Archive for July, 2008

This week in Infosec - 2008-07-25

Friday, July 25th, 2008

The DNS Bug

Background
The DNS system allows computers to find each other on the Internet.  Every computer on the Internet is identified uniquely by a numeric IP address.  The DNS system lets us use a memorable name rather than a number.

For example, when you type www.google.com, DNS servers resolve the name to one of Google’s server addresses:  66.233.169.104

There are countless thousands of DNS servers on the Internet.

The Itch
About 6 months ago, researcher Dan Kaminsky discovered a way to exploit a flaw in the DNS protocol quickly and reliably.

He did not find a bug in a specific DNS server; he found a way to exploit the protocol itself.

Nearly every DNS server (except DJBDNS, OpenBSD’s resolver, OpenDNS, and possibly a few others) is vulnerable.  What the exceptions have in common is that they already randomized the UDP source port of their outgoing queries; adding that randomization is what the vendor patches do.

Dan quietly pulled together a team of researchers and vendors that worked in secret over the following months to devise and coordinate a fix.

On July 7, US-CERT announced the vulnerability.

Simultaneously, 16 vendors released patches for 60 different DNS products.

What followed was a broadcast from those involved in the research, and from those close to Kaminsky: “Patch your DNS immediately.”  One of those closest to the incident is Rich Mogull of Securosis, who published a blog post the morning of the CERT advisory.

Dan vowed he would do all he could to keep details of the vulnerability under wraps, but would fully disclose the exact nature of the vulnerability at Black Hat in August.

There wasn’t a security podcast, blog, chat room, or IRC channel that wasn’t buzzing with speculation.

The Scratch
On July 23, security researchers HD Moore and |)ruid developed a working exploit and added it to the Metasploit framework, a free penetration testing platform.

The exploit can poison the cache of an unpatched DNS server in just a few minutes.

With a weaponized exploit in the wild, the consequences could be dire.
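To see why an unpatched resolver falls in minutes while a patched one does not, here is a small added simulation of the race (my own illustration, not the Metasploit module or anything from Kaminsky).  It relies on two facts the post does not spell out: a resolver accepts the first UDP reply whose 16-bit transaction ID and destination port match an outstanding query, and the July patches randomize the source port of each query.  The Kaminsky twist is modelled too: the forged reply for a throwaway name carries an in-bailiwick NS/glue record for the whole zone, so the attacker gets a fresh race per throwaway name instead of waiting out a TTL.  The zone, addresses, port range, fixed port value and flood size are constructed for the example.

```python
import random

TXID_SPACE = 1 << 16               # DNS transaction IDs are 16 bits
PORT_LOW, PORT_HIGH = 1024, 65536  # ephemeral range assumed for a patched resolver
FIXED_PORT = 53                    # unpatched resolver: one fixed source port (value assumed)
ZONE = "example.com"               # constructed victim zone
VICTIM_ADDR = "198.51.100.1"       # genuine address (documentation range, constructed)
ATTACKER_ADDR = "203.0.113.1"      # where the forged NS/glue points (constructed)


class ToyResolver:
    """Caches the first reply whose (txid, source port) matches a pending query."""

    def __init__(self, randomize_port, rng):
        self.randomize_port = randomize_port
        self.rng = rng
        self.cache = {}    # name -> address
        self.pending = {}  # name -> (txid, port) of the outstanding query

    def source_port(self):
        if self.randomize_port:
            return self.rng.randrange(PORT_LOW, PORT_HIGH)
        return FIXED_PORT

    def query(self, name):
        self.pending[name] = (self.rng.randrange(TXID_SPACE), self.source_port())

    def receive(self, name, txid, port, addr, zone_glue=None):
        if self.pending.get(name) != (txid, port):
            return False  # wrong ID or port: reply silently dropped
        del self.pending[name]
        self.cache[name] = addr
        # Kaminsky's twist: a forged reply for a throwaway name also carries an
        # in-bailiwick NS/glue record for the zone itself, which is cached too.
        if zone_glue is not None:
            self.cache[zone_glue[0]] = zone_glue[1]
        return True


def search_space(randomize_port):
    """Number of (txid, port) combinations a forged reply has to guess among."""
    return TXID_SPACE * ((PORT_HIGH - PORT_LOW) if randomize_port else 1)


def run_race(randomize_port, spoofs_per_query=100, max_queries=20000, seed=2008):
    """Attacker forces queries for fresh names under ZONE and floods each one
    with forged replies before the genuine answer lands.  Returns (number of
    forced queries until ZONE is poisoned, or None; cached address for ZONE)."""
    rng = random.Random(seed)
    resolver = ToyResolver(randomize_port, rng)
    for n in range(1, max_queries + 1):
        name = f"{n:08x}.{ZONE}"
        resolver.query(name)
        for _ in range(spoofs_per_query):
            txid = rng.randrange(TXID_SPACE)
            port = rng.randrange(PORT_LOW, PORT_HIGH) if randomize_port else FIXED_PORT
            if resolver.receive(name, txid, port, ATTACKER_ADDR, (ZONE, ATTACKER_ADDR)):
                return n, resolver.cache[ZONE]
        # no forgery matched: the genuine reply arrives and wins this round
        resolver.receive(name, *resolver.pending[name], VICTIM_ADDR)
    return None, resolver.cache.get(ZONE)


if __name__ == "__main__":
    print("guess space, fixed port:     ", search_space(False))
    print("guess space, randomized port:", search_space(True))
    print("fixed port, poisoned after N forced queries:", run_race(False))
    print("randomized port, result within 2000 queries:", run_race(True, max_queries=2000))
```

With a fixed source port the attacker only has to guess the 16-bit ID, so 100 forgeries per forced query poison the zone after a few hundred throwaway names; with the port randomized as well the guess space grows by a factor of roughly 64,000 and the same flood gets nowhere in the cap.  Real resolvers also check the question section and the reply's source address, which the toy omits, but those fields are known to the attacker and add no entropy.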

Aftermath
What can you do?

  • System administrators should ensure that all DNS servers under their control are patched immediately.  Patches are available for all major products.
  • End users should run automatic updates as soon as possible.  Patches are available.
  • The paranoid can manually configure their computers to use the OpenDNS servers.
  • Many ISPs have patched, and you can check their sites for more details.
  • To check the resolver you actually use, DNS-OARC runs a port-randomization test: dig +short porttest.dns-oarc.net TXT answers with a verdict (GOOD or GREAT means the source ports vary; POOR means you are still talking to a resolver that needs patching).

Prelude
Today, Kaminsky released additional details about the vulnerability.  It’s worth a read.

Let’s hope next week is… well… boring.  I think we can all use a rest after these past two…

Bill

OpenBSD - Episode 4 - Apache, MySQL, PHP

Saturday, July 12th, 2008

Ok, so it took longer than I expected…

But in the end, the process was exceedingly easy.

I’d like to thank toeknee over at h00d.org for his awesome post, “OAMP on OpenBSD 4.2 (OpenBSD, Apache, MySQL 5.0 & PHP5)” which basically walked me through the process.

Before finding toeknee’s article, I was trying to manually install Apache.

After a few hours of banging on the keyboard, I realized… like an idiot… that OpenBSD comes with a chrooted Apache install…

Ok… RTFM, Bill.

Next all I had to do was get MySQL and PHP working.

Toeknee’s page was perfect.

There are a few changes between 4.2 and 4.3 with regards to activating MySQL for PHP, but after doing pkg_add, the instructions were quite clear.

I had no problem getting Apache to start at boot, but I couldn’t get MySQL to start at boot. There was no real error message. When the server would boot, you could see MySQL being started, but then immediately it would shut down.

No worries. I just started it by hand, and linked the socket over to the chroot:

# start the server in the background as the _mysql user; --log turns on the general query log
/usr/local/bin/mysqld_safe --user=_mysql --log &
# hard-link the socket into the Apache chroot so PHP inside /var/www can reach it
# (a hard link, not a symlink: a symlink would be resolved relative to the chroot)
mkdir -p /var/www/var/run/mysql
ln -f /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock
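The by-hand procedure above is the kind of thing that belongs in /etc/rc.local so it survives a reboot.  The following is an added example of mine, not from the post or from toeknee’s article: a small sh helper that starts mysqld_safe, waits for the socket to appear (mysqld_safe backgrounds itself, so linking immediately would race the server), and then hard-links the socket into the chroot.  The socket paths are the post’s; the function names, the 30-second timeout and the idea of sourcing the file from rc.local are this example’s own.

```sh
#!/bin/sh
# Added example: boot-time MySQL start plus socket link into the Apache
# chroot on OpenBSD 4.3.  Paths follow the post; helper names and the
# timeout are this example's own choices.

MYSQL_SOCK=/var/run/mysql/mysql.sock
CHROOT_SOCK=/var/www/var/run/mysql/mysql.sock

# wait_for_socket SOCKET TIMEOUT_SECONDS
# Return 0 once SOCKET exists, 1 if TIMEOUT_SECONDS (default 30) elapse first.
wait_for_socket() {
    _sock=$1
    _left=${2:-30}
    while [ ! -e "$_sock" ]; do
        [ "$_left" -gt 0 ] || return 1
        sleep 1
        _left=$((_left - 1))
    done
    return 0
}

# link_socket_into_chroot SRC DST
# Create DST's directory and hard-link SRC there.  A hard link (not a symlink)
# is required: a symlink would be resolved relative to the chroot root and
# point nowhere.  SRC and DST must live on the same filesystem.
link_socket_into_chroot() {
    _src=$1
    _dst=$2
    [ -e "$_src" ] || return 1
    mkdir -p "$(dirname "$_dst")" || return 1
    ln -f "$_src" "$_dst"
}

# Boot-time entry point.  Save this file as, say, /etc/mysql-chroot.sh and add
# to /etc/rc.local (before Apache starts):
#   . /etc/mysql-chroot.sh && start_mysql_for_chroot
start_mysql_for_chroot() {
    if [ -x /usr/local/bin/mysqld_safe ]; then
        echo -n ' mysqld'
        /usr/local/bin/mysqld_safe --user=_mysql --log > /dev/null 2>&1 &
        if ! wait_for_socket "$MYSQL_SOCK" 30; then
            echo ' (mysql socket never appeared; check /var/mysql/*.err)'
            return 1
        fi
        link_socket_into_chroot "$MYSQL_SOCK" "$CHROOT_SOCK"
    fi
}
```

If mysqld still exits right after starting, the server’s error log in its data directory (the .err file) will say why; rc.local itself discards the output.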

Installing and configuring an instance of WordPress was a breeze.

Sweet… I’m sure I’ll play around with this box some more. Perhaps I’ll put known-vulnerable apps on it to test web penetration-testing tools.

I like OpenBSD. It’s been a fun project. Now, if I can just get my boss to consider anything that isn’t M$FT…

Bill