Search This Blog

Showing posts with label DNS poison attack. Show all posts

Critical Flaws Discovered in Linux that Enables DNS Cache Poisoning

 

Researchers at the University of California have unearthed security flaws in the DNS system that could leave vendors at risk of server attacks. 

The hackers can abuse the vulnerability by intercepting the connection from the DNS resolver to the nameserver, thus allowing them to change the server IP addresses linked to several web domains, researchers Keyu Man, Xin’an Zhou, and Zhiyun Qian wrote in a recently published research paper at the ACM CCS 2021 conference. 

"The attack allows an off-path attacker to inject a malicious DNS record into a DNS cache," University of California researchers stated. "SAD DNS attack allows an attacker to redirect any traffic (originally destined to a specific domain) to his own server and then become a man-in-the-middle (MITM) attacker, allowing eavesdropping and tampering of the communication." 

The central to the assault is how Linux manages DNS queries on servers, particularly Internet Control Message Protocol (ICMP) packets. The researchers discovered that these behaviors could be used to infer the User Datagram Protocol (UDP) port number between the resolver and nameserver, something that is otherwise randomized and seems impossible to guess. 

"Surprisingly, we uncover novel side channels that have been lurking in the Linux network stack for over a decade and yet were not previously known," the trio explained in their paper, adding that as much as 38% of DNS resolvers are susceptible to attacks.

However, researchers warned that Linux is not the only threat vector for this assault. "The side channels affect not only Linux but also a wide range of DNS software running on top of it, including BIND, Unbound, and dnsmasq." 

This particular research was based on a previous set of attacks the researchers uncovered and dubbed "SADDNS." The SADDNS research demonstrated how the rate limit on the UDP system could be used to infer the port for the nameserver connection. DNS cache poisoning was originally discovered by the late Dan Kaminsky in 2008. 

"In SADDNS, the key insight is that a shared resource, i.e., ICMP global rate limit shared between the off-path attacker and victim, can be leveraged to send spoofed UDP probes and infer which ephemeral port is used," researchers stated. "Unfortunately, it is unclear how many more such side channels exist in the network stack." 

To mitigate the risks, the researchers propose a number of solutions, such as randomizing the caching structure, rejecting ICMP redirect messages, and setting proper socket options such as IP_PMTUDISC_OMIT, which instructs an operating system to ignore so-called ICMP messages, and therefore completely mitigates the side channel-related processing in the kernel.

Hackers Dropping Malware via Free WinZip Trial Popup Vulnerability

 

Researchers have discovered a critical security flaw in WinZip 24 that targets users with malware. WinZip trial popup vulnerability allows hackers to perform arbitrary code execution and DNS poisoning.
 
When WinZip displays prompt informing about the expiry of the free trial and sends requests for checking updates, it communicates in plaintext over HTTP instead of HTTPS; the vulnerability has been reported to exist in the way WinZip communicated with its servers, making it susceptible to exploits by malicious actors who delivered malware through the same. 

WinZip is free to download ZIP tool program that is used to compress and decompress files easily. It enables users to zip and unzip almost all file formats including zip, tar, rar, and etc. However, the tool is available online free for a trial period, and to continue availing its services fully, users need to purchase a license for which the tool checks software status for users over a period of time, repeatedly. Once it detects the trial period being expired, the software displays a prompt using the abovementioned way of communication: That is where the bug was found.
 
It was in between that attackers could intercept the traffic and intervene in the communicated text and added an infected WinZip version. Furthermore, the users' concerns are aggravated by the fact that the update request also contains personal data of the user such as 'registered username', 'registration code', and other required information for the processing of the request. This information could also be accessed by the attacker meddling with the trial popup.
 
"WinZip 24 opens pop-up windows time to time when running in Trial mode. Since the content of these popups is HTML with JavaScript that is also retrieved via HTTP, it makes manipulation of that content easy for a network adjacent attacker," as told by Researchers from Trustwave.
 
"The application sends out potentially sensitive information like the registered username, registration code and some other information in query string as a part of the update request. Since this is over an unencrypted channel this information is fully visible to the attacker."
 
"This means anyone on the same network as user running a vulnerable version of WinZip can use techniques like DNS poisoning to trick the application to fetch “update” files from malicious web server instead of legitimate WinZip update host. As a result, unsuspecting user can launch arbitrary code as if it is a valid update," the researchers further added.

Romanian Google , Yahoo, Microsoft, Paypal, Kaspersky hacked By Algerian Hacker MCA-CRB

Google Romania hacked

Here is another DNS poison attack.  we can call this month as 'Month of DNS posion attack'. The report says hackers compromised the RoTLD - The Romanian Top Level Domain Registry and poisoned the DNS Records.


An Algerian Hacker group called MCA-CRB allegedly hijacked the domain registrar and change the DNS record such that it points to defacement page.

The list of affected Top Level Domains:
  • google.ro
  • yahoo.ro
  • microsoft.ro
  • paypal.ro
  • kaspersky.ro
  • windows.ro
  • hotmail.ro

Hackers modified the DNS records such that it points to an IP address located in the Netherlands: 95.128.3.172 (server1.joomlapartner.nl) .

The mirror of the defacement can be found here:
http://www.zone-h.org/archive/notifier=MCA-CRB

At the time of writing, the affected sites are back to online and working properly.

According to the Zone-H record, the hacker group MCA-DRB, has defaced 5,530 site websites so far, many of them appearing to cover government and public services sites from countries across Asia, Africa, Europe, Australia and the Americas.

Few days back, hackers break into the PKNIC site using SQL Injection vulnerability and changed the DNS records that results in hundreds of Top level pakistani domains hijack which includes Google , Microsoft, paypal and more domains.