Hidden DNS (domain name system) resolvers create a means for carrying out email redirection and account takeover attacks, security researchers warn.
In a technical blog post, SEC Consult explains how it’s possible to manipulate the DNS name resolution of these so-called closed DNS resolvers using a variant of cache poisoning attacks (PDF), which were first unveiled by celebrated network security researcher Dan Kaminsky way back in 2008.
Cache from chaos
Previous research by SEC Consult has shown how it’s possible for an attacker to take over user accounts of web applications by manipulating DNS name resolution.
Closed DNS resolvers are used by numerous hosting providers and other internet service providers (ISPs) to provision services to their clients. As the name suggests, closed DNS resolvers reside on closed networks or intranets.
However, ‘closed’ is a bit of a misnomer in the context of SEC Consult’s research because the researchers have shown how it might be possible for external actors to abuse the functionalities of web applications to readily attack closed resolvers.
They found that attack reconnaissance is possible by exploiting how closed DNS resolvers interact with spam protection mechanisms on the open internet.
This could help an attacker understand DNS security features like source port randomization, DNSSEC, IP fragmentation, and, more simply by exploiting registration, password-reset, as well as newsletter functionalities of web applications that rely on closed resolvers.
Scouring the web
SEC Consult used two open source tools – DNS Reset Checker and the DNS Analysis Server – to analyze DNS traffic from targeted systems in order to identify vulnerabilities.
In practical terms, this attack reconnaissance work involved sending emails to some well-known domains and specifying the analysis domain as the sending domain. This allowed the researchers to identify thousands of systems that used static source ports, a security oversight that left them vulnerable to Kaminsky-style attacks.
“After sending emails to roughly 50k domains, we’ve received and analyzed DNS data for approximately 7,000 of them,” SEC Consult explains. “Among those 7,000 domains, at least 25 were using static source ports. By going down the rabbit hole again, thousands of more domains using static source ports were discovered.”
None of a sample of 25 vulnerable resolvers were using or enforcing additional security features such as DNSSEC, SEC Consult discovered.
Affected services were running behind domains operated by both small and big businesses, and sites delivering governmental services and political campaigns.
DNS cache poisoning insecurities can be abused to manipulate records and redirect emails – a security shortcoming that would allow an attacker to abuse the password reset functionalities of WordPress and Joomla installations, among others.
The attack technique can be used to hijack even a fully patched WordPress installation, SEC Consult was able to demonstrate.
The infosec firm has held back on publicly releasing the exploit code it developed to attack WordPress systems, because of concerns that awareness of the issue is low, which would leave many web-based systems accessible through closed DNS resolvers open to attack.
SEC consult spoke to ISPs, hosting providers, and computer emergency response teams (CERTs) about the issue in the months prior to going public with its findings last week.
Cache out
Independent DNS security experts said that the research highlighted a valid concern.
Cricket Liu, chief DNS architect at Infoblox, told The Daily Swig: “I don’t think this is particularly novel – we talked about this sort of thing back in the heyday of the Kaminsky vulnerability – but it’s relevant because there are still some DNS servers out there that don’t use source port randomization.”
Containing exotic attacks
Even though legacy Kaminsky attacks are definitely not the ‘next big thing’ it would be unwise to dismiss the issue as unfashionable, according to SEC Consult.
Timo Longin, a security consultant at SEC Consult, told The Daily Swig: “The DNS provides very exotic and unknown attack vectors that should be brought to the attention of the infosec community! For example, we found some hosting providers where it would potentially be possible to compromise all hosted servers by password-reset hijacking users via the providers’ control panel”.
To safeguard systems, vulnerable DNS resolvers must be patched and configured securely. Some best practices for securing your own DNS resolvers can be found at Google and at DNS flag day. Alternatively, large public DNS providers such as Google, Cloudflare, or Cisco can also be used.
Countermeasures for new DNS attacks are usually implemented quickly by these large providers, according to SEC Consult.