Thursday, October 7, 2010

DNS Cache Poisoning Reviewed Tools + Video Demo

THIS IS FOR EDUCATIONAL PURPOSES ONLY!

Disclaimer: By reading this you accept that Http://hackguide4u.blogspot.com holds no responsibility for the information you gain from reading this post.
This is additional information about the DNS vulnerability found by Dan Kaminsky, which truly shows how effective it can be and why people should patch/update their systems to the latest version. Of course I hope all ISPs have updated, as an attack against them would or could be devastating if successful. I must state that even though a strong random number generator has been added, that does not completely fix the bug, only for now (in the future the protocol would have to be changed).
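To make the point about the random number generator concrete, here is an added toy model (not code from the original post, Metasploit or Evilgrade) of the checks a caching resolver applies before trusting a reply: the transaction ID, destination port and question must match the outstanding query, and records outside the zone the query was sent to are dropped. Names, addresses and the zone are constructed sample values; an in-bailiwick record such as www.example.com still passes, which is why the ID-and-port match is the line of defense that port randomization strengthens.

```python
# Added example (not from the original post or from Evilgrade/Metasploit):
# a toy model of the checks a caching resolver applies before trusting a reply.
import random
from dataclasses import dataclass, field

@dataclass
class Query:
    txid: int        # 16-bit transaction ID
    src_port: int    # UDP source port the query left from
    qname: str       # question name

@dataclass
class Reply:
    txid: int
    dst_port: int
    qname: str
    answers: dict = field(default_factory=dict)     # name -> address
    additional: dict = field(default_factory=dict)  # "glue" name -> address

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies below it."""
    return name == zone or name.endswith("." + zone)

def accept_reply(pending: Query, reply: Reply, zone: str):
    """Return the records to cache, or None if the reply is discarded.

    A reply is only considered if its transaction ID, destination port and
    question match the outstanding query.  Records whose owner name is not
    within the zone the query was sent to are dropped rather than cached.
    """
    if (reply.txid != pending.txid or reply.dst_port != pending.src_port
            or reply.qname != pending.qname):
        return None
    accepted = {}
    for name, addr in list(reply.answers.items()) + list(reply.additional.items()):
        if in_bailiwick(name, zone):
            accepted[name] = addr
    return accepted

def new_query(qname: str, randomize_port: bool) -> Query:
    """Issue a query; a random source port is the 2008 resolver mitigation."""
    port = random.randrange(1024, 65536) if randomize_port else 53
    return Query(txid=random.randrange(65536), src_port=port, qname=qname)

def guess_space(randomize_port: bool) -> int:
    """Values a forged reply must match by chance: TXID alone, or TXID x port."""
    return 65536 * (65536 - 1024 if randomize_port else 1)
```

The guess space grows from 2^16 to roughly 2^32 with port randomization, which raises the cost of a blind forgery but does not add any cryptographic proof of origin, matching the post's remark that only a protocol change fixes the issue for good.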


General Information
SecurityFocus wrote:
Quote:
Insecure update services open to DNS attack

A group of security researchers demonstrated on Monday one way to use the recent domain-name service (DNS) security issue to compromise computers by redirecting insecure update services to fake servers that install malicious code instead.

The attack tool -- dubbed Evilgrade by its creators at non-profit Infobyte Security Research -- will enable penetration testers to exploit computers using the automated update feature of Sun Microsystems' Java, Winzip, Winamp, Mac OS X, OpenOffice, iTunes, Linkedin Toolbar, DAP, Notepad++, and Speedbit, according to the group.

"It works with modules -- each module implements the structure needed to emulate a false update of specific applications/systems," the group said in the ReadMe file available on its site. "Evilgrade needs the manipulation of the victim DNS traffic."

The fully developed attack tool is the latest setback for domain-name system (DNS) security, since a group of software vendors and network infrastructure experts announced earlier this month that a major flaw existed in the protocol. Last week, the details of the flaw were made public and, two days later, the Metasploit Project released two exploits that could allow an attacker to poison a server's DNS cache using the flaw.
After reading it, I had to read more about the project, and so I did. I also wondered why this hadn't been fixed by all the different software vendors, because usually it is only on Linux platforms that packages are digitally signed, though even that is not always proof enough that they are valid/legit.
Metasploit:
Quote:
Evilgrade Will Destroy Us All

Francisco Amato of Infobyte Security Research just announced ISR-evilgrade v1.0.0, a toolkit for exploiting products which perform online updates in an insecure fashion. This tool works in conjunction with man-in-the-middle techniques (DNS, ARP, DHCP, etc.) to exploit a wide variety of applications.

The demonstration video uses the CAU/Metasploit DNS exploit in conjunction with the Sun Java update mechanism to execute code on a fully patched Windows machine. For more information, see the README and slide deck. The first release includes exploits for Sun Java, Winzip, Winamp, Mac OS X, OpenOffice, iTunes, Linkedin Toolbar, DAP, Notepad++, and Speedbit.
That was quite disturbing; how can one be sure that packages are secure on Windows systems now? Well, if you're directly connected to the internet and not on a LAN, you can always try doxpara's tool to check your DNS.

Well, I watched the video and was quite amazed, and probably even more so after reading the whitepaper and readme, which contained interesting info.
Evilgrade:
Quote:
..:: DESCRIPTION ::..

ISR-evilgrade is a modular framework that allows us to take advantage of poor upgrade implementations by injecting fake updates.

* How does it work?

It works with modules; each module implements the structure needed to emulate a false update of specific applications/systems.
Evilgrade needs the manipulation of the victim's DNS traffic.

Attack vectors:
--------------

Internal scenario:
- Internal DNS access
- ARP spoofing
- DNS Cache Poisoning
- DHCP spoofing

External scenario:
- Internal DNS access
- DNS Cache Poisoning

* What are the supported OS?

The framework is multiplatform; it only depends on having the right payload for the target platform to be exploited.

Implemented modules:
-------------------
- Java plugin
- Winzip
- Winamp
- MacOS
- OpenOffice
- iTunes
- Linkedin Toolbar
- DAP [Download Accelerator]
- notepad++
- speedbit
So what exactly do you need to be able to exploit the insecure-updates bug along with the DNS vulnerability, and what do you need to be successful?

First you need Metasploit, then you need to implement at least the variation of the DNS exploit released recently, and also the Evilgrade framework as well. (Thus you need to be running Metasploit on a Linux platform, as the current exploit developed by HD Moore and |)ruid is only supported on that OS.)

I'm not going to explain much further what else you need to do to be able to carry out a successful attack, but instead of just trying random nameservers, it would help to, for example, fingerprint them.


Additional Information

Demo Video:
http://www.infobyte.com.ar/demo/evilgrade.htm

Download Links:
http://metasploit.com/framework/download/
http://www.infobyte.com.ar/down/isr-...e-1.0.0.tar.gz
Exploit Information:
http://www.infobyte.com.ar/down/isr-...ade-Readme.txt
Evilgrade Whitepaper:
http://www.infobyte.com.ar/down/Fran...%20-%20ENG.pdf
Exploit Links:
http://www.caughq.org/exploits/CAU-EX-2008-0002.txt
http://www.caughq.org/exploits/CAU-EX-2008-0003.txt

External Links:
http://www.securityfocus.com/brief/783
http://blog.metasploit.com/2008/07/e...oy-us-all.html
http://www.infobyte.com.ar/developments.html
http://blog.metasploit.com/2008/07/bailiwicked.html
http://blog.wired.com/27bstroke6/200...ky-on-how.html
http://www.kb.cert.org/vuls/id/800113
Extra Information:
http://www.trusteer.com/bind9dns
http://www.trusteer.com/bind8dns
http://www.trusteer.com/microsoftdns
http://www.trusteer.com/windowsresolver
http://en.wikipedia.org/wiki/DNS_cache_poisoning
Personal Review:
I hope you enjoyed the information given in this post, as that is pretty much everything there is to know about this issue right now, as far as I know. Though in the future there might be additional problems with the DNS protocol, for now a fully patched/updated name server should solve the problem.
