9fans - fans of the OS Plan 9 from Bell Labs
From: don bailey <don.bailey@gmail.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] dns exploits (self-promotion remix)
Date: Sun, 27 Jul 2008 16:20:02 -0600
Message-ID: <488CF492.70207@gmail.com>
In-Reply-To: <20080727161735.B8D881E8C1C@holo.morphisms.net>

The exploit doesn't simply rely on the 16-bit DNS XID.
Rather, it's reliant on the fact that bind servers
(and some others) send requests from a static port.
Obviously, if you control a DNS server or you can
sniff the target DNS server's path, you can figure
this out.

The second part to the trick is wildcarding in DNS.
I can make a large number of invalid queries to your
DNS server if it allows recursing. Each query will
be something like aaa.paypal.com, bbb.paypal.com, etc.
Obviously, because I know your source port (or can
figure it out) it's only a matter of time before I
can spoof a response. So, you'll end up with a wacky
A entry for somerand.paypal.com. The neat trick here
is that I can also attach an NS record in the spoofed
response and set the TTL very high for this entry.
Now your DNS server will query my malicious DNS server
for everything under paypal.com.

So, yes, plan9 is vulnerable.

D
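A defender-side illustration of the pattern described in the message above, added here as an example and not part of the original post or of Plan 9's own code: it scans a resolver query log for a client asking for many distinct never-seen labels under one zone (the aaa.paypal.com, bbb.paypal.com burst that precedes the spoofed answer). The log format, the sample lines and the "parent zone = last two labels" heuristic are all constructed assumptions for this example.

```python
from collections import defaultdict

# Constructed sample resolver query log: "<epoch> <client_ip> <qname> <qtype>".
# 203.0.113.9 issues six distinct random labels under paypal.com within a few
# seconds (the aaa/bbb pattern); 198.51.100.7 is an ordinary client.
SAMPLE_LOG = [
    "1217190000 198.51.100.7 www.example.com A",
    "1217190001 198.51.100.7 mail.example.com MX",
] + [f"12171900{i:02d} 203.0.113.9 {lbl}.paypal.com A"
     for i, lbl in enumerate("aaa aab aac aad aae aaf".split())] + [
    "1217190500 203.0.113.9 zzz.paypal.com A",   # far outside the window
]

def parse_line(line):
    ts, client, qname, qtype = line.split()
    return int(ts), client, qname.lower().rstrip("."), qtype

def parent_zone(qname):
    # Assumption: the zone being probed is the last two labels. Production
    # code should consult the Public Suffix List (co.uk and friends) instead.
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) > 2 else None

def find_subdomain_bursts(lines, window=10, threshold=5):
    """Return {(client, zone): n} for every client that asked for at least
    `threshold` distinct names under one zone within `window` seconds."""
    events = defaultdict(list)               # (client, zone) -> [(ts, qname)]
    for line in lines:
        ts, client, qname, _ = parse_line(line)
        zone = parent_zone(qname)
        if zone is None:                     # query for the apex, not a probe
            continue
        events[(client, zone)].append((ts, qname))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        start, best = 0, 0
        for end in range(len(evs)):          # sliding window over timestamps
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({q for _, q in evs[start:end + 1]}))
        if best >= threshold:
            alerts[key] = best
    return alerts

if __name__ == "__main__":
    for (client, zone), n in find_subdomain_bursts(SAMPLE_LOG).items():
        print(f"{client}: {n} distinct names under {zone} within 10s")
```

A burst alone is not proof of poisoning, but it is the cheap signal to correlate with responses whose XID or source port does not match an outstanding query.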