Has Halvar figured out super-secret DNS vulnerability?

Summary:[ UPDATE:  Kaminsky has all but confirmed that, yes, the cat is out of the bag ]It looks very much like the nitty gritty of Dan Kaminsky's super-secret -- and heavily hyped -- DNS cache poisoning vulnerability has been figured out by reverse engineering guru Halvar Flake.Clearly irked by a demand request from Kaminsky and others to avoid speculating on the details of the flaw until the patch is fully deployed, Flake (left) published a guess on how to reliably forge and poison DNS lookups.

Thomas Dullien Halvar Flake
[ UPDATE:  Kaminsky has all but confirmed that, yes, the cat is out of the bag ]

It looks very much like the nitty gritty of Dan Kaminsky's super-secret -- and heavily hyped -- DNS cache poisoning vulnerability has been figured out by reverse engineering guru Halvar Flake.

Clearly irked by a demand request from Kaminsky and others to avoid speculating on the details of the flaw until the patch is fully deployed, Flake (left) published a guess on how to reliably forge and poison DNS lookups.

Flake, CEO and head of research at Zynamics, said his speculation was driven by the need to discuss the vulnerability in public instead of  a one-month embargo that culminates with Kaminsky's presentation at the upcoming Black Hat conference.

[ SEE: Dan Kaminsky breaks DNS, massive multi-vendor patch coming ]

"In a strange way, if nobody speculates publicly, we are pulling wool over the eyes of the general public, and ourselves," Flake argued, before posting the following hypothesis:

Mallory wants to poison DNS lookups on server ns.polya.com for the domain www.gmx.net. The nameserver for gmx.net is ns.gmx.net. Mallory's IP is 244.244.244.244.

Mallory begins to send bogus requests for www.ulam00001.com, www.ulam00002.com ... to ns.polya.com.

ns.polya.com doesn't have these requests cached, so it asks a root server "where can I find the .com NS?" It then receives a referral to the .com NS. It asks the nameserver for .com where to find the nameserver for ulam00001.com, ulam00002.com etc.

Mallory spoofs referrals claiming to come from the .com nameserver to ns.polya.com. In these referrals, it says that the nameserver responsible for ulamYYYYY.com is a server called ns.gmx.net and that this server is located at 244.244.244.244. Also, the time to live of this referral is ... long ...

Now eventually, Mallory will get one such referral spoofed right, e.g. the TXID etc. will be guessed properly.

ns.polya.com will then cache that ns.gmx.net can be found at ... 244.244.244.244. Yay.

After the publication of Flake's summation, Kaminsky gave a no-comment to The Register's Dan Goodin.

Nate Lawson, head of Root Labs, had this to say: "It's very plausible; I think he's nailed it."

[ SEE: Kaminsky and Ptacek comment on DNS flaw ]

Goodin, one of the more thorough security writers around, made a great point that if Flake's speculation is unrelated to Kaminsky's earlier discovery, then there are now two separate issues at play.   Only one of the two has been patched!

Perhaps it's time for Kaminsky to throw his self-imposed embargo out the window and help all of us understand the true severity of this vulnerability.

Topics: Browser, Networking, Security, Servers

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.