Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

DNS Vulns - Spoofing and Memory Corruption - 369

jsof, posted 5 years ago
  • The classic DNS spoofing attack is back! In a particular DNS implementation, there are several issues. As a brief history, DNS is how a domain (google.com) gets turned into an IP address. The process for this is unauthenticated and over UDP, which creates issues.
  • To resolve a domain, the DNS server asks another server whether it knows the answer. A callback ID (the TXID) is sent with the request and the server waits for a reply. This repeats up the chain until some server knows the domain. The major issue with this (discovered by Kaminsky in 2008) is that if someone knows the callback ID, they can spoof the response.
  • DNS is broken by itself. At this point, the implementations are putting a band-aid on it to keep the internet working. To make this attack infeasible, a bunch of randomization is added, such as a larger callback ID, randomized source ports and other things. Breaking the randomness makes it feasible to launch the original attack again.
  • The first issue is that the random ID of a UDP packet is 26 bits instead of 32. Although this is not brute-forceable by itself, it removes some of the randomness.
  • The second issue has to do with verifying that a response belongs to the proper request. It has to carry a proper challenge-response and a proper ID. To validate this, a hash is taken over the values. The issue stems from the fact that the hashing algorithm is not cryptographically secure (CRC32), which makes it possible to guess these values and return the wrong answer for a domain name.
  • An additional bug is that multiple outstanding requests for the same domain name can be used. When this is done, ANY valid response will be accepted for any of them. Practically, this means that an attacker only needs to guess any one of the ports and any one of the TXIDs right! Using these three bugs, spoofing a DNS request takes about 2^19, or half a million, requests. Sending those takes about 5 minutes from a single computer, so this is a practical attack.
  • The typical solution for DNS spoofing is either to add more randomness or to switch to DNSSEC. But what if there are vulnerabilities in DNSSEC!?
  • DNSSEC is safe. However, 4 buffer overflow vulnerabilities were identified that could be useful as memory corruption primitives. The most impactful (a heap-based buffer overflow) is caused by an attacker-controlled size value being used for a write into a buffer of static size.
  • Another one of the buffer overflows reached the same code through a different path. Using this path, the location of the buffer was offset by a length value and could be used to write out of bounds, even with null bytes.
  • The final two bugs were wild copies from length validation issues that are only good for DoS attacks.
  • An interesting set of bugs! Vulnerabilities in popular DNS software (such as this) could be used to make a large impact. To me, the DNS spoofing was a little overhyped because most connections use HTTPS, which means the certificate needs to be validated against a wrong domain name (which won't work).
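The weakness in the bullet about multiple outstanding requests (a response that matches ANY one of several in-flight queries for the same name is accepted) is easiest to see with a small resolver model. The following is an added example, not code from the JSOF write-up or the resolver it discusses: it assumes a 16-bit UDP source port and a 16-bit TXID, uses constructed query names, and contrasts the weak behaviour with the standard mitigation of coalescing duplicate in-flight queries for a name, so that a forged response must match exactly one (port, TXID) pair.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class OutstandingQuery:
    """One in-flight query, identified by its UDP source port and 16-bit TXID."""
    port: int
    txid: int


def effective_guess_bits(port_bits, txid_bits, outstanding):
    """Bits of randomness left when all `outstanding` queries for one name are
    accepted: each doubling of in-flight queries removes one bit."""
    if outstanding < 1:
        return float("inf")
    return port_bits + txid_bits - math.log2(outstanding)


class ResolverModel:
    """Constructed model of how a resolver matches responses to in-flight queries.

    coalesce=True  keeps a single outstanding query per name (duplicate lookups
                   wait on it), so a forged response must match one exact pair.
    coalesce=False gives every duplicate lookup its own (port, txid) and accepts
                   a response matching ANY of them, the weakness summarised above.
    """

    def __init__(self, port_bits=16, txid_bits=16, coalesce=True, seed=0):
        self.port_bits = port_bits
        self.txid_bits = txid_bits
        self.port_space = 1 << port_bits
        self.txid_space = 1 << txid_bits
        self.coalesce = coalesce
        self._rng = random.Random(seed)
        self.outstanding = {}  # qname -> list[OutstandingQuery]

    def send_query(self, qname):
        """Open a new upstream query for qname, or reuse the in-flight one."""
        pending = self.outstanding.setdefault(qname, [])
        if self.coalesce and pending:
            return pending[0]
        q = OutstandingQuery(self._rng.randrange(self.port_space),
                             self._rng.randrange(self.txid_space))
        pending.append(q)
        return q

    def accept_response(self, qname, port, txid):
        """A response is accepted only if port AND txid match an in-flight query
        for that exact name."""
        return any(q.port == port and q.txid == txid
                   for q in self.outstanding.get(qname, []))

    def guess_bits(self, qname):
        """Entropy a forger must beat for qname given the current table."""
        n = len(self.outstanding.get(qname, []))
        return effective_guess_bits(self.port_bits, self.txid_bits, n)


def simulate_guesses(model, qname, trials=100):
    """Average number of random (port, txid) pairs the acceptance check rejects
    before one passes. Run on a small bit space so it finishes quickly; it
    shows the 1/n scaling of the analytic formula empirically."""
    rng = random.Random(1)
    total = 0
    for _ in range(trials):
        guesses = 0
        while True:
            guesses += 1
            if model.accept_response(qname, rng.randrange(model.port_space),
                                     rng.randrange(model.txid_space)):
                break
        total += guesses
    return total / trials


if __name__ == "__main__":
    name = "example.test"  # constructed query name
    for coalesce in (False, True):
        m = ResolverModel(port_bits=6, txid_bits=6, coalesce=coalesce)
        for _ in range(8):          # eight clients ask for the same name at once
            m.send_query(name)
        print(f"coalesce={coalesce}: outstanding={len(m.outstanding[name])}, "
              f"guess bits={m.guess_bits(name):.1f}, "
              f"mean guesses to pass check={simulate_guesses(m, name):.0f}")
    print(f"Full 16+16-bit space with 8 duplicates accepted: "
          f"{effective_guess_bits(16, 16, 8):.0f} bits left")
```

The point for a defender is the `guess_bits` figure: with the weak behaviour, eight concurrent lookups of the same name cut a 32-bit search to 29 bits without touching the port or TXID generators, which is why coalescing duplicate in-flight queries belongs alongside source-port randomization as a mitigation.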