The SANS Institute installed and tested Apple's fix for the underlying flaw in the domain name system (DNS) protocol, and found that a patched Leopard desktop (not Leopard Server) system still exhibited the risky behavior that must be eliminated to keep this flaw from being exploited.
As Rich Mogull and I noted in 'Apple Fails to Patch Critical Exploited DNS Flaw,' 2008-07-24, servers are at greatest risk from this DNS flaw. The flaw allows an attacker to push millions of fake responses for a DNS query to a server, and then poison the server's DNS entries if a forged entry that matches the right pattern beats the legitimate answer from the domain owner's DNS server to the punch.
However, computers used by individuals without DNS server software in operation can also be targeted by this flaw. With servers rapidly being patched worldwide, it's likely that the low-hanging fruit will disappear, and attack vectors will be designed to target massive numbers of clients on ISP networks. Clients use stub resolvers, which forward requests for DNS answers to a full-blown, or recursive, DNS server run by their company, ISP, network provider, or co-location facility.
The flaw relies on a lack of predictability in how source ports are assigned to outbound requests for domain name lookups in a DNS query. If the ports are sequential - each query increments the port number used by one for each subsequent request - then an attacker has a smaller possible universe of forged responses they have to send.
By increasing entropy - choosing a random source port for each query - a resolver ensures that attackers can't produce enough packets fast enough to win the race with the legitimate DNS server, and can statistically almost never poison the DNS cache. (This is a patch, not a fix, actually; DNS itself has to be overhauled to remove the fundamental weakness.)
I checked out my updated Leopard desktop system, and, sure enough, saw precisely what SANS saw: sequential UDP ports, which leaves Mac OS X clients vulnerable. To be fair, installing the patched BIND software directly left me equally exposed; this isn't an Apple-only problem, but it's hard to know the scope yet.
If you'd like to duplicate the SANS experiment, follow these steps:
- Launch Applications > Utilities > Terminal.
- Type the following, entering your administrative password when prompted:
  sudo tcpdump | grep domain
- In another Terminal window, type a few times:
- In the window with tcpdump running, you'll see a series of lines that look like the following. (If you don't see any results, add a space and '-i en1' after tcpdump above.)
  10:01:28.991811 IP resolver1.opendns.com.domain > host-omitted.55640: 13930 1/0/0 A pundit2.forest.net (49)
  10:01:29.144260 IP resolver1.opendns.com.domain > host-omitted.55641: 6961 0/0/0 (33)
  10:01:29.153251 IP resolver1.opendns.com.domain > host-omitted.55642: 38658 0/0/0 (33)
- Press Control-C (not Command-C) to stop tcpdump from running.
In the example extracted from my work machine above, you'll notice 55640, 55641, and 55642 after 'host-omitted,' where I deleted my machine's host name.
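The same check can be automated rather than read off by eye. The script below is an added example, not part of the original TidBITS article: it parses tcpdump response lines of the form shown above, reports whether the client's UDP source ports are sequential, and gives a rough estimate of how many bits a forger would have to guess per query (the 16-bit transaction ID alone for sequential ports, plus roughly log2 of the port spread when ports are randomized). The sample lines are the three from the article plus constructed randomized-port lines; the function names and the estimate formula are the example's own assumptions.

```python
"""Check whether a stub resolver randomizes its UDP source ports.

Added example, not code from the original article. Reads tcpdump lines
like "... IP <server>.domain > <client>.<port>: <txid> ..." and flags
sequential (predictable) source ports.
"""
import math
import re
import sys

# Response lines tcpdump prints for DNS answers coming back to the client.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<server>\S+)\.domain > "
    r"(?P<client>\S+)\.(?P<port>\d+): (?P<txid>\d+)"
)

# The three lines quoted in the article (sequential ports).
ARTICLE_LINES = [
    "10:01:28.991811 IP resolver1.opendns.com.domain > host-omitted.55640: 13930 1/0/0 A pundit2.forest.net (49)",
    "10:01:29.144260 IP resolver1.opendns.com.domain > host-omitted.55641: 6961 0/0/0 (33)",
    "10:01:29.153251 IP resolver1.opendns.com.domain > host-omitted.55642: 38658 0/0/0 (33)",
]

# Constructed sample of what a patched, port-randomizing client would show.
RANDOMIZED_LINES = [
    "10:05:01.100000 IP resolver1.opendns.com.domain > host-omitted.12021: 4111 1/0/0 A example.invalid (49)",
    "10:05:01.250000 IP resolver1.opendns.com.domain > host-omitted.51133: 9020 0/0/0 (33)",
    "10:05:01.300000 IP resolver1.opendns.com.domain > host-omitted.3390: 60214 0/0/0 (33)",
    "10:05:01.420000 IP resolver1.opendns.com.domain > host-omitted.61877: 27735 0/0/0 (33)",
]


def parse_ports(lines):
    """Return the client source ports, in capture order, from tcpdump lines."""
    ports = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ports.append(int(m.group("port")))
    return ports


def is_sequential(ports):
    """True when every port is exactly one greater than the previous one."""
    if len(ports) < 2:
        return False
    return all(b - a == 1 for a, b in zip(ports, ports[1:]))


def effective_guess_space_bits(ports):
    """Rough estimate (an assumption of this example) of the bits a forger
    must guess per query: the 16-bit transaction ID is always present;
    sequential ports add nothing, randomized ports add ~log2(port spread)."""
    txid_bits = 16
    if is_sequential(ports) or len(set(ports)) < 2:
        return txid_bits
    spread = max(ports) - min(ports) + 1
    return txid_bits + math.log2(spread)


def assess(lines):
    """Summarize a capture: ports seen, sequential or not, guess-space bits."""
    ports = parse_ports(lines)
    seq = is_sequential(ports)
    return {
        "ports": ports,
        "sequential": seq,
        "bits": effective_guess_space_bits(ports),
        "verdict": "sequential source ports (predictable)" if seq
                   else "source ports not sequential",
    }


if __name__ == "__main__":
    # Pipe a live capture in: sudo tcpdump | grep domain | python3 this_script.py
    src = sys.stdin if not sys.stdin.isatty() else ARTICLE_LINES
    result = assess(list(src))
    print(result["verdict"], "ports:", result["ports"],
          "approx bits to guess: %.1f" % result["bits"])
```

Run it against the article's lines and it reports the ports 55640, 55641, 55642 as sequential with only the 16-bit transaction ID standing between a forger and a poisoned cache; against the constructed randomized lines it reports roughly 32 bits. A single run of three queries is only a spot check, so capture a few dozen lookups before drawing a conclusion about a resolver.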
We're not back where we started, but Apple - and others, since I haven't tested other operating systems' client fixes - still have work to do.
Copyright © 2008 Glenn Fleishman. TidBITS is copyright © 2008 TidBITS Publishing Inc. If you're reading this article on a Web site other than TidBITS.com, please let us know, because if it was republished without attribution, by a commercial site, or in modified form, it violates our Creative Commons License.