Open Source and information security mailing list archives
Message-ID: <c2888f8c0807230722j70e228ebk5ff60ab0ca1e6dec@mail.gmail.com>
Date: Wed, 23 Jul 2008 15:22:15 +0100
From: "Robert McKay" <robert@...ay.com>
To: monsieur.aglie@...hmail.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: The cat is indeed out of the bag

On Tue, Jul 22, 2008 at 3:36 AM, <monsieur.aglie@...hmail.com> wrote:

> from chargen 19/udp by ecopeland
>
> 0.
>
> The cat is out of the bag. Yes, Halvar Flake figured out the flaw
> Dan Kaminsky will announce at Black Hat.
> 1.


I believe I may have found an important optimisation to this attack.

Basically I observed that if you make a DNS request with a very long QNAME
then nameservers start dropping GLUE records in order to fit the reply into
the maximum UDP packet size.

If you query X.root-servers.net for <long-garbage>.whatever.com then the
reply you get from the root-servers can include as little as ONE actual GLUE
record for .COM. Now obviously .COM will be cached by almost everyone, but
the attack works on many TLDs.


Consider the following query:

rm@...i:~$ dig @a.root-servers.net. aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaa.csis-scrs.gc.caa

; <<>> DiG 9.3.1 <<>> @a.root-servers.net. aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaa.csis-scrs.gc.caa
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9857
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 10, ADDITIONAL: 1

;; QUESTION SECTION:
;aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaa.csis-scrs.gc.ca.  IN      A

;; AUTHORITY SECTION:
ca.             172800  IN      NS      TLD3.ULTRADNS.ORG.
ca.             172800  IN      NS      NS-EXT.ISC.ORG.
ca.             172800  IN      NS      CA01.CIRA.ca.
ca.             172800  IN      NS      CA02.CIRA.ca.
ca.             172800  IN      NS      CA03.CIRA.ca.
ca.             172800  IN      NS      CA04.CIRA.ca.
ca.             172800  IN      NS      CA05.CIRA.ca.
ca.             172800  IN      NS      CA06.CIRA.ca.
ca.             172800  IN      NS      TLD1.ULTRADNS.NET.
ca.             172800  IN      NS      TLD2.ULTRADNS.NET.

;; ADDITIONAL SECTION:
CA01.CIRA.ca.           172800  IN      A       192.228.27.11

;; Query time: 137 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Wed Jul 23 15:16:14 2008
;; MSG SIZE  rcvd: 505


It always returns CA01.CIRA.ca. as the only GLUE record for .CA - no matter
which of the X.root-servers.net is used. It seems to me that this should
greatly simplify the task of gaining NS control of a TLD, as you know exactly
which of the nameservers to spoof your replies from.

Rob.
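The size budgeting Rob describes, worked through as an added example (this is not code from the original post, nor from any root-server implementation): a minimal DNS referral builder with RFC 1035 name compression that fills a 512-byte UDP reply (the classic limit when the client sends no EDNS0 OPT record) with the question, the full NS RRset for ca. in AUTHORITY, and then as many glue A records in ADDITIONAL as still fit. The NS names are the ten shown in the dig output above; CA01's address is the one from the post, while the other five glue addresses are constructed TEST-NET-1 placeholders, not CIRA's real ones. Under these assumptions the model reproduces the 505-byte reply and the single glue record seen above, and shows that a short name under gc.ca gets all six.

```python
"""
Added example, not code from the original post: model how a referral is
squeezed into a 512-byte UDP reply, so that a long QNAME leaves room for
only one glue record. CA01's address is from the post; CA02-CA06 glue
addresses are constructed TEST-NET-1 placeholders.
"""
import struct

MAX_UDP = 512                       # RFC 1035 limit without EDNS0
TTL = 172800
TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1

# NS RRset for ca. as returned by a.root-servers.net in the dig output above.
CA_NS = [
    "TLD3.ULTRADNS.ORG.", "NS-EXT.ISC.ORG.",
    "CA01.CIRA.ca.", "CA02.CIRA.ca.", "CA03.CIRA.ca.",
    "CA04.CIRA.ca.", "CA05.CIRA.ca.", "CA06.CIRA.ca.",
    "TLD1.ULTRADNS.NET.", "TLD2.ULTRADNS.NET.",
]
# Glue exists only for the in-bailiwick names. CA01 is from the post; the
# rest are constructed placeholders (192.0.2.0/24 is reserved for examples).
CA_GLUE = {
    "CA01.CIRA.ca.": "192.228.27.11",
    "CA02.CIRA.ca.": "192.0.2.2", "CA03.CIRA.ca.": "192.0.2.3",
    "CA04.CIRA.ca.": "192.0.2.4", "CA05.CIRA.ca.": "192.0.2.5",
    "CA06.CIRA.ca.": "192.0.2.6",
}

# Same label lengths (48,48,43,19,23,22,21) as the query in the post.
LONG_QNAME = ".".join("a" * n for n in (48, 48, 43, 19, 23, 22, 21)) + ".csis-scrs.gc.ca."


class Referral:
    """One DNS response; every name is compressed against the names already
    written, which is what makes the owner 'ca.' cost only two bytes."""

    def __init__(self, qname, qtype=TYPE_A):
        # Header: ID, flags (QR + RD, as in the dig output), QD/AN/NS/AR counts.
        self.buf = bytearray(struct.pack(">HHHHHH", 0x2681, 0x8100, 1, 0, 0, 0))
        self.offsets = {}           # tuple of labels (a suffix) -> offset
        self.counts = [1, 0, 0, 0]  # question, answer, authority, additional
        self._name(qname)
        self.buf += struct.pack(">HH", qtype, CLASS_IN)

    def _name(self, name):
        labels = tuple(l for l in name.rstrip(".").lower().split(".") if l)
        while labels:
            if labels in self.offsets:           # suffix seen before: 2-byte pointer
                self.buf += struct.pack(">H", 0xC000 | self.offsets[labels])
                return
            self.offsets[labels] = len(self.buf)
            self.buf += bytes([len(labels[0])]) + labels[0].encode("ascii")
            labels = labels[1:]
        self.buf += b"\x00"                      # root label terminates the name

    def add(self, section, owner, rtype, rdata):
        """Append one RR to section 2 (authority) or 3 (additional) if the
        message stays within MAX_UDP; otherwise roll back and return False."""
        saved_len, saved_offsets = len(self.buf), dict(self.offsets)
        self._name(owner)
        self.buf += struct.pack(">HHIH", rtype, CLASS_IN, TTL, 0)
        rdlen_at = len(self.buf) - 2
        if rtype == TYPE_NS:
            self._name(rdata)                    # NS target is a compressible name
        else:
            self.buf += bytes(int(o) for o in rdata.split("."))   # A: 4 octets
        struct.pack_into(">H", self.buf, rdlen_at, len(self.buf) - rdlen_at - 2)
        if len(self.buf) > MAX_UDP:
            del self.buf[saved_len:]
            self.offsets = saved_offsets
            return False
        self.counts[section] += 1
        return True

    def message(self):
        struct.pack_into(">HHHH", self.buf, 4, *self.counts)
        return bytes(self.buf)


def build_referral(qname, ns=CA_NS, glue=CA_GLUE, zone="ca."):
    """Referral for qname: whole NS RRset in AUTHORITY, then glue A records in
    ADDITIONAL for as long as they fit. Returns (wire bytes, glue count)."""
    msg = Referral(qname)
    for host in ns:
        assert msg.add(2, zone, TYPE_NS, host), "NS RRset alone overflows; would need TC"
    included = 0
    for host in ns:                              # CA01 is tried first, as in the post
        if host in glue and msg.add(3, host, TYPE_A, glue[host]):
            included += 1
    return msg.message(), included


def glue_by_filler_labels(max_labels=3):
    """How many glue records survive as 63-byte filler labels are prepended
    to csis-scrs.gc.ca (QNAME wire length must stay under 255)."""
    return {n: build_referral("a" * 63 + "." if False else ".".join(["a" * 63] * n + ["csis-scrs.gc.ca."]))[1]
            for n in range(max_labels + 1)}


if __name__ == "__main__":
    wire, n_glue = build_referral(LONG_QNAME)
    print(f"long QNAME: {len(wire)} bytes, {n_glue} glue record(s)")   # 505 bytes, 1
    wire, n_glue = build_referral("www.gc.ca.")
    print(f"short QNAME: {len(wire)} bytes, {n_glue} glue record(s)")  # 348 bytes, 6
    print("glue count by filler labels:", glue_by_filler_labels())
```

The model keeps the NS RRset whole and drops glue from the end, which is the behaviour the post observes; a real server may order records differently or set TC instead, and any resolver that sends an EDNS0 OPT record advertises a larger buffer, so the squeeze only applies to plain 512-byte queries.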


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/