Website
http://www.matasano.com/log -
Original page
http://www.matasano.com/log/1089/dan-kaminsky-could-have-made-hundreds-of-thousands-of-dollars-with-this-dns-flaw/ -
I heard birthday attack wording here.
X <- Matasano Blog Entry
.
.
. <- whooosh area
.
.
O <- Nathan's head
|
/\
The key theory behind this is: we would have more chances to poison the DNS cache if we spoofed a million query RESPONSES with a CONSTANT XID for a million REQUESTS with RANDOM XIDs than by spoofing ~1000 RESPONSES with RANDOM XIDs for one RANDOM-XID request. (Approx. 1k responses because we assume that we can send ~1000 fake response packets before the legitimate DNS server answers.)
Do you agree with this? Then let's continue to see how to accomplish that.
Seeing how Dan thinks, the key lies on the CLIENT SIDE (think browser):
So the VICTIM opens a page set up to force the user to make these million queries, while we perform spoofing with a CONSTANT XID in the spoofed responses.
By here you should start thinking: what does *.attacker.controlled.host have to do with dns.to.spoof.com? Well, I haven't figured that out yet, but I think it has something to do with that CNAME shit which Dan likes so much.
And if this is true and this post gets world media attention, then I would like to greet r0t, r21vo, saime and other script kiddies from Latvia!!!111 lol.
There's more, of course. But if you don't think there is, you have to at least admit that it's pretty cool to have the old stuff fixed. So, just imagine there's some crazy reason why now finally people are taking RFC 3833 and DJB seriously.
Here's to no more crappy name servers, for whatever reason.
Man, I know it's a big ask not to speculate publicly.
I know this.
But I'm trying to help the good guys here. Some of the smartest people I know hang out here -- your musings don't have to be published here too.
Look at it from my perspective: I've got some stuff -- maybe good, maybe bad, but I don't think there's any doubt that there's something -- but, to help the good guys, I have to remain silent. I have to subject myself to a lot of attacks, from people who are speculating. People who don't know what's up.
And that's OK. If the cost of protecting users, is that some people think there's nothing new to protect users against -- then I'm cool with that. We all respect DJB. We all know the birthday attacks sucked. Amit's stuff is real. This patch fixes all of it. That work was deeply overdue.
And, when Black Hat comes out -- I'll lay it all out on the table, and everyone can judge. There's an open offer to Ptacek -- I will mail him the slides at the beginning of my talk, and whatever he thinks of them, he can put in a slide and that will be how I will end my presentation.
I'm trying to protect users. I'm asking for your help.
"your musings don’t have to be published here too."
so you ask the people with a clue not to speculate so your talk isn't blown, but then you whore out minor details and FUD to every newspaper/magazine/publishing house so that your name can go all over Google and you gain 5 minutes of fame? This is why people hate you and wish you would work at McDonald's instead.
I'm going to suggest, once again, that you just be up front: you did good work, you want to present it on your terms. Those of us who've been in those shoes will understand that.
But hey, I've taken my hits for running my mouth too. Sometimes it's worth it. Your call!
Are you asking to go back to the days of the good ol' boys security club? Back when people talked on private mailing lists like Zardoz? When "someone" decided who was and wasn't qualified and responsible enough for information?
You can't have it both ways. You've benefited from people openly discussing their findings, and now you're asking people to not discuss whatever you found? Had DJB, Amit Klein, etc not made their findings public, would we be having this discussion?
Finally, I'd like you to recant your statement that DJB is a lucky programmer. I think all of us can agree that his material on forgery clearly indicates that is not the case. He recognized that 16-bit XIDs were insufficient, identified other vulnerabilities in bind that further reduced the complexity of forgery, and implemented a fix in djbdns to address the real problem (16-bit XIDs, for those taking notes).
http://www.theregister.co.uk/2008/07/09/dns_bug...
I found Sotirov's Heap Feng Shui attack myself, while working on my A+ last year, but I wrote it down on the back of a massage parlor receipt that I put through a cross-cut shredder. Identity theft is no joke, kids!
Kaminsky
welcome to Security 2.0...
It is all about media manipulation to hype one's own bugs.
I am so tired of this responsible disclosure (enlarge media attention) bullshit by guys who sell bugs to the government or worse...
I agree ... if pdp, kaminsky, and gadi would never work in sec again the industry would become 100x overnight
The public doesn't need minor details. The public does however need notification, and enough of it to break through the everyday noise. Have you spent any time in corporate environments? Change is expensive. I'm asking people to sit through boring meetings and fix something that doesn't look broken. These are people who have no idea who the hell I am, as opposed to most people here who I've probably thrown back a shot with. These people react to bandwagons, and in a very real sense, to an implication that they should have known this was a problem.
This is the best way of making sure people should have known there was a problem, without spawning a full on crisis. The best thing possible would be for there to be no flaw. Barring that, this is the second best. I am totally open to new ideas however. Really, I've never done anything like this before.
Tom,
I can't give this talk without warning, because the bugs are quite bad. I also can't not give this talk, because then I'd be calling the credibility of the entire community into question, and everyone would be right to rip the vulnerability out into the open (or declare it irrelevant and unworthy of patch) immediately.
So, I've got me a rock, and I've got me a hard place. I'm asking for a third option. I will bust it all out, and I will throw myself on the mercy of the security community to judge whether it was worth all the noise or not. But give me enough time, so that when I do so, the rest of the public doesn't completely freak out.
Those are the terms I'm looking for -- full disclosure, lets just get people some warning to patch.
Jeremy--
The good ol' boys club sucks. It's a recipe for stagnation and irrelevance. We need the meritocracy to expose who's doing good work and frankly who isn't. But we also need the freedom to express our merits.
So, I'd like a few weeks. I can't demand it. It's a lot to ask for. But it's not forever. It's a hard, solid date -- August 6th, 2008 -- and everyone can decide then if what I did was right or wrong. (Needless to say, if I don't show, I deserve everything that would ever be thrown at me. I'm all in.) Just let me give this talk, on my terms. I've convinced the vendors, using language they understand. I'm convincing the public, using language they understand. On August 6th, give me the opportunity to disclose in the deepest technical voodoo I can muster. You let me know then if it was enough.
As for DJB, you misunderstand. I'm saying there is no such thing as "luck" -- a master like DJB follows his design principles, and is more right than even he knows. We should all be as lucky as him.
Statler--
Cool! Another bug that this patch will fix. People should definitely apply to patch, to protect themselves from this student's attack.
If all I've done here is make people more like DJB, I'd be happy.
http://www.doxpara.com/?p=1162
Secondly, I arrive at a different interpretation than you do in Kaminsky calling DJB "lucky". Here's Kaminsky's opener: "Luck is the residue of design." aka luck favors the prepared.
Re: timing. Did everyone notice that this came out on Microsoft's Patch Tuesday? Does that tell you anything about whose schedule everyone was working to? This was the last Patch Tuesday before Black Hat.
Re: blood in the water. Researchers have to research. Good guys trying to corral vendors have to ask for time to patch. Smart people who don't like secrecy have to demonstrate they can figure it out on their own with the hints given. Everyone is doing their job.
You're about to find out that the security community is capable of generating enough noise that it won't be worth it, no matter how good your stuff is.
But with that said: it's disingenuous in the extreme to say that it's the security community that's generating the noise. This story hit the BBC and the Chicago Tribune. Pick an argument you can win.
qIDs have 16 bits, not enough key space to avoid prediction/guessing NO MATTER WHAT. That has been clear and known "in theory" since the 1980s (search for Schuba and Spafford) and was demonstrated in practice in 1996. Yeah, that's right, 12 years ago; search for "res_random.txt". There's a reason why OpenBSD started to use something much closer to randomness than qid++ back then. There's also a reason why they chose not to randomize the source port of every DNS query, even though they have been randomizing source ports -and many other things- for a lot of similar purposes since the mid-90s.
Since then several others have actually improved the efficiency of DNS poisoning attacks that relied on the same protocol weakness (there have been and are poisoning attacks that rely on other weaknesses or bugs). As of now (pending Dan Kaminsky's disclosure) Amit Klein's is the _last_ (not first) of a series of improvements to the same type of attack, which were presented in public to much fanfare and promptly followed by public campaigning in favor of DNSSEC...
I really do not understand the need for such secrecy. Should I assume that CVS commits are censored too? or that *all* "bad guys" are too dumb to infer the problem from the solution? If the apparent "solution" to the problem is to randomize the source port of all queries in order to add 16bits of entropy (in the absolute best case scenario) then I'll say that's just one of many ways to address the problem and perhaps not even the best one.
oh.. yeah.. DNSSEC is in that list too and *NO* it is not the better way to solve this.
oops, i said DNSSEC twice, Ptacek will go wild!
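The two comments above (the "million requests with a constant XID" idea and the "16 bits is not enough key space, source ports add 16 more in the best case" point) argue about the same arithmetic. The following is an added example, written for this page and not posted by any commenter: a toy model of the forgery race. It assumes the matched fields (16-bit XID, plus a 16-bit UDP source port once randomized) are uniformly random, that an attacker's guesses within one race are distinct, and it ignores caching/TTL effects, so every race is treated as independent. The scenario numbers (1000 spoofed responses per race, one million races) are the ones the thread uses.

```python
import math

# Entropy the resolver checks on an incoming answer. Assumption for this
# model: both fields are uniformly random (best case named in the thread).
XID_BITS = 16    # transaction ID
PORT_BITS = 16   # UDP source port, once it is randomized per query


def per_race_success(entropy_bits: int, spoofed_responses: int) -> float:
    """Probability of winning one race: the attacker lands `spoofed_responses`
    distinct guesses before the legitimate answer closes the window."""
    return min(1.0, spoofed_responses / 2 ** entropy_bits)


def cumulative_success(entropy_bits: int, spoofed_responses: int, races: int) -> float:
    """Probability that at least one of `races` independent races is won."""
    p = per_race_success(entropy_bits, spoofed_responses)
    return 1.0 - (1.0 - p) ** races


def races_needed(entropy_bits: int, spoofed_responses: int, target: float = 0.5) -> int:
    """Smallest number of races that gives at least `target` overall success."""
    p = per_race_success(entropy_bits, spoofed_responses)
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def expected_spoofed_packets(entropy_bits: int, spoofed_responses: int) -> float:
    """Expected packets sent until the first win. Races until success are
    geometric with mean 1/p, so the total is ~2^bits however the guesses are
    split across races: many races buy independence from the single-race
    window, not a smaller packet budget."""
    p = per_race_success(entropy_bits, spoofed_responses)
    return spoofed_responses / p


def scenario_table(spoofed_responses: int = 1000, races: int = 1_000_000):
    """Compare XID-only matching with XID plus a random source port."""
    rows = []
    for label, bits in (("XID only", XID_BITS), ("XID + random port", XID_BITS + PORT_BITS)):
        rows.append((label, bits,
                     per_race_success(bits, spoofed_responses),
                     cumulative_success(bits, spoofed_responses, races),
                     races_needed(bits, spoofed_responses)))
    return rows


if __name__ == "__main__":
    for label, bits, p1, pall, n50 in scenario_table():
        print(f"{label:18} {bits:2d} bits  per-race {p1:.3e}  "
              f"after 1e6 races {pall:.4f}  races for 50%: {n50}")
```

With XID only, 1000 guesses per race win about 1.5% of the time, and fewer than 50 races give better than even odds; with a random port added, the same million races at 1000 packets each (a billion packets) still leave the attacker at roughly a one-in-five chance, which is what "16 more bits in the best case" means in practice.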
(Source: http://www.isc.org/index.pl?/sw/bind/bind-secur...)
The ISC people said this "last time", in 1996 --- "we'd randomize source ports, but that won't fix the problem completely, and the real solution is DNSSEC. Let's do that!" The problem? The DNSSEC they were talking about then got SCRAPPED and rebuilt, because it was designed in ways that made it impossible to deploy.
We've all been misquoted, or underquoted. Goes with the territory :(
As he says, he thinks it's important to keep the details quiet, but to encourage people to patch.
And he didn't ask you not to look, he asked you not to tell. To whatever degree those are separate.
Like I said, he's probably obliged to ask. Knowing it will be ignored.
I've got a bit of experience dealing with stories like these, and I don't think you hit the mainstream press by sitting back and doing nothing to promote your work.
The tactic is to claim this is old stuff and attack Dan for not doing interesting work while he can't say anything. Expectations will be raised so high by the time his presentation happens that he can't possibly meet them, and those who attacked him will claim victory.
See also: Trying to present on wireless driver vulnerabilities or embedded architectures where a null pointer overwrite is useful.
Dan is guilty of finding the flaw, "allowing" IOActive to put out a press release, and doing a couple of podcasts for technical blogs. And later, providing quotes for a couple of mainstream news outlets. I don't think he even wrote his own blog entry until a decent way into the process. I've done all the same before, I'm just rarely as successful at it.
Which of those steps would you have put a stop to, Tom?
In any case, all at Matasano should be happy now.. this randomized UDP source port thingie will make firewall rules and logfiles such a fun thing to play with. I wonder if they had this in their playbook all along and just planted the idea in Dan's brain exactly at the right time to have it blossom now. That Rauch character probably did it, he posts only when strange things happen in the internec
vague disclosure + talking to the media + announcing that all we be made clear in the future (and the future tends to correspond to a talk at a security conference) = this situation.
I think researchers tend to get trapped by disclosing just enough information that when the mainstream press hears it, they make it sound like the world is going to end. Security folks are left with a lot of questions. I've had a couple of customers call me and ask how concerned they should be and they have their boss asking them if they are safe.
If the issue is fixed and the world knows how to fix it, what's changing between now and Black Hat that impacts when the world can know about it? Is this about waiting for people to patch? Is there another patch coming?
The uninformed speculation is around why Dan won't disclose details. His stated reason is that he wants people to have more time to patch before the attacks start.
I believe Black Hat requires one to hold the good stuff for one's talk, yes?
I would be completely unsurprised if at least one of the coordinated vendors or Vixie or CERT requested that Dan hold details until his talk. Or perhaps Dan gave a drop-dead date of his talk, and someone is holding him to that.
Dan has zero control over others figuring out his attack and releasing details. Even when they do, he probably still can't say anything until his talk. The only possible schedule change Dan could have made here was to release details before someone else, right?
So are you and Tom saying that what you guys would be doing differently is that you would have shipped the exploit by now?
FWIW, Dan seems to me to not be a fan of blindsiding vendors. In a couple of the books I've done with Dan in the past, he was none too thrilled about people printing 0-day.
And it's also the case that a couple times we've hit the press on specific stuff we were at liberty to disclose, we got rolled a bit too.
In other news, leaving a shiny new BMW in a ghetto with keys inside and doors unlocked will lead to it being stolen.
While leaving an expensive car in a high-crime area is just a bad idea, running DNS is a necessity. You can consider it a "necessary evil", but the Internet would not function without it. So the best you can do is secure it as much as possible and hope for the best. Using products from security-conscious coders (i.e DJB) is a good start, but that's still not removing the 'shiny car' from the bad neighbor that is the Internet. The best you can is to put The Club on it, maybe an alarm, take the keys out and hope that 'bad guys' will target low-hanging fruit instead. (Does this analogy still make sense? Probably not, it's late.)
So the XID is like the fuel injection system, and the UDP port selection is like a non-synchronized transmission...
5 years after a vulnerability was first described publicly by DJB, Dan Kaminsky, a mediocre security consultant from a dark corner of the interweb, for no reason whatsoever manages to suddenly pull a number of important security vendors together on the Microsoft campus in March 2008. You have to at least admire this man's social engineering skills: no-one, not even DJB himself, nor a single one of all the smart guys posting comments on this page, has managed to convince just one of these vendors to fix this critical vulnerability in 5 years.
Back at the Microsoft campus, the mission of this gathering of high-profile IT professionals is laid out: to take a couple of days out of their busy schedules to reinvent a solution which has already been freely available to the public for 5 years. How about that. I heard Microsoft is also releasing a new version of their IP stack, referred to internally as 'the Kaminsky stack', which by design will route packets as inefficiently as possible - one day Ballmer simply told his boys to "make a stack that makes packets take as many hops as humanly possible".
Anyway, after these bright developers from such previously respected companies as Cisco, Microsoft and the ISC - along with no-one less than Paul Vixie - adjourn from the 5-year-old-patch-reinvention exercise and retreat to their usual high-paid day jobs, the aforementioned Kaminsky steps up and fools everyone in the security media into thinking that he has discovered a new, critical vulnerability in DNS. The story makes it across the globe and yet not a single one of the involved vendors, nor Paul Vixie, nor CERT bothers challenging Kaminsky's public claims. They are all too busy working out the new least-efficient-routing algorithm for Microsoft. That's what CERT is for anyway, right - to induce unwarranted panic and release information that is biased to boost some dude's personal PR stunt. Yeah, it's right there at the bottom of the security advisory they sent out to all those companies and organizations all over the world.
You were right guys, it's all so clear to me now: this Dan fellow is one heck of a smooth operator - and I can't wait to see him go down in flames at his talk in August. I bet he can't either - I mean, why stage something like this if you don't like to be the ridicule of the entire industry you work within for years to come. Surely, it must be some kind of humiliation fetish he is betting his job on.
See you all at Black Hat in a month - and don't bother with those patches, it's all bull anyway.
http://rhn.redhat.com/errata/RHSA-2008-0533.html
only tells part of the story.
Red Hat's original and updated bind and caching-nameserver packages come with .conf files which specify
query-source port 53;
query-source-v6 port 53;
Users will need to comment that out and restart named to make BIND use random source ports when forwarding requests.
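The comment above describes a case where the patched package is installed but a pinned `query-source port 53;` in the shipped config keeps the resolver on a fixed port, so the source-port randomization never takes effect. What follows is an added check, not code from the thread or from Red Hat, that flags such directives in a named.conf and rewrites them to `port *` (BIND 9's spelling for "choose a random port"). Both sample config blocks are constructed for the example; a real audit would run `fixed_query_source_ports` over the actual files, including anything pulled in by `include`, which this example does not follow.

```python
import re

# Constructed sample: the Red Hat-style options block described in the comment.
WEAK_CONF = """\
options {
    directory "/var/named";
    query-source port 53;
    query-source-v6 port 53;
};
"""

# Constructed sample: the same block after the fix. The pinned lines are
# commented out (as the comment advises) and the active directive says
# 'port *', so named picks a fresh random source port per query.
FIXED_CONF = """\
options {
    directory "/var/named";
    // query-source port 53;
    /* query-source-v6 port 53; */
    query-source address * port *;
};
"""

# BIND accepts C-style block comments, C++-style line comments and '#' comments.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
_DIRECTIVE_RE = re.compile(r"\b(query-source(?:-v6)?)\b([^;]*);")
_PORT_RE = re.compile(r"\bport\s+(\d+|\*)")


def strip_comments(text: str) -> str:
    """Remove all three comment styles so commented-out directives are not flagged."""
    return _COMMENT_RE.sub("", text)


def fixed_query_source_ports(conf_text: str) -> list[tuple[str, int]]:
    """Return (directive, port) for every active query-source directive pinned
    to a single port. 'port *' and directives without a port clause are fine."""
    findings = []
    for m in _DIRECTIVE_RE.finditer(strip_comments(conf_text)):
        directive, args = m.group(1), m.group(2)
        pm = _PORT_RE.search(args)
        if pm and pm.group(1) != "*":
            findings.append((directive, int(pm.group(1))))
    return findings


def unpin_query_source_ports(conf_text: str) -> str:
    """Rewrite 'port <n>' to 'port *' on active query-source lines only.
    Comment lines and the inside of multi-line block comments are left alone."""
    out, in_block = [], False
    for line in conf_text.splitlines(keepends=True):
        if in_block:
            if "*/" in line:
                in_block = False
            out.append(line)
            continue
        stripped = line.lstrip()
        if stripped.startswith(("//", "#")):
            out.append(line)
            continue
        if "/*" in line and "*/" not in line:
            in_block = True
            out.append(line)
            continue
        # Ignore a block comment that opens and closes on this same line.
        code = re.sub(r"/\*.*?\*/", "", line)
        if _DIRECTIVE_RE.search(code):
            line = re.sub(r"\bport\s+\d+", "port *", line)
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    print("weak config pins:", fixed_query_source_ports(WEAK_CONF))
    print("fixed config pins:", fixed_query_source_ports(FIXED_CONF))
    print(unpin_query_source_ports(WEAK_CONF))
```

After rewriting, `named` must still be restarted for the change to take effect, and the firewall in front of it must allow replies to the whole ephemeral port range rather than only to port 53, which is the operational side of the "fun with firewall rules" remark elsewhere in this thread.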
Let's just wait to see how things play out after the details are released.
If my 450 word attempt at sarcasm did not get through to you, shame on me. If you still think Dan has nothing, shame on you (reading your latest post, though, I know that's not the case).
I was merely addressing all the people calling 'media whore' on Dan on this page. To be clear: It is obvious from the circumstances that Dan has something of at least peripheral importance. Everyone has to stop pretending they have known about this vulnerability since 2003 and wait just 4 weeks for the full disclosure.
Where: Blackhat/Shadow Bar, Caesar's Palace, Las Vegas
What: Discuss over a drink ;)
I'm amazed reading through this blog as to how much you bash Kaminsky...prior to "accidentally" publishing the exploit after it's disclosed to you. Tell us, how does a security company accidentally disclose such a serious vulnerability? All I see is a bruised ego looking to one-up a fellow researcher.
And you guys pride yourselves on being an infosec company?
lame...very very lame.