lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 25 Jul 2008 14:38:20 -0500
From: H D Moore <fdlist@...italoffense.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Re : CAU-EX-2008-0002: Kaminsky DNS Cache
	Poisoning Flaw Exploit

On Friday 25 July 2008, tixxDZ wrote:
> I do not want to offend anyone (Metasploit people), this is a simple
> joke: can you share with us all the logs of the vulnerable servers ?
> ;) , the exploit will use the Metasploit service to verify
> exploitability. ex checking my Opendns:

The exploit needs a service to determine the source port used by the 
target name server. The 'check' command will do this and could probably 
use a better warning about information disclosure. The exploit itself 
will also query the Metasploit service if you set SRCPORT to 0. While 
this means we *could* capture a list of vulnerable nameservers which 
query this service, honestly we don't care and aren't logging it. There 
are much more effective ways to scan for exploitable cache servers :-)

The source code for the helper service is also a Metasploit module and can 
be found under modules/auxiliary/server/dns/spoofhelper.rb

If you want to use your own server for this, just change 
*.red.metasploit.com to be a domain handled by your own copy of the 
spoofhelper module. In the future, we will add an option to specify a the 
nameserver used for this check.

To clarify:

 - Nothing is sent to metasploit.com unless SRCPORT is manually set to '0' 
or the check command is run (non-standard for aux modules).

 - The only information we receive is the IP and source port of the tested 
nameserver. No information is sent about the user's system or their own 
IP address.

 - Even though this information could be logged and sorted and whatnot, we 
honestly don't care and just added it as a convenience feature. We dont 
keep records of the queries hitting the server and have no plans to start 
doing so.

 - If you don't like it, don't run 'check' and don't set SRCPORT to '0' 
for automatic mode. It won't hurt our feelings and you are free to modify 
the module to point at your own helper service.

Cheers,

-HD


PS. You can use the service outside of the module to check various 
servers. For example:

while true; do dig +short -t TXT `date +%s`.red.metasploit.com @4.2.2.3; 
sleep 1; done
"209.244.4.227:33165 1217014609.red.metasploit.com"
"209.244.4.227:32728 1217014610.red.metasploit.com"
"209.244.4.227:29607 1217014611.red.metasploit.com"
"209.244.4.227:28032 1217014612.red.metasploit.com"
"209.244.4.227:25992 1217014613.red.metasploit.com"
"209.244.4.227:31301 1217014614.red.metasploit.com"
"209.244.4.227:22884 1217014615.red.metasploit.com"
"209.244.4.227:33722 1217014616.red.metasploit.com"

^- changing ports means the box is patched.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ