crossfire overtake soon !
24 Jul 2008, 18:21
Some days ago an exploit came alive which allows editing domains. That means someone can copy crossfire onto a new server (if he is able to.. the exploit won't do that part) and also edit the domain to that server. And if u enter crossfire.nu, you are on some other server where he could start logging your pw/acc :o
Kamz doing that soon? god knows... but shoutout to fusen & netcoders.cc !!
I'm not 100% sure how it works and if every DNS is exploitable, but as far as I read it is. And it's not rly hard to use that exploit :o
So tbh I'm a bit scared cause that shit could happen with every site (bank, mails, msn, ...)
@edit: also read that some German bank sites are already exploited.. and on some sites there are also warnings that u should wait with online banking & stuff until this is fixed :o
published on Thursday 24.7.08
@edit:
Exploit ID: CAU-EX-2008-0002
Release Date: 2008.07.23
Title: bailiwicked_host.rb
Description: Kaminsky DNS Cache Poisoning Flaw Exploit
Tested: BIND 9.4.1-9.4.2
Attributes: Remote, Poison, Resolver, Metasploit
Exploit URL: http://www.caughq.org/exploits/CAU-EX-2008-0002.txt
Author/Email: I)ruid <druid (@) caughq.org>
H D Moore <hdm (@) metasploit.com>
The DNS protocol uses a 16-bit key to identify the returning UDP packet. This key was supposed to be random, but they found that apparently it wasn't random enough. So if you attack a DNS server with massive amounts of requests and that server isn't handling DNS for that domain (for instance crossfire.nu), it will request it from the DNS server that does handle the crossfire.nu domain. Meanwhile, at the same time, you send massive amounts of return requests for WWW.crossfire.nu with random 16-bit keys. With the bugged state you could get a validated returning packet into the targeted DNS server within about 10 seconds. The result would be that the IP given for www.crossfire.nu would be stored in the targeted DNS server for the amount of time until it expires (usually around 24 hours), so for the next 24 hours anyone using the targeted DNS server would get a different IP back for the request of www.crossfire.nu.
Not to worry though. Most ISPs have had plenty of time to patch their DNS servers. And if they didn't, well, tough luck :P
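The comment above describes a resolver receiving many replies carrying the wrong 16-bit key while a lookup is outstanding. As an added example (not from this thread or from any DNS server's code), here is a resolver-side check that accepts only the reply whose ID matches the pending query and raises an alert when wrong-ID replies pile up; `PendingQueries`, `MISMATCH_ALERT`, `build_reply` and the name `www.example.test` are hypothetical.

```python
import struct
from collections import Counter

MISMATCH_ALERT = 100  # assumed threshold: wrong-ID replies per pending name

def parse_reply(packet: bytes):
    """Return (txid, is_response, qname) from a raw DNS message."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    labels, pos = [], 12
    while qdcount:
        if pos >= len(packet):
            raise ValueError("truncated question section")
        length = packet[pos]
        if length == 0:
            break
        if length > 63 or pos + 1 + length > len(packet):
            raise ValueError("bad label in question section")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    return txid, bool(flags & 0x8000), ".".join(labels)

class PendingQueries:
    """Tracks outstanding upstream queries and counts replies with a wrong ID.
    Simplified: real resolvers also match the reply's source address and port."""
    def __init__(self):
        self.pending = {}            # qname -> 16-bit ID we sent
        self.mismatches = Counter()  # qname -> wrong-ID replies seen

    def sent(self, qname, txid):
        self.pending[qname.lower()] = txid

    def check(self, packet):
        """Return 'accept', 'drop' or 'alert' for one incoming packet."""
        try:
            txid, is_response, qname = parse_reply(packet)
        except (ValueError, UnicodeDecodeError):
            return "drop"
        if not is_response or qname not in self.pending:
            return "drop"
        if txid == self.pending[qname]:
            del self.pending[qname]
            return "accept"
        self.mismatches[qname] += 1
        return "alert" if self.mismatches[qname] >= MISMATCH_ALERT else "drop"

def build_reply(txid, qname):
    """Constructed sample data: a minimal response header plus question."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + q + struct.pack("!HH", 1, 1)
```

A burst of alerts for one name while a single query is outstanding is the signal worth logging, since a legitimate server answers once with the right ID.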
[*asking that because I use "asdasd" as my password for online banking]
in general the web address should be https
&
in Sweden you receive some kind of password remote control. so you do not log in with passwords and usernames. one needs to type lots of numbers n stuff to finally log in, it's not complicated but very effective.
as far as i know, these remotes are not used in, for example, Germany and probably many other countries
\ o /
won't be logging into my bank account for a while :(
but even that is hardly happening. The bug is a bit hyped. It's a serious bug, true, but it doesn't deserve this much hype imo.