|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Dave Aitel (dave
immunityinc.com)
Date: Sat Jul 12 2008 - 12:38:35 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I have to wonder about a strategy that implies that Paul Vixie is not
owned by lots of different people.
Anyways here is my guess of the day.
There's 4 things that DNS checks, two of which are random in the
"immune" djbdns code. One is the TXID (16 bits) and one is the source
port. Assuming the "fix" for broken implementations is to randomize the
source port, this means the TXID must be easily guessed. Amit's paper
talks a bit about doing this sort of thing, but doesn't come into "easy"
range.
So here's what I think the exploit is, which is a slightly advanced
method of some of Amit's stuff. I'm not a DNS (or crypto, for that
matter) expert, so feel free to fill me in on where I'm missing stuff.
1. You can use the TTL to find out when to do your spoofing.
2. Use your own DNS to respond to some requests setting TTL=0 to get a
long list of TXIDs from the resolver.
3. Map this list of TXIDs into an internal RNG state using a rainbow
table. This lets you predict the next set of TXID's with just a hash lookup.
4. Make a request for mail.google.com and send your spoofed packets to
infect the cache.
- -dave
P.S.: Kudos to the thousand people who posted about MOV RAX, RAX.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD4DBQFIeOwatehAhL0gheoRArf2AJUWsIr+YtCUeNtkglCenHegFqB7AJ4pXm5z
M8td0TvVvWmrxHWN52NNSQ==
=vtaV
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]