Application security, Incident Response, Patch/Configuration Management, TDR, Vulnerability Management

Exploit code released for DNS vulnerability

Exploit code was released Wednesday for the domain name system (DNS) cache poisoning vulnerability, details of which became public earlier this week.

White-hat hacker H.D. Moore, creator of the hacking toolkit Metasploit, released the code, developed in conjunction with a researcher using the handle I)ruid.

Moore, director of security research at BreakingPoint Systems, told on Thursday that he and his partner were easily able to build the code based on information they culled from a Wired magazine interview this week with Dan Kaminsky, who discovered the vulnerability.

First, the pair had to determine from which DNS servers to spoof a response and to which source ports on the target email server to send spoofs, Moore said. Then, they had to spam fake spoof responses to that port to get rogue DNS entries cached.

Since Kaminsky revealed the bug about two weeks ago, security experts have warned businesses and internet service providers to patch their recursive DNS servers as soon as possible to avoid repercussions, such as users being unknowingly directed to phishing sites.

That urgency increased this week, when the chief executive of and researchers from Matasano Security published details on the vulnerability. Minutes after posting the details in a blog, Matasano removed its entry, saying it regretted publicly releasing the information.

By then, though, it was too late. Many web publications had already picked up the post.

Victor Larson, director of research and development at security firm VirnetX, told on Thursday that the attack is particularly dangerous because a successful exploit allows malicious individuals to interact with cache servers – without them being previously compromised.

“People need to patch their servers,” Larson said. “It's an attack where if certain servers don't randomly select the ports they use for doing DNS transactions, a third-party could basically guess at the next port that is going to be used…And then they can pretend they are that server and, as a third-party, inject phony DNS records into a caching server. By doing that, they can point people to phishing sites and do malicious things like that.”

Kaminsky said on Thursday during a Black Hat webcast that the flaw is unlike any previous DNS vulnerability he has seen and it could take down an entire nation of internet users.

But Moore said he doubts any major attacks will result from the exploit code going public.

“It's not that big of a deal to start with,” Moore said. “Honestly, people were doing these types of attacks against Windows DNS servers for the past four years straight. I don't think the internet is going to melt down.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.