[framework] Exploit for the DNS cache poisoning vulnerability...

Jarrod Frates jfrates.ml at gmail.com
Wed Jul 23 20:40:15 CDT 2008

On Wed, Jul 23, 2008 at 2:20 PM, H D Moore <hdm at metasploit.com> wrote:
> Woops:
> http://www.caughq.org/exploits/CAU-EX-2008-0002.txt
> _______________________________________________
> http://spool.metasploit.com/mailman/listinfo/framework

I've been pondering the effects of this vulnerability for much of the
day, and it keeps getting better and better for me (management thinks
it's worse and worse, especially with this module release, but therein
lies the difference between management and the trenches).

I've seen a couple of mailing lists that have pointed out that direct
DNS queries are not the only way to get this to work.  Purely internal
DNS servers that are hidden behind NATs or firewalls are protected to
some degree from this.  However, what about an XSS attack that runs
down a long list of domains, triggering lookups?  A loop that causes
it to periodically request a record from an attacker-controlled server
could provide needed input for an attacker to start sending spoofed
responses as well as predict source ports, if from a vulnerable
implementation, or else provide enough information to show that the
system is patched and therefore requires a slightly less elegant
solution.  Other suggestions included mail servers (send to
someone@aaaaaa.yahoo.com, someone@aaaaab.yahoo.com, etc.) or possibly
FTP servers that will perform server-to-server transfers (getting very
rare but still around).  These would be slower, but still possibly
effective, and possibly also more likely to fly in under the radar.

I'm also wondering about whether there's some way to force this attack
to affect lookups to TLDs, as owning an entire TLD presents some very
ominous possibilities.  Does the bailiwick mechanism compare only
against subdomains of TLDs, or might TLDs themselves also be subject
to this attack?

Jarrod Frates
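The "predict source ports" step above is the thing a defender can check for directly: look at the UDP source ports a resolver uses when it is lured into querying a server you control. The following is an added example written for this thread, not code from the original post or from Metasploit; the port sequences in it are constructed rather than captured, and the thresholds (90% of steps equal for "sequential", 90% distinct for "random") are an assumption, not a standard.

```python
"""Classify the UDP source ports a resolver uses for outbound queries.

Added example; it is not code from the original post or from Metasploit.
The port sequences at the bottom are constructed, not captured traffic.
Against a resolver with a fixed or sequential source port an attacker
only has to guess the 16-bit transaction ID, which is what makes a flood
of spoofed responses practical.
"""
from collections import Counter

PORT_SPACE = 65536


def classify_source_ports(ports):
    """Return 'fixed', 'sequential', 'random', 'predictable' or 'insufficient'.

    'sequential' means one small positive step accounts for at least 90%
    of the observed deltas (wraparound at 65536 is handled); 'random'
    means the ports are almost all distinct and no single step recurs.
    Anything in between is reported as 'predictable'.  The 90%/20%
    thresholds are assumptions chosen for this example.
    """
    if len(ports) < 8:
        return "insufficient"
    if len(set(ports)) == 1:
        return "fixed"
    deltas = [(b - a) % PORT_SPACE for a, b in zip(ports, ports[1:])]
    step, count = Counter(deltas).most_common(1)[0]
    if 0 < step <= 4 and count >= 0.9 * len(deltas):
        return "sequential"
    distinct_ratio = len(set(ports)) / len(ports)
    if distinct_ratio >= 0.9 and count <= 0.2 * len(deltas):
        return "random"
    return "predictable"


def predict_next_port(ports):
    """Port an attacker would target next, or None if no prediction holds."""
    kind = classify_source_ports(ports)
    if kind == "fixed":
        return ports[-1]
    if kind == "sequential":
        deltas = [(b - a) % PORT_SPACE for a, b in zip(ports, ports[1:])]
        step = Counter(deltas).most_common(1)[0][0]
        return (ports[-1] + step) % PORT_SPACE
    return None


# Constructed samples standing in for ports observed at the
# attacker-controlled authoritative server mentioned in the post.
FIXED = [32768] * 20
SEQUENTIAL = [65530, 65531, 65532, 65533, 65534, 65535, 0, 1, 2, 3,
              4, 5, 6, 7, 8, 9, 10, 11, 12, 13]
RANDOM = [51234, 8932, 60001, 17744, 33210, 4097, 49152, 22222, 59999,
          1025, 40500, 12345, 65000, 2048, 30000, 45678, 9999, 58001,
          27000, 39000]

if __name__ == "__main__":
    for label, sample in (("fixed", FIXED), ("sequential", SEQUENTIAL),
                          ("random", RANDOM)):
        print(label, classify_source_ports(sample), predict_next_port(sample))
```

A "fixed" or "sequential" verdict means the resolver is unpatched in the sense the post describes: the spoofer only has to win the transaction ID. A "random" verdict is what a patched resolver should produce, and it is also the signal that the attacker would have to fall back on the "slightly less elegant solution" the post alludes to.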

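On the bailiwick question, the rule as commonly implemented is relative to the zone of the server whose response is being forged, not to TLDs as such: a resolver caches authority/additional records only if their owner name is at or below that zone. The following is an added example, not code from the original post or from any resolver, modelling that rule in simplified form (an assumption: real resolvers layer further credibility rules on top of it); the forged response and the names in it are constructed.

```python
"""Bailiwick check applied to a spoofed DNS response.

Added example, not code from the original post or from any resolver.
It models the common bailiwick rule in simplified form (an assumption:
real resolvers layer further credibility rules on top of this): a record
in the authority or additional section is cached only if its owner name
is at or below the zone the queried server is authoritative for.
"""


def in_bailiwick(owner, zone):
    """True if `owner` is `zone` itself or a name below it ("" / "." is the root)."""
    owner = owner.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    if zone == "":
        return True
    return owner == zone or owner.endswith("." + zone)


def filter_response(zone, records):
    """Split (owner, rtype, rdata) records into (accepted, rejected)."""
    accepted, rejected = [], []
    for rec in records:
        (accepted if in_bailiwick(rec[0], zone) else rejected).append(rec)
    return accepted, rejected


# Constructed forged response to a query for aaaaa.example.com: besides the
# expected referral it smuggles in records for another domain and for the
# TLD itself (evil-tld.example. is a made-up name).
FORGED = [
    ("example.com.", "NS", "ns1.example.com."),
    ("ns1.example.com.", "A", "192.0.2.1"),
    ("www.yahoo.com.", "A", "192.0.2.66"),
    ("com.", "NS", "evil-tld.example."),
]

if __name__ == "__main__":
    # Claiming to be an example.com server: only example.com data survives.
    print(filter_response("example.com.", FORGED))
    # Claiming to be a .com server: the TLD apex record is in bailiwick.
    print(filter_response("com.", FORGED))
    # Claiming to be a root server: everything is in bailiwick.
    print(filter_response(".", FORGED))
```

Run against the same forged response, the three cases show what the check actually compares against: a spoofed example.com server cannot push data for yahoo.com or for com, a spoofed .com server can push an NS record for com itself, and the root zone contains everything. So records for a TLD are not out of reach by construction; they are only out of bailiwick for responses that claim to come from servers below that TLD.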