Nytro Posted October 25, 2011 Report Posted October 25, 2011 DNS poisoning via Port ExhaustionToday we are releasing a very interesting whitepaper which describes a DNS poisoning attack against stub resolvers.It discloses two vulnerabilities:A vulnerability in Java (CVE-2011-3552, CVE-2010-4448) which enables remote DNS poisoning using Java applets. This vulnerability can be triggered when opening a malicious webpage. A successful exploitation of this vulnerability may lead to disclosure and manipulation of cookies and web pages, disclosure of NTLM credentials and clipboard data of the logged-on user, and even firewall bypass.A vulnerability in multiuser Windows environments which enables local DNS cache poisoning of arbitrary domains. This vulnerability can be triggered by a normal user (i.e. one with non-administrative rights) in order to attack other users of the system. A successful exploitation of this vulnerability may lead to information disclosure, privilege escalation, universal XSS and more.The whitepaper can be found here.http://blog.watchfire.com/files/dnsp_port_exhaustion.pdfA few video demos of our Proof-of-Concept:Attack: Remote DNS poisoning via Java Applets: Cookie theft.Environment: Ubuntu 11.04, Firefox 7.0.1. http://www.youtube.com/watch?v=eSEvFmsw55AAttack: Remote DNS poisoning via Java Apples: NTLM credentials and Clipboard theft.Environment: Windows 2008, Internet Explorer 9. http://www.youtube.com/watch?v=i-Fmk7-pFFAAttack: Remote DNS poisoning via Java Applets: Firewall bypass.Environment: Windows 2008, Firefox 7.0.1.http://www.youtube.com/watch?v=7CFq_pofeBUAttack: Local DNS poisoning via port exhaustion.Environment: Windows 2008.http://www.youtube.com/watch?v=m2GkLL9d68EWe would like to thank Oracle and Microsoft for their cooperation.-Roee Hay and Yair AmitSursa: IBM Rational Application Security Insider: DNS poisoning via Port Exhaustion Quote
