We’ve been tracking Metasploit commits since Matasano’s premature publication of [Dan Kaminsky]’s DNS cache poisoning flaw on Monday knowing full well that a functional exploit would be coming soon. Only two hours ago [HD Moore] and [I)ruid] added a module to the Metasploit Project that will let anyone test the vulnerability (with comment: “ZOMG. What is this? >:-)“). [HD] told Threat Level that it doesn’t work yet for domains that are already cached by the DNS server, but it will automatically wait for the cached entry to expire and then complete the attack. You can read more about the bailiwicked_host.rb module in CAU’s advisory. For a more detailed description of how the attack works, see this mirror of Matason’s post. You can check if the DNS server you are using is vulnerable by using the tool on [Dan]’s site.
[photo: mattdork]
does the exploit affect the dns servers running the internet or just home systems?
This affects any server not already patched.
If a major isp were to have an unpatched server someone could redirect sites to wherever they like.
Time Warner RoadRunner DNS servers in Florida are still unpatched. :(
Time Warner never seemed keen on their DNS servers. I’ve had trouble before with their DNS servers not being up to date or simply not working right, and I bet the last thing they’d do to them is patch them immediately. Time Warner is a big ISP too, and I’d wish they’d wisen up on that a little, in case hell breaks lose.