shift or die

security. photography. foobar.

The(?) DNS Bug

So, it’s out. Apparently, Halvar got pretty close and Matasano accidentally posted the whole thing on their blog — d’oh.

So, as hiding it now is definitely too late, I guess the »no speculation rule« is off the table as well. Here are some random thoughts of mine:

This is huge. It is pretty easy to exploit, so I wonder how stable DNS will be within the next few days (at work, I use a T-Mobile hotspot which apparently messes transparently with my DNS traffic, so dnscache refuses to work, thus I am vulnerable even though I could help it by running a local dnscache — bummer).

Lutz Donnerhacke keeps saying on the Heise forums that this is not Dan’s original exploit (which he claims to know, and I believe him), so I wonder whether this is something completely new or whether it’s just a variant on Dan’s exploit. On the »this is it« side is the testing of $random.toorrr.com, which closely matches the exploit scenario. Also, Dan has been looking at random subdomains of domains in the web context, which apparently with some providers don’t return NXDOMAIN but a provider specific page (this has the “nice” implication that if it can be exploited, the cookies for $domain are in danger even though the website that is compromised is not made by the real owner of $domain).

I would guess that there are some more tricks to it, as Dan returns ::1 on AAAA queries with his (obviously custom) nameserver, so I doubt this is by accident but serves some kind of purpose. Also, all of the advisories mention the birthday paradox which has not come into play with this exploit (yet) - this is just iterative guessing, but there is no such thing as having multiple outstanding queries for the same RR or so. Furthermore, Thomas Ptacek set pretty high expectations on when he would be impressed, and apparently he was …

This exploit would be particularly easy/fast if you could generate the spoofed responses at the requesting client as well, anyone knows if this is remotely possible using Flash, Java, or some other browser-based client stuff?

Well, interesting times to be a security researcher …