On Wed, Jul 23, 2008 at 9:44 PM, Joe Greco <jgreco@ns.sol.net> wrote:
Except this time your reply comes with an additional record containing the IP for www.gmail.com to the one you want to redirect it to.
Thought that was the normal technique for cache poisoning. I'm pretty sure that at some point, code was added to BIND to actually implement this whole bailiwick system, rather than just accepting arbitrary out- of-scope data, which it ... used to do (sigh, hi BIND4).
Joe,
I think that's the beauty of this attack: the data ISN'T out of scope. The resolver is expecting to receive one or more answers to 00001.gmail.com, one or more authority records (gmail.com NS www.gmail.com) and additional records providing addresses for the authority records (www.gmail.com A 127.0.0.1).
I think the response to that is best summarized as **YAWN**. One of the basic tenets of attacking security is that it works best to attack the things that you know a remote system will allow. The bailiwick system is *OLD* tech at this point, but is pretty much universally deployed (in whatever forms across various products), so it stands to reason that a successful attack is likely to involve either in-scope data, or a bug in the system. The fact that this was known to be a cross-platform vulnerability would have suggested an in-scope data attack. I thought that part was obvious, sorry for any confusion. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.