Attack code released for Kaminsky DNS flaw

Security vendor Websense says IT pros will have their work cut out following the release of exploit code for a DNS flaw that affects multiple vendors

Attack code has been released for a DNS flaw discovered by security researcher Dan Kaminsky.

The attack code has been added to the penetration-testing tool Metasploit by its creator, HD Moore, and researcher 'Druid', and was published on Wednesday.

"This exploit targets a fairly ubiquitous flaw in DNS implementations which allows the insertion of malicious DNS records into the cache of the target nameserver," the Metasploit description states.

The exploit enables a hacker to cache a malicious host entry into the target nameserver by sending random sub-domain queries to the target DNS server, coupled with spoofed replies to those queries, which have specific parts of the data packet poisoned: the authority and additional records sections.

Eventually, one of the random sub-domain queries will match, and the spoofed packet will get accepted. The malicious host entry will then get cached, due to 'bailiwick constraints', in which resolvers check they are not caching any new address for any website in any one transaction. Up until now, bailiwick constraints were a security safeguard designed to stop a certain kind of DNS poisoning: RRset poisoning.

The exploit uses a similar method to a speculative hypothesis made by researcher Halvar Flake on Monday.

Flake's proposed method starts with hackers sending "floods" of faked requests to a nameserver, which converts text domain names into numeric IP addresses. The attacker sets up a web page with tags that point to a compromised nameserver. When a user visits that web page, the browser will try to resolve to a legitimate nameserver.

However, that bona fide nameserver will then resolve the browser query to the compromised nameserver, with a specific part of the data packet poisoned. This will then poison the bona fide nameserver, and anyone who visits it from then on will unwittingly be pointed to a malicious site.

Security vendor Websense said the flaw and published exploit code amounted to a "significant event".

"IT professionals will have their work cut out," said Carl Leonard, Websense's European security research manager. "Metasploit is widely used by malware authors."

Kaminsky's flaw has been the subject of speculation, as the researcher has not yet given out technical details, preferring instead to work with affected vendors. Kaminsky will reveal details at the Black Hat security conference in Las Vegas in August.

Leonard said Flake's hypothesis about the DNS flaw could potentially be correct, especially as exploit code has now appeared which works along the same principles.

"[Flake's hypothesis] certainly does seem plausible," said Leonard. "Everyone is geared up to see what Kaminsky has to say."

The DNS flaw caused multiple vendors to issue patches earlier this month. Websense recommended that IT professionals make sure that any affected products have been patched, that suitable workarounds have been put in place, or that service providers have taken appropriate action.