poison the DNS cache by returning a bogus IP as a CNAME for a real server

Summary
Description: You can poison DNS cache by returning a bogus IP as a CNAME for a real server.
Author: Johannes Erdfelt outlined this type of attack originally.
Compromise: Subvert DNS
Vulnerable Systems: Almost all current DNS servers, including bind 8.1 and M$ DNS
Date: 14 June 1997 (It was actually discovered in April, apparently)
Details

-----BEGIN PGP SIGNED MESSAGE-----


        That URL, http://apostols.org/toolz/dnshack.cgi, works even with the
supposed release version of bind 8.1 (05-06-97).  The culprit is a query for
DNS.test.15169.spoof.apostols.org, which returns that address as being a
CNAME for Ohhh.shit.My.DNS.server.is.vulnerable, and tacks a whole bunch of
other info into the response.  All of it ends up in everyone's cache.

        This is the same type of attack outlined by Johannes Erdfelt back in
April.  It's nothing difficult or fancy.  In about 2 minutes, I had my local
name server returning bogus information in the same genre of the test page
above.  All I had to do was tell my server it was authoritative for the
domain I was spoofing.

        Excuse me if I am completely wrong on this, but couldn't we just
ignore any RRs for stuff we didn't directly ask for?  Just let our local
server initiate another query for Ohhh.shit.My.DNS.server.is.vulnerable.?
The remote server is not authoritative for that domain, and would never get
a chance to answer.  Granted that this would increase latency and bandwidth,
but it would avoid the problem.

        I certainly wouldn't mind it if everyone had servers that injected
www.enemy.org for www.microsoft.com, but microsoft might. :)

David Dandar

--
 /~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\
| David M. Dandar                          ddandar@lcars.dyndns.com |
+-------------------------------------------------------------------+
|      PGP public key available via finger from above address.      |
| ddandar@erols.com ddandar@technet.tjhsst.edu dmdc00z@mail.odu.edu |
 \_________________________________________________________________/

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM6MAyg37tpZWSzDdAQG32gP/XPpQ1PNOLFhsLGirmR4Bcpdv+a16wci0
2BmI9PKF8rysAv1BgDRALvDv4Y2EApuPv7bX/fpdIs6KNrtk9U36MfeCsDK2iOY0
KjG2CuvbRj2Lp/1AIYV8I3F4nIbpjj33+9S9ZHQzcPlCcCHsdB9MpW+ShSuC7Bf+
weVCyjJpYlo=
=rHVh
-----END PGP SIGNATURE-----
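The mitigation the message proposes (accept only records for names the queried server is actually responsible for, and re-query for anything else) is what resolvers later adopted as bailiwick checking. The following is an added example, not code from the message or from any resolver; it models a response as parsed records and applies that filter. The zone name, the target names and the addresses are constructed stand-ins that mirror the scenario in the message: a server authoritative for one zone answering with a CNAME whose target lies outside it, plus an unsolicited A record.

```python
"""Bailiwick filtering for DNS responses (added example, not from the original page).

A caching resolver that stores every record a response carries will accept
the out-of-zone A records and additional-section data described above.
filter_response() instead keeps only records whose owner name lies inside the
zone the queried server is authoritative for, and reports the CNAME targets
the resolver must look up itself.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, absolute, e.g. "www.zone.example."
    rtype: str   # "A", "CNAME", ...
    rdata: str   # target name for CNAME, dotted-quad text for A


def labels(name):
    """Split an absolute name into a lowercase label tuple; root becomes ()."""
    body = name.lower().rstrip(".")
    return tuple(body.split(".")) if body else ()


def in_bailiwick(name, zone):
    """True when `name` is `zone` itself or lies below it."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def naive_cache_insert(answer, additional):
    """The behaviour the message complains about: cache everything received."""
    return list(answer) + list(additional)


def filter_response(qname, zone, answer, additional):
    """Return (accepted, follow_up).

    accepted:  records the cache may store from this response
    follow_up: CNAME targets the response did not resolve in-bailiwick, which
               the resolver has to query on its own (the message's proposal)
    """
    accepted = []
    wanted = {labels(qname)}          # owners we will take answer records for
    chain_targets = []                # CNAME targets seen, in order
    for rr in answer:
        owner = labels(rr.name)
        # Drop anything we did not ask for or that the server does not own.
        if owner not in wanted or not in_bailiwick(rr.name, zone):
            continue
        accepted.append(rr)
        if rr.rtype == "CNAME":
            chain_targets.append(rr.rdata)
            if in_bailiwick(rr.rdata, zone):
                wanted.add(labels(rr.rdata))   # server may continue the chain
    for rr in additional:
        # Additional data is only glue for the server's own zone.
        if in_bailiwick(rr.name, zone):
            accepted.append(rr)
    resolved = {labels(rr.name) for rr in accepted if rr.rtype != "CNAME"}
    follow_up = [t for t in chain_targets if labels(t) not in resolved]
    return accepted, follow_up


def demo():
    """Constructed response mirroring the message's scenario."""
    zone = "spoof.zone.example."
    qname = "dns.test.spoof.zone.example."
    answer = [
        RR(qname, "CNAME", "ns.victim.example."),             # in bailiwick, asked for
        RR("ns.victim.example.", "A", "192.0.2.99"),          # out of bailiwick: bogus
    ]
    additional = [
        RR("www.victim.example.", "A", "192.0.2.1"),          # unsolicited, out of zone
    ]
    return filter_response(qname, zone, answer, additional), \
        naive_cache_insert(answer, additional)


if __name__ == "__main__":
    (accepted, follow_up), naive = demo()
    print("naive cache stores", len(naive), "records")
    print("filtered cache stores", [(r.name, r.rtype) for r in accepted])
    print("resolver must itself query", follow_up)
```

Only the in-bailiwick CNAME survives the filter; the forged A record and the unsolicited additional record are discarded, and the CNAME target comes back as a name the resolver has to query on its own, at the cost of the extra round trip the message anticipates.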

This page is part of Fyodor's exploit world.