Daily cyber threats and internet security news: network security, online safety and latest security alerts
July 24th, 2008

Researchers Released DNS Attack Code That Exploits Recently Disclosed Flaw

Days after details of a critical bug in the Domain Name System (DNS) software went public, researchers released attack code that can silently redirect users to unintended sites. Internet security experts warn that this code may give criminals a way to launch virtually undetectable phishing attacks against Internet users whose service providers have not installed the latest DNS server patches. Attackers could also use the code to silently redirect users to fake software update servers in order to install malicious software on their computers.

HD Moore, the creator of the Metasploit penetration testing framework, and a hacker who goes by the alias “I)ruid,” published the attack code in two parts yesterday and today to several security mailing lists and to the Computer Academic Underground Web site.

The two exploits do essentially the same thing: both poison a DNS server’s cache and can therefore, at least temporarily, replace the legitimate addresses in that cache with bogus destinations. Users heading to what they believe are valid sites could, if they pull the routing information from a victimized DNS server, be sent instead to a fake site such as a phony banking site, where they could be easily duped into divulging confidential information.

The first exploit allows an attacker to poison a DNS server’s cache with a single malicious entry. The new attack code allows a hacker to poison large quantities of domains in one fell swoop. “This second exploit has the potential for a much larger impact and could result in potentially thousands of fake addresses inserted into a DNS server’s cache.” The exploits have been added to the Metasploit framework but at the moment can be launched only from systems running Linux.

Tuesday’s single-entry exploit gives attackers more anonymity, while today’s exploit requires hackers to have a real DNS server. It would be possible to trace the DNS requests back to the fake server operated by the attacker, then have it taken offline by, for instance, the hosting provider.

The DNS cache-poisoning bug exploited by Moore’s and I)ruid’s attack code was first announced earlier this month by Dan Kaminsky, director of penetration testing at Seattle-based IOActive Inc. The bug, which Kaminsky uncovered earlier this year, was patched that same day by several major vendors, including Cisco Systems Inc., Internet Systems Consortium Inc. and Microsoft Corp.

Although Kaminsky declined to publicly disclose technical information, he briefed several fellow security researchers after he was criticized for overstating the seriousness of the threat. Those researchers recanted, and said Kaminsky’s research was on target.
