Dan Kaminsky Disqualified from Most Overhyped Bug Pwnie

I can be pretty skeptical and cynical at times (part of what drives my interest in security) and I am especially skeptical of massively hyped vulnerabilities. If anything, I tend to underhype what I do and let others hype it for me if they think that it warrants more attention.

With all of the hype around Dan Kaminsky’s DNS vulnerability, I naturally doubted that all of the hype was warranted.  I was flattered, however, when Rich Mogull called and invited me onto a conference call with Dan Kaminsky and the other Doubting Thomas (Ptacek, that is).  Dan explained the full details and scope of his attack and both of us were impressed and agreed that it is way more serious than we had imagined.  Yes, I am being light on the specifics here because I was sworn to secrecy and if I were to break it, Dan would cause my nameservers to rickroll me until the end of time.

In summary, when the full details of Dan’s attack come out, you will most likely be impressed.  I definitely was.

Comments

  1. SecurityBob says:

    Let’s make the world believe that http://www.google.com is 127.0.0.1:

    Step 1:

    – Create a malicious DNS zone (malicious.com)

    – Spread links to http://www.malicious.com all over the internet (spam, etc…)

    Step 2:

    – Victim clicks on the link to http://www.malicious.com

    – Victim’s DNS resolver (ns.victim.com) talks to ns.malicious.com

    – ns.malicious.com answers by saying that “www.malicious.com” really is an alias for “www.google.com”

    => At this point, I, as an attacker, know that ns.victim.com is going to ask ns.google.com what the IP of “www.google.com” is

    => ns.victim.com is using either a fixed or a non-random UDP source port for its queries

    => So I can flood ns.victim.com (posing as ns.google.com) with tons of fake DNS answers claiming that http://www.google.com is 127.0.0.1. All I have to figure out at this point is the XID that will be used, and given that it’s a 16-bit integer, it’s not the most complex thing in the world.

    => ns.malicious.com now believes that http://www.google.com is 127.0.0.1
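The blind answer-spoofing race sketched in the comment above, as an added example that is not part of the original post or of any commenter’s code: a toy resolver that, like the unpatched resolvers under discussion, accepts a forged answer whenever the UDP destination port and the 16-bit transaction ID match its one outstanding query, and an off-path flooder that guesses transaction IDs. The hostnames, the fixed source port 53, the 1024–65535 ephemeral port range and the 127.0.0.1 payload are assumptions made for the example; the DNS packets are built in memory with the real RFC 1035 wire layout, and nothing is sent on the network.

```python
"""Toy model of the blind DNS answer-spoofing race against a resolver that
checks only the UDP destination port and the 16-bit TXID of an outstanding query.
Hypothetical hosts (ns.victim.com, www.google.com), the fixed source port 53, the
1024-65535 ephemeral range and the 127.0.0.1 payload are assumptions for this
example; every packet is built in memory and nothing is sent on the network."""
import random
import struct

TXID_SPACE = 1 << 16                    # 16-bit transaction ID
EPHEMERAL_PORTS = range(1024, 65536)    # assumed range a port-randomizing resolver draws from
FIXED_PORT = 53                         # assumed fixed source port of a non-randomizing resolver


def encode_name(name):
    """'www.google.com' -> b'\\x03www\\x06google\\x03com\\x00'"""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_a_response(txid, qname, ip, ttl=3600):
    """Minimal RFC 1035 response: header, one A/IN question, one A/IN answer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1, 1 question, 1 answer
    question = encode_name(qname) + struct.pack("!HH", 1, 1)     # QTYPE=A, QCLASS=IN
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # name = pointer to offset 12
    return header + question + answer


def parse_response(pkt):
    """Return (txid, qname, ip) from a packet produced by build_a_response."""
    txid = struct.unpack("!H", pkt[:2])[0]
    pos, labels = 12, []
    while pkt[pos] != 0:                          # walk the question-name labels
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1 + 4                                  # root label, QTYPE, QCLASS
    pos += 2                                      # answer name is a compression pointer
    _, _, _, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
    pos += 10
    return txid, ".".join(labels), ".".join(str(b) for b in pkt[pos:pos + rdlen])


class ToyResolver:
    """One outstanding query; caches the first answer whose port and TXID match it."""

    def __init__(self, rng, randomize_port):
        self.rng, self.randomize_port, self.cache, self.pending = rng, randomize_port, {}, None

    def send_query(self, qname):
        txid = self.rng.randrange(TXID_SPACE)
        sport = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port else FIXED_PORT
        self.pending = (qname, txid, sport)
        return txid, sport

    def receive(self, dport, pkt):
        """Deliver a datagram sent to dport; True if the answer was accepted into the cache."""
        if self.pending is None or dport != self.pending[2]:
            return False                          # wrong port: dropped, attacker learns nothing
        qname, txid, _ = self.pending
        rx_txid, rx_qname, ip = parse_response(pkt)
        if rx_txid != txid or rx_qname != qname:
            return False                          # wrong TXID (or question): dropped
        self.cache[qname] = ip
        self.pending = None
        return True


def flood(resolver, qname, guesses, port_guess, rng):
    """Off-path attacker: `guesses` forged answers with distinct TXIDs, all to port_guess."""
    for txid in rng.sample(range(TXID_SPACE), guesses):
        if resolver.receive(port_guess, build_a_response(txid, qname, "127.0.0.1")):
            return True
    return False


def spoof_success_probability(guesses, randomize_port):
    """Exact odds that one such flood lands, for one port guess and `guesses` distinct TXIDs."""
    port_space = len(EPHEMERAL_PORTS) if randomize_port else 1
    return min(guesses, TXID_SPACE) / (TXID_SPACE * port_space)


def simulate(trials, guesses, randomize_port, seed=1):
    """Fraction of trials in which the flood (aimed at FIXED_PORT) poisons the cache."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        r = ToyResolver(rng, randomize_port)
        r.send_query("www.google.com")
        wins += flood(r, "www.google.com", guesses, FIXED_PORT, rng)
    return wins / trials


def demo_checks(seed=7):
    """What the toy resolver rejects: wrong port, then wrong TXID; then the matching forgery."""
    r = ToyResolver(random.Random(seed), randomize_port=False)
    txid, sport = r.send_query("www.google.com")
    good = build_a_response(txid, "www.google.com", "127.0.0.1")
    wrong_txid = build_a_response((txid + 1) % TXID_SPACE, "www.google.com", "127.0.0.1")
    return (r.receive(sport + 1, good), r.receive(sport, wrong_txid),
            r.receive(sport, good), r.cache.get("www.google.com"))


if __name__ == "__main__":
    for randomized in (False, True):
        print("port randomized" if randomized else "fixed port",
              "1024 guesses per query ->", spoof_success_probability(1024, randomized))
    print("fixed port, all 65536 TXIDs guessed:", simulate(3, TXID_SPACE, False))
    print("random port, all 65536 TXIDs guessed:", simulate(3, TXID_SPACE, True))
```

With a fixed source port, 1,024 forged answers give the attacker a 1-in-64 chance per query, and a flood covering all 65,536 transaction IDs always lands; once the resolver draws its source port from the 1024–65535 range the same flood aimed at one port is a 1-in-64,512 long shot before the TXID is even considered, which is the whole margin that source-port randomization buys. The toy does not model the race against the legitimate reply from ns.google.com, which ends the window as soon as it arrives, so the real per-query odds are lower than the exact figures above.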

  2. Lynn Taylor says:

    As someone who was not part of the discussion in the DNS community, but still has to maintain (i.e. write code) for a DNS server, I’d still like to know what I’m coding against.

    I understand (and respect) what Dan has done, but it was hard to find the details of the patch among all of the discussion.

    I hope I’ve interpreted it correctly.

    … and I hope I got it right.

  3. Tell me about the name server you’re coding against, and contact me privately.

  4. Thanks, I know randomness is hard (-;

    regards

    John Jones

    http://www.johnjones.me.uk

  5. Lynn Taylor says:

    Dan,

    I’ve posted two comments at DoxPara.com, those comments are marked “waiting moderation” — and the E-Mail address is valid.

    I promise to take the minimum amount of time.

    Thanks — Lynn

  6. Lynn Taylor says:

    Dan: thanks for your help.

Trackbacks

  1. DNS, DNS, DNS……

    Germaine, get out the double-barrelled shotgun, the rice, the tins of cassoulet, the bottled water and the sandbags: the global Internet is sinking. Straight down. Titanic-style. Yes, dear readers, DNS has just taken a twelve-gauge round. Another one…….

  2. [...] Thomas Ptacek (right), principal of Matasano Security, was the first to call BS on the secrecy.   Kaminsky immediately arranged a private conference call to spill the beans.   Dino Dai Zovi, another researcher with hacker cred, was included.   After the call, both Ptacek and Dai Zovi confirmed this was something super-serious that required immediate attention. [...]
