Joe Williams
As some of you may have heard, there is a new DNS cache poisoning 'sploit in the wild (CVE). Currently there are two exploits available, one for a domain and the other for a hostname. Check out the info on each here and here. The basic idea is described in the files:
This exploit targets a fairly ubiquitous flaw in DNS implementations which allows the insertion of malicious DNS records into the cache of the target nameserver. This exploit caches a single malicious host entry into the target nameserver. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing the target nameserver to insert the additional record into the cache.
Metasploit (the latest from their SVN) includes each exploit. This makes it easy to test and attempt the exploit against your own servers. Luckily my name servers are running TinyDNS, which does not have this flaw. For example:
msf auxiliary(bailiwicked_host) > check
[*] Using the Metasploit service to verify exploitability...
[*] UNKNOWN: This server did not reply to our vulnerability check requests
You will see some requests in your DNS logs that look like this:
2008-07-25 14:26:45.896813500 3ff6167e:373a:0009 - 0010 spoofprobe-check-1-11391593674.red.metasploit.com
2008-07-25 14:26:55.899392500 3ff6167e:373a:000a - 0010 spoofprobe-check-2-1139140392.red.metasploit.com
2008-07-25 14:27:05.903259500 3ff6167e:373a:000b - 0010 spoofprobe-check-3-11391648643.red.metasploit.com
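The structural signal of this attack, as described above, is one client driving a burst of queries for distinct, random-looking hostnames under a single domain. The following is an added example (not part of the original post, and not Metasploit's or TinyDNS's own code) that reads TinyDNS-style log lines like the ones above and flags that pattern. It assumes the field layout seen in those lines (timestamp, client as hex IP:port:id, a result flag, the query type in hex, the queried name); the sample log is constructed, reusing the three probe entries from the post plus some benign traffic for contrast, and the "parent zone is the last two labels" rule is a simplification a real deployment would replace with a public suffix list.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the TinyDNS log layout shown above. The first three lines are
# the probe entries from the post; the last three are benign queries made up for contrast.
SAMPLE_LOG = """\
2008-07-25 14:26:45.896813500 3ff6167e:373a:0009 - 0010 spoofprobe-check-1-11391593674.red.metasploit.com
2008-07-25 14:26:55.899392500 3ff6167e:373a:000a - 0010 spoofprobe-check-2-1139140392.red.metasploit.com
2008-07-25 14:27:05.903259500 3ff6167e:373a:000b - 0010 spoofprobe-check-3-11391648643.red.metasploit.com
2008-07-25 14:27:10.000000000 0a000001:d431:0001 + 0001 www.example.net
2008-07-25 14:27:12.000000000 0a000001:d432:0002 + 0001 www.example.net
2008-07-25 14:27:15.000000000 0a000001:d433:0003 + 0001 mail.example.net
"""

# Field layout assumed from the log lines in the post (timestamp, hex ip:port:id, flag, hex qtype, name).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<ip>[0-9a-f]{8}):(?P<port>[0-9a-f]{4}):(?P<qid>[0-9a-f]{4}) "
    r"(?P<flag>\S) (?P<qtype>[0-9a-f]{4}) (?P<name>\S+)$"
)


def hex_ip(h):
    """Decode an 8-hex-digit IPv4 address (TinyDNS logs clients this way) to dotted form."""
    return ".".join(str(int(h[i:i + 2], 16)) for i in range(0, 8, 2))


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # strptime's %f takes at most 6 fractional digits; the log carries 9, so truncate.
    ts = datetime.strptime(m["ts"][:26], "%Y-%m-%d %H:%M:%S.%f")
    return {
        "ts": ts,
        "client": hex_ip(m["ip"]),
        "flag": m["flag"],
        "qtype": int(m["qtype"], 16),
        "name": m["name"].lower().rstrip("."),
    }


def parent_zone(name):
    """Simplification: treat the last two labels as the zone being targeted."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def find_probe_bursts(lines, window=timedelta(seconds=60), min_distinct=3):
    """Flag (client, zone) pairs that query >= min_distinct distinct names within `window`.

    Repeated lookups of the same name (normal caching behaviour) do not count; only a spread
    of different hostnames under one zone from one client does, which is the shape of the
    random-hostname probing described in the post.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["client"], parent_zone(e["name"]))].append(e)

    alerts = []
    for (client, zone), evs in by_key.items():
        for i, start in enumerate(evs):
            names = {x["name"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(names) >= min_distinct:
                alerts.append({"client": client, "zone": zone,
                               "distinct": len(names), "first": start["ts"]})
                break  # one alert per (client, zone) is enough for an operator
    return alerts


if __name__ == "__main__":
    for a in find_probe_bursts(SAMPLE_LOG.splitlines()):
        print(f"{a['first']} {a['client']} -> {a['zone']}: {a['distinct']} distinct names in window")
```

Run against the sample, only the 63.246.22.126 client hitting metasploit.com is reported; the example.net traffic, which repeats the same two names, stays quiet. On an authoritative server like TinyDNS these probes are logged with the `-` flag because the name is outside its zones, so the check is harmless there, but the same burst shape on a recursive resolver's query log is the thing to alert on.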
So yeah, if you aren't running TinyDNS, patch your name servers! More info at hackaday and Dan Kaminsky's blog.