OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: [Full-disclosure] Re : CAU-EX-2008-0002: Kaminsky DNS Cache Poisoning Flaw Exploit

From: H D Moore (fdlistdigitaloffense.net)
Date: Fri Jul 25 2008 - 14:38:20 CDT


On Friday 25 July 2008, tixxDZ wrote:
> I do not want to offend anyone (Metasploit people), this is a simple
> joke: can you share with us all the logs of the vulnerable servers ?
> ;) , the exploit will use the Metasploit service to verify
> exploitability. ex checking my Opendns:

The exploit needs a service to determine the source port used by the
target name server. The 'check' command will do this and could probably
use a better warning about information disclosure. The exploit itself
will also query the Metasploit service if you set SRCPORT to 0. While
this means we *could* capture a list of vulnerable nameservers which
query this service, honestly we don't care and aren't logging it. There
are much more effective ways to scan for exploitable cache servers :-)

The source code for the helper service is also a Metasploit module and can
be found under modules/auxiliary/server/dns/spoofhelper.rb

If you want to use your own server for this, just change
*.red.metasploit.com to be a domain handled by your own copy of the
spoofhelper module. In the future, we will add an option to specify a the
nameserver used for this check.

To clarify:

 - Nothing is sent to metasploit.com unless SRCPORT is manually set to '0'
or the check command is run (non-standard for aux modules).

 - The only information we receive is the IP and source port of the tested
nameserver. No information is sent about the user's system or their own
IP address.

 - Even though this information could be logged and sorted and whatnot, we
honestly don't care and just added it as a convenience feature. We dont
keep records of the queries hitting the server and have no plans to start
doing so.

 - If you don't like it, don't run 'check' and don't set SRCPORT to '0'
for automatic mode. It won't hurt our feelings and you are free to modify
the module to point at your own helper service.

Cheers,

-HD

PS. You can use the service outside of the module to check various
servers. For example:

while true; do dig +short -t TXT `date +%s`.red.metasploit.com 4.2.2.3;
sleep 1; done
"209.244.4.227:33165 1217014609.red.metasploit.com"
"209.244.4.227:32728 1217014610.red.metasploit.com"
"209.244.4.227:29607 1217014611.red.metasploit.com"
"209.244.4.227:28032 1217014612.red.metasploit.com"
"209.244.4.227:25992 1217014613.red.metasploit.com"
"209.244.4.227:31301 1217014614.red.metasploit.com"
"209.244.4.227:22884 1217014615.red.metasploit.com"
"209.244.4.227:33722 1217014616.red.metasploit.com"

^- changing ports means the box is patched.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/