
0x01 Introduction

DNS Multiple Race Exploiter is a tool that exploits an inherent flaw in the DNS server cache. By sending many queries to a DNS server that processes recursive queries, along with fake replies, an attacker can successfully write a fake new entry into the DNS cache. This type of attack can also overwrite an existing entry. For example, if the DNS server's cache already holds www.example.com => 1.2.3.4, the attack can overwrite it with www.example.com => 4.3.2.1. Initially, the attack was easy because the majority of DNS servers did not randomize the UDP source port number. Patched DNS servers randomize the UDP source port number, but that does not eliminate the flaw; it only increases the time required to poison the cache. Poisoning unpatched systems takes a matter of seconds, whereas poisoning patched systems takes a matter of hours. DNS Multiple Race Exploiter is made to attack both patched and unpatched systems.

To successfully inject an entry into a remote DNS cache, there are prerequisites the auditor needs to know:

  • The auditor needs to know whether the target DNS server processes recursive queries. If not, the server is not susceptible to cache poisoning.
  • If the target DNS server processes recursive queries, the auditor needs to know whether the server forwards the DNS request to a forwarder server or performs the request directly. If a forwarder is configured, the auditor needs the IP address of the forwarder system.
  • The auditor needs to know the static source port number used by the target DNS server, but only for unpatched systems. For patched systems, this is not needed.

0x02 Features

  • The tool can be directed towards two kinds of DNS servers: servers configured with forwarder(s), and servers configured with direct recursion. The attack modes differ in the "flags" carried in the fake DNS replies. Since a DNS server with forwarder(s) sends a query with the "recursion desired" bit set, the reply has to have this bit set, too, and the reply also has to have the "recursion available" bit set. On the other hand, a DNS server performing recursion itself sends queries with the recursion bit unset (i.e. an iterative query), so the reply has to have this bit unset, too.
  • The tool can be directed towards patched and unpatched systems.
  • The tool automatically finds the nameservers of the domain that is part of the entry the user is trying to inject. The tool sends all spoofed replies using the IP addresses of all of those nameservers as the source.
  • The tool uses the CNAME record type to inject the false entry. Poisoning is implemented by sending two answer Resource Records (RRs): one CNAME RR and one A record. Every fake reply contains something like:
    [1] abdc.example.com is a CNAME (class IN) pointing to www.example.com
    [2] www.example.com is an A record (class IN) for IP 11.22.33.44
  • The tool sends multiple fake replies with different TXIDs to increase the probability of hitting the correct TXID. This reduces the time needed to generate a "hit". For a server that does not randomize the source port number, the maximum number of iterations needed is 65536 (the average is 32768). However, by sending 10 to 15 TXIDs per query, for example, the probability of making a "hit" within a shorter time is higher; an average of ~3000 iterations is needed.
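The multi-TXID race described in the last two bullets leaves a signature on the resolver side: many replies for one name, from one claimed nameserver address, whose TXIDs match no query the resolver actually sent. As an added detection example (not part of the original tool), the Python below flags that pattern over constructed response records; the record format, sample addresses and the window/threshold values are assumptions.

```python
from collections import defaultdict

# Constructed for this example: (txid, qname) pairs the resolver actually sent
# and still has outstanding. A real deployment would track these from the
# resolver's own outbound queries.
OUTSTANDING = {(0x1A2B, "abdc.example.com."), (0x7F01, "mail.example.net.")}

# Constructed responses arriving at the resolver: (time_s, src_ip, txid, qname).
RESPONSES = [
    (99.50, "198.51.100.30", 0x0042, "old.example.org."),    # late answer, query already done
    (100.00, "198.51.100.10", 0x7F01, "mail.example.net."),  # legitimate answer
    (100.60, "198.51.100.20", 0x1A2B, "abdc.example.com."),  # legitimate answer, loses the race
    (105.00, "198.51.100.30", 0x0043, "old.example.org."),   # another isolated late answer
] + [
    # a burst of 12 TXID guesses from an address posing as the zone's nameserver
    (100.10 + 0.03 * i, "203.0.113.5", 0x0100 + i, "abdc.example.com.") for i in range(12)
]


def mismatched_responses(responses, outstanding):
    """Responses whose (txid, qname) matches no outstanding query.

    A late answer to an already-completed query also lands here, which is why
    alerting is on the *rate* per (src_ip, qname), not on single mismatches."""
    return [r for r in responses if (r[2], r[3]) not in outstanding]


def detect_txid_race(responses, outstanding, window_s=1.0, threshold=5):
    """Return {(src_ip, qname): peak_count} for sources that delivered at least
    `threshold` mismatched TXIDs for one qname within any `window_s` interval."""
    times_by_key = defaultdict(list)
    for ts, src, _txid, qname in mismatched_responses(responses, outstanding):
        times_by_key[(src, qname)].append(ts)
    alerts = {}
    for key, times in times_by_key.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window_s:  # slide the window start forward
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts


if __name__ == "__main__":
    for (src, qname), n in detect_txid_race(RESPONSES, OUTSTANDING).items():
        print(f"ALERT: {n} mismatched TXIDs for {qname} from {src} within 1s")
```

Because the spoofed replies are sent from the real nameservers' addresses, the source IP alone is not a useful discriminator; the TXID-mismatch rate per name is.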

0x03 Code

0x04 Examples

  • Example 1:
     
  • Example 2:
     
  • Example 3:
     

0x06 Author

AR Samhuri <ar[at]securebits[dot]org>

0x07 Credits

The following people made useful contributions during the development of the tool:
    Saddam - Wafa - Nicolai - Ghassan - Vasilis - Danett


Copyright (c) 2006 - 2008 Securebits ALL RIGHTS RESERVED