> On Wed, Jul 23, 2008 at 9:44 PM, Joe Greco <[EMAIL PROTECTED]> wrote:
> >> Except this time your reply comes with an additional record
> >> containing the IP for www.gmail.com to the one you want to redirect it
> >> to.
> >
> > Thought that was the normal technique for cache poisoning. I'm pretty
> > sure that at some point, code was added to BIND to actually implement
> > this whole bailiwick system, rather than just accepting arbitrary
> > out-of-scope data, which it ... used to do (sigh, hi BIND4).
>
> Joe,
>
> I think that's the beauty of this attack: the data ISN'T out of scope.
> The resolver is expecting to receive one or more answers to
> 00001.gmail.com, one or more authority records (gmail.com NS
> www.gmail.com) and additional records providing addresses for the
> authority records (www.gmail.com A 127.0.0.1).
I think the response to that is best summarized as **YAWN**.

One of the basic tenets of attacking security is that it works best to attack the things that you know a remote system will allow. The bailiwick system is *OLD* tech at this point, but is pretty much universally deployed (in whatever forms across various products), so it stands to reason that a successful attack is likely to involve either in-scope data, or a bug in the system. The fact that this was known to be a cross-platform vulnerability would have suggested an in-scope data attack.

I thought that part was obvious, sorry for any confusion.

... JG

-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
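The two messages above turn on what a resolver's bailiwick check does and does not do: out-of-scope additional records are dropped, but an NS record for gmail.com plus glue for www.gmail.com is exactly what the resolver expects from a server authoritative for gmail.com, so it passes. The following is an added example written for this page, not code from the thread or from BIND. It models the check as a small Python function, feeds it a response shaped like the one the thread describes, and adds the RFC 2181 (section 5.4.1) data ranking that a cache uses to refuse letting lower-trust additional-section data overwrite a higher-trust record it already holds. Names come from the thread; the 203.0.113.x addresses are constructed, and the tuple-based record and cache layout is an assumption made for brevity.

```python
# Added example (not code from the thread or from BIND): a toy bailiwick filter
# plus RFC 2181 section 5.4.1 style trust ranking for a resolver cache.
# Record layout (section, owner, rtype, rdata) and the dict cache are assumed.

RANK = {"answer": 3, "authority": 2, "additional": 1}   # higher = more trusted


def _labels(name):
    """Normalise a domain name to a list of lower-case labels."""
    return name.lower().rstrip(".").split(".")


def in_bailiwick(owner, zone):
    """True if `owner` is `zone` itself or a name beneath it.

    Compared label by label so that notgmail.com is NOT inside gmail.com.
    """
    o, z = _labels(owner), _labels(zone)
    return len(o) >= len(z) and o[-len(z):] == z


def filter_response(qname, zone, records):
    """Apply the bailiwick check to a response from a server for `zone`.

    Every record must fall inside the zone; answer-section records must
    additionally be for the name that was asked about.
    Returns (accepted, dropped).
    """
    accepted, dropped = [], []
    for rec in records:
        section, owner, _rtype, _rdata = rec
        ok = in_bailiwick(owner, zone)
        if section == "answer":
            ok = ok and _labels(owner) == _labels(qname)
        (accepted if ok else dropped).append(rec)
    return accepted, dropped


def cache_update(cache, records):
    """Insert accepted records into `cache`, keyed by (owner, rtype).

    A record from a lower-ranked section never replaces higher-ranked data
    already in the cache (RFC 2181 s5.4.1 ranking). Returns the keys written.
    """
    written = []
    for section, owner, rtype, rdata in records:
        key = (owner.lower().rstrip("."), rtype)
        rank = RANK[section]
        old = cache.get(key)
        if old is None or rank >= old[0]:
            cache[key] = (rank, rdata)
            written.append(key)
    return written


# Constructed response in the shape the thread describes: the server for
# gmail.com answers a query for 00001.gmail.com and tacks on NS plus glue.
SAMPLE_RESPONSE = [
    ("answer",     "00001.gmail.com", "A",  "203.0.113.1"),   # constructed
    ("authority",  "gmail.com",       "NS", "www.gmail.com"),
    ("additional", "www.gmail.com",   "A",  "127.0.0.1"),
    ("additional", "www.example.net", "A",  "127.0.0.1"),     # out of scope
]

if __name__ == "__main__":
    accepted, dropped = filter_response("00001.gmail.com", "gmail.com", SAMPLE_RESPONSE)
    print("accepted:", accepted)   # the in-scope NS and glue pass, as the thread says
    print("dropped: ", dropped)    # only www.example.net is out of bailiwick

    # Cache already holding an authoritative answer for www.gmail.com:
    cache = {("www.gmail.com", "A"): (RANK["answer"], "203.0.113.5")}  # constructed
    print("written over warm cache:", cache_update(cache, accepted))
    print("www.gmail.com still:", cache[("www.gmail.com", "A")])
```

Running the block shows the point both correspondents make: the glue for www.gmail.com is accepted because it is in scope, while the ranking step only protects an entry that is already cached at a higher trust level; once that entry is absent or expired, the additional-section glue is what gets written, which is why resolver-side fixes had to go beyond bailiwick checking.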

