DeepSec 2022 Talk: Melting the DNS Iceberg – Taking Over Your Infrastructure Kaminsky Style – Dipl.-Ing. Timo Longin BSc

Sanna / September 7, 2022 / Conference

What does DNS have in common with an iceberg? Both are hiding invisible dangers! Beneath an iceberg there is… even more ice. Beneath the DNS, however, unexpected vulnerabilities are hiding!

If you want to resolve a name via DNS, there are multiple open DNS resolvers all across the Internet. A commonly used open DNS resolver is Google’s resolver with the IP address 8.8.8.8. However, not every system is using such an open resolver. Hosting providers, ISPs and the like are often using resolvers that are not directly accessible from the Internet. These are the so-called “closed” resolvers.

In my previous research “Forgot password? Taking over user accounts Kaminsky style,” I unearthed critical vulnerabilities in the DNS resolvers of web applications, but I hadn’t given a second thought to the fact that these web applications were most likely using closed resolvers. So, this time, I looked at the root of the problem.

In this talk, we’ll look at how we can indirectly access these closed resolvers from the Internet. Furthermore, I’ll introduce open-source tools and methods to discover vulnerabilities in them. Lastly, a proof-of-concept exploit of a fully patched WordPress instance will show how these closed resolvers can be attacked and how thousands of systems could potentially be compromised.

Dipl.-Ing. Timo Longin answers a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  1. DNS security is still a big problem and shouldn’t be taken for granted.
  2. DNS vulnerabilities in ISPs and hosting providers can lead to takeovers of thousands of servers.
  3. Internal DNS infrastructure can sometimes be attacked from the Internet.
  4. Fully patched systems (e.g., WordPress) can be compromised via DNS.
  5. Bug bounties are up for grabs!

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

After my past research for “Forgot password? Taking over user accounts Kaminsky style” I was wondering why certain web applications are vulnerable to DNS attacks. This led to the hypothesis that closed/internal DNS resolvers were most likely the cause. Now, we are looking at thousands of potentially vulnerable servers! As this is a serious issue that should get the attention it deserves, I felt obliged to create this talk.

Why do you think this is an important topic?

Simple. This attack vector affects thousands of servers worldwide and is pretty much unknown.

Is there something you want everybody to know – some good advice for our readers maybe?

As an incentive for the InfoSec community to inspect DNS security, I haven’t examined bug bounty domains for DNS vulnerabilities. This is your chance to get your hands dirty and get some juicy bounties!

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

Due to its nature, the DNS is a slowly evolving technology. Even after 14 years, we can still find DNS infrastructure vulnerable to Kaminsky attacks. As new DNS security features arrive, so do bypasses and further issues. Where this path leads and where it ends is beyond my grasp.


Timo Longin is a security consultant at SEC Consult (an Atos company) by day and a security researcher by night. Aside from everyday security assessments, he publishes blog posts and security tools, holds talks at conferences and universities, and, most importantly, has a passion for CTFs. His primary focus is on web applications; however, infrastructure and hardware are not safe from him either. As a well-rounded offensive security researcher, he tries to find forgotten and new attack vectors that make the unthinkable possible.
