their DNS servers. I’ve had trouble before with their DNS servers not being up to date or simply not working right, and I bet the last thing they’d do to them is patch them immediately. Time Warner is a big ISP too, and I’d wish they’d wisen up on that a little, in case hell breaks lose.

Reply Report comment