Thursday, July 24, 2008

Part 2 of Metasploit DNS Exploit - NS Injection

Via ZDNet Blog -

Earlier today, noted researchers |)ruid and HD Moore released exploit code for the Metasploit tool for attacking the DNS flaw that was originally reported by Dan Kaminsky. The release was only part of the bigger picture of the exploit, however, and the second piece of exploit code has been released on the Computer Academic Underground blog and on Full-Disclosure. There is a subtle but important difference in the two pieces of exploit code, which is only readily apparent from reading the comments in the source code.

[...]

So let’s analyze this a bit, see if we can figure out what’s different. Good friend and noted researcher, Billy Rios, assisted me with some code review, and we tried to find as much as we could about this new twist on events. We found several things of note. The most obvious, the exploit just got worse. Now the code will use spoofed replies to hijack the name server entries for a target domain, allowing control over an entire domain, whereas the original hijacked an individual host. For example, before, we could hijack www.myaddress.com, now we can hijack all of myaddress.com.

Further, within the credits portion of the code, |)ruid adds credit to a new researcher for “helping with the NS injection” confirming the idea that this is now about attacking nameserver entries, and not just address records.

[...]

Next, Rios clued me into a very interesting observation… as he said, “it went from rev 5585 to 5591, that’s 6 different changes in a few hours… it’s still being tuned.” Which means it’s going to get faster. Dan originally stated he could pull this off in a matter of seconds. With able programmers refining the existing code, it’s only a matter of time before this exploit becomes lightning quick.

Work to make the exploit quicker may be confirmed by noting that there have been changes to the rand code for the xidbase.

So things are getting worse. If you have not patched by now… well, you’re on your way to being pwned, so I’d get to it ASAP.
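The quoted post ties the exploit's speed to the randomness of the transaction ID and urges patching. The model below, added here as an editor's example and not part of the ZDNet post or the Metasploit code, puts numbers on that: it implements the spoofing-success estimate from RFC 5452 section 7 (success per attempt is roughly D*R*W divided by N*P*I, where D is the number of identical outstanding queries, R the spoofed responses per second, W the window in seconds, N the number of authoritative servers, P the number of source ports and I the number of transaction IDs) and shows how many attempts an attacker needs when the resolver uses a fixed source port versus a randomized one. The rates and window in the example scenarios are constructed for illustration, not measured values.

```python
"""Cache-poisoning success model after RFC 5452, section 7.

Added example (not from the original post). The scenario numbers below
are constructed for illustration; the formula is the RFC's.
"""
from math import ceil, inf, log

XID_SPACE = 65536          # 16-bit DNS transaction ID


def per_attempt_probability(outstanding_queries, spoofed_per_second,
                            window_seconds, authoritative_servers,
                            ports, xids=XID_SPACE):
    """Probability that one poisoning attempt (one forged-answer window)
    succeeds, per RFC 5452 s7: (D*R*W) / (N*P*I), capped at 1."""
    raw = (outstanding_queries * spoofed_per_second * window_seconds) / (
        authoritative_servers * ports * xids)
    return min(1.0, raw)


def cumulative_probability(p, attempts):
    """Probability of at least one success after `attempts` tries."""
    return 1.0 - (1.0 - p) ** attempts


def attempts_for_confidence(p, confidence=0.5):
    """Number of attempts needed before success reaches `confidence`.
    In the Kaminsky variant each attempt is a fresh query for a random
    name, so attempts can be made back-to-back without waiting on a TTL."""
    if p <= 0:
        return inf
    if p >= 1:
        return 1
    return ceil(log(1.0 - confidence) / log(1.0 - p))


def seconds_to_confidence(p, window_seconds, confidence=0.5):
    """Wall-clock estimate: one attempt per response window."""
    return attempts_for_confidence(p, confidence) * window_seconds


def compare_port_randomization(spoofed_per_second=10000, window_seconds=0.1,
                               authoritative_servers=1, random_ports=64000):
    """Contrast an unpatched resolver (one fixed source port) with a patched
    one (source port drawn from `random_ports` values). Returns a dict of
    per-attempt probability and attempts to 50% for both."""
    fixed = per_attempt_probability(1, spoofed_per_second, window_seconds,
                                    authoritative_servers, ports=1)
    random = per_attempt_probability(1, spoofed_per_second, window_seconds,
                                     authoritative_servers, ports=random_ports)
    return {
        "fixed_port": {"p": fixed,
                       "attempts_50pct": attempts_for_confidence(fixed)},
        "random_port": {"p": random,
                        "attempts_50pct": attempts_for_confidence(random)},
    }


if __name__ == "__main__":
    for name, row in compare_port_randomization().items():
        print(f"{name:12s} p/attempt={row['p']:.3e} "
              f"attempts to 50%={row['attempts_50pct']}")
```

With the constructed scenario (10,000 forged replies per second into a 100 ms window, one authoritative server), the fixed-port resolver falls to a coin flip in a few dozen attempts, while adding 64,000 possible source ports pushes the same confidence into the millions of attempts. That gap is the whole point of the July 2008 patches, and it is independent of whether the forged records are A records or NS records.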
