DNS


Evilgrade Attacks Automatic Updates

Last week I wrote about the DNS cache poisoning vulnerability that affects nearly all vendors' DNS implementations.  If you haven't patched your servers yet, now would be a good time to do so.  On Monday a security research group in Argentina called Infobyte released a toolkit that uses DNS cache poisoning to fool automatic update utilities into connecting to a fake update server, which feeds them malicious code in place of the vendor's update.  The aptly named Evilgrade contains modules that mimic the update servers of popular applications such as iTunes, Java, Mac OS X, WinZip and many others.  And if that isn't enough, it does not depend on the DNS bug alone: any attack that lets the hacker redirect the victim's traffic, such as ARP or DHCP spoofing, works just as well.

When using DNS cache poisoning as an attack vector, Evilgrade starts by injecting bogus DNS information into the cache of a vulnerable name server so that the victim's machine resolves the vendor's update host to a server of the hacker's choosing.  Next, when an application like iTunes checks for updates, either automatically or manually, it connects not to Apple's update server but to the hacker's, which hands it malicious software dressed up as the vendor's update.  The trick works because these updaters trust whatever the update host name resolves to and do not verify who actually produced the code they download.  Nice.  Not only does the machine miss the update it expects, it gets compromised to boot.
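To make the last point concrete, here is an added example (not code from the original post, and not part of Evilgrade) with two toy update clients looking at the same poisoned network: the vendor's update host name now resolves to the attacker, who answers the update check with a malicious package.  The naive client installs whatever arrives; the hardened client installs only a package whose vendor signature verifies against a public key pinned in the client, which DNS redirection alone cannot forge.  A Lamport one-time signature stands in for the vendor's real signing scheme because it needs nothing beyond hashlib; the host name, the addresses and the package bytes are constructed for the demonstration.

```python
"""Why Evilgrade works against some updaters and not others (added example).

A Lamport one-time signature stands in for a real vendor signing scheme
(RSA/ECDSA/Ed25519); the network, host name and payloads are constructed.
"""
import hashlib
import secrets

VENDOR_HOST = "update.vendor.example"   # hypothetical vendor update host
VENDOR_IP = "198.51.100.10"             # hypothetical, RFC 5737 documentation range
ATTACKER_IP = "203.0.113.66"            # hypothetical, RFC 5737 documentation range


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """256 message bits x 2 values, each a fresh 32-byte secret.
    ONE-TIME: signing two different messages with one key leaks it."""
    priv = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pub = [[sha256(s0), sha256(s1)] for s0, s1 in priv]
    return priv, pub


def _bit(digest: bytes, i: int) -> int:
    """i-th most significant bit of a 32-byte digest."""
    return (digest[i // 8] >> (7 - i % 8)) & 1


def lamport_sign(priv, message: bytes) -> list:
    """Reveal, for each bit of H(message), the secret matching that bit."""
    digest = sha256(message)
    return [priv[i][_bit(digest, i)] for i in range(256)]


def lamport_verify(pub, message: bytes, sig) -> bool:
    """Hash each revealed secret and compare with the pinned public key."""
    if len(sig) != 256:
        return False
    digest = sha256(message)
    return all(sha256(sig[i]) == pub[i][_bit(digest, i)] for i in range(256))


class Network:
    """The victim's view of the network.  With poisoned=True the vendor's
    host name resolves to the attacker, who serves `served` to every client."""

    def __init__(self, served, poisoned: bool):
        self.served = served            # (package_bytes, signature or None)
        self.poisoned = poisoned

    def resolve(self, name: str) -> str:
        return ATTACKER_IP if self.poisoned else VENDOR_IP

    def fetch_update(self, name: str):
        self.resolve(name)              # neither client can tell the two apart here
        return self.served


def naive_update(net: Network):
    """Updater with no authentication: trusts that DNS led it to the vendor."""
    package, _sig = net.fetch_update(VENDOR_HOST)
    return package                      # 'installed' as received


def verifying_update(net: Network, pinned_pub):
    """Updater that refuses anything not signed by the vendor's pinned key."""
    package, sig = net.fetch_update(VENDOR_HOST)
    if sig is None or not lamport_verify(pinned_pub, package, sig):
        return None                     # install refused
    return package


def demo():
    """Run both clients against an honest and a poisoned network."""
    vendor_priv, vendor_pub = lamport_keygen()  # vendor_pub is pinned in the shipped client
    attacker_priv, _ = lamport_keygen()         # attacker can sign, but not as the vendor
    genuine = b"vendor update v2.0 (constructed sample payload)"
    malicious = b"attacker payload (constructed sample)"
    honest = Network((genuine, lamport_sign(vendor_priv, genuine)), poisoned=False)
    poisoned = Network((malicious, lamport_sign(attacker_priv, malicious)), poisoned=True)
    return {
        "naive_honest": naive_update(honest),
        "naive_poisoned": naive_update(poisoned),                       # attacker code installed
        "verifying_honest": verifying_update(honest, vendor_pub),
        "verifying_poisoned": verifying_update(poisoned, vendor_pub),   # None: refused
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {'REFUSED' if result is None else result.decode()}")
```

The attacker in this model is allowed his own key pair; what he lacks is the vendor's private key, so redirecting the client does him no good unless the client, like the ones Evilgrade targets, never checks a signature in the first place.  A real updater would also pin or validate the TLS certificate of the update host, which the same redirection cannot satisfy.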

Given that two-thirds of the vulnerable DNS servers on the Internet have yet to be patched, this tool gives the bad guys an easy way to infect computers.  And since most of us rely on name servers run by our ISP, there is little we can do to protect ourselves if those servers are vulnerable, short of pointing our machines at a resolver we know has been patched.  Let's all hope this lights a fire under the collective bottoms of DNS server administrators to get this problem resolved.

The DNS Mess

This week the details of a major vulnerability in the software that runs the Domain Name System (DNS) were released to the public, only a couple of weeks after software vendors released patches for it.  The bug affects virtually every vendor's DNS implementation, including Microsoft, Cisco and ISC, to name just a few.  The details have been discussed in many places, but the long and short of it is that any DNS server that answers recursive queries (which most of them do) is subject to a cache poisoning attack.

Whenever a DNS server receives a request to resolve a host name for a client and does not have the answer cached, it asks a root name server, which refers it to the servers for the top-level domain (.com, say), which in turn refer it to the name server that is authoritative for the domain being requested.  The DNS server then queries that authoritative name server for the address of the host being requested (e.g. www.infosecstuff.com).  Finally, it remembers (caches) what it learned for a period of time in case it is requested again.

The vulnerability lets an attacker trigger many requests to a recursive name server for names in the domain he is targeting and, for each one, flood the server with forged responses that appear to come from the name server it is waiting on.  DNS runs over UDP, and the only thing tying a response to a request in an unpatched resolver is a 16-bit transaction ID, so a few hundred guesses per request give the attacker a real chance; by asking for a different random name each time he gets a fresh chance with every request instead of waiting for a cached answer to expire.  A forged response that wins the race names the attacker's own server as authoritative for the whole domain, and the poisoned server then unwittingly hands that bogus information to clients asking for any host in the domain.  The patches do not change the protocol; they randomize the UDP source port of every outgoing query, so the attacker has roughly 32 bits to guess instead of 16.

What is the practical effect of this vulnerability?  An attacker could convince an ISP's name server, for example, that the authoritative DNS server for bigbank.com is the attacker's machine rather than bigbank.com's real name server.  Then when you try to log in to your bank at www.bigbank.com, you are sent to the hacker's fake bank site (which looks just like www.bigbank.com), where you happily hand over your account credentials.  You can guess what happens next.
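The race described above, worked through as an added example (not code from the original post): a toy recursive resolver that accepts a reply if it matches the outstanding 16-bit transaction ID, and optionally a randomized source port as well, as the patches added, against an attacker who asks for a fresh random name under bigbank.com each round and races the genuine reply with a burst of forgeries whose authority section names his own server for the whole zone.  The zone's real name server, the attacker's server name and the burst size of 200 are assumptions; the analytic helpers show what the patch buys, namely 65536 times as many rounds expected for the same burst.

```python
"""Toy model of the 2008 DNS cache-poisoning race (added example).

Zone and server names and the burst size are assumptions for the demo;
the 16-bit transaction ID and ~16 extra bits from source-port
randomization are the real numbers.
"""
import math
import random
from dataclasses import dataclass, field

TXID_BITS = 16                      # DNS transaction ID: always 16 bits
PORT_BITS = 16                      # extra entropy from source-port randomization (patched)
ZONE = "bigbank.com"                # target zone from the post
GENUINE_NS = "ns1.bigbank.com"      # assumed real name server
EVIL_NS = "ns.attacker.invalid"     # assumed attacker name server


def per_query_success(burst: int, entropy_bits: int) -> float:
    """Chance that one burst of `burst` distinct forgeries wins one race."""
    space = 1 << entropy_bits
    return min(burst, space) / space


def expected_rounds(burst: int, entropy_bits: int) -> float:
    """Expected number of races until the first successful poisoning."""
    return 1.0 / per_query_success(burst, entropy_bits)


def rounds_for_confidence(burst: int, entropy_bits: int, confidence: float) -> int:
    """Races needed for the attacker to have won with probability `confidence`."""
    p = per_query_success(burst, entropy_bits)
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


@dataclass
class ToyResolver:
    """Recursive resolver whose only anti-spoofing check is matching the
    transaction ID (plus the source port when `randomize_port` is set)."""
    rng: random.Random
    randomize_port: bool
    cache: dict = field(default_factory=dict)

    @property
    def entropy_bits(self) -> int:
        return TXID_BITS + (PORT_BITS if self.randomize_port else 0)

    def race(self, qname: str, burst: int) -> bool:
        """One lookup of `qname`.  The attacker's forgeries arrive before the
        genuine reply; one that matches the secret is accepted and cached."""
        secret = self.rng.getrandbits(self.entropy_bits)          # txid (+ port)
        forgeries = self.rng.sample(range(1 << self.entropy_bits), burst)
        if secret in forgeries:
            # Forged authority section: in-bailiwick NS for the whole zone,
            # so one win redirects every name under it, not just qname.
            self.cache[ZONE] = {"NS": EVIL_NS}
            return True
        # Genuine reply: caches only the random name (NXDOMAIN) and the real
        # NS, so nothing blocks the attacker from trying a new random name.
        self.cache[qname] = {"NXDOMAIN": True}
        self.cache.setdefault(ZONE, {"NS": GENUINE_NS})
        return False


def poison(resolver: ToyResolver, burst: int, max_rounds: int):
    """Kaminsky trick: a fresh random subname per round.  Returns the round
    on which the zone was poisoned, or None if the attacker gave up."""
    for round_no in range(1, max_rounds + 1):
        qname = f"{resolver.rng.getrandbits(32):08x}.{ZONE}"
        if resolver.race(qname, burst):
            return round_no
    return None


def attack(seed: int, randomize_port: bool, burst: int = 200, max_rounds: int = 5000):
    """Full attack on a freshly seeded toy resolver; returns (rounds, resolver)."""
    resolver = ToyResolver(random.Random(seed), randomize_port)
    return poison(resolver, burst, max_rounds), resolver


if __name__ == "__main__":
    for bits in (TXID_BITS, TXID_BITS + PORT_BITS):
        print(f"{bits}-bit secret, burst 200: ~{expected_rounds(200, bits):,.0f} rounds expected, "
              f"{rounds_for_confidence(200, bits, 0.5):,} for a coin-flip chance")
    for patched in (False, True):
        rounds, r = attack(seed=2008, randomize_port=patched)
        print(f"patched={patched}: poisoned after {rounds} rounds, "
              f"cached NS for {ZONE} -> {r.cache[ZONE]['NS']}")
```

The model is generous to the attacker in one way (every burst lands before the genuine reply, which in practice ends the race) and stingy in another (a real burst is bounded by bandwidth, not by a fixed count), but the ratio is what matters: with the same burst, an unpatched resolver falls in a few hundred rounds while a patched one needs tens of millions, which is why the patch was worth rushing out even though the protocol itself is unchanged.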

There is not much that home users can do to protect themselves.  This is a problem for system and network administrators.  Fortunately, patches are available.  If you are responsible for a DNS server, install the patch immediately.  If you manage the IT staff at a company, make sure they have a plan to install the patch.  This is one you don’t want to put on the back burner.

Copyright © 2011 InfoSecStuff.com — All Rights Reserved