
DNS Cache Poisoning + EvilGrade = End of The Interwebs?

Dr. Grinch

TRIBE Member
So the link I'm posting is an SWF video which shows the exploitation of the current DNS Cache Poisoning attack, blended with a "man in the middle" type exploitation of the Sun Java update engine. The machine they show the attack against would be a fully patched Windows XP machine running an AV engine.
These tools are available publicly. This type of attack could be used against other self updating platforms/apps like iTunes (HI MAC USERS!), Winamp, AntiVirus, Firefox, Firefox Add-ons, etc.

http://tinyurl.com/6qc536

~atp~

TRIBE Member
I don't get it ... this is nothing new at all, really. Unless I have misunderstood, upgrade sites are already mitigating by performing auto-updates using asymmetric encryption based on a one-time shared public key from the authentic host. So in this SWF example, if I had the public key from Java's website, I would encrypt all my communication using that public key and only the private key could decrypt and sensibly reply.

This is by no means the end to auto-updates.
 

urbanriot

TRIBE Member
~atp~ said:
This is by no means the end to auto-updates.

^^ exactly. Not to mention, some DNS serving hardware and software is inherently secure (to various levels) or is / will be patched to prevent it. IMO you have to have a lot of time on your hands to cause people trouble...

Kaminsky's sensationalism is starting to get annoying...

Dr. Grinch

TRIBE Member
~atp~ said:
I don't get it ... this is nothing new at all, really. Unless I have misunderstood, upgrade sites are already mitigating by performing auto-updates using asymmetric encryption based on a one-time shared public key from the authentic host. So in this SWF example, if I had the public key from Java's website, I would encrypt all my communication using that public key and only the private key could decrypt and sensibly reply.

This is by no means the end to auto-updates.

Clearly, as demonstrated, Sun's Java engine is not using an encrypted or authentication-based update mechanism. The average home user is not going to take any steps to ensure these things are secure either.
Secondly, Rogers (that little ISP nobody is on) still haven't secured their DNS and are vulnerable to poisoning as of this afternoon.
So this example here, used appropriately, could effectively root a few thousand desktops without any user intervention aside from updating an already installed component.
It's not so much that it's an end to auto-updates, it's just a practical application of the DNS Cache Poisoning issue in use.
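An added example, not code from the thread or from Sun's updater: the signed-update check ~atp~ describes and Dr. Grinch says Java lacked, in Go with an Ed25519 publisher key pinned in the client. The manifest fields, product name and payload bytes are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// NewManifest is the publisher side: describe the payload, then sign the exact bytes.
func NewManifest(priv ed25519.PrivateKey, version string, payload []byte) (manifest, sig []byte) {
	sum := sha256.Sum256(payload)
	manifest, _ = json.Marshal(map[string]string{ // constructed fields, not a real vendor format
		"product": "ExampleApp", "version": version, "sha256": hex.EncodeToString(sum[:]),
	})
	return manifest, ed25519.Sign(priv, manifest)
}

// VerifyUpdate is the client-side decision: the manifest must verify under the key
// pinned at install time and the payload must match the digest it names. Which host
// answered (DNS, IP, hostname) plays no part, so a poisoned resolver gains nothing.
func VerifyUpdate(pinned ed25519.PublicKey, manifest, sig, payload []byte) (string, error) {
	if !ed25519.Verify(pinned, manifest, sig) {
		return "", errors.New("manifest signature invalid: update rejected")
	}
	var m map[string]string
	if err := json.Unmarshal(manifest, &m); err != nil {
		return "", err
	}
	if sum := sha256.Sum256(payload); hex.EncodeToString(sum[:]) != m["sha256"] {
		return "", errors.New("payload digest mismatch: update rejected")
	}
	return m["version"], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pub is pinned into the client at install
	payload := []byte("constructed genuine update bytes")
	man, sig := NewManifest(priv, "1.0.1", payload)
	v, err := VerifyUpdate(pub, man, sig, payload)
	fmt.Println("genuine:", v, err)
	// A host merely answering in place of the real one has no copy of priv, so a
	// manifest signed under its own key fails the pinned-key check.
	_, rogueKey, _ := ed25519.GenerateKey(rand.Reader)
	rman, rsig := NewManifest(rogueKey, "9.9.9", []byte("constructed substituted bytes"))
	_, err = VerifyUpdate(pub, rman, rsig, []byte("constructed substituted bytes"))
	fmt.Println("rogue:", err)
}
```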
 

oddmyth

TRIBE Member
^^^^ exactly, the number of ISPs with DNS servers still vulnerable as of late last night that I tested was staggering.

Just for safekeeping I temporarily moved all of our DNS usage over to OpenDNS and flushed the caches on all the machines and internal DNS servers.

Not that anyone besides me and one other fellow can auto-update anything, I don't need to take that chance regardless. The only thing that auto-updates in our studio without intervention is the firewall and I've been assured by Cisco support that those updates are not prey to cache poisoning.
 

Dr. Grinch

TRIBE Member
^^

Only under REALLY specific conditions is Cisco gear vulnerable. You'd have to be doing recursion on your devices, which most people don't enable. The IOS is technically vulnerable though, but not in default configuration.

All of the major Canadian FIs have been mandated to report their updating progress to CanCERT on this issue. That really hasn't happened before, so people in high places are predicting potential fallout in many areas from this if proper mitigation doesn't take place...


I've heard OpenDNS sometimes serves ads through their DNS resolution. Could just be a rumor, or could be how they pay the bills. Either way it's still safer than trusting most upstream ISPs right now.

88000 nodes patched, 21000 to go. Oi.
 

~atp~

TRIBE Member
Dr. Grinch said:
Clearly, as demonstrated, Sun's Java engine is not using an encrypted or authentication-based update mechanism. The average home user is not going to take any steps to ensure these things are secure either.
Secondly, Rogers (that little ISP nobody is on) still haven't secured their DNS and are vulnerable to poisoning as of this afternoon.
So this example here, used appropriately, could effectively root a few thousand desktops without any user intervention aside from updating an already installed component.
It's not so much that it's an end to auto-updates, it's just a practical application of the DNS Cache Poisoning issue in use.

I was just toning down the sensationalism. As well, the hack here is nothing new, it's just exaggerated more than ever due to the scale and high-availability automation of update services. I agree that various services -- DNS included -- rely on a protocol that does not require non-repudiation mechanisms, but I'm not convinced that's the job of DNS as a service. Sometimes the answer is found when you take the end-to-end process into consideration and not just a single vulnerability in isolation.
 