by Ryan Naraine
July 21st, 2008 @ 2:12 pm

[ UPDATE: Kaminsky has all but confirmed that, yes, the cat is out of the bag ] It looks very much like the nitty gritty of Dan Kaminsky’s super-secret — and heavily hyped — DNS cache poisoning vulnerability has been figured out by reverse engineering guru Halvar Flake.

Clearly irked by a demand request from Kaminsky and others to avoid speculating on the details of the flaw until the patch is fully deployed, Flake (left) published a reliable method to forge and poison DNS lookups. Flake, CEO and head of research at Sabre Security, said his speculation was driven by the need to discuss the vulnerability in public instead of a one-month embargo that culminates with Kaminsky’s presentation at the upcoming Black Hat conference.

“In a strange way, if nobody speculates publicly, we are pulling wool over the eyes of the general public, and ourselves,” Flake argued, before posting the following hypothesis: Mallory wants to poison DNS lookups on server ns.polya.com for the domain www.gmx.net. The nameserver for gmx.net is ns.gmx.net. Mallory’s IP is 244.244.244.244. Mallory begins to send bogus requests for www.ulam00001.com, www.ulam00002.com … to ns.polya.com.

ns.polya.com doesn’t have these requests cached, so it asks a root server “where can I find the .com NS?” It then receives a referral to the .com NS. It asks the nameserver for .com where to find the nameserver for ulam00001.com, ulam00002.com etc. Mallory spoofs referrals claiming to come from the .com nameserver to ns.polya.com. In these referrals, it says that the nameserver responsible for ulamYYYYY.com is a server called ns.gmx.net and that this server is located at 244.244.244.244. Also, the time to live of this referral is … long …....