[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Exploit for DNS Cache Poisoning - RELEASED

Subject: Exploit for DNS Cache Poisoning - RELEASED
From: dot at dotat.at (Tony Finch)
Date: Thu, 24 Jul 2008 13:21:07 +0100
In-reply-to: <[email protected]>
References: <[email protected]> <[email protected]>

On Wed, 23 Jul 2008, Kevin Day wrote:
>
> The new way is slightly more sneaky. You get the victim to try to
> resolve an otherwise invalid and uncached hostname like 00001.gmail.com,
> and try to beat the real response with spoofed replies. Except this time
> your reply comes with an additional record containing the IP for
> www.gmail.com to the one you want to redirect it to. If you win the race
> and the victim accepts your spoof for 00001.gmail.com, it will also
> accept (and overwrite any cached value) for your additional record for
> www.gmail.com as well.

RFC 2181 says the resolver should not overwrite authoritative data with
additional data in this manner.

I believe the Matasano description is wrong.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
FORTIES CROMARTY FORTH TYNE DOGGER: EAST OR SOUTHEAST 3 OR 4, INCREASING 5 OR
6 LATER. SLIGHT OR MODERATE. FOG PATCHES. GOOD, OCCASIONALLY VERY POOR.

References:
- Exploit for DNS Cache Poisoning - RELEASED
  - From: jgreco at ns.sol.net (Joe Greco)
- Exploit for DNS Cache Poisoning - RELEASED
  - From: toasty at dragondata.com (Kevin Day)

Prev by Date: Exploit for DNS Cache Poisoning - RELEASED
Next by Date: XO contact
Previous by thread: Exploit for DNS Cache Poisoning - RELEASED
Next by thread: Exploit for DNS Cache Poisoning - RELEASED
Index(es):
- Date
- Thread