Exploit code released for DNS vulnerability

Exploit code was released Wednesday for the domain name system (DNS) cache poisoning vulnerability, details of which became public earlier this week.

White-hat hacker H.D. Moore, creator of the hacking toolkit Metasploit, released the code, developed in conjunction with a researcher using the handle I)ruid.

Moore, director of security research at BreakingPoint Systems, told SCMagazineUS.com on Thursday that he and his partner were easily able to build the code based on information they culled from a Wired magazine interview this week with Dan Kaminsky, who discovered the vulnerability.

First, the pair had to determine which DNS servers to spoof responses from and which source ports on the target email server to send the spoofs to, Moore said. Then they had to flood that port with spoofed responses to get rogue DNS entries cached.

Since Kaminsky revealed the bug about two weeks ago, security experts have warned businesses and internet service providers to patch their recursive DNS servers as soon as possible to avoid repercussions, such as users being unknowingly directed to phishing sites.

That urgency increased this week, when the chief executive of Zynamics.com and researchers from Matasano Security published details on the vulnerability. Minutes after posting the details in a blog, Matasano removed its entry, saying it regretted publicly releasing the information.

By then, though, it was too late. Many web publications had already picked up the post.

Victor Larson, director of research and development at security firm VirnetX, told SCMagazineUS.com on Thursday that the attack is particularly dangerous because a successful exploit allows malicious individuals to interact with cache servers – without them being previously compromised.

“People need to patch their servers,” Larson said. “It's an attack where if certain servers don't randomly select the ports they use for doing DNS transactions, a third-party could basically guess at the next port that is going to be used…And then they can pretend they are that server and, as a third-party, inject phony DNS records into a caching server. By doing that, they can point people to phishing sites and do malicious things like that.”
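The weakness Larson describes, a resolver whose next query port can be guessed, is something a defender can check from a capture of the resolver's own outbound queries. The following is an added example, not code from the article or from Metasploit; the port samples are constructed and the 0.9 thresholds are assumptions chosen for illustration.

```python
# Added example (not from the article): classify the UDP source ports a
# recursive resolver uses for outgoing queries as fixed, sequential, weak or
# randomised. Inputs are constructed samples standing in for ports extracted
# from a capture of the resolver's outbound traffic to authoritative servers.
import math
import random
from collections import Counter

# Constructed samples of 200 consecutive outbound query source ports each.
FIXED_PORT_SAMPLE = [53] * 200                              # always the same port
SEQUENTIAL_SAMPLE = list(range(32768, 32768 + 200))         # increments by one
WEAK_SAMPLE = [1024 + (i % 8) * 1000 for i in range(200)]   # cycles through 8 ports
_rng = random.Random(2008)                                  # fixed seed, repeatable demo
RANDOM_SAMPLE = [_rng.randint(1024, 65535) for _ in range(200)]


def port_entropy_bits(ports):
    """Shannon entropy of the observed port distribution, in bits."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())


def is_sequential(ports, max_step=4):
    """True when over 90% of consecutive queries move the port by a small positive step."""
    if len(ports) < 2:
        return False
    steps = [(b - a) & 0xFFFF for a, b in zip(ports, ports[1:])]
    small = sum(1 for s in steps if 0 < s <= max_step)
    return small / len(steps) > 0.9


def assess(ports):
    """Return 'fixed', 'sequential', 'weak' or 'randomised'.

    Sequential ports are all distinct, so a distinct-count or entropy test alone
    would pass them; the step test catches that case before entropy is consulted.
    """
    if len(set(ports)) == 1:
        return "fixed"
    if is_sequential(ports):
        return "sequential"
    # With N samples, a well-randomised port achieves close to log2(N) bits (assumed threshold: 90%).
    if port_entropy_bits(ports) < 0.9 * math.log2(len(ports)):
        return "weak"
    return "randomised"


if __name__ == "__main__":
    for name, sample in [("fixed", FIXED_PORT_SAMPLE), ("sequential", SEQUENTIAL_SAMPLE),
                         ("weak", WEAK_SAMPLE), ("random", RANDOM_SAMPLE)]:
        print(f"{name:10s} -> {assess(sample):10s} entropy {port_entropy_bits(sample):.2f} bits")
```

Anything other than "randomised" means a spoofer only has to beat the 16-bit transaction ID, which is the condition the patches discussed above remove by randomising the source port.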

Kaminsky said on Thursday during a Black Hat webcast that the flaw is unlike any previous DNS vulnerability he has seen and it could take down an entire nation of internet users.

But Moore said he doubts any major attacks will result from the exploit code going public.

“It's not that big of a deal to start with,” Moore said. “Honestly, people were doing these types of attacks against Windows DNS servers for the past four years straight. I don't think the internet is going to melt down.”