Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: The cat is indeed out of the bag
From: "Robert McKay" <robert () mckay com>
Date: Wed, 23 Jul 2008 15:22:15 +0100

On Tue, Jul 22, 2008 at 3:36 AM, <monsieur.aglie () hushmail com> wrote:

from chargen 19/udp by ecopeland


The cat is out of the bag. Yes, Halvar Flake figured out the flaw
Dan Kaminsky will announce at Black Hat.

I believe I may have found an important optimisation to this attack.

Basically I observed that if you make a DNS request with a very long QNAME
then nameservers start dropping GLUE records in order to fit the reply into
the maximum UDP packet size.

If you query X.root-servers.net for <long-garbage>.whatever.com then the
reply you get from the root-servers can include as little as ONE actual GLUE
record for .COM. Now obviously .COM will be cached by almost everyone, but
the attack works on many TLDs.

Consider the following query:

rm () wari:~$ dig @a.root-servers.net.

; <<>> DiG 9.3.1 <<>> @a.root-servers.net.
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9857
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 10, ADDITIONAL: 1


ca.             172800  IN      NS      TLD3.ULTRADNS.ORG.
ca.             172800  IN      NS      NS-EXT.ISC.ORG.
ca.             172800  IN      NS      CA01.CIRA.ca.
ca.             172800  IN      NS      CA02.CIRA.ca.
ca.             172800  IN      NS      CA03.CIRA.ca.
ca.             172800  IN      NS      CA04.CIRA.ca.
ca.             172800  IN      NS      CA05.CIRA.ca.
ca.             172800  IN      NS      CA06.CIRA.ca.
ca.             172800  IN      NS      TLD1.ULTRADNS.NET.
ca.             172800  IN      NS      TLD2.ULTRADNS.NET.

CA01.CIRA.ca.           172800  IN      A

;; Query time: 137 msec
;; WHEN: Wed Jul 23 15:16:14 2008
;; MSG SIZE  rcvd: 505

It always returns CA01.CIRA.ca. as the only GLUE record for .CA - No matter
which of the X.root-serveres.net is used. It seems to me that this should
greatly simply the task of gaining NS control of a TLD as you know exactly
which of the nameservers to spoof your replies from.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]