Tuesday, January 2, 2007

Can't see the forest for the trees

Yesterday was perhaps the laziest day I've had in quite some time, but it was worth it. I woke up at 10ish and spent the remainder of the day planted in front of my laptop hacking. Come midnight I realized that the ROI on my time was diminishing.

My challenge for the day was much like many of the other security adventures I've been on in the past few years -- something catches my eye, and I pursue it. This particular trait has proven quite useful in my pursuit of security success, but it is actually one that I acquired long before even owned my own computer -- and I mean "own" as in "it belonds to me", not "0wn". Growing up I spent the bulk of my time outdoors doing various things -- riding my bikes, camping, fishing, hiking, etc. For whatever reason, I had this ability to, without even trying, discover misplaced/lost belongings. As an example, on camping trips with the scouts, I'd routinely be walking along, doing whatever it was needed to be done at the time, and I'd see a silouhette or something that otherwise stood out ever so slightly. It would usually turn out to be a watch, a flashlight, or other outdoor goody. Eventually it got to the point that other people would actually suspect I was stealing these things or they'd get pissed off at me because I would always find these treasures that would've otherwise gone unnoticed.

Yesterdays challenge was something that I had casually noticed in a packet capture several days earlier -- a DNS request for the hostname 'netmask'.

The first several hours were spent verifying that the request had, in fact, come from what application I thought it came from, and then determining what, in particular, had made that request. Eventually I realized that what I was up against was a call to system("/sbin/route somestuffhere"), where somestuffhere was taken in part from a DNS response.

After a quick POC with Dug Song's dnsspoof, I knew I could manipulate that call, but dnsspoof only does simple A record responses, so all I could wind up doing was getting /sbin/route to do something funky with this particular call. While that is certainly a vulnerability all by itself, it wasn't quite what I was looking for. Its like fishing -- it was a nice catch, but there is something bigger/better out there. I debated hacking up dnsspoof to do my bidding, but that quickly proved to be more C than I had time for. I whipped up some perl that did exactly what dnsspoof did, and then modified it to do my bidding. It will respond to regex-matched DNS A record lookups with arbitrary records -- A, CNAME, MX, etc, that you define. Doing an nslookup lookup on google.com and getting back a TXT record of `/bin/id` is quite amusing.

Anyway, I'm finalizing this code and hope to make it available very soon.

No comments: