Re: [9fans] dns exploits (self-promotion remix)

9fans - fans of the OS Plan 9 from Bell Labs
 help / color / mirror / Atom feed

From: erik quanstrom <quanstro@quanstro.net>
To: 9fans@9fans.net
Subject: Re: [9fans] dns exploits (self-promotion remix)
Date: Sun, 27 Jul 2008 21:16:45 -0400	[thread overview]
Message-ID: <9a26ecb5639631b7d346a52c0c8e849d@quanstro.net> (raw)
In-Reply-To: <488CF492.70207@gmail.com>

> The exploit doesn't simply rely on the 16bit dns XID.
> Rather, it's reliant on the fact that bind servers
> (and some others) send requests from a static port.
> Obviously, if you control a DNS server or you can
> sniff the target DNS server's path, you can figure
> this out.
>
> The second part to the trick is wildcarding in DNS.
> I can make a large number of invalid queries to your
> DNS server if it allows recursing. Each query will
> be something like aaa.paypal.com, bbb.paypal.com, etc.
> Obviously, because I know your source port (or can
> figure it out) it's only a matter of time before I
> can spoof a response. So, you'll end up with a wacky
> A entry for somerand.paypal.com. The neat trick here
> is that I can also attach a NS record in the spoofed
> response and set the TTL very high for this entry.
> Now your DNS server will query my malicious DNS server
> for everything under paypal.com.
>
> So, yes, plan9 is vulnerable.

i don't understand this
1.  plan 9 never used a static source port for queries,
and more importantly

2.  who does recursive queries on external interfaces?
i would have considerd this a configuration error and
security problem ten years ago.

- erik

next prev parent reply	other threads:[~2008-07-28  1:16 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <261342.6156.qm@web27004.mail.ukl.yahoo.com>
2008-07-27 13:18 ` erik quanstrom
2008-07-27 15:56   ` Russ Cox
2008-07-27 15:57     ` erik quanstrom
2008-07-27 16:19       ` Russ Cox
2008-07-27 22:20         ` don bailey
2008-07-28  1:16           ` erik quanstrom [this message]
2008-07-28  2:53             ` a
2008-07-28  2:57             ` don bailey
2008-07-28  3:48               ` erik quanstrom
2008-07-28 20:53                 ` Wes Kussmaul
2008-07-27 22:22     ` don bailey

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=9a26ecb5639631b7d346a52c0c8e849d@quanstro.net \
    --to=quanstro@quanstro.net \
    --cc=9fans@9fans.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).