Tuesday, July 22, 2008

The big DNS security hole hype exposed

Dan Kaminsky released a little bit ago a joint effort to fix a major and "critical" security flaw with multiple vendors regarding DNS. Dan had stated he was not going to release the vulnerability until his BlackHat speaking in July, but it appears it was already leaked.

DNS Cache Poisoning is nothing new, on July 22, 1999 Hillary Clinton's site was subject to DNS cache poisoning:

http://www.cnn.com/TECH/computing/9907/22/hillary.idg/

It appears that the vulnerability itself is due to predictable TXID's and the lack of port randomization in DNS. Based on TXID inspection (and the blog from Microsoft) it appears that the 4-8 bits are predictable and are able to determine the PRNG state and predict the TXID.

To fix DNS Cache Poisoning, the PRNG algorithm was applied to the TXID or transaction ID's. The vulnerability lies within TXID where the 4-8 bits are predictable allowing the attacker to predict the next TXID. Here's how the attack is suppose to work (hypothetically):

Attacker queries nameserverA for yahoo.com's IP address through DNS. nameserverA doesn't know the IP of yahoo.com. nameserverA goes to the root name servers and says wheres the listings for .com, nameserverA goes to the listings for all .com and looks for the authoritative DNS server for yahoo.com. After that the IP is resolved and you can browse normally to yahoo.com. Where the attack is performed is the request from nameserverA to the authoritative DNS server, when nameserverA sends a request to the root server, the root server sends back a "referral" which tells nameserverA where to go for the .com listings. Contained in this exchange of information is the TXID. It keeps going down the list to various DNS servers, ultimately to the authoritative DNS server.

Our guess at where the attack occurs is the response back from the root server to respond on where yahoo.com's server resides. If an attacker can spoof a valid TXID and say yahoo.com's nameserver is really at ns.badhacker.com and not ns.yahoo.com and ultimately resolves to 1.1.1.1 instead of 2.2.2.2, we can perform cache poisoning of that name server.

So initial speculations that this is bad is pretty accurate and why all the hush was kept to allow all vendors to patch the systems accordingly. Kudos goes out to Dan Kaminsky for taking all of the scrutiny over all of this and allowing vendors time to patch the systems to something that was in fact not just hype but could have major implications if exploited successfully.

I hope all of your DNS servers are patched, a POC should be pretty easy to write off of this.

Special thanks to Microsoft for releasing details about the patch and letting us know what the vulnerability was:

http://blogs.technet.com/swi/archive/2008/04/09/ms08-020-how-predictable-is-the-dns-transaction-id.aspx

Special thanks to John Melvin from SecureState for helping me out on this.

Again this is purely hypothetical, this hasn't been confirmed nor denied.

UPDATE: Update to this post, it appears that it has been confirmed and found by Halvar Flake blog. In addition matasano also discovered it but the site was put up temporarily and taken down when discovered, a mirrored site can be found at: http://beezari.livejournal.com/141796.html. Patch your servers folks!

PATCH: What the patch appears to do, pretty cut and dry, it makes the TXID truly random and randomizes the DNS ports pretty much making this attack useless.

No comments: