Dan Kaminsky, the researcher who discovered a serious flaw in the domain-name system (DNS), asked for thirty days and he got, at most, thirteen.
Late Wednesday, HD Moore, the founder of the Metasploit Project, and another researcher using the hacker handle |)ruid, released two exploits for the Metasploit framework. The first exploit allows an attacker to poison a DNS cache with a single host entry, if that entry is not already in the cache. Following a suggestion after they published the first exploit, the duo created a variant of the attack that gives the attacker the ability to completely overwrite the name servers for the target domain.
"You can replace all name servers for a particular domain, with one that you control, inside the cache server," Moore said. "It's much more usable, but the downside is that you have run your own DNS server to handle all the requests from people using that cache server. So it is definitely not sneaky."
The two exploits hit the Internet thirteen days after Kaminsky, the director of penetration testing at security firm IOActive, revealed an effort by software makers and domain-name service (DNS) providers to patch a flaw, of which they gave few details. On Monday, after a well-known researcher speculated on the nature of the flaw, a security firm that had been pre-briefed on the issue published, for a short time, details of the vulnerability. The Metasploit researchers said that details in that posting and in a subsequent interview with Kaminsky allowed them to create an exploit for the issue.
"I was content to wait for Kaminsky's presentation at BlackHat before coding these up, because I didn't have the details and was too busy to go figure them out," |)ruid wrote in a blog post on Thursday. "But once public speculation started nailing the issue -- form your own conclusions on whether the speculation itself was 'responsible' or not -- and then the accidental leak of the full details, followed by Kaminsky's describing the bug himself via a story on how he found it in an interview shortly thereafter, working exploits being created was only a -- likely, short -- matter of time."
Metasploit is available for download from the project's Web site.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos