lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <5de3c09b0807131944x7ae14af0q6a34560fd8143b16@mail.gmail.com>
Date: Sun, 13 Jul 2008 21:44:19 -0500
From: "eugaaa@...il.com" <eugaaa@...il.com>
To: coderman <coderman@...il.com>
Cc: full-disclosure@...ts.grok.org.uk,
	Paul Schmehl <pschmehl_lists_nada@...rr.com>
Subject: Re: DNS Cache Dan Kamikaze (Actual Exploit
	Discussion)

If the nameserver is "down" most likely the resolver is going to try a
different one. Meaning you're back to square one. Which is why I asked
what happens if the resolver recv's a response after it's been told
the nameserver is down. In any case, I'm not even sure how resolvers
handle dest unreachables. And again, I think that avenue is moot.

As for your question about theory versus practicality. 2^16 seems
possible. This exact same problem exist with ASLR implementations as
well as stack protection mechanisms (canary values etc). I think even
vista's current address space randomization is 16-bits. However with
these DNS transaction ID's you're not looking at a random number. It's
scope is limited because you've seen the transaction ID's of each
request you've made. IE my first request was 125, my second was 133,
etc. Meaning you pick a number higher up (180) and try to win the
race.

Any BIND pros here?

On 7/13/08, coderman <coderman@...il.com> wrote:
> On Sun, Jul 13, 2008 at 5:26 PM, eugaaa@...il.com <eugaaa@...il.com> wrote:
>> What you wrote...
>
> please note that is not my post on that site; i merely link to it.  thanks.
>
>
>> Why flood with dest unreachables when your goal is to answer before
>> the nameserver?
>
> if the nameserver is "down", you no longer need to race against it.
>
>
>> Meaning it is a remote timing based attack...
>
> sure.  the bigger question is how large the temporal window of
> opportunity.  if you have a large window, practical attacks become
> widely possible.  a small niche and you're dealing with mostly
> theoretical impact.
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ