A few thoughts

Alex Pennace alex at pennace.org
Thu Jun 2 17:49:09 PDT 2005


On Thu, Jun 02, 2005 at 11:07:23AM +0100, Martin Atkins wrote:
> In order to perform a DNS poisoning attack, the attacker would need to 
> misdirect both the user-agent and the consumer, since both need to fetch 
> items from the same identity server for the transaction to succeed. 
> While misdirecting a user-agent wouldn't be too hard, it's less likely 
> that a consumer could be fooled, and even less likely that both parties 
> could be simultaneously fooled.

A consumer could just as easily be tricked by DNS cache poisoning.

Scenario: An attacker with control of the example.com nameservers and
control of the web server at 1.2.3.4 adds the following records to the
example.com zone file:

	badguy.example.com NS victim.livejournal.com
	victim.livejournal.com A 1.2.3.4

And then establishes an OpenID server at 1.2.3.4.

The attacker has the OpenID consumer attempt to contact the OpenID
server running at badguy.example.com. This doesn't succeed, but
because the poor OpenID consumer is served by an old BIND cache that
is vulnerable to poisoning, subsequent DNS lookups for
victim.livejournal.com will return the address 1.2.3.4.

At this point, the attacker may use these bogus credentials to help gain
access to victim.livejournal.com's account on the OpenID consumer, or
he can just stop his attack right there: victim.livejournal.com will
not be able to log in to the OpenID consumer site until
victim.livejournal.com's poisoned DNS record expires from the BIND
cache.

While modern nameservers are less vulnerable to this attack, keep in
mind that many OpenID consumers will wind up on cheap hosting sites
that have neither a modern nameserver nor a functional NTP daemon (as
you pointed out earlier).
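Added example (not from the post or any OpenID implementation): a minimal bailiwick filter of the kind a modern resolver applies to the scenario above, keeping the in-zone NS record but discarding the out-of-zone glue the attack relies on. The records are constructed from the post; 192.0.2.10 is a placeholder address for a hypothetical legitimate nameserver.

```python
"""Bailiwick check for DNS records received from a zone's nameserver.

A resolver that asked the example.com nameservers about badguy.example.com
may only cache records whose owner names fall under example.com. The
victim.livejournal.com A record in the scenario is outside that zone and
must be dropped, regardless of which section of the response carried it.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str   # owner name, e.g. "victim.livejournal.com"
    rtype: str  # record type: "A", "NS", ...
    rdata: str  # address or target name


def _labels(name: str) -> list[str]:
    # Case-insensitive, trailing dot ignored, split into labels.
    return name.rstrip(".").lower().split(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a subdomain of it (label-wise)."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z


def filter_response(zone: str, records: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split records served by `zone`'s nameserver into (cacheable, rejected)."""
    accepted: list[RR] = []
    rejected: list[RR] = []
    for rr in records:
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected


# Constructed records mirroring the scenario in the post.
SCENARIO = [
    RR("badguy.example.com", "NS", "victim.livejournal.com"),  # owner in zone: keep
    RR("victim.livejournal.com", "A", "1.2.3.4"),               # out of zone: drop
    RR("ns1.example.com", "A", "192.0.2.10"),                   # placeholder glue: keep
]

if __name__ == "__main__":
    ok, bad = filter_response("example.com", SCENARIO)
    for rr in bad:
        print(f"rejected out-of-bailiwick record: {rr.name} {rr.rtype} {rr.rdata}")
```

With the glue rejected, the resolver still has to look up victim.livejournal.com through the livejournal.com nameservers, so the attacker's address never enters the cache.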


More information about the yadis mailing list