From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <9a26ecb5639631b7d346a52c0c8e849d@quanstro.net>
To: 9fans@9fans.net
From: erik quanstrom
Date: Sun, 27 Jul 2008 21:16:45 -0400
In-Reply-To: <488CF492.70207@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: Re: [9fans] dns exploits (self-promotion remix)
Topicbox-Message-UUID: f2b550d0-ead3-11e9-9d60-3106f5b1d025

> The exploit doesn't simply rely on the 16bit dns XID.
> Rather, it's reliant on the fact that bind servers
> (and some others) send requests from a static port.
> Obviously, if you control a DNS server or you can
> sniff the target DNS server's path, you can figure
> this out.
>
> The second part to the trick is wildcarding in DNS.
> I can make a large number of invalid queries to your
> DNS server if it allows recursing. Each query will
> be something like aaa.paypal.com, bbb.paypal.com, etc.
> Obviously, because I know your source port (or can
> figure it out) it's only a matter of time before I
> can spoof a response. So, you'll end up with a wacky
> A entry for somerand.paypal.com. The neat trick here
> is that I can also attach a NS record in the spoofed
> response and set the TTL very high for this entry.
> Now your DNS server will query my malicious DNS server
> for everything under paypal.com.
>
> So, yes, plan9 is vulnerable.

i don't understand this

1. plan 9 never used a static source port for queries, and more importantly
2. who does recursive queries on external interfaces? i would have considered this a configuration error and security problem ten years ago.

- erik
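As an added illustration, not part of the thread, here is a small resolver-log detector for the two conditions the exchange turns on: recursion being served to clients on the external interface (erik's point 2), and a burst of distinct random-label queries under one zone from a single client, the pattern the quoted description depends on. The log format and the sample lines are constructed for this example.

```python
"""Detect open recursion and random-subdomain query bursts in resolver logs.

Assumed, constructed log format (one query per line):
    <timestamp> <client_ip> <iface> <rd|nrd> <qname>
where iface is 'ext' (external interface) or 'int', and 'rd' means the
client asked for recursion.
"""
from collections import defaultdict

# Constructed sample: five different names under one zone from one external
# client in under a second, plus two benign queries.
SAMPLE_LOG = """\
1.0 203.0.113.7 ext rd aaa.paypal.com
1.2 203.0.113.7 ext rd bbb.paypal.com
1.4 203.0.113.7 ext rd ccc.paypal.com
1.6 203.0.113.7 ext rd ddd.paypal.com
1.8 203.0.113.7 ext rd eee.paypal.com
2.0 10.1.2.3 int rd www.example.com
2.5 198.51.100.9 ext nrd mail.example.org
""".splitlines()


def parse_line(line):
    ts, client, iface, rd, qname = line.split()
    return {"ts": float(ts), "client": client, "iface": iface,
            "rd": rd == "rd", "qname": qname.lower().rstrip(".")}


def parent_zone(qname, depth=2):
    """'aaa.paypal.com' -> 'paypal.com' (depth = labels kept from the right)."""
    return ".".join(qname.split(".")[-depth:])


def analyze(lines, burst_threshold=5, window=10.0):
    """Return a list of findings as tuples; empty list means nothing flagged."""
    findings = []
    per_zone = defaultdict(list)  # (client, zone) -> [(ts, qname)]
    for rec in map(parse_line, lines):
        # Recursion requested by a client arriving on the external interface.
        if rec["rd"] and rec["iface"] == "ext":
            findings.append(("open-recursion", rec["client"], rec["qname"]))
        per_zone[(rec["client"], parent_zone(rec["qname"]))].append(
            (rec["ts"], rec["qname"]))
    for (client, zone), qs in per_zone.items():
        qs.sort()
        distinct = {name for _, name in qs}
        # Many distinct names under one zone from one client in a short span.
        if len(distinct) >= burst_threshold and qs[-1][0] - qs[0][0] <= window:
            findings.append(("subdomain-burst", client, zone, len(distinct)))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```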