From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <488CF492.70207@gmail.com>
Date: Sun, 27 Jul 2008 16:20:02 -0600
From: don bailey
User-Agent: Thunderbird 2.0.0.14 (X11/20080421)
MIME-Version: 1.0
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
References: <20080727161735.B8D881E8C1C@holo.morphisms.net>
In-Reply-To: <20080727161735.B8D881E8C1C@holo.morphisms.net>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [9fans] dns exploits (self-promotion remix)
Topicbox-Message-UUID: f29adba6-ead3-11e9-9d60-3106f5b1d025

The exploit doesn't simply rely on the 16-bit DNS XID. Rather, it relies on the fact that BIND servers (and some others) send requests from a static port. Obviously, if you control a DNS server or you can sniff the target DNS server's path, you can figure this out.

The second part to the trick is wildcarding in DNS. I can make a large number of invalid queries to your DNS server if it allows recursion. Each query will be something like aaa.paypal.com, bbb.paypal.com, etc. Obviously, because I know your source port (or can figure it out), it's only a matter of time before I can spoof a response. So, you'll end up with a wacky A entry for somerand.paypal.com.

The neat trick here is that I can also attach an NS record in the spoofed response and set the TTL very high for this entry. Now your DNS server will query my malicious DNS server for everything under paypal.com.

So, yes, plan9 is vulnerable.

D
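The precondition the post describes (a resolver that sends every query from one predictable source port, leaving only the 16-bit XID to guess) can be checked from the resolver's own outbound traffic. This is an added example, not code from the original post or from Plan 9; the two query samples are constructed, and the `assess` function and its field names are hypothetical.

```python
"""Estimate how predictable a resolver's outbound DNS queries are.

Each record is (timestamp, source_port, xid, qname) as a defender would
capture on the resolver's uplink. A single source port means an off-path
spoofer only has to cover the 16-bit XID space; every extra bit of port
entropy multiplies the responses a spoofer must send by two.
"""
import math
from collections import Counter

# Constructed sample: a resolver that always queries from port 53.
STATIC_PORT_SAMPLE = [
    (1.00, 53, 0x1A2B, "aaa.example.com."),
    (1.01, 53, 0x1A2C, "bbb.example.com."),
    (1.02, 53, 0x1A2D, "ccc.example.com."),
    (1.03, 53, 0x1A2E, "ddd.example.com."),
    (1.04, 53, 0x1A2F, "eee.example.com."),
    (1.05, 53, 0x1A30, "fff.example.com."),
]

# Constructed sample: a resolver that randomises its source port.
RANDOM_PORT_SAMPLE = [
    (1.00, 41233, 0x9F10, "aaa.example.com."),
    (1.01, 55871, 0x0C42, "bbb.example.com."),
    (1.02, 60219, 0xE3A7, "ccc.example.com."),
    (1.03, 33904, 0x51B8, "ddd.example.com."),
    (1.04, 48650, 0x7D03, "eee.example.com."),
    (1.05, 52017, 0xB6E9, "fff.example.com."),
]


def assess(queries):
    """Return port/XID statistics and the bits a spoofer must guess.

    The port entropy is a lower bound taken from the distinct ports seen,
    so a short capture of a randomising resolver will understate it.
    """
    ports = Counter(port for _, port, _, _ in queries)
    xids = [xid for _, _, xid, _ in queries]
    distinct_ports = len(ports)
    port_bits = math.log2(distinct_ports) if distinct_ports else 0.0
    return {
        "distinct_ports": distinct_ports,
        "static_port": distinct_ports == 1,
        # Consecutive XIDs are a second weakness: they can be predicted.
        "sequential_xids": all(b - a == 1 for a, b in zip(xids, xids[1:])),
        "search_space_bits": round(16 + port_bits, 2),
    }
```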