Security: BIND9 exploit is out. Please check your DNS!

Emanuele Gentili | Security | Thursday, July 24th, 2008

I am pleased (?) to announce that the BIND9 exploit is out (CVE-2008-1447).

This exploit targets a fairly ubiquitous flaw in DNS implementations which allows the insertion of malicious DNS records into the cache of the target nameserver.
This exploit caches a single malicious host entry into the target nameserver.
By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing the target nameserver to insert the additional record into the cache.

This issue was fixed in Ubuntu via USN-622-1, but more ISPs are now vulnerable.

What to do?
First of all, check your DNS on www.doxpara.com (right menu).
If your DNS servers are vulnerable, I suggest switching to OpenDNS to fix this security issue.

emgent@amnistia:~$ sudo su root
[sudo] password for emgent:
root@amnistia:/home/emgent# echo "nameserver 208.67.222.222" > /etc/resolv.conf
root@amnistia:/home/emgent# echo "nameserver 208.67.220.220" >> /etc/resolv.conf
root@amnistia:/home/emgent# exit
exit
emgent@amnistia:~$

Background on #ubuntu-quality:
[SNIP]
(04:36) ( emgent) hello
(04:37) ( LaserJock) hi emgent
(04:37) ( emgent) I’m plased to announce that BIND9 exploit is now public.
(04:37) ( emgent) s/plased/pleased/
(04:38) ( persia) Is the solution also public, and distributed?
(04:38) ( emgent) sure. fixed some weeks ago in ubuntu.
(04:38)  * LaserJock wonders if he should clap or not
(04:39) ( emgent) but more ISP are vulnerale now..
(04:40) ( emgent) persia: you can check your dns on http://www.doxpara.com/ (right menu)
(04:42) ( emgent) s/vulnerale/vulnerable/
(04:44) ( Hobbsee) oh good!  telstra isn’t.
(04:45) ( emgent) nice, Telecom Italia now is vuln.
(04:45) ( persia) NTT is vulnerable, but that is both unsurprising and unlikely to cause issues.
(04:45) ( emgent) I use Open DNS
(04:47) ( LaserJock) mine is vulnerable it says
(04:47) ( emgent) switch to open dns
(04:49) ( emgent) exploit was published some hours ago.. and there is a big problem.. now all people can hack vuln DNS and redirect google.com to sarcazzo.com for example.
(04:50) ( emgent) i go to write a post in planet.
(04:50) ( LaserJock) interesting
[SNIP]

happy defending! :-)

5 Comments »

  1. Is it possible with OpenDNS to NOT have it change the way automatic search is done in the Firefox “awesome bar”? I switched to OpenDNS briefly because apparently Time Warner Cable’s Roadrunner DNS servers remain exploitable according to doxpara.com but the way it changed that behavior had a major impact on the way I like to use Firefox and I switched it back… for now.

    Comment by Matt Philmon — July 24, 2008 @ 5:16 am

  2. Since your blog turned the quotes into spiffy ones, they weren’t deleted, and I had some fun time getting my internet working again…

    (thankfully the GUI worked and fixed everything)

    Comment by Vadim P. — July 24, 2008 @ 12:59 pm

  3. Changing the resolv.conf like you did won’t work in ubuntu. If you use dhcp the resolv you set will be overwritten on the next reboot. Unfortunately I don’t know how to fix that.

    Comment by No Name — July 24, 2008 @ 3:15 pm

  4. @No Name: It’s false, you can write a bash script and put it in dhclient-exit-hooks.d or if you prefer change your default dns in your router.

    Comment by emgent — July 24, 2008 @ 5:30 pm
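
The hook approach mentioned in comment 4, as an added example that is not part of the original post or its comments: a dhclient exit hook that re-pins the two resolvers from the post after each lease event, so the DHCP-supplied nameservers do not come back. The function and variable names are hypothetical, and the full path of the dhclient-exit-hooks.d directory depends on the installed dhclient package.

```shell
#!/bin/sh
# Added example, not from the original post. Meant to be saved in the
# dhclient-exit-hooks.d directory named in comment 4 (the full path depends on
# the dhclient package). Function and variable names are hypothetical.

# Resolver addresses copied from the post's resolv.conf commands.
PINNED_RESOLVERS="208.67.222.222 208.67.220.220"
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"

# Rewrite file $1 so the pinned resolvers are its only nameserver lines,
# keeping the search/domain/options lines the DHCP client wrote.
pin_nameservers() {
    pin_target="$1"
    pin_tmp="$(mktemp "${pin_target}.XXXXXX")" || return 1
    if [ -f "$pin_target" ]; then
        # sed (unlike grep -v) exits 0 even when every line is dropped.
        sed '/^[[:space:]]*nameserver[[:space:]]/d' "$pin_target" > "$pin_tmp"
    fi
    for pin_ip in $PINNED_RESOLVERS; do
        # printf with plain ASCII quotes: no stray quote characters in the file.
        printf 'nameserver %s\n' "$pin_ip" >> "$pin_tmp"
    done
    chmod 644 "$pin_tmp"            # mktemp creates the file 0600
    mv "$pin_tmp" "$pin_target"     # rename is atomic: no half-written file
}

# dhclient-script sources its hooks with $reason set to the lease event.
# Only the events on which it rewrites resolv.conf need the re-pin.
pin_on_lease_event() {
    case "${reason:-}" in
        BOUND|RENEW|REBIND|REBOOT) pin_nameservers "$RESOLV_CONF" ;;
    esac
}

pin_on_lease_event
```

Because dhclient-script sources the hook rather than executing it, the file must not call exit.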

  5. You can always submit them to ubuntubash.org emgent :P

    Comment by Tiago Faria — July 27, 2008 @ 12:55 pm
