If I know you are vulnerable (User-Agent: OS X), and I can make you look up domains (image links on my evil site), then I can flood you with poison DNS replies and have a high degree of success.

DNS replies for what requests? I'd still only be requesting sites I'd never been to before, and those are all your sites in the first place. And anyway it's not even currently feasible to do this kind of attack.

Well, gee, it is only Apple that has failed to patch, in what is the largest coordinated security patch in Internet history.

It's still not as big a deal as you're making it. Mac OS X is vulnerable indeed, but vulnerable to an attack that will not be carried out on the client. All you have to do is be smart (i.e. use OpenDNS) until they patch it. And even after they patch it you should continue to use OpenDNS anyway.
 
The only effort that goes into the attempt is writing the software. Once that is done, you just drain bank accounts or install zombie software until the cows come home. It doesn't matter that attacking computers one at a time seems to be more effort than attacking a DNS server. It's just like spam. Zero cost.

Except the network resources involved in attacking a client computer aren't worth it when you can attack the DNS server. The payout just isn't there.


I still disagree. I am not describing an attack that comes randomly; I am describing an attack that comes at you once your browser can be directed to an evil site. Once that happens, the site can include IMG links to all the domains they want to poison; hence, they know you are going to be looking those domains up in only a few milliseconds. This increases their chances of success tremendously. They will even know when they succeeded, because your computer will be contacting their evil site to try to load those IMGs.

Yup, they certainly can. And if they have 500 sites listed there, and you haven't been to them, they can spam the crap out of your computer with a SMALL chance of success that the exploit will be successful. Now what does that mean? Pretty much nothing, because you would still need to go to one of the X sites they had listed before any type of exploit would be successful.

So, for your situation to work properly, I would need to go to an evil site, have them gather my IP, load hundreds of images on random sites that you wish to exploit, have the exploit be successful, and then GO to the one, hell, let's say you were REALLY successful and guessed right twice, then go to one of the TWO out of 500 sites, all before I restart.

So... let me ask you this... why? I'm already on your "evil site"; any exploit you could then trigger on the spoofed site could have been done on the evil site. Your idea wouldn't work in a situation like this message board, linking one img to your site and the rest to others, because by the time you got the request from my DNS server, I would already be resolving the other sites, causing your exploit to be late.


> If I know you are vulnerable (User-Agent: OS X), and I can make you look up domains (image links on my evil site), then I can flood you with poison DNS replies and have a high degree of success.
> Until Apple patches.

You would not have a high degree of success. Your success rate would still be extremely, extremely small; the only advantage you would have is the knowledge that I would be doing some form of DNS request. The odds of the exploit being successful are still the same.

Not to mention, if the DNS server you are using is already patched, then the client machine is also safe, since the fix (better randomization) would already be in place.

Now, I again want to point out I'm not saying this isn't an issue... it is an issue that needs to be addressed soon. It's nowhere close to being as serious as you believe for clients. You might want to check out the actual vulnerability ( http://www.kb.cert.org/vuls/id/800113 ) to get some more information on what it does, and more information as to why DNS servers are the ones targeted here, not clients.
 
> Not to mention, if the DNS server you are using is already patched, then the client machine is also safe, since the fix (better randomization) would already be in place.
I think you win right there. I would need a way to figure out the ports you are using for your client requests, and I just tested: that wouldn't be exposed to me. This only works on 10.4 to poison your own ISP website. 10.4 seems to use port 5353 each time to do certain lookups in the ISP domain. That would give me your email id & password, the next time you checked mail or used webmail.
 
> I think you win right there. I would need a way to figure out the ports you are using for your client requests, and I just tested: that wouldn't be exposed to me. This only works on 10.4 to poison your own ISP website. 10.4 seems to use port 5353 each time to do certain lookups in the ISP domain. That would give me your email id & password, the next time you checked mail or used webmail.

I started to write up a big post before I saw your edit : >


Nonetheless, I don't disagree that the client is at risk in this situation... they are. But it's not a huge risk... it truly isn't. A lot of things have to fall right for the exploit to happen on a client machine, and the hacker can't go to town like they can on a DNS server... and boy can they go to town on one.

If you want more information as to why it's such a bigger issue for the DNS server, rather than the client, read this site a bit: http://www.doxpara.com/

Now if you want to be mad at apple... be mad at the fact they haven't released an update to OS X Servers DNS... that's a gigantic issue.
 
> Nonetheless, I don't disagree that the client is at risk in this situation... they are. But it's not a huge risk... it truly isn't. A lot of things have to fall right for the exploit to happen on a client machine, and the hacker can't go to town like they can on a DNS server... and boy can they go to town on one.

Well, there is one interesting detail that makes it a little more likely: It appears that 10.5 starts from the same port number on each boot; in the vicinity of 49163. TCP ports also seem to originate from this same area. The originating port of an image load request would tip off evilsite to a very tight range of ports that it could start flooding. If this is statistically significant, it would mean that a client attack is about 10 to 20 times more difficult than a server attack, rather than the 65,000 times more difficult that it would be if you didn't have any idea what port might be correct. But, even 10 to 20 times makes it hard to hit the right combination before the DNS server delivers the real reply.

If there is a trick that can be used to predict or narrow the pseudo-random transaction ID number, then you are still in the ballpark.

Apple better have a patch this week.
 
> If there is a trick that can be used to predict or narrow the pseudo-random transaction ID number, then you are still in the ballpark.
>
> Apple better have a patch this week.

This is why it's so much more important for the server. To attack the client, you still need to wait for it to make a request and then go after it. You're not in complete control of when the request goes out. AND that vulnerability has been around for years and years and people have known about it for years and years.

The reason why servers are attacked is because the evil doer in this case can constantly request DNS lookups to that DNS server, causing that DNS server to go out; they can do this thousands of times a second and try to win the race vs the other DNS server, and guess the proper random ID.

Because the root of the issue is that when you make a request the DNS server doesn't have cached, it will then act as a DNS client and recursively go and try to find the result for you. So you make the request, causing it to try to find the result (thus turning it into a client), then go for the exploit (since you know what UDP port it will be using) and try to guess the ID, thus exploiting the server. On a client machine like an OS X box not acting as a DNS server, they don't have control of the requests. (The difference of, say, a very very optimistic 15 to 20 DNS requests a second on a client, to 1500+ on a server.)
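The race described in the post above, worked through as an added example (this is not code from the thread, from Apple, or from the advisory it links): a minimal DNS query builder that shows where the 16-bit transaction ID sits, the acceptance rule a resolver applies to an incoming reply, the odds of winning one race given how many spoofed replies fit in before the genuine answer, and the expected time to a first win at the query rates the post contrasts. The burst size of 100 spoofed replies, the 1500/s and 15/s query rates, and the port-window sizes are assumptions chosen for illustration.

```python
"""Odds of winning the DNS cache-poisoning race (added example, not from the thread)."""
import random
import struct

TXID_SPACE = 1 << 16  # the DNS header carries a 16-bit transaction ID


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Minimal DNS query: 12-byte header, QNAME labels, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def txid_of(packet: bytes) -> int:
    """The transaction ID is the first two bytes of any DNS message."""
    return struct.unpack("!H", packet[:2])[0]


def reply_accepted(q_txid: int, q_port: int, r_txid: int, r_port: int) -> bool:
    """A resolver matches a reply to an outstanding query by transaction ID and by the
    UDP source port the query left on; a spoofed reply has to get both right."""
    return q_txid == r_txid and q_port == r_port


def win_probability(guesses_per_race: int, candidate_ports: int) -> float:
    """Chance that one race (one outstanding query) is won when the attacker lands
    `guesses_per_race` distinct spoofed (txid, port) replies before the real answer."""
    space = TXID_SPACE * candidate_ports
    return min(1.0, guesses_per_race / space)


def expected_seconds(guesses_per_race: int, candidate_ports: int,
                     races_per_second: float) -> float:
    """Expected time to the first win: 1/p races, at the rate the attacker can force them."""
    return 1.0 / win_probability(guesses_per_race, candidate_ports) / races_per_second


def simulate(guesses_per_race: int, candidate_ports: int, trials: int, seed: int = 0) -> int:
    """Monte Carlo check of win_probability: how many of `trials` races were won."""
    rng = random.Random(seed)
    space = TXID_SPACE * candidate_ports
    wins = 0
    for _ in range(trials):
        q_txid = rng.randrange(TXID_SPACE)
        q_port = rng.randrange(candidate_ports)  # index into the port window
        guesses = rng.sample(range(space), min(guesses_per_race, space))
        # the race is won if any spoofed reply decodes to the outstanding (txid, port)
        wins += any(reply_accepted(q_txid, q_port, g % TXID_SPACE, g // TXID_SPACE)
                    for g in guesses)
    return wins


# Assumed figures: 100 spoofed replies fit before the genuine answer arrives; a recursive
# server can be forced to query ~1500 times/s, a browser-driven client maybe ~15 times/s.
BURST = 100


def scenario_table():
    """(label, expected seconds against a server, expected seconds against a client)."""
    rows = []
    for label, ports in (("fixed source port", 1),
                         ("port leaked, 16-port window", 16),
                         ("random port in 16384-port range", 16384)):
        rows.append((label,
                     expected_seconds(BURST, ports, 1500.0),
                     expected_seconds(BURST, ports, 15.0)))
    return rows


if __name__ == "__main__":
    for label, server_s, client_s in scenario_table():
        print(f"{label:32s} server ~{server_s:10.1f} s   client ~{client_s:10.1f} s")
    print("simulated wins, fixed port, 2000 races:", simulate(BURST, 1, 2000, seed=1),
          "expected about", 2000 * BURST / TXID_SPACE)
```

The table makes the post's two arguments concrete at once: with the source port fixed, only the 16-bit ID stands in the way, and the attacker who can force queries at will runs through the expected number of races in under a second, while the browser-driven client takes a hundred times longer; widening the port space multiplies both figures by the number of ports the attacker must cover.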
 
Security Update 2008-005 doesn't fix DNS

I am still seeing DNS requests come out consecutive ports.

And, in regard to my previous post in this thread, there do appear to be possible methods of finding out what port a client is going to use for DNS. Can they be automated to make my theoretical attack into a real attack? I think so.

If you get a client to communicate to you via a UDP protocol, you will have the immediate port ranges in use for DNS lookups. I used SMB to a server as a test. Perhaps there are others; in particular, if you create JavaScript, a Java applet, or Flash app on your evilsite, you can have it make a UDP communication to evilsite, and that will give you the port. Can Java or Flash be used as images? If not, then your attack would have to make use of other tags besides just images on a webforum. Many forums don't permit that. But, if you can be convinced to load a page (tinyurl?) or others, you are pwned.
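A way to check the claim in the post above on your own machine, added here and not part of the thread: open a handful of UDP sockets the way a stub resolver does and look at the source ports the kernel hands out, then work out the set of ports an attacker who has seen one of them would have to spray. The resolver address is a constructed placeholder (connect() on UDP transmits nothing), the 32-port window is an assumed burst of lookups, and the 49152-65535 range is the IANA dynamic range rather than any particular OS's setting.

```python
"""Observe how this host allocates UDP source ports (added example, not from the thread)."""
import socket
from typing import Dict, List

# IANA dynamic/private range: what an attacker must cover when allocation is random
EPHEMERAL_LOW, EPHEMERAL_HIGH = 49152, 65535


def sample_ephemeral_ports(n: int = 16) -> List[int]:
    """Open n UDP sockets and connect() each to a resolver address. connect() on a UDP
    socket sends no datagram; it only fixes the peer and makes the kernel bind a source
    port, which is what a stub resolver gets when it fires off a lookup."""
    socks = []
    try:
        for _ in range(n):
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.connect(("127.0.0.1", 53))  # constructed target; nothing leaves the host
            socks.append(s)
        return [s.getsockname()[1] for s in socks]
    finally:
        for s in socks:
            s.close()


def port_deltas(ports: List[int]) -> List[int]:
    """Differences between successive ports; all ones means consecutive allocation."""
    return [b - a for a, b in zip(ports, ports[1:])]


def looks_sequential(ports: List[int], max_step: int = 1) -> bool:
    """True if every successive port is the previous one plus a small positive step."""
    deltas = port_deltas(ports)
    return bool(deltas) and all(1 <= d <= max_step for d in deltas)


def candidate_ports(observed: int, sequential: bool, width: int = 32) -> List[int]:
    """Ports an attacker who has just seen `observed` in use would aim replies at.
    Sequential allocation: the next `width` ports, wrapping at the top of the range.
    Random allocation: the whole range. `width` is an assumed burst of lookups."""
    if not sequential:
        return list(range(EPHEMERAL_LOW, EPHEMERAL_HIGH + 1))
    if EPHEMERAL_LOW <= observed <= EPHEMERAL_HIGH:
        span = EPHEMERAL_HIGH - EPHEMERAL_LOW + 1
        return [EPHEMERAL_LOW + (observed - EPHEMERAL_LOW + i) % span for i in range(width)]
    # host uses a different range; no wrap point is known, so count straight up
    return [observed + i for i in range(width)]


def summarize(ports: List[int]) -> Dict[str, object]:
    """What one leaked port is worth: sequential allocation shrinks the search to a few
    dozen ports, random allocation leaves the attacker the whole range."""
    seq = looks_sequential(ports)
    return {
        "sequential": seq,
        "spread": max(ports) - min(ports) if ports else 0,
        "ports_to_cover": len(candidate_ports(ports[-1], seq)) if ports else 0,
    }


if __name__ == "__main__":
    observed = sample_ephemeral_ports()
    print("source ports:", observed)
    print("deltas:      ", port_deltas(observed))
    print(summarize(observed))
```

Run it before and after a patch: "ports_to_cover" drops from a few dozen to the whole range once the kernel stops handing out consecutive ports, which is the difference the thread is arguing about.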
 
Finally ! ! !

I started this thread on July 9, not from a position of knowledge, but from a position of fear of the unknown. As I stated in the beginning, I know very little about the DNS problem; but when I started this I had just received and installed a Windows fix from Microsoft for my only remaining PC on July 8.

This morning, August 1, I found that a patch was available from Apple. I immediately downloaded it and installed. No problems so far.

My final thought is: As a new Macintosh convert who still owns one Windows machine, I am extremely disappointed to note that Apple remained silent and unable or unwilling to even make a comment, while Microsoft acted on the DNS problem and provided a fix for my Windows machine, almost immediately. Not only did Apple not provide a fix for 3 weeks, they remained totally silent about the problem, leaving Mac owners in the dark about the potential of the problem or the possibility of a fix.

Very disappointing.
 
> I am still seeing DNS requests come out consecutive ports.
>
> And, in regard to my previous post in this thread, there do appear to be possible methods of finding out what port a client is going to use for DNS. Can they be automated to make my theoretical attack into a real attack? I think so.
>
> If you get a client to communicate to you via a UDP protocol, you will have the immediate port ranges in use for DNS lookups. I used SMB to a server as a test. Perhaps there are others; in particular, if you create JavaScript, a Java applet, or Flash app on your evilsite, you can have it make a UDP communication to evilsite, and that will give you the port. Can Java or Flash be used as images? If not, then your attack would have to make use of other tags besides just images on a webforum. Many forums don't permit that. But, if you can be convinced to load a page (tinyurl?) or others, you are pwned.

Like I said before, that type of exploit has been in existence (and known) for some time. It's not anything new, and the rate of success is so unbelievably small (1 in 33,000 or so). And you don't have solid control as to what website will be exploited... Too much mess, too little success, too much effort for far too little of a payout. Even a script kiddie wouldn't waste his time.
 