DNS exploit in the wild


We’ve been tracking Metasploit commits since Matasano’s premature publication of [Dan Kaminsky]‘s DNS cache poisoning flaw on Monday knowing full well that a functional exploit would be coming soon. Only two hours ago [HD Moore] and [I)ruid] added a module to the Metasploit Project that will let anyone test the vulnerability (with comment: “ZOMG. What is this? >:-)“). [HD] told Threat Level that it doesn’t work yet for domains that are already cached by the DNS server, but it will automatically wait for the cached entry to expire and then complete the attack. You can read more about the bailiwicked_host.rb module in CAU’s advisory. For a more detailed description of how the attack works, see this mirror of Matason’s post. You can check if the DNS server you are using is vulnerable by using the tool on [Dan]‘s site.

[photo: mattdork]

4 thoughts on “DNS exploit in the wild

  1. This affects any server not already patched.
    If a major isp were to have an unpatched server someone could redirect sites to wherever they like.

  2. Time Warner never seemed keen on their DNS servers. I’ve had trouble before with their DNS servers not being up to date or simply not working right, and I bet the last thing they’d do to them is patch them immediately. Time Warner is a big ISP too, and I’d wish they’d wisen up on that a little, in case hell breaks lose.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s