Has Halvar figured out super-secret DNS vulnerability?

[ UPDATE: Kaminsky has all but confirmed that, yes, the cat is out of the bag ]

It looks very much like the nitty gritty of Dan Kaminsky's super-secret -- and heavily hyped -- DNS cache poisoning vulnerability has been figured out by reverse engineering guru Halvar Flake.

Clearly irked by a demand request from Kaminsky and others to avoid speculating on the details of the flaw until the patch is fully deployed, Flake (left) published a guess on how to reliably forge and poison DNS lookups.

Flake, CEO and head of research at Zynamics, said his speculation was driven by the need to discuss the vulnerability in public rather than observe a one-month embargo that culminates with Kaminsky's presentation at the upcoming Black Hat conference.

[ SEE: Dan Kaminsky breaks DNS, massive multi-vendor patch coming ]

"In a strange way, if nobody speculates publicly, we are pulling wool over the eyes of the general public, and ourselves," Flake argued, before posting the following hypothesis:

Mallory wants to poison DNS lookups on server ns.polya.com for the domain www.gmx.net. The nameserver for gmx.net is ns.gmx.net. Mallory's IP is 244.244.244.244.

Mallory begins to send bogus requests for www.ulam00001.com, www.ulam00002.com ... to ns.polya.com.

ns.polya.com doesn't have these requests cached, so it asks a root server "where can I find the .com NS?" It then receives a referral to the .com NS. It asks the nameserver for .com where to find the nameserver for ulam00001.com, ulam00002.com etc.

Mallory spoofs referrals claiming to come from the .com nameserver to ns.polya.com. In these referrals, it says that the nameserver responsible for ulamYYYYY.com is a server called ns.gmx.net and that this server is located at 244.244.244.244. Also, the time to live of this referral is ... long ...

Now eventually, Mallory will get one such referral spoofed right, e.g. the TXID etc. will be guessed properly.

ns.polya.com will then cache that ns.gmx.net can be found at ... 244.244.244.244. Yay.

After the publication of Flake's summation, Kaminsky gave a no-comment to The Register's Dan Goodin.

Nate Lawson, head of Root Labs, had this to say: "It's very plausible; I think he's nailed it."

[ SEE: Kaminsky and Ptacek comment on DNS flaw ]

Goodin, one of the more thorough security writers around, made a great point: if Flake's speculation is unrelated to Kaminsky's earlier discovery, then there are now two separate issues at play, and only one of the two has been patched!

Perhaps it's time for Kaminsky to throw his self-imposed embargo out the window and help all of us understand the true severity of this vulnerability.

Talkback

29 comments
  • Good Lord!

    Whatever does happen, this has been fun to read about.
    nmcfeters
  • in summary

    Halvar's approach is to play a game in which you win with a low probability. If you are able to win the race with the authoritative server and guess one TXID, you will win the game with probability 1/(2^16). If you are able to guess more queries during the race with the auth server, you may be able to increase these odds.

    The kicker is that this game can be played an "unlimited" number of times (not truly unlimited as you are restricted by the possible combinations and max length of a particular domain name) by choosing domains that do not exist (eg. ulamYYYYY.com). By playing this low probability game a very large number of times, you can achieve a high probability of eventually guessing the TXID and slipping the NS glue record into the cache.

    Painfully simple in operation, I expect Dan to have extra secret sauce to reduce the expected number of queries to achieve poisoning.

    Regards,
    Jon Oberheide
    jon@oberheide.org
    jon.oberheide
    • Well, and

      the secret sauce will be using a client-side vector to force victim's system to continuously make those requests, and the fact that during that time, he's making requests trying to find the auth server. How do you do this? <img src="...">

      But of course, our good friend cross-site request forgery. Just a thought.

      -Nate
      nmcfeters
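    The probability model behind Flake's hypothesis above and Oberheide's "low-probability game played many times" summary, as an added example that is not from the article or any commenter: it takes the 1/(2^16) per-race odds from the comment, counts how many ulamYYYYY.com races the repeated game needs, and shows how extra entropy in the resolver's outgoing query changes that count (the vendor patches added a randomised UDP source port, which this example approximates as 16 extra bits; that approximation and the "distinct guesses per race" assumption are mine, not the page's).

```python
import math

# Added example (not from the article or the commenters): the repeated
# low-probability race described in the post, modelled so a defender can
# see how the odds scale with the entropy the resolver puts in each query.

TXID_BITS = 16  # 16-bit transaction ID: the 1/(2^16) odds from the comment


def race_win_probability(entropy_bits: int, guesses_per_race: int = 1) -> float:
    """Probability that one race (one ulamYYYYY.com lookup) gets poisoned.

    Assumption: the attacker's spoofed replies in a race carry distinct
    guesses, so the per-race odds are guesses / 2^entropy_bits (capped at 1).
    """
    space = 2 ** entropy_bits
    return min(1.0, guesses_per_race / space)


def cumulative_poison_probability(entropy_bits: int, races: int,
                                  guesses_per_race: int = 1) -> float:
    """Probability that at least one of `races` independent races succeeds."""
    p = race_win_probability(entropy_bits, guesses_per_race)
    return 1.0 - (1.0 - p) ** races


def races_needed(entropy_bits: int, target: float,
                 guesses_per_race: int = 1) -> int:
    """Smallest race count giving at least `target` probability of poisoning."""
    p = race_win_probability(entropy_bits, guesses_per_race)
    if p >= 1.0:
        return 1
    # Solve 1 - (1-p)^n >= target for n; log1p keeps precision when p is tiny.
    return math.ceil(math.log(1.0 - target) / math.log1p(-p))


if __name__ == "__main__":
    # Assumption: a randomised source port adds roughly 16 bits of entropy
    # (the usable port range is smaller, so this is an upper-bound picture).
    scenarios = (("TXID only", TXID_BITS), ("TXID + source port", TXID_BITS + 16))
    for label, bits in scenarios:
        print(f"{label:20s} {bits:2d} bits -> races for a 50% chance: "
              f"{races_needed(bits, 0.5):,}")
```

    With 16 bits the attacker needs on the order of 45,000 races for even odds, which is why the game is cheap to play against an unpatched resolver; every extra bit of entropy doubles that count.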
  • Halvar Flake

    What a self serving jerk. He couldn't remain quiet because he needed his 15 min of fame so that his clients could say "Oh, look how clever he is for figuring this out. I guess we were right to hire him!"

    These guys are all about money and ego - nothing else.
    croberts
    • Self Serving?

      It strikes me that this posting seems to be of the ilk that scofflawed at those who challenged other hoarders of information. Let me get this straight.

      There is a vulnerability.
      It has been published (though not in detail) along with what is vulnerable.
      Someone will figure out the exploit.

      These appear to all be facts. The questions are 1) Do we wait until the Oracle speaks to develop and release a patch? 2) Do we watch and see if a malicious party performs an actual exploit? or 3) Do we allow and encourage discussion on the vulnerability so that awareness is high and people can respond...prior to the patch?

      Methinks thou dost protest too strongly.

      Let the conversation roll! Keep the keen minds engaged. Eternal Vigilance is critical.

      My 2 cents...and worth every penny of what it cost you.

      :)
      SeizeDDay
      • Yep

        I think Dan tried to do what he could to give people time to patch. Not everyone bought into this. Doesn't make them at fault for disclosing. A lot of people refused to patch without that information.

        -Nate
        nmcfeters
    • That is not fair at all

      Do you know Halvar?

      I do.

      He's a great guy. Not everyone believes in the method that Dan decided to choose. Dan chose to disclose in the fashion he did. He also chose to ask the community to not speculate and not disclose if they did find something. Well, Halvar is of the camp that believes this should've come out full disclosure style from the get go. He did what he thought was right. He should not be faulted for that.

      Also, Halvar is not all about the money and the ego, for the record.

      -Nate
      nmcfeters
      • Well spoken

        I respect that you know the guy.

        However, now that the DNS has been patched, it really looks like he was trying to steal Kaminsky's thunder. Not cool...
        croberts
        • I disagree

          Halvar didn't give up everything the attack uses. In fact, even if he had, it was all stated in a very off-hand fashion. It is literally like Halvar said on his blog about going to see the expert talk about it.

          Think of it like this, your kid plays baseball and you have an opportunity to send him to camp to learn from Alex Rodriguez how to hit. On your way, I stop you and tell you some of the secrets of hitting. Would you now not go to the camp?

          -Nate
          nmcfeters
  • What an idiot

    "Clearly irked by a (demand) request from Kaminsky and others to avoid speculating on the details of the flaw until the patch is fully deployed, Flake (left) published a reliable method to forge and poison DNS lookups."

    Yes please show us your smart by posting the exact details of how this is done so kiddie hackers can try this out.
    You did none of the work associated with finding the exploit, and when it is announced, bash the guy who did. To top it off you say "Look, I know how it is done!" Awesome. Not.

    It is similar to being able to explain Einstein's Theory of Relativity. Once it's published anyone can do it, the real flash of genius is from being the person who discovers it.

    You're a follower not a leader, which is why you're an idiot, Halver Flake. Sabre Security's corporate name should be changed to Exploit's 'R' Us.
    halverisanidiot
    • And you are out of your element

      Halvar is for one, genius. He is one of the most well known figures in the security community.

      On top of that, you point out Halvar's biggest problem with how Dan handled this. You say:

      "It is similar to being able to explain Einstein's Theory of Relativity. Once it is published, anyone can do it, the real flash of genius is from being the person who discovers it."

      Yep, you are spot on with this. Which is exactly why Halvar posted details, I'm sure. If he could figure it out, he must know it is possible someone else has already figured it out. This is the problem. So, no one is patching cause there's no details, so Halvar goes and gets the details.

      Actually, for the record, Halvar is most definitely a leader, not a follower.

      -Nate
      nmcfeters
  • RE: Has Halvar figured out super-secret DNS vulnerability?

    Personally, I think both were off in their approach.

    I think that Halvar responded irresponsibly. If he thinks he discovered the flaw, he should have approached the vendors to confirm that it was being handled by the patch. If it wasn't, then give the vendors some lead time to get a new patch ready. I definitely think that, for all the good intentions he may have had, there was definitely some one-upmanship going on.

    I think Kaminsky took a more responsible approach initially by helping get the fix in place before it became widely known, but he may be guilty of a bit of showmanship by holding on to the secret longer than was necessary. I think that he should have released at least an overview of the problem at the same time as the patch was released.
    DigitalFrog
    • Excepting

      There are still unpatched servers out there, not to mention clients, and Kaminsky wants to give everybody time to patch. His announcement is on the 24th anyway.

      Flake has a different, and equally valid, viewpoint.
      seanferd
  • RE: Has Halvar figured out super-secret DNS vulnerability?

    Well, it could be that age is taking its toll on me, but I distinctly remember this vulnerability being talked about years ago. I mean, how many different ways are there to forge DNS referrals?
    hmoulding1
    • It is not the same

      You're talking about something that was discussed from a theoretical standpoint. Dan's attack combines several pieces of research, as well as new attack vectors, into one extremely reliable attack.

      -Nate
      nmcfeters
  • I would truly hate to be a Windows user right now.

    It'll be bad enough just working with the phishing sites.
    dayjm
    • Windows?

      This was a systemic DNS design issue, not a Windows issue.

      So in case you didn't understand the abstract, you can be happily surfing with Opera on Linux, and your DNS server could potentially send you to the wrong physical machine when you request a URL.
      croberts
      • Hahaha

        Don't even bother croberts. Some of the sheep will never understand that the wolves don't care what operating system they use.

        -Nate
        nmcfeters
      • Malware, Viruses, Spyware, etc. (NT)

        NT.
        dayjm
        • But nothing to do with this particular issue <nt>

          ?
          seanferd