Date: Tue, 14 Feb 2012 13:52:48 -0600
From: "Adam Behnke" <adam@...osecinstitute.com>
To: "'InterN0T Advisories'" <advisories@...ern0t.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: New DNS exploit - Ghost Domains

Good point, well said. Should have called it a technique. Will do so in other postings elsewhere. 

-----Original Message-----
From: InterN0T Advisories [mailto:advisories@...ern0t.net] 
Sent: Tuesday, February 14, 2012 1:05 PM
To: Adam Behnke
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] New DNS exploit - Ghost Domains

To question:

I don't get it, where's the vulnerability (or exploit)? DNS is supposed to
work this way, and because some name-servers like OpenDNS use longer TTL
values, it doesn't necessarily mean that it's a vulnerability or an
exploit. It's like saying because an IPv4-address is leased via DHCP for a
week, it's a vulnerability too even if the target host isn't using it.

I'd rather say it's a technique, that you can use to perform phishing,
botnet c&c control, spamming, etc., (as described in the paper mentioned in
the blog), without even having an official primary or secondary nameserver
linked to the domain, as the domain can live on other nameservers that have
cached it. 

The only weakness (not vulnerability or exploit) of long TTL values, is
that domains can exist as "ghosts" (aka ghost domains) for a long time
without even really existing officially.

But you can't attack anyone with this weakness, as it's just a way of
keeping a domain live on the Internet. 


If it's because the paper discusses it can be used to perform phishing,
botnet c&c, etc., well, so can active non-ghost too. The only difference is
that ghost-domains doesn't have an active primary and secondary nameserver,
but are instead cached in nameservers functioning as resolvers, such as
those used by ISP's, OpenDNS, etc.


Send an e-mail to Dan Kaminsky and tell him it's an exploit, I think he
might laugh. No offense intended.



Link:
https://www.isc.org/files/imce/ghostdomain_camera.pdf


Best regards,
MaXe

On Tue, 14 Feb 2012 11:09:13 -0600, "Adam Behnke"
<adam@...osecinstitute.com> wrote:
> To explain:
> 
> Whenever there is a query for a domain which is not in the resolver's
> cache,
> the process happens by traversing through the entire DNS hierarchy from
the
> root servers to the top-level domain (e.g., .com). The top-level domain
> (TLD) then gives us the information about the name server that has been
> delegated the responsibility of the domain whose IP address we are
looking
> for. We then get the information about that domain from its name server.
> The
> results are then cached by the DNS resolver with a particular value of
TTL
> (time-to-live), after which the entry in the cache expires.
> 
> The exploit targets a weakness in the cache update logic of some of the
DNS
> servers. The exploit allows the cache to be overwritten in such a way
that
> it is possible to continuously extend the TTL for the delegation data of
a
> particular domain and prevents it from ever expiring. The domain will be
> completely resolvable indefinitely even though it has been deleted from
the
> TLD servers. These types of domains have been termed Ghost Domain Names.
> 
> In this article we will discuss a recent DNS exploit which is present in
> most of the DNS servers that was discovered by researchers Jian Jiang,
> Jinjin Liang, Kang Li, Jun Li, Haixin Duan and Jianping Wu. 
> 
> Read the full article and view a sample Ghost Domain here:
> http://resources.infosecinstitute.com/ghost-domain-names/
> 
> 
> 
> 
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists